From 01f87d1cc7029de50967284046ca64e9d783ac6a Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Wed, 16 Apr 2025 10:30:36 +0530 Subject: [PATCH 1/6] UserCommons: deactivate MxAdmin update --- .../modules/SAML/_index.md | 5 +++++ .../modules/oidc.md | 19 ++++++++++++------- .../modules/scim.md | 5 +++++ 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md index 872c566d702..a21da90f8a1 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md @@ -442,6 +442,11 @@ You can set up custom user provisioning by setting the following constants. You | Userrole | the role which will be assigned to newly created users | *Optional* | `User` | | UserType | assigns user type to the created user | *0ptional* | `Internal` | | CustomUserProvisioning | a custom microflow to use for user provisioning | *0ptional* – in the form `modulename.microflowname` – the microflow name must begin with the string `CustomUserProvisioning` | `Mymodule.CustomUserProvisioningEntra` | +| DisableMxAdmin | deactivates Mx admin | *0ptional* | `False` | + +{{% alert color="info" %}} +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +{{% /alert %}} ### Custom User Provisioning at Runtime{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index a5be64fff47..f77021f2df7 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md 
+++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md @@ -513,13 +513,18 @@ You can set up custom user provisioning by setting the following constants. You | Constant | Use | Notes | Example | | --- | --- | --- | --- | -| CustomUserEntity | a custom user entity | in the form `modulename.entityname` – a specialization of `System.User` | `Administration.Account` | -| PrincipalEntityAttribute | the attribute holding the unique identifier of an authenticated user | | `Name` | -| PrincipalIdPAttribute | the IdP claim which is the unique identifier of an authenticated user | | `sub` | -| AllowcreateUsers | allows to create users in the application | *optional* | `True` | -| Userrole | the role that will be assigned to newly created users | *optional* - Default Userrole is assigned only at user creation
- User updates do not change the default role
- No bulk update for existing users when the default userrole changes | `User` | -| UserType | assigns user type to the created user | *optional* | `Internal` | -| CustomUserProvisioning | a custom microflow to use for user provisioning | *optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `UC_CustomProvisioning` | `Mymodule.UC_CustomProvisioning` | +| `CustomUserEntity` | a custom user entity | in the form `modulename.entityname` – a specialization of `System.User` | `Administration.Account` | +| `PrincipalEntityAttribute` | the attribute holding the unique identifier of an authenticated user | | `Name` | +| `PrincipalIdPAttribute` | the IdP claim which is the unique identifier of an authenticated user | | `sub` | +| `AllowcreateUsers` | allows to create users in the application | *optional* | `True` | +| `Userrole` | the role that will be assigned to newly created users | *optional* - Default Userrole is assigned only at user creation
- User updates do not change the default role
- No bulk update for existing users when the default userrole changes | `User` | +| `UserType` | assigns user type to the created user | *optional* | `Internal` | +| `CustomUserProvisioning` | a custom microflow to use for user provisioning | *optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `UC_CustomProvisioning` | `Mymodule.UC_CustomProvisioning` | +| `DisableMxAdmin` | deactivates Mx admin | *optional* | `False` | + +{{% alert color="info" %}} +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +{{% /alert %}} #### Runtime Configuration of End-user Onboarding{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md index ed04446bc98..c749eaa73c3 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md @@ -298,6 +298,11 @@ The table below lists all supported constants. Mandatory constants must be set a | `Default_UserNameMapping` | sets the mapping entity attribute to the Identity provider attribute | Optional | No default Value | | `Default_UserRole` | sets the mapping entity attribute to the Identity provider attribute | Optional | `User` | | `Default_UserType` | sets the mapping entity attribute to the Identity provider attribute | Optional | `Internal` | +| `DisableMxAdmin` | deactivates Mx admin | Optional | `False` | + +{{% alert color="info" %}} +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +{{% /alert %}} #### Configuration with Entra ID 
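
Review bot: In PATCH 1/6, SAML/_index.md hunk at -442, the added `DisableMxAdmin` row has `*0ptional*` with a digit zero in the Notes cell, copied from the `UserType` and `CustomUserProvisioning` context rows. Spell it `*Optional*` in the row as it is introduced. The Use cell says "deactivates Mx admin" while the alert added below it says "MxAdmin"; use the account name `MxAdmin` in both places.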
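
Review bot: In PATCH 1/6, oidc.md hunk at -513, the one functional addition (the `DisableMxAdmin` row and its alert) is buried under seven rows that are removed and re-added only to put backticks around the constant names. Move the backtick change to its own commit so that the new setting can be reviewed by itself.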
From 81ee1e7f2157afbc4c547c02c8eabc6cb93a9622 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Wed, 16 Apr 2025 13:06:49 +0530 Subject: [PATCH 2/6] Swapping the values --- .../platform-supported-content/modules/SAML/_index.md | 8 ++++---- .../platform-supported-content/modules/oidc.md | 4 ++-- .../platform-supported-content/modules/scim.md | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md index a21da90f8a1..42197d2b9dc 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md 
@@ -440,12 +440,12 @@ You can set up custom user provisioning by setting the following constants. You | IdPAttribute | the IdP claim which is the unique identifier of an authenticated user | *Default* | `NameId` | | AllowcreateUsers | allows to create users in the application | *Optional* | `True` | | Userrole | the role which will be assigned to newly created users | *Optional* | `User` | -| UserType | assigns user type to the created user | *0ptional* | `Internal` | -| CustomUserProvisioning | a custom microflow to use for user provisioning | *0ptional* – in the form `modulename.microflowname` – the microflow name must begin with the string `CustomUserProvisioning` | `Mymodule.CustomUserProvisioningEntra` | -| DisableMxAdmin | deactivates Mx admin | *0ptional* | `False` | +| UserType | assigns user type to the created user | *Optional* | `Internal` | +| CustomUserProvisioning | a custom microflow to use for user provisioning | *Optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `CustomUserProvisioning` | `Mymodule.CustomUserProvisioningEntra` | +| DisableMxAdmin | deactivates Mx admin | *Optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} ### Custom User Provisioning at Runtime{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index f77021f2df7..6c869462217 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md 
+++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md @@ -520,10 +520,10 @@ You can set up custom user provisioning by setting the following constants. You | `Userrole` | the role that will be assigned to newly created users | *optional* - Default Userrole is assigned only at user creation
- User updates do not change the default role
- No bulk update for existing users when the default userrole changes | `User` | | `UserType` | assigns user type to the created user | *optional* | `Internal` | | `CustomUserProvisioning` | a custom microflow to use for user provisioning | *optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `UC_CustomProvisioning` | `Mymodule.UC_CustomProvisioning` | -| `DisableMxAdmin` | deactivates Mx admin | *optional* | `False` | +| `DisableMxAdmin` | deactivates Mx admin | *optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Runtime Configuration of End-user Onboarding{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md index c749eaa73c3..65a021a533b 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md 
@@ -298,10 +298,10 @@ The table below lists all supported constants. Mandatory constants must be set a | `Default_UserNameMapping` | sets the mapping entity attribute to the Identity provider attribute | Optional | No default Value | | `Default_UserRole` | sets the mapping entity attribute to the Identity provider attribute | Optional | `User` | | `Default_UserType` | sets the mapping entity attribute to the Identity provider attribute | Optional | `Internal` | -| `DisableMxAdmin` | deactivates Mx admin | Optional | `False` | +| `DisableMxAdmin` | deactivates Mx admin | Optional | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Configuration with Entra ID From db32b3c389655ae6a367e133d2771021aa0d3ec3 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Wed, 16 Apr 2025 13:56:35 +0530 Subject: [PATCH 3/6] Fix --- .../platform-supported-content/modules/SAML/_index.md | 2 +- .../use-content/platform-supported-content/modules/oidc.md | 2 +- .../use-content/platform-supported-content/modules/scim.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md index 42197d2b9dc..0288b610038 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md 
@@ -445,7 +445,7 @@ You can set up custom user provisioning by setting the following constants. You | DisableMxAdmin | deactivates Mx admin | *Optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} ### Custom User Provisioning at Runtime{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index 6c869462217..626b7e74c7a 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md @@ -523,7 +523,7 @@ You can set up custom user provisioning by setting the following constants. You | `DisableMxAdmin` | deactivates Mx admin | *optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Runtime Configuration of End-user Onboarding{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md index 65a021a533b..2a317e92e83 100644 
--- a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md @@ -301,7 +301,7 @@ The table below lists all supported constants. Mandatory constants must be set a | `DisableMxAdmin` | deactivates Mx admin | Optional | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `False` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Configuration with Entra ID From 1819dec326adb631219262db0c2a0ce69c5cc5c8 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 5 May 2025 17:24:07 +0530 Subject: [PATCH 4/6] additional update --- .../use-content/platform-supported-content/modules/oidc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index 626b7e74c7a..d37cff2bb97 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md 
@@ -604,8 +604,8 @@ Select it in the **Custom UserProvisioning** field. The custom microflow name mu * **UserInfoParameter(UserCommons.UserInfoParam)**: A Mendix object containing user claims information through its associated objects. You can use this parameter to retrieve user provisioning configuration information. * **User(System.User)**: A Mendix object representing the user to be provisioned. Ensure that the selected microflow matches this parameter signature. - -The custom microflow will be executed after the user is created or updated. +* The microflow must return a **System.User** object to ensure proper user provisioning and updates. It will be executed after user creation or update of user. However, starting from version 2.0.0 of the UserCommons module, this is no longer mandatory. +* If you have added a new microflow, you need to refresh the module containing your microflow as described in the [Mx Model Reflection](/appstore/modules/model-reflection/). ### Configuring User Provisioning for Version 2.4.0 and Below From 3e552ac8e62b70c9fb2d5254184c97350d54176c Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Thu, 8 May 2025 14:05:51 +0530 Subject: [PATCH 5/6] feedback comments --- .../platform-supported-content/modules/SAML/_index.md | 2 +- .../use-content/platform-supported-content/modules/oidc.md | 2 +- .../use-content/platform-supported-content/modules/scim.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md index 0288b610038..d46a8d779f8 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md 
@@ -445,7 +445,7 @@ You can set up custom user provisioning by setting the following constants. You | DisableMxAdmin | deactivates Mx admin | *Optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} ### Custom User Provisioning at Runtime{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index d37cff2bb97..552a38c12c1 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md 
@@ -523,7 +523,7 @@ You can set up custom user provisioning by setting the following constants. You | `DisableMxAdmin` | deactivates Mx admin | *optional* | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Runtime Configuration of End-user Onboarding{#custom-provisioning-rt} diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md index 2a317e92e83..f3dce7da367 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md 
@@ -301,7 +301,7 @@ The table below lists all supported constants. Mandatory constants must be set a | `DisableMxAdmin` | deactivates Mx admin | Optional | `True` | {{% alert color="info" %}} -From version 2.1.0 of the UserCommons module, if the flag is set to `True` for the `DisableMxAdmin` constant, MxAdmin will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. +You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`. {{% /alert %}} #### Configuration with Entra ID From 3bc45a6af943a5d80398a45ff0addb86cd0e4eb3 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Thu, 8 May 2025 19:29:05 +0530 Subject: [PATCH 6/6] proofreading --- .../platform-supported-content/modules/oidc.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md index 552a38c12c1..169334254b3 100644 --- a/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md +++ b/content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md 
@@ -533,16 +533,16 @@ By default, users are provisioned by [Default User Provisioning Configuration](# You can set up just-in-time user provisioning as follows: 1. Sign in to the running app with an administrator account. -2. Navigate to the `OIDC.OIDC_Client_Overview` page which is set up in the app navigation. +2. Navigate to the `OIDC.OIDC_Client_Overview` page, which is set up in the app navigation. 3. In the **IdPs for SSO and API security** tab, click **New** and access the **UserProvisioning** tab. -Below fields are available in the **UserProvisioning** tab for the User Provisioning configuration. +Fields below are available in the **UserProvisioning** tab for the User Provisioning configuration. * **Custom user Entity (extension of System.User)** – the Mendix entity where you will store and look up the user account. If you are using the [Administration module](https://marketplace.mendix.com/link/component/23513), this would be `Administration.Account`. -* **The attribute where the user principal is stored** – unique identifier associated with an authenticated user. +* **The attribute where the user principal is stored** – a unique identifier associated with an authenticated user. * **Allow the module to create users** – this enables the module to create users based on configurations of JIT user provisioning and attribute mapping. When disabled, it will still update existing users. However, for new users, it will display an exception message in the log. * By default, the value is set to ***Yes***. -* **User role** (optional) – the role which will be assigned to newly created users. This is optional and will be applied to all IdPs. You can select any user role as a default or keep the field empty. User Provisioning does not allow you to assign user roles dynamically. It can only set a default role. If you need additional user roles, use Access Token Parsing microflow to assign multiple roles. 
For more information, see the [Dynamic Assignment of Userroles (Access Token Parsing)](#access-token-parsing) section below. +* **User role** (optional) – the role which will be assigned to newly created users. This is optional and will be applied to all IdPs. You can select any user role as a default or keep the field empty. User Provisioning does not allow you to assign user roles dynamically. It can only set a default role. If you need additional user roles, use the Access Token Parsing microflow to assign multiple roles. For more information, see the [Dynamic Assignment of Userroles (Access Token Parsing)](#access-token-parsing) section below. * By default, the value is set to ***User***. * **User Type** – this allows you to configure end-users of your application as internal or external. It is created upon the creation of the user and updated each time the user logs in. * By default, the value is set to ***Internal***.
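
Review bot: In PATCH 2/6, SAML/_index.md hunk at -440, the rewritten alert says MxAdmin is deactivated when `DisableMxAdmin` is set to `False`, which contradicts both the constant's name and the table row changed to `True` in the same hunk; the oidc.md and scim.md hunks of this patch carry the same sentence. PATCH 3/6 restores `True`, so squash 2/6 and 3/6 before merging; otherwise a reader of the intermediate revision would set the flag the wrong way round and leave the account active.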
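
Review bot: In PATCH 2/6, scim.md hunk at -298, the last cell of the `DisableMxAdmin` row changes from `False` to `True` in a column whose other visible rows read as defaults ("No default Value", `User`, `Internal`). If `True` is the default, the alert should say that MxAdmin is deactivated unless the constant is overridden; if it is only the recommended value, mark it as such, because the two readings lead to opposite assumptions about whether the account is active after deployment.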
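
Review bot: In PATCH 4/6, oidc.md hunk at -604, the first added bullet says the microflow "must return a **System.User** object" and two sentences later that "this is no longer mandatory" from UserCommons 2.0.0, so the reader cannot tell whether a return value is required. State the rule by version (required below 2.0.0, optional from 2.0.0), and keep it out of the parameter list, where it now follows the `UserInfoParameter` and `User` bullets as if it were a third parameter. In the second added bullet, "as described in the [Mx Model Reflection](/appstore/modules/model-reflection/)" is missing its noun, for example "documentation".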
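
Review bot: In PATCH 5/6, SAML/_index.md hunk at -445 (the identical paragraph is added in the oidc.md and scim.md hunks), the alert now explains why the MxAdmin local-password account matters for SSO-only apps but still does not say what the reader has to do beyond setting the constant. Add whether `ASU_UserCommons_StartUp` has to be wired into the app's startup logic for the deactivation to run, whether the app must be restarted after the constant changes, and whether setting it back to `False` reactivates the user. "the platform may still create an MxAdmin user" is also vague; say under which conditions it does.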
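
Review bot: In PATCH 6/6, oidc.md hunk at -533, the replacement sentence "Fields below are available in the **UserProvisioning** tab for the User Provisioning configuration." drops the article and still reads awkwardly. "The following fields are available in the **UserProvisioning** tab:" says the same thing and introduces the list that follows.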