
Users

User controllers

📄️ Synchronize a new user or an existing user

Synchronize a user. Caller requires the USERS:EDIT permission. An Identity as a Service directory must be configured and associated with an Identity as a Service Gateway 5.0 or later. If you unsynchronize a user using the unsync API, the user becomes locally managed. To set the user back to an AD Sync user, the user should be synchronized again using this API. An AD Sync crawl will only re-synchronize the user if the user is updated in AD (i.e., the user's last update time in AD is updated) or a new custom user attribute mapping is added for the directory (this resets the last update time for all users such that all AD users will be re-synchronized).

The following response status attribute values are possible:

- CONVERTED: the locally managed Identity as a Service user was converted into an AD Sync user.
- CREATED: a new user was created as an AD Sync user.
- DELETED: the user was not found in AD and has been deleted in Identity as a Service.
- LOCALIZED_ENABLED: the user was not found in AD and has been set as locally managed and enabled in Identity as a Service.
- LOCALIZED_DISABLED: the user was not found in AD and has been set as locally managed and disabled in Identity as a Service.
- UPDATED: the user was synchronized.

📄️ Unsynchronize an existing user

Unsynchronize a user. Caller requires the USERS:EDIT permission. An Identity as a Service directory must be configured and associated with an Identity as a Service Gateway 5.0 or later. If you unsynchronize a user using this API, the user becomes locally managed. To set the user back to an AD Sync user, the user should be synchronized again using the sync API. An AD Sync crawl will only re-synchronize the user if the user is updated in AD (i.e., the user's last update time in AD is updated) or a new custom user attribute mapping is added for the directory (this resets the last update time for all users such that all AD users will be re-synchronized).

📄️ Lists a page of users

Returns users for the provided search parameters. Caller requires the USERS:VIEW permission. The following searchByAttributes are supported:

- userId: a String value (it matches either the User ID or any alias). Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH.
- groupId: a String value that should be the UUID of an existing group. Allowed operator: EQUALS.
- roleId: a String value that should be the UUID of an existing role. Allowed operator: EQUALS.
- authenticator: a String with value ENTRUST_SOFT_TOKEN or FIDO or GOOGLE_AUTHENTICATOR or GRID or HARDWARE_TOKEN or KBA or OTP or PASSWORD or SMARTCREDENTIALPUSH or TEMP_ACCESS_CODE or FACE. Allowed operators are: EQUALS, NOT_EQUALS.
- state: ACTIVE or INACTIVE. Allowed operator: EQUALS.
- locked: 'true' is the only value allowed. Allowed operator: EQUALS.
- userType: a String with value LOCAL or SYNC or EXTERNAL. Allowed operator: EQUALS.
- registrationRequired: true or false. Allowed operator: EQUALS.
- verificationRequired: true or false. Allowed operator: EQUALS.
- lastAuthTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.
- passwordExpirationTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.
- organizationId: a String value that should be the UUID of an existing organization. Allowed operator: EQUALS.

If you provide more than one search attribute, they are joined with an AND condition.

The orderByAttribute supports these attribute names: userId, state, lastAuthTime.

The following attributes can be optionally included in the returned User object: grids, tokens, smartCredentials, tempAccessCode, fidoTokens, userAttributeValues, userAliases, groups, oauthRoles, authenticatorLockoutStatus, organizations.