# Users

A user is a human who uses a registered client to access resources. The information managed by the system is the minimum set of data required to identify the user and handle the security concerns. All other information associated with the user but specific to a given application must be considered user profile information and managed by each application. This set of information also has to include the User Type model that exists in the legacy security model. User information is stored in the `[authorization].[user]` table in the database.
## Models

### User's basic details

#### Personal information

| Property | Description |
|---|---|
| Username | string. Unique identifier for the user. |
| EmailAddress | string. Email address of the user. Must be unique. Required. |
| FirstName | string |
| LastName | string |
| PhoneNumber | string |
| AutomaticallyCreated | bool. Flags whether the user was created automatically (e.g. by Origin Portal). |
#### Security

| Property | Description |
|---|---|
| LastLoginDateUtc | DateTime?. Last login date (stored in UTC). |
| ActiveEndDateUtc | DateTime?. The user will be inactive from this date (UTC). |
| PasswordHash | string. Hashed password. |
| PasswordExpiryDateUtc | DateTime?. Date when the password will expire (UTC). |
| SecurityStamp | GUID. The security stamp is used to track changes made to the user profile. It is used for security purposes when important properties of a user change, such as the password. |
| AccessFailedCount | int. Counts the number of failed access attempts since the last successful access. |
| LockoutEndDateUtc | Date?. The user is locked out until this date. The Lockout* properties are kept so this functionality can be implemented in the new service. |
| LockoutEnabled | bool. Enables/disables the lockout mechanism. |
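As an added illustration, not code from this page or from the product, the Python below shows how the Security properties above combine at sign-in time: `ActiveEndDateUtc`, `LockoutEnabled`/`LockoutEndDateUtc` and `PasswordExpiryDateUtc` gate the attempt, and `AccessFailedCount` drives the lockout. The threshold `MAX_FAILED_ATTEMPTS`, the `LOCKOUT_DURATION` and the clock value `T0` are assumptions; the `User` class only mirrors the fields in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                   # assumed policy; not stated on the page
LOCKOUT_DURATION = timedelta(minutes=15)  # assumed policy; not stated on the page
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now" (UTC)

@dataclass
class User:
    Username: str  # field names as in the Security table above
    LastLoginDateUtc: Optional[datetime] = None
    ActiveEndDateUtc: Optional[datetime] = None
    PasswordExpiryDateUtc: Optional[datetime] = None
    AccessFailedCount: int = 0
    LockoutEndDateUtc: Optional[datetime] = None
    LockoutEnabled: bool = True

def sign_in_status(user: User, now: datetime) -> str:
    """Reason a sign-in is refused before the password is checked, else 'ok'."""
    if user.ActiveEndDateUtc is not None and now >= user.ActiveEndDateUtc:
        return "inactive"           # account is past ActiveEndDateUtc
    if (user.LockoutEnabled and user.LockoutEndDateUtc is not None
            and now < user.LockoutEndDateUtc):
        return "locked_out"         # still inside the lockout window
    if user.PasswordExpiryDateUtc is not None and now >= user.PasswordExpiryDateUtc:
        return "password_expired"   # password must be rotated first
    return "ok"

def record_attempt(user: User, password_ok: bool, now: datetime) -> str:
    """Apply one sign-in attempt to the user's security fields."""
    status = sign_in_status(user, now)
    if status != "ok":
        return status
    if password_ok:
        user.AccessFailedCount = 0  # counter is "since last successful access"
        user.LastLoginDateUtc = now
        return "ok"
    user.AccessFailedCount += 1
    if user.LockoutEnabled and user.AccessFailedCount >= MAX_FAILED_ATTEMPTS:
        user.LockoutEndDateUtc = now + LOCKOUT_DURATION
        return "locked_out"
    return "bad_password"

def demo() -> list:
    u = User("alice")  # constructed user: five bad passwords, then a good one
    results = [record_attempt(u, False, T0) for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(record_attempt(u, True, T0 + timedelta(minutes=1)))  # refused
    results.append(record_attempt(u, True, T0 + LOCKOUT_DURATION))      # allowed
    return results
```

A user with `LockoutEnabled` set to false accumulates `AccessFailedCount` but is never locked out, which is why that flag deserves monitoring on privileged accounts.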
#### Single sign-on

| Property | Description |
|---|---|
| AzureUserIdentifier | string. Stores the oid provided by Azure AD for users using Azure AD authentication. |
| SsoUserName | string. User name used for matching SSO with external providers. |
| SsoDomain | string. User's domain used for matching SSO with external providers. |
| LdapSyncEnabled | boolean. Determines whether this user will be included in the AD/Azure AD sync. |
| LdapSyncUpdatedAt | datetime. When the user was last synced with AD/Azure AD. |
### Membership

A permission defines which CRUD actions (Create, Read, Update and Delete) are allowed over a specific securable for users assigned to a specific role. The role and the group have to belong to the same application.

| Property | Description |
|---|---|
| Key | Integer. Unique key to refer to the permission. Required. Autogenerated. |
| GroupKey | String. Group.Key where this membership is defined. Required. |
| RoleKey | String. Role.Key which this membership is configuring. Required. |
| LadpSyncEnabled | Boolean. Indicates whether the membership is affected by LDAP/Azure AD sync. |
### UserTypeAssignedToUser

Each user can be assigned one User Type per application. The same UserType cannot be assigned more than once.

| Property | Description |
|---|---|
| Key | Integer. Unique id to refer to the UserType assignment. Required. Autogenerated. |
| UserTypeId | String. UserType.Id assigned to this user. Required. |
## How to manage users

Users can be managed with the administration UI, directly through the API, or by importing a user package:

- UI at `/applications/users`. The next sections describe in more detail how to manage users using the UI.
- API at `/Authorization/Users`. Please use the OpenAPI specs offered by Swagger at https://your-security-server/SecurityApi/swagger/.
- sequel-security tool with the commands `-import`, `-export` and `-add-admin-user`. More information is available on the sequel-security tool page.

Actions performed with the UI and the API are protected by the securable `Sec.Users`.