Map Users to the Organization
Once you have set up an OpenID Connect (OIDC) Identity Provider, map the users stored in the Identity Provider to the OIDC Organization. For mapping, GoodData.CN uses the sub claim.
If you use the internal OIDC identity provider, use the value of the authenticationId property as the value of the sub claim. The authenticationId property of a user is returned when you create the user in the internal OIDC identity provider.
If you use an external OIDC Identity Provider, use the value of the id_user token as the value of the sub claim. For information about how to get the id_user token of a user, see your Identity Provider’s user documentation.
Access-control lists (ACLs) that prevent users from viewing and editing all entities in the Organization are currently not available and will be delivered in future releases.
When mapping and managing users, you will have to provide the $GDC_API_TOKEN.
Map a User in the Identity Provider to the Organization
To map a user, submit a POST request to /api/entities/users.
Provide the value of the sub claim in the authenticationId section of the API request body.
curl --request POST \
  --header "Authorization: Bearer $GDC_API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
    "data": {
      "id": "john.doe",
      "type": "user",
      "attributes": {
        "authenticationId": "<user-sub-claim>"
      },
      "relationships": {
        "userGroups": {
          "data": [ {
            "id": "adminGroup",
            "type": "userGroup"
          } ]
        }
      }
    }
  }' https://analytics.alpha.example.com/api/entities/users
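The following is an added example, not part of the GoodData.CN documentation: it reads the sub claim out of a JWT-formatted ID token and builds the request body for /api/entities/users with that value as authenticationId. It assumes you already hold an ID token that your Identity Provider issued for the user; the function names and the sample token are constructed for illustration.

```python
import base64
import json


def sub_from_id_token(id_token: str) -> str:
    """Return the sub claim from a JWT-formatted OIDC ID token.

    The signature is NOT verified here: only use this on a token you
    received directly from your Identity Provider over TLS.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload_b64 = parts[1]
    # base64url drops '=' padding; restore it before decoding.
    payload_b64 += "=" * (-len(payload_b64) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("ID token has no usable sub claim")
    return sub


def user_mapping_body(user_id: str, sub: str, group_ids: list) -> str:
    """Build the JSON body for POST /api/entities/users."""
    body = {
        "data": {
            "id": user_id,
            "type": "user",
            "attributes": {"authenticationId": sub},
            "relationships": {
                "userGroups": {
                    "data": [{"id": g, "type": "userGroup"} for g in group_ids]
                }
            },
        }
    }
    return json.dumps(body, indent=2)


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    token = constructed_token({"sub": "constructed-sub-0001", "email": "john.doe@example.com"})
    print(user_mapping_body("john.doe", sub_from_id_token(token), ["adminGroup"]))
```

The printed body can be passed to the curl command above with --data. Mapping on sub rather than on an e-mail or display name matters because sub is the identifier the Identity Provider guarantees to be stable for the user.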
Once you have mapped the users to the Organization, create workspaces and set up their hierarchy.
For further details on users and user groups, see the section User and UserGroups management.