Provisioning users through the API

You can automate user provisioning using the Content Manager Web Services API.

User authentication happens through Tridion Access Management and an identity provider. Once a user is authenticated as an external identity, Content Manager maps that identity to a Content Manager user profile, which carries the authorization and application data. These Content Manager user profiles need to be provisioned.

There are two types of user profiles:

  • Internal users are authenticated by the Tridion Docs Identity Provider. Internal users require a password maintained by Content Manager (storage, complexity rules, expiration, lost passwords, and so on).
    • The incoming user name and password are passed to and validated by Application.Login, which matches them to a unique Content Manager user profile.
    • User profile creation happens through User.Create, where the field FISHUSERTYPE must contain Internal and you have to specify the PASSWORD field.
  • External users are authenticated by an external identity provider before being matched to a Content Manager user profile for authorization. There is no password management for these users.
    • The incoming authenticated identity is matched to a unique Content Manager user profile using the FISHEXTERNALID field.
    • User profile creation happens through User.Create, where the field FISHUSERTYPE must hold External and FISHEXTERNALID must contain a match for the incoming IIdentity.Name value (e.g. MYDOMAIN\username). You are not allowed to specify the PASSWORD field.

The API lets you create, read, update, delete and disable user profiles. The following algorithm can guide you in synchronizing your user systems.

  1. Delete or disable Content Manager user profiles that no longer exist in the central system.
    1. List all Content Manager user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No.
    2. For every user in the Content Manager user list, find the external user profile by FISHEXTERNALID.
      • If none exists: delete the Content Manager user profile if it is not referenced, otherwise disable the Content Manager user profile.
      • If one or more exist: check whether the external user is disabled and, if so, disable the Content Manager user profile.
  2. Create or update Content Manager user profiles in the Content Manager system.
    1. List all external users required to have a matching profile in Content Manager (e.g. limited by a role, …).
    2. For every user in the external user list, find the Content Manager user profile by FISHEXTERNALID.
      • If there are multiple hits: throw an exception, because multiple profile hits never grant a login.
      • If none exists: create the user profile with the required roles and user groups.
      • If exactly one exists: enable, skip or possibly update the user profile.
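
The two-step synchronization above, as an added example that is not part of the original page or of the Content Manager API: the real User.Create, User.Update and lookup calls are replaced by a hypothetical in-memory user table (`CmUser`, `sync_external_users`), and the central identity store is a plain dictionary keyed by FISHEXTERNALID; the `referenced` flag and the rule that disabled central identities are not "required" in step 2 are assumptions.

```python
from dataclasses import dataclass

@dataclass
class CmUser:
    """Constructed stand-in for a Content Manager profile with FISHUSERTYPE=External."""
    external_id: str          # FISHEXTERNALID, e.g. MYDOMAIN\username
    disabled: bool = False    # FISHUSERDISABLED
    referenced: bool = False  # assumption: True when the profile is still referenced and cannot be deleted

class SyncError(Exception):
    """Raised when several profiles share one FISHEXTERNALID: such hits never grant a login."""

def sync_external_users(cm: dict, central: dict) -> list:
    """Run the two-step synchronization from the page.

    cm:      username -> CmUser, the hypothetical Content Manager user table (mutated in place)
    central: FISHEXTERNALID -> {"disabled": bool}, the central identity store
    Returns the list of actions taken, in order.
    """
    actions = []
    # Step 1: take External profiles with FISHUSERDISABLED=No and look each one up centrally
    for name, user in list(cm.items()):
        if user.disabled:
            continue
        entry = central.get(user.external_id)
        if entry is None:
            # no central identity any more: delete if unreferenced, otherwise disable
            if user.referenced:
                user.disabled = True
                actions.append(f"disable {name}")
            else:
                del cm[name]
                actions.append(f"delete {name}")
        elif entry["disabled"]:
            user.disabled = True
            actions.append(f"disable {name}")
    # Step 2: every active central identity needs exactly one matching profile
    for ext_id, entry in central.items():
        if entry["disabled"]:
            continue                          # assumption: disabled identities are not "required"
        hits = [n for n, u in cm.items() if u.external_id == ext_id]
        if len(hits) > 1:
            raise SyncError(f"{ext_id} matches several profiles: {hits}")
        if not hits:
            cm[ext_id] = CmUser(ext_id)       # real call: User.Create with FISHUSERTYPE=External
            actions.append(f"create {ext_id}")
        elif cm[hits[0]].disabled:
            cm[hits[0]].disabled = False      # re-enable a profile that was disabled earlier
            actions.append(f"enable {hits[0]}")
        # exactly one active hit: skip, or update roles and groups here
    return actions
```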