Users - Bloomreach Experience - Open Source CMS
18-02-2020

Users

User Configuration

Users are stored in the repository under the path /hippo:configuration/hippo:users as children of hipposys:userfolder nodes. User folders can also contain nested user folders. This is useful when the number of users gets very large, like a hundred or more: the users can then be split up into sub folders, for example by the first letter of the username.
A user in the repository is represented by a single node. The node name is the username.

Users can be managed by the CMS or synchronized with an external source like LDAP. For users that are managed from the CMS the hipposys:user node type is used. For externally managed users the hipposys:externaluser type can be used. The hipposys:securityprovider property specifies which security provider manages the user. For CMS managed users the provider is internal.

If a user is marked as a system user, the user is not allowed to log in to the CMS or the Console. A user can be made a system user by setting the property hipposys:system to true. System users are also protected and hidden from the CMS setup management UI.

To disable a user, the property hipposys:active can be set to false. A disabled user cannot log in to the repository. The hipposys:password property contains the password of the user. The password can be stored in plain text, which is discouraged, or as a salted hash prefixed with the name of the hash algorithm between two dollar signs. By default the CMS uses SHA-256, for example: $SHA-256$dGeytXwnqAU=$NqCe6sJcM4qAwV8166GdueUVA/TSyidpAI3Evn+y/hc=.

Node type definitions

hipposys:user

[hipposys:user] > nt:base
- hipposys:securityprovider (string) = 'internal' mandatory autocreated
- hipposys:active (boolean) = true mandatory autocreated
- hipposys:system (boolean)
- hipposys:password (string)
- hipposys:passkey (string)
- hipposys:lastlogin (date)
- hipposys:firstname (string)
- hipposys:lastname (string)
- hipposys:email (string)
- hipposys:previouspasswords (string) multiple
- hipposys:passwordlastmodified (date)
- hipposys:userroles (string) multiple

Name | Type | Required | Description
node name | String | yes | The username
hipposys:securityprovider | String | yes | Default 'internal'. Mandatory property indicating which security provider to use.
hipposys:active | Boolean | yes | Can be used to (temporarily) disable the user. A user MUST have hipposys:active set to true to be able to log in.
hipposys:system | Boolean | no | Can be used to indicate that the user is a system user.
hipposys:password | String | no | The password, stored in plain text or as a hash of the form $<hash algorithm>$<salt>$<hash>; see the details below the table.
hipposys:passkey | String | no | In general not present, but if it is present with the value jvm://, the user can be accessed as a JVM enabled user. Typically HST site users are JVM enabled.
hipposys:firstname | String | no | The user's first name
hipposys:lastname | String | no | The user's last name
hipposys:email | String | no | The user's email address
hipposys:userroles | String | no | The set of userroles assigned to the user

The hipposys:password can be stored in plain text or with a hash. A hash has the following form:

$<hash algorithm>$<salt>$<hash>

For example, the password "admin" could result in the following hash:

$SHA-256$HIlytXwnqSU=$NqCi2sJoM4qAwQ8136GYueUVA/TSyidpAI3Evn+y/hc=

The hashing algorithm can be any algorithm supported by MessageDigest, like MD5, SHA-1 and SHA-256. The password utility class PasswordHelper can be used to generate hashes with the static method PasswordHelper.getHash(String password).
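An added audit helper, not part of the Bloomreach documentation or product: it parses hipposys:password values in the $<hash algorithm>$<salt>$<hash> form above, reports users that can still log in with a plain-text, malformed or weakly hashed (MD5, SHA-1) password, and skips disabled and system users. The sample user nodes are constructed; because the page does not describe how PasswordHelper combines salt and password, the script checks only the stored format and digest length, not password correctness.

```python
import base64
import binascii
import hashlib
import re
# Plain text (discouraged) or $<hash algorithm>$<salt>$<hash> with base64 salt and hash.
HASH_RE = re.compile(r"^\$([A-Za-z0-9-]+)\$([A-Za-z0-9+/]+=*)\$([A-Za-z0-9+/]+=*)$")
WEAK_ALGORITHMS = {"MD5", "SHA-1"}  # accepted by MessageDigest, but not fit for passwords


def parse_password(value):
    """Return (algorithm, salt, digest) for a hashed value; None for plain text or a malformed hash."""
    m = HASH_RE.match(value or "")
    if not m:
        return None
    try:
        return m[1], base64.b64decode(m[2], validate=True), base64.b64decode(m[3], validate=True)
    except binascii.Error:
        return None  # $...$ shape, but salt or hash is not valid base64


def expected_digest_size(algorithm):
    """Digest length in bytes for a MessageDigest-style name such as SHA-256, or None if unknown."""
    try:
        return hashlib.new(algorithm.lower().replace("-", "")).digest_size
    except ValueError:
        return None


def audit_users(users):
    """Return (username, finding) pairs for credential problems on users that can log in.
    hipposys:active defaults to true; disabled and system users are skipped as they cannot log in."""
    findings = []
    for name, props in users.items():
        if props.get("hipposys:active", "true") != "true" or props.get("hipposys:system") == "true":
            continue
        parsed = parse_password(props.get("hipposys:password"))
        if parsed is None:
            findings.append((name, "password missing, stored in plain text, or malformed hash"))
            continue
        algorithm, salt, digest = parsed
        if algorithm.upper() in WEAK_ALGORITHMS:
            findings.append((name, "weak hash algorithm " + algorithm))
        elif expected_digest_size(algorithm) != len(digest):
            findings.append((name, "digest length does not match algorithm " + algorithm))
    return findings


# Constructed sample user nodes in the shape of the export on this page (not real credentials).
SAMPLE_USERS = {
    "admin": {"hipposys:password": "secret", "hipposys:active": "true"},
    "myuser": {"hipposys:password": "$SHA-256$HIlytXwnqSU=$NqCi2sJoM4qAwQ8136GYueUVA/TSyidpAI3Evn+y/hc="},
    "olduser": {"hipposys:password": "$MD5$HIlytXwnqSU=$AAAAAAAAAAAAAAAAAAAAAA=="},
    "workflowuser": {"hipposys:system": "true"},
}
```

Running audit_users(SAMPLE_USERS) reports admin (plain text) and olduser (MD5), while myuser passes and workflowuser is skipped as a system user.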

hipposys:externaluser

[hipposys:externaluser] > hipposys:user
- hipposys:lastsync (date)
- * (string)

hipposys:userfolder

[hipposys:userfolder] > nt:base
+ * (hipposys:user) = hipposys:user
+ * (hipposys:userfolder) = hipposys:userfolder

Example user configuration

/hippo:configuration:
  /hippo:users:
    /admin:
      jcr:primaryType: hipposys:user
      hipposys:securityprovider: internal
      hipposys:password: secret
      hipposys:active: true
    /myuser:
      jcr:primaryType: hipposys:user
      hipposys:securityprovider: internal
      hipposys:password: secret
      hipposys:active: true
      hipposys:firstname: John
      hipposys:lastname: Doe
      hipposys:email: [email protected] 

Default provided users

name | userroles | system | jvm enabled | description
admin | xm.default-user.system-admin, xm.repository-browser.user | no | no | the default administrator, has all privileges, NOT a member of the admin group
author | | no | no | example author user, only provided in development mode, member of the author group
editor | | no | no | example editor user, only provided in development mode, member of the editor group
workflowuser | xm.repository.admin | yes | no | used internally by the CMS workflow
liveuser | xm.live-documents.reader | yes | yes | used internally by the delivery tier to read live document variants
previewuser | xm.preview-documents.reader | yes | yes | used internally by the delivery tier to read preview document variants
sitewriter | xm.form.writer | yes | yes | used internally by the delivery tier to write to /formdata nodes, or to invoke workflow on documents if given more authorization
configuser | xm.repository.reader | yes | yes | used internally by the delivery tier to read, amongst others, the HST configuration node
frontend-system-user | xm.frontend-config.reader | yes | yes | used internally by the CMS and Console to read the default (minimal) frontend configuration for not-yet-logged-in users
hippo-relevance | xm.default-user.webmaster | yes | yes | used internally by the relevance feature
ping-user | | yes | yes | used internally by the Repository ping service (servlet)