Users

Identity Cloud stores and provides a variety of information on your users.

Under User management > Users, you have the following options to manage your users and their attributes:

View users

Under User management > Users you see a list of your users and their basic attributes:

  • Name: The first and the last name of the user.
  • Email: The email of the user.
  • Recent activity: The timestamp of the last successful or failed login.
  • Status: The status of the user. For more information, see User states.

The listed users are ordered by their email. Each page displays a maximum of 20 users. With the arrow buttons on the bottom left you can go to the Next page, Previous page, First Page and Last page.

Search for users

Under User management > Users in the top right corner, you can search for users.

You can search based on the user attributes.

The search is case-insensitive. The search also finds users by partial matches on user attribute values, as long as the attribute value starts with the search input. Enter at least two characters for the search to start.

You can reset the search with the x on the right side of the search bar.

View user details

The details of a user include personal information, authentication methods, and roles.

In the user list click a user or click View more in the more options menu ︙ to view the details of a user.

Personal data

On the Personal data tab, you can view all user attributes.

You can request custom user attributes. For more information, see Custom user attributes.

Authentication methods

On the Authentication methods tab, you can view the authentication methods of a user. Read more about the authentication methods supported in Identity Cloud.

note

All registered authentication factors of a user are displayed, regardless of whether the authentication method is enabled.

Roles

On the Roles tab, you can view the roles of a user. For more information, see Manage roles of a user.

Create users

You can create users from the Identity Cloud management console.

You need to provide a valid email address. The email address is used as username for the login. The email address needs to be unique within Identity Cloud.

Upon creation an email with an invitation link is sent to the user. You can select the Language of the User invitation email. Your Language selection also determines the initial language of the signup flow for the user.

If you select the checkbox Do not send an invitation, the user is created without an invitation being sent. You can invite the user later. For more information, see Invite users.

note

The initial user state is Pending invitation or Not invited if no invitation is sent. The user state changes to Active once the signup is completed.

The Recent activity field is populated once the user logs in for the first time.

note

You need to have the user's permission to process their data. Additionally, in many countries, a legal basis for processing user data may be required.

To create a user:

  1. Go to User management > Users.
  2. On the top right click Create user.
  3. Provide a valid email address and select the language. Optionally, select the checkbox Do not send an invitation.
  4. Click Create user.

Invite users

You can invite users with incomplete signup from the Identity Cloud management console.

Upon invitation a User invitation email with a link is sent to the user. The link is valid for 7 days and can be used once.

  • You can send an invitation to users who are Not invited.
  • You can send an invitation to users with a Pending invitation. An invitation with a new link is sent and replaces the existing link.
  • You can send an invitation to users with an Expired invitation. An invitation with a new link is sent and replaces the expired link.

The invitation link leads to a page where the user can set a password and complete the signup.

To invite a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click Send invitation in the more options menu ︙ of the user.
  4. In the dialog confirm that you want to send an invitation email to the user.
  5. Click Send.

Edit users

Personal data

You can edit the attributes of a user.

note

The email address of the user is used as the username for login and for automatic account linking. If you change the email, then the user can only log in with the new email address.

note

The phone is used as a second factor in multi-factor authentication. If you change the phone number and SMS is enabled as an authentication method, then the user can only log in with the new phone number.

To edit a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click View more in the more options menu ︙ of the user.
  4. On the Personal data tab adapt any user attribute.
  5. Click Save.

Authentication methods

On the Authentication methods tab, you can manage the authentication methods of a user. Read more about the authentication methods supported in Identity Cloud.

You can remove the authentication factors of a user. You are prevented from removing all second factors of a user. If you delete an authentication factor for a user, then the user can no longer use this authentication factor to log in.

note

In case of multi-factor authentication a user can register new second factors during login, if the user has currently no second factors or only recovery codes.

If you delete one of the social login authentication factors, the link to the social login provider stored for that user is removed. The link to a social login provider is recreated the next time the user logs in with that social login provider.

info

If you delete the social login authentication method Apple, then the user still has the link in their Apple account.

If the user wants to sign in using Apple login again, they have to stop using their Apple ID with the application first. For quick instructions, see the Apple documentation.

After that, they can use Apple login again.

To delete an authentication factor for a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click View more in the more options menu ︙ of the user.
  4. On the Authentication methods tab select an authentication method.
  5. Click Delete.
  6. In the dialog confirm that you want to delete the authentication factor for the user.
  7. Click Delete.

To revoke recovery codes for a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click View more in the more options menu ︙ of the user.
  4. Switch to the Authentication methods tab.
  5. Click Revoke.
  6. In the dialog confirm that you want to revoke the recovery codes for the user.
  7. Click Revoke codes.

Roles

On the Roles tab, you can manage the roles of a user. For more information, see Manage roles of a user.

Block users

You can block active users from logging in to your applications. If you block a user the user state changes to Blocked. Users who are blocked cannot log in or execute the Refresh Token flow. User sessions are not terminated, neither in Identity Cloud, nor in applications. Access tokens can still be used as long as they are not expired. Thus, we recommend setting a short lifetime for access tokens.

Blocking a user is a reversible action.

info

The user does not get an email notification about the blocking.

A blocked user sees the following screen on login:

User Blocked screen

To block a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click Block in the more options menu ︙ of the user.

Unblock users

You can unblock blocked users. If you unblock a user the user state changes to Active. Active users can log in to your applications.

info

The user does not get an email notification about the unblocking.

To unblock a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click Unblock in the more options menu ︙ of the user.

Reset passwords

You can trigger password resets for your active and blocked users from the Identity Cloud management console.

Upon password reset the user receives an email with a password reset link. The link is valid for 7 days and can be used once. The email is sent in the preferred language of the user. The password reset link leads to a page where the user can set a new password and complete the password reset.

note

The current password of the user remains valid for login until the user has set a new password using the password reset link.

note

You can trigger a password reset again if the password reset link expires for a user.

In any case, triggering a password reset generates a new password reset link and invalidates any existing password reset links for the user.

You can check the default content of the password reset email in Email templates.

To trigger a password reset for a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click Reset password in the more options menu ︙ of the user.
  4. In the dialog confirm that you want to trigger a password reset for the user.
  5. Click Send link.

Import users

Identity Cloud offers the possibility of importing users that exist in other systems.

You can use the Request import action in the Users screen to initiate the user import request.

When you click the Request import action, a dialog is shown with instructions for the user import process.

Click Open form to proceed and fill out the form by providing the required inputs. We will get back to you for further inquiries or once the users have been imported to your Identity Cloud instance.

At the end of the user import process, you can test the result by searching for your imported users.

Delete users

You can delete a user from the user list or in the user details. Once confirmed, this operation cannot be undone.

info

If you delete a user, all authentication methods will be deleted too. In addition, all roles assigned to the user will be removed.

note

The email address can be reused after deletion. The user can sign up with the same email address, or you can create a user with the same email address.

To delete a user:

  1. Go to User management > Users.
  2. Select a user.
  3. Click Delete in the more options menu ︙ of the user.
  4. In the dialog confirm that you want to delete the user.
  5. Click Delete.

User attributes

A user has the following attributes:

  • First name: The first name of the user. The maximum length of the First name is 50 characters. The attribute is optional.
  • Last name: The last name of the user. The maximum length of the Last name is 100 characters. The attribute is optional.
  • Email: The email of the user. The email is used as username for login and is hence a required user attribute.
  • Phone: The mobile phone number of the user is optional, and has to be in E.164 format: [+][country code][subscriber number including area code].
  • State: The state of a user. Possible values are Not invited, Pending invitation, Expired invitation, Active, or Blocked. For more information, see User states.
  • User created: The creation date of the user. This is a read-only attribute and cannot be modified.
  • Signup completed: The signup completion date of the user. This is a read-only attribute and cannot be modified.
  • User ID: The unique identifier of the user. This is a read-only attribute and cannot be modified.
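
The attribute rules above can be checked before records are handed over for an import or created one by one. The following is an added example, not code from Identity Cloud; the dictionary keys (`first_name`, `last_name`, `email`, `phone`, `state`) are hypothetical, the 15-digit limit comes from the E.164 recommendation rather than this page, and treating emails as case-insensitive for the uniqueness check is an assumption.

```python
import re

# E.164: "+" followed by country code and subscriber number. The 15-digit cap
# and the non-zero first digit come from the E.164 recommendation itself.
E164 = re.compile(r"\+[1-9]\d{1,14}")
STATES = {"Not invited", "Pending invitation", "Expired invitation", "Active", "Blocked"}
MAX_LEN = {"first_name": 50, "last_name": 100}  # limits stated on this page


def check_user(record):
    """Return a list of problems for one user record (dict of strings)."""
    problems = []
    email = (record.get("email") or "").strip()
    # Deliberately loose shape check: one "@", non-empty local part, dotted domain.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("email: required and must look like an address")
    for field, limit in MAX_LEN.items():
        if len(record.get(field) or "") > limit:
            problems.append(f"{field}: longer than {limit} characters")
    phone = record.get("phone")
    if phone and not E164.fullmatch(phone):
        problems.append("phone: not in E.164 format")
    state = record.get("state")
    if state is not None and state not in STATES:
        problems.append(f"state: unknown value {state!r}")
    return problems


def check_batch(records):
    """Map row index -> problems, including email addresses used twice."""
    report, seen = {}, {}
    for i, rec in enumerate(records):
        problems = check_user(rec)
        key = (rec.get("email") or "").strip().lower()  # assumption: case-insensitive
        if key and key in seen:
            problems.append(f"email: duplicate of row {seen[key]}")
        elif key:
            seen[key] = i
        if problems:
            report[i] = problems
    return report


# Constructed sample rows, not real users.
SAMPLE = [
    {"email": "ada@example.com", "first_name": "Ada", "phone": "+41791234567"},
    {"email": "Ada@Example.com", "phone": "0791234567"},
    {"email": "", "last_name": "x" * 101, "state": "Suspended"},
]
```
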

User states

A user can have the following pending states before completing the signup:

  • Not invited: The user has no invitation.
  • Pending invitation: The user has a pending invitation.
  • Expired invitation: The user has an expired invitation.

A user can have the following states once having completed the signup:

  • Active: The user is active.
  • Blocked: The user is blocked.

Custom user attributes

Identity Cloud supports a variety of out-of-the-box user attributes.

  • You can administer basic user attributes on the Personal data tab of a user on the Identity Cloud management console.
  • You can administer user attributes with the Identity Cloud API, see Create user, Get user, or Update user.

You can extend user attributes with your own custom user attributes if you need user attributes specific to your business that are not covered by the out-of-the-box user attributes.

Custom user attributes are added to your Identity Cloud instance upon request. Once added, you can administer your custom user attributes on the Identity Cloud management console as well as with the API.

Request custom user attributes

You can request to add one or more custom user attributes in two different ways:

  • Under Settings > Global settings click Request custom attribute.
  • Under User management > Users > Personal data click Request custom attribute.

When you click Request custom attribute, a dialog is shown with instructions for requesting custom user attributes.

Click Open form to proceed and fill out the form by providing the required parameters. We will get back to you once the custom user attributes have been added to your Identity Cloud instance.

Custom user attribute parameters

Each custom user attribute supports the following parameters:

| Parameter | Type | Required / Optional | Description |
|---|---|---|---|
| name | string | Required | The name of the custom user attribute in the API. See properties in Create user, Get user, or Update user. The name has to be unique, and can contain alphanumeric characters and underscore only. The maximum length of the name is 30 characters. |
| label | string | Required | The label of the custom user attribute. The label is displayed above the input field of the custom user attribute on the Personal data tab of the user on the management console. The maximum length of the label is 120 characters. |
| maximum length | integer | Optional | The maximum length of the custom user attribute value. The value must be in the range [1,1000]. Default: 1000 |
| regular expression | string | Optional | The regular expression which is used to validate the custom user attribute value. Default: no regular expression is applied for validation |
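
A custom attribute request can be checked against these parameters before the form is submitted, and candidate values can be tested against the planned expression. The following is an added example, not code from Identity Cloud; the dictionary keys `maximum_length` and `regular_expression` are hypothetical, "alphanumeric" is read as ASCII letters and digits, and whole-value matching is an assumption because the page does not say how the expression is anchored.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")  # alphanumeric and underscore, max 30


def check_definition(defn, existing_names=()):
    """Validate a custom attribute request against the parameter table."""
    errors = []
    name, label = defn.get("name", ""), defn.get("label", "")
    if not NAME_RE.fullmatch(name):
        errors.append("name: 1-30 characters from A-Z, a-z, 0-9 and underscore")
    elif name in existing_names:
        errors.append("name: already in use")
    if not 1 <= len(label) <= 120:
        errors.append("label: required, at most 120 characters")
    max_len = defn.get("maximum_length", 1000)  # default from the table
    if isinstance(max_len, bool) or not isinstance(max_len, int) or not 1 <= max_len <= 1000:
        errors.append("maximum length: integer in the range [1,1000]")
    pattern = defn.get("regular_expression")
    if pattern is not None:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append(f"regular expression: does not compile ({exc})")
    return errors


def check_value(defn, value):
    """Check one attribute value against an already validated definition."""
    if len(value) > defn.get("maximum_length", 1000):
        return False
    pattern = defn.get("regular_expression")
    # Assumption: the whole value must match; the page does not say whether
    # the service anchors the expression.
    return pattern is None or re.fullmatch(pattern, value) is not None


# Constructed sample definitions.
EMPLOYEE_ID = {"name": "employee_id", "label": "Employee ID",
               "maximum_length": 8, "regular_expression": r"E\d{6}"}
BAD = {"name": "cost-center", "label": "", "maximum_length": 5000,
       "regular_expression": "([A-Z]+"}
```

Writing the expression so that it describes the entire value keeps the result the same whether or not the service anchors it.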