This topic has 3 replies, 2 voices, and was last updated 6 years, 1 month ago by laurent.bristiel.

     Morten Lømo

    I have done usecase3. If I understand correctly, user.1 should now have access to Business systems. When I log in to the OpenIDM User UI with openidm-admin and select user.1, I cannot see any information about this.

    1. How can I verify that user.1 has access to Business systems?

    2. To my understanding, a user typically has many accesses. For example, he has access to systems A, B, C, ... where a system is a server or application. For example, he may use different usernames to log in to each system. He may have different access rights (read & write, read-only, group memberships, ...) on each system. Is this correct? If so, how do I see which accesses a user has? (In fact, the same question as 1.)



    1) In those use cases, the information about systems users is stored in the “accounts” property of managed users. So if you want to check whether a user has access to a system, you can retrieve the record via REST:

    $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/managed/user/user.1"  | jq '.'
      "telephoneNumber": "+1 680 734 6300",
      "mail": "[email protected]",
      "city": "New Haven",
      "givenName": "Aaren",
      "userType": "employee",
      "employeeNumber": "1",
      "accounts": [    <== here it is

    Regarding the GUI, this property is not visible in the Data Management UI (/openidmui), but you can see it in the Admin UI (/admin). See the Web Based UI section in the integrator’s guide to get an overview of the UI. To see a single record for a managed user, you have to click on the “User” menu (three little dots), choose “edit” and select a record in the user list.

    The reason why you cannot see the “account” property is that this property is specific to those use cases. So it is not shown in the “Data Management UI” because this one shows a fixed list of properties per user, whereas the Admin UI has some generic pages for resources that will show all properties listed in the schema of the object.

    2) To manage access, you can either use a custom property that contains the authorisations of your users and build/update the GUI to show it, or use roles, which are already managed/shown in the GUI. See the roles section of the integrator’s guide.
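The check described in the reply above, as an added Python example that is not part of the original thread and not ForgeRock code. It goes slightly beyond the reply by also accepting per-account objects with a username and permissions; the "system" key, the sample records and the OPENIDM_USER / OPENIDM_PASSWORD environment variables are assumptions.

```python
import json
import os
import urllib.request

def fetch_managed_user(user_id, base_url="http://localhost:8080/openidm"):
    """GET managed/user/<id> with the same headers as the curl call above."""
    # Credentials are read from the environment (hypothetical variable names).
    req = urllib.request.Request(
        f"{base_url}/managed/user/{user_id}",
        headers={
            "X-OpenIDM-Username": os.environ["OPENIDM_USER"],
            "X-OpenIDM-Password": os.environ["OPENIDM_PASSWORD"],
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def account_entries(record):
    """Normalize the "accounts" property to a list of dicts.
    Assumption: an entry is a system name or an object with a "system" key."""
    entries = []
    for item in record.get("accounts") or []:  # property may be absent
        if isinstance(item, str):
            entries.append({"system": item, "username": None, "permissions": []})
        elif isinstance(item, dict):
            entries.append({
                "system": item.get("system"),
                "username": item.get("username"),
                "permissions": list(item.get("permissions") or []),
            })
    return entries

def has_access(record, system):
    return any(e["system"] == system for e in account_entries(record))

def access_report(records):
    """Map each system to the sorted ids of users holding an account on it."""
    report = {}
    for rec in records:
        for e in account_entries(rec):
            report.setdefault(e["system"], set()).add(rec.get("_id"))
    return {system: sorted(users) for system, users in report.items()}

# Constructed sample records, not output from a real OpenIDM instance.
SAMPLE = [
    {"_id": "user.1", "givenName": "Aaren", "accounts": ["Business"]},
    {"_id": "user.2", "accounts": [
        {"system": "Business", "username": "u2", "permissions": ["read-only"]},
        {"system": "Project", "username": "proj2", "permissions": ["read", "write"]}]},
    {"_id": "user.3"},
]
```

Against a live instance, has_access(fetch_managed_user("user.1"), "Business") answers the first question for one user, and access_report over all records gives the per-system view.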

     Morten Lømo

    Thanks for your reply. It was very helpful. Two follow-up questions:

    1. Is it possible to have attributes per account? E.g. something like this:

    “accounts”: [ <== here it is
    -> “username”: …
    -> “permissions” …
    -> “username”: ..
    -> “permissions”: …

    2. You write: “.. click on the “User” menu (three little dots)”. Is this only for the latest nightly builds and not the latest stable version 3.1.0? (I am using version 3.1.0 and I have not seen the three dots.)

    Thanks Morten


    1) Sure, this “accounts” data model is custom for this use case and could be modified/expanded with more elaborate objects. You will have to update the accessRequest.bpmn20.xml workflow definition file (and adapt the UI to your needs).

    2) Oh yes, sorry, I was talking about the trunk, which at the moment might be a bit broken because we are going through many changes (follow OPENIDM-3695 and OPENIDM-3661 in https://bugster.forgerock.org).
