Map Users to the Organization
Once you have set up an OpenID Connect (OIDC) Identity Provider, map the users stored in the Identity Provider to the OIDC Organization. For mapping, GoodData.CN uses the sub claim.
If you use Dex, a built-in OIDC Identity Provider, use the value of the authenticationId property as the value of the sub claim. The authenticationId property of a user is returned when you create the user in Dex.
If you use an external OIDC Identity Provider, use the value of the id_user token as the value of the sub claim. For information about how to get the id_user token of a user, see your Identity Provider’s user documentation.
Access-control lists (ACLs) that prevent users from viewing and editing all entities in the Organization are currently not available and will be delivered in future releases.
When mapping and managing users, you will have to provide the $GDC_API_TOKEN.
Map a User in the Identity Provider to the Organization
To map a user, submit a POST request to /api/users.
Provide the value of the sub claim in the authenticationId section of the API request body.
curl --request POST \
  --header "Authorization: Bearer $GDC_API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
    "data": {
      "id": "john.doe",
      "type": "user",
      "attributes": {
        "authenticationId": "<user-sub-claim>"
      },
      "relationships": {
        "userGroup": {
          "data": {
            "id": "adminGroup",
            "type": "userGroup"
          }
        }
      }
    }
  }' https://analytics.alpha.example.com/api/entities/users
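The request above needs the user's sub value. As an added example (not GoodData code), the following Python reads sub from an OIDC ID token and builds the same request body with proper JSON escaping. It assumes your Identity Provider issues a standard JWT ID token; the function names and the sample token are constructed for illustration.

```python
import base64
import json


def sub_from_id_token(id_token: str) -> str:
    """Return the sub claim of a compact JWT ID token (signature not verified;
    the token is only read to copy an identifier while provisioning)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    # JWT segments are unpadded base64url; restore padding before decoding.
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    # Bad base64, bad UTF-8 and bad JSON all raise ValueError subclasses.
    claims = json.loads(base64.urlsafe_b64decode(payload))
    sub = claims.get("sub") if isinstance(claims, dict) else None
    # OIDC Core limits sub to at most 255 ASCII characters.
    if not isinstance(sub, str) or not sub or len(sub) > 255 or not sub.isascii():
        raise ValueError("missing or malformed sub claim")
    return sub


def user_mapping_body(user_id: str, sub: str, group_id: str) -> str:
    """Serialize the request body; json.dumps escapes the values safely."""
    return json.dumps({
        "data": {
            "id": user_id,
            "type": "user",
            "attributes": {"authenticationId": sub},
            "relationships": {
                "userGroup": {"data": {"id": group_id, "type": "userGroup"}}
            },
        }
    })


def b64url(obj: dict) -> str:
    """Helper used only to construct the sample token below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token with a fake signature, so the example runs offline.
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "RS256"}),
    b64url({"iss": "https://idp.example.com", "sub": "constructed-sub-0001"}),
    "c2ln",
])

if __name__ == "__main__":
    print(user_mapping_body("john.doe", sub_from_id_token(SAMPLE_TOKEN), "adminGroup"))
```

The printed body can be piped to curl with --data @- so the sub value is never interpolated into a shell string.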
Once you have mapped the users to the Organization, create workspaces and set up their hierarchy.
Update a Mapped User
To update a mapped user (change the value of the authenticationId section or the user group that the user belongs to), submit a PUT request to /api/entities/users/{:userId}.
curl --request PUT \
  --header "Authorization: Bearer $GDC_API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
    "data": {
      "id": "john.doe",
      "type": "user",
      "attributes": {
        "authenticationId": "<user-sub-claim>"
      },
      "relationships": {
        "userGroup": {
          "data": {
            "id": "adminGroup",
            "type": "userGroup"
          }
        }
      }
    }
  }' https://analytics.alpha.example.com/api/entities/users/john.doe
You cannot update a user’s id property. It is automatically generated when the user is being mapped and is immutable.
Delete a Mapped User
To delete a user, submit a DELETE request to /api/entities/users/{:userId}.
curl --request DELETE \
  --header "Authorization: Bearer $GDC_API_TOKEN" \
  https://analytics.alpha.example.com/api/entities/users/john.doe