Commit 35c648f

Merge pull request #9394 from mendix/kv-UserCommons-MxAdmin
UserCommons: deactivate MxAdmin update
2 parents e83aef5 + 3bc45a6 commit 35c648f

3 files changed

+30
-15
lines changed

content/en/docs/appstore/use-content/platform-supported-content/modules/SAML/_index.md

Lines changed: 7 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -440,8 +440,13 @@ You can set up custom user provisioning by setting the following constants. You
440440
| IdPAttribute | the IdP claim which is the unique identifier of an authenticated user | *Default* | `NameId` |
441441
| AllowcreateUsers | allows to create users in the application | *Optional* | `True` |
442442
| Userrole | the role which will be assigned to newly created users | *Optional* | `User` |
443-
| UserType | assigns user type to the created user | *0ptional* | `Internal` |
444-
| CustomUserProvisioning | a custom microflow to use for user provisioning | *0ptional* – in the form `modulename.microflowname` – the microflow name must begin with the string `CustomUserProvisioning` | `Mymodule.CustomUserProvisioningEntra` |
443+
| UserType | assigns user type to the created user | *Optional* | `Internal` |
444+
| CustomUserProvisioning | a custom microflow to use for user provisioning | *Optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `CustomUserProvisioning` | `Mymodule.CustomUserProvisioningEntra` |
445+
| DisableMxAdmin | deactivates Mx admin | *Optional* | `True` |
446+
447+
{{% alert color="info" %}}
448+
You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`.
449+
{{% /alert %}}
445450
446451
### Custom User Provisioning at Runtime{#custom-provisioning-rt}
447452
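Review bot: The new `DisableMxAdmin` row at 445+ gives `True` only as an example, and neither the row nor the alert at 448+ states the default, so a reader who needs SSO-only login cannot tell whether the MxAdmin account with a local password stays active when the constant is left unset. State the default in the Notes column and say in the alert what happens when the constant is not `True`. On wording, "deactivates Mx admin" should name the user the way the alert does, for example "deactivates the MxAdmin user at startup", and the constant names in this table are still unformatted while the oidc.md table in this same commit puts them in backticks.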

content/en/docs/appstore/use-content/platform-supported-content/modules/oidc.md

Lines changed: 18 additions & 13 deletions
@@ -513,13 +513,18 @@ You can set up custom user provisioning by setting the following constants. You
513513

514514
| Constant | Use | Notes | Example |
515515
| --- | --- | --- | --- |
516-
| CustomUserEntity | a custom user entity | in the form `modulename.entityname` – a specialization of `System.User` | `Administration.Account` |
517-
| PrincipalEntityAttribute | the attribute holding the unique identifier of an authenticated user | | `Name` |
518-
| PrincipalIdPAttribute | the IdP claim which is the unique identifier of an authenticated user | | `sub` |
519-
| AllowcreateUsers | allows to create users in the application | *optional* | `True` |
520-
| Userrole | the role that will be assigned to newly created users | *optional* - Default Userrole is assigned only at user creation <br> - User updates do not change the default role <br> - No bulk update for existing users when the default userrole changes | `User` |
521-
| UserType | assigns user type to the created user | *optional* | `Internal` |
522-
| CustomUserProvisioning | a custom microflow to use for user provisioning | *optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `UC_CustomProvisioning` | `Mymodule.UC_CustomProvisioning` |
516+
| `CustomUserEntity` | a custom user entity | in the form `modulename.entityname` – a specialization of `System.User` | `Administration.Account` |
517+
| `PrincipalEntityAttribute` | the attribute holding the unique identifier of an authenticated user | | `Name` |
518+
| `PrincipalIdPAttribute` | the IdP claim which is the unique identifier of an authenticated user | | `sub` |
519+
| `AllowcreateUsers` | allows to create users in the application | *optional* | `True` |
520+
| `Userrole` | the role that will be assigned to newly created users | *optional* - Default Userrole is assigned only at user creation <br> - User updates do not change the default role <br> - No bulk update for existing users when the default userrole changes | `User` |
521+
| `UserType` | assigns user type to the created user | *optional* | `Internal` |
522+
| `CustomUserProvisioning` | a custom microflow to use for user provisioning | *optional* – in the form `modulename.microflowname` – the microflow name must begin with the string `UC_CustomProvisioning` | `Mymodule.UC_CustomProvisioning` |
523+
| `DisableMxAdmin` | deactivates Mx admin | *optional* | `True` |
524+
525+
{{% alert color="info" %}}
526+
You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`.
527+
{{% /alert %}}
523528

524529
#### Runtime Configuration of End-user Onboarding{#custom-provisioning-rt}
525530
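Review bot: The alert at 526+ is word for word the paragraph this commit also adds to SAML/_index.md and scim.md, so the UserCommons version number and the microflow name now have to be kept in step in three files. Consider keeping the text in one place and linking to it from the three module pages. The alert also says the deactivation happens "via the startup microflow `ASU_UserCommons_StartUp`" without telling the reader whether they have to configure that microflow to run at startup; add that step, or state that no action is needed, because the deactivation depends on that microflow running.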

@@ -528,16 +533,16 @@ By default, users are provisioned by [Default User Provisioning Configuration](#
528533
You can set up just-in-time user provisioning as follows:
529534

530535
1. Sign in to the running app with an administrator account.
531-
2. Navigate to the `OIDC.OIDC_Client_Overview` page which is set up in the app navigation.
536+
2. Navigate to the `OIDC.OIDC_Client_Overview` page, which is set up in the app navigation.
532537
3. In the **IdPs for SSO and API security** tab, click **New** and access the **UserProvisioning** tab.
533538

534-
Below fields are available in the **UserProvisioning** tab for the User Provisioning configuration.
539+
Fields below are available in the **UserProvisioning** tab for the User Provisioning configuration.
535540

536541
* **Custom user Entity (extension of System.User)** – the Mendix entity where you will store and look up the user account. If you are using the [Administration module](https://marketplace.mendix.com/link/component/23513), this would be `Administration.Account`.
537-
* **The attribute where the user principal is stored** – unique identifier associated with an authenticated user.
542+
* **The attribute where the user principal is stored**a unique identifier associated with an authenticated user.
538543
* **Allow the module to create users** – this enables the module to create users based on configurations of JIT user provisioning and attribute mapping. When disabled, it will still update existing users. However, for new users, it will display an exception message in the log.
539544
* By default, the value is set to ***Yes***.
540-
* **User role** (optional) – the role which will be assigned to newly created users. This is optional and will be applied to all IdPs. You can select any user role as a default or keep the field empty. User Provisioning does not allow you to assign user roles dynamically. It can only set a default role. If you need additional user roles, use Access Token Parsing microflow to assign multiple roles. For more information, see the [Dynamic Assignment of Userroles (Access Token Parsing)](#access-token-parsing) section below.
545+
* **User role** (optional) – the role which will be assigned to newly created users. This is optional and will be applied to all IdPs. You can select any user role as a default or keep the field empty. User Provisioning does not allow you to assign user roles dynamically. It can only set a default role. If you need additional user roles, use the Access Token Parsing microflow to assign multiple roles. For more information, see the [Dynamic Assignment of Userroles (Access Token Parsing)](#access-token-parsing) section below.
541546
* By default, the value is set to ***User***.
542547
* **User Type** – this allows you to configure end-users of your application as internal or external. It is created upon the creation of the user and updated each time the user logs in.
543548
* By default, the value is set to ***Internal***.
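Review bot: Line 542+ lost its separator: `**The attribute where the user principal is stored**a unique identifier` runs the bold label straight into the description, where the removed line had ` – ` between them. Restore it as `stored** – a unique identifier associated with an authenticated user.` so it matches the other bullets in this list. At 539+, "Fields below are available" reads awkwardly; "The following fields are available in the **UserProvisioning** tab" is clearer.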
@@ -599,8 +604,8 @@ Select it in the **Custom UserProvisioning** field. The custom microflow name mu
599604

600605
* **UserInfoParameter(UserCommons.UserInfoParam)**: A Mendix object containing user claims information through its associated objects. You can use this parameter to retrieve user provisioning configuration information.
601606
* **User(System.User)**: A Mendix object representing the user to be provisioned. Ensure that the selected microflow matches this parameter signature.
602-
603-
The custom microflow will be executed after the user is created or updated.
607+
* The microflow must return a **System.User** object to ensure proper user provisioning and updates. It will be executed after user creation or update of user. However, starting from version 2.0.0 of the UserCommons module, this is no longer mandatory.
608+
* If you have added a new microflow, you need to refresh the module containing your microflow as described in the [Mx Model Reflection](/appstore/modules/model-reflection/).
604609

605610
### Configuring User Provisioning for Version 2.4.0 and Below
606611
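Review bot: Line 607+ contradicts itself: it says the microflow "must return a **System.User** object" and then that "this is no longer mandatory" from version 2.0.0 of UserCommons, and it is unclear whether "this" refers to the return value or to execution after create or update. State which versions require the return value and which do not, and keep the execution-order statement as its own sentence; the removed line "The custom microflow will be executed after the user is created or updated." was clearer. Both new lines are also added as bullets of the parameter list although neither describes a parameter, so they read better as paragraphs after the list. At 608+, "as described in the [Mx Model Reflection]" is missing its noun (documentation or section).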

content/en/docs/appstore/use-content/platform-supported-content/modules/scim.md

Lines changed: 5 additions & 0 deletions
@@ -298,6 +298,11 @@ The table below lists all supported constants. Mandatory constants must be set a
298298
| `Default_UserNameMapping` | sets the mapping entity attribute to the Identity provider attribute | Optional | No default Value |
299299
| `Default_UserRole` | sets the mapping entity attribute to the Identity provider attribute | Optional | `User` |
300300
| `Default_UserType` | sets the mapping entity attribute to the Identity provider attribute | Optional | `Internal` |
301+
| `DisableMxAdmin` | deactivates Mx admin | Optional | `True` |
302+
303+
{{% alert color="info" %}}
304+
You may have a requirement that users log in to your application only via SSO. However, when you deploy your app on the Mendix Cloud, the platform may still create an MxAdmin user with a local password. From version 2.1.0 of the UserCommons module, if the flag for the `DisableMxAdmin` constant is set to `True`, the MxAdmin user will be deactivated via the startup microflow `ASU_UserCommons_StartUp`.
305+
{{% /alert %}}
301306

302307
#### Configuration with Entra ID
303308
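Review bot: In this table the last column appears to hold defaults rather than examples (row 298 reads "No default Value"), so `True` at 301+ tells the reader that MxAdmin is deactivated by default, whereas the SAML and OIDC tables in this commit list `True` only under Example. Confirm which is intended and make the three pages agree, since the difference decides whether a local-password admin account is active after deployment. The alert at 304+ also cites only the UserCommons version (2.1.0); add the SCIM module version from which the constant is available so a reader of this page can tell whether it applies to them.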
