Map Users to the Organization
Once you have set up an OpenID Connect (OIDC) Identity Provider, map the users stored in the Identity Provider to the OIDC Organization. For mapping, GoodData uses the sub claim.
Access-control lists (ACLs) that prevent users from viewing and editing all entities in the Organization are currently not available and will be delivered in future releases.
Map a User in the Identity Provider to the Organization
To map a user, submit a POST request to /api/v1/entities/users.
Provide the value of the sub claim in the authenticationId attribute in the API request body:
If you use the internal OIDC identity provider, use the value of the authenticationId property as the value of the sub claim. The authenticationId property of a user is returned when you create the user in the internal OIDC identity provider.
If you use an external OIDC Identity Provider, use the value of the user sub claim supplied to you by that identity provider.
You will have to provide the $BOOTSTRAP_API_TOKEN in the request header.
curl --request POST \
  --header "Authorization: Bearer $BOOTSTRAP_API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
    "data": {
      "id": "john.doe",
      "type": "user",
      "attributes": {
        "authenticationId": "<user-sub-claim>"
      },
      "relationships": {
        "userGroups": {
          "data": [ {
            "id": "adminGroup",
            "type": "userGroup"
          } ]
        }
      }
    }
  }' https://analytics.alpha.example.com/api/v1/entities/users
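For the external-provider case, the following added example (not GoodData's code) reads the sub claim out of an ID token issued by your identity provider and builds the same request body as the curl command above. The function names, the issuer URL and the sample sub value are assumptions made for illustration, and the token is constructed inline.

```python
import base64
import json


def sub_from_id_token(id_token):
    """Return the sub claim from an ID token's payload.

    Decodes only; the signature is NOT verified. Use it on a token you
    obtained from your own identity provider, never as an authentication check.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    sub = claims.get("sub") if isinstance(claims, dict) else None
    # OIDC Core: sub is a case-sensitive string of at most 255 ASCII characters.
    if not isinstance(sub, str) or not sub or len(sub) > 255 or not sub.isascii():
        raise ValueError("ID token carries no usable sub claim")
    return sub


def user_mapping_body(user_id, sub, user_groups):
    """Build the request body for POST /api/v1/entities/users."""
    return {"data": {
        "id": user_id,
        "type": "user",
        "attributes": {"authenticationId": sub},  # copy sub verbatim, case included
        "relationships": {"userGroups": {
            "data": [{"id": g, "type": "userGroup"} for g in user_groups]}},
    }}


def constructed_id_token(claims):
    """Constructed sample token with a placeholder signature, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    token = constructed_id_token(
        {"iss": "https://idp.example.com", "sub": "00u1abcd2EFGH3ijk4x5"})
    body = user_mapping_body("john.doe", sub_from_id_token(token), ["adminGroup"])
    print(json.dumps(body, indent=2))
```

The printed JSON can be passed as the --data value of the curl command above.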
Once you have mapped the users to the Organization, create workspaces and set up their hierarchy.
For further details on users and user groups, see the section User and UserGroups management.