User Management APIs
To manage large teams in TIBCO Cloud, you can use APIs to manage users in bulk. You can perform tasks such as inviting new users, removing users, and getting or updating their information.
Enabling Access to Bulk User Management APIs
Bulk user management enables you to invite multiple users at a time to join your organization by using REST APIs. By default, an email is sent to each invited user. The email contains an activation link that the user can use to set up the password needed to access the account. These emails are not sent if Enterprise SSO has already been configured and enabled. To get access to the bulk user management APIs for your organization, contact the TIBCO Support team. For more information about contacting TIBCO Support, see Contacting Support.
After you have obtained access to the bulk user management APIs for your organization, an owner or any Team Administrator for the domain can run the APIs as instructed in the following paragraphs.
All the API calls are secured with an access token, so you must sign in to TIBCO Cloud and generate the Connected Intelligence Cloud access token. For more information, see OAuth Access Tokens.
Note: Use the Connected Intelligence Cloud access token in the respective regions to invite members to that region. The host names are as follows:
- us-west-2 (Oregon): account.cloud.tibco.com
- eu-west-1 (Ireland): eu.account.cloud.tibco.com
- ap-southeast-2 (Sydney): au.account.cloud.tibco.com
- westus2 (Washington): account.us.azure.cloud.tibco.com
- us-east-1 (North Virginia): us-east.account.cloud.tibco.com
API Schemas
The schemas used to invite, delete, and update users are as follows:
Invite Schema
To invite users, you must specify the tenantId of the domain that you want the users to join. For a list of tenant IDs that are available for use, see the Tenant IDs and Roles section.
You can specify one or more roles, if available, for every user as a comma-separated list. You can invite a maximum of 50 users in bulk.
{
  "tenantId": "string",
  "tenantUsersRolesInviteDetails": [{
    "firstName": "string",
    "lastName": "string",
    "company": "string",
    "state": "string",
    "country": "string",
    "phone": "string",
    "extendedUserAttributes": {
      "reportsTo": "string",
      "description": "string",
      "department": "string",
      "jobTitle": "string",
      "communicationEmail": "string"
    },
    "email": "string",
    "tenantRoleIds": [
      "string", "string"
    ],
    "teamAdmin": false
  }]
}
You can also use the invite schema to update the roles of users who already exist in the domain capability. For example, suppose a user has the existing roles of Account Admin, Author, and Contributor. If you call the invite API with a schema that has only the roles of Author and Contributor, this is treated as the removal of the Account Admin role, and the roles are updated accordingly.
Similarly, if a user is assigned the roles of an Author and a Contributor, and you call the invite API with the role of Account Admin only, the user is assigned the Account Admin role, and the Author and Contributor roles are removed. In other words, the final roles assigned to the user are the ones passed in the invite schema.
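Because the invite call replaces a user's roles rather than adding to them, it helps to review what a payload would change before sending it. The following Python sketch is an added example, not TIBCO code: it diffs the requested roles against the roles each user holds now, flags changes to privileged roles and the teamAdmin flag, and splits the payload into requests of at most 50 users. The `current_roles` input, the function names, and the choice of which role IDs count as privileged are assumptions made for this example.

```python
MAX_USERS_PER_REQUEST = 50  # per-request limit stated on the page
# Role IDs from the page's tables treated as privileged (this example's choice).
PRIVILEGED = {"ACCOUNT_ADMIN", "Administrator", "ADM", "TADM", "ADMIN", "CIADMIN"}


def plan_role_changes(payload, current_roles):
    """Describe, per user, what sending this invite payload would change.

    current_roles: assumed input, email -> role IDs held now in payload["tenantId"].
    """
    # Assumption: e-mail addresses are compared case-insensitively.
    current = {e.lower(): set(r) for e, r in current_roles.items()}
    plan = []
    for user in payload["tenantUsersRolesInviteDetails"]:
        email = user["email"].lower()
        requested = set(user.get("tenantRoleIds", []))
        existing = current.get(email, set())
        added, removed = requested - existing, existing - requested
        warnings = []
        if removed & PRIVILEGED:
            warnings.append("removes " + ",".join(sorted(removed & PRIVILEGED)))
        if added & PRIVILEGED:
            warnings.append("grants " + ",".join(sorted(added & PRIVILEGED)))
        if user.get("teamAdmin"):
            warnings.append("sets teamAdmin")
        plan.append({"email": email, "new_user": email not in current,
                     "added": sorted(added), "removed": sorted(removed),
                     "warnings": warnings})
    return plan


def split_batches(payload, size=MAX_USERS_PER_REQUEST):
    """Split one invite payload into payloads of at most `size` users."""
    users = payload["tenantUsersRolesInviteDetails"]
    return [{"tenantId": payload["tenantId"],
             "tenantUsersRolesInviteDetails": users[i:i + size]}
            for i in range(0, len(users), size)]


if __name__ == "__main__":
    # Constructed sample mirroring the Account Admin / Author / Contributor case above.
    current = {"a@example.com": ["ACCOUNT_ADMIN", "AUTHOR", "CONTRIBUTOR"]}
    payload = {"tenantId": "NIMBUS", "tenantUsersRolesInviteDetails": [
        {"email": "a@example.com", "tenantRoleIds": ["AUTHOR", "CONTRIBUTOR"]}]}
    for entry in plan_role_changes(payload, current):
        print(entry)
```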
Delete Schema
To remove users, you must specify the tenant ID of the domain from where you want to remove users. For a list of tenant IDs that are available for use, see the Tenant IDs and Roles section.
For every user, you can specify up to 50 emails as a comma-separated string.
{
  "tenantId": "string",
  "emails": [
    "string"
  ]
}
Update User Schema
The user details can be updated only by an authenticated user of the API who is also an owner of the organization. The users being updated must belong to the organization owned by the caller of this API.
To update user details, first, you must provide the email of the user. This email must be the same as in TIBCO Cloud. Then, you can specify the other details that need to be updated.
Only those fields that are passed as part of the payload are updated. The fields that are not specified in the payload are retained.
You can update a maximum of 50 users at a time.
{
  "usersDetails": [{
    "email": "string",
    "firstName": "string",
    "lastName": "string",
    "company": "string",
    "country": "string",
    "phone": "string",
    "state": "string",
    "extendedUserAttributes": {
      "reportsTo": "string",
      "department": "string",
      "jobTitle": "string",
      "description": "string",
      "communicationEmail": "string"
    }
  }]
}
Tenant IDs and Roles
The following tables list different tenant IDs and their roles:
Nimbus
Tenant ID: NIMBUS
Roles | Logical name | Description |
---|---|---|
ACCOUNT_ADMIN | Account-administrator | Creates, edits, and manages custom group memberships for the user base. Also owns, creates, edits, and governs content and comments on it. Is a part of review, authorization, and other collaboration cycles. |
AUTHOR | Author | Owns, creates, edits, and governs content. Comments on it too. Is also a part of review, authorization, and other collaboration cycles. |
CONTRIBUTOR | Contributor | Owns, views, and comments on content. Is also a part of review, authorization, and other collaboration cycles. |
Live Apps
Tenant ID: BPM
Roles | Logical name | Description |
---|---|---|
Administrator | Live Apps administrator | This is an elevated role that allows access to all functions except for team administrators. |
AllUsers | Regular user | Creates use cases in Live Apps |
ApplicationDeveloper | Developer | Develops Live Apps applications |
Integration
Tenant ID: TCI
Roles | Logical name | Description |
---|---|---|
ADM | TCI administrator | Has a complete control of all settings, including the management of all applications and team members |
USR | Regular user | Can create, modify, and delete applications owned by the user. Access to a number of security features is restricted |
RO | Read-only user | User who can only view apps or solutions |
AuditSafe
Tenant ID: TCTA
Roles | Logical name | Description |
---|---|---|
TADM | Team Administrator | Completely controls all settings, including the management of all applications, user roles, and team members |
ADM | Administrator | Moderates data and configures applications such as workflows, event validation, and detailed access rights |
USR | User | Views data, posts, and queries audit events |
API Management
Tenant ID: MASHERY
Roles | Logical name | Description |
---|---|---|
ADMIN | API Management administrator | Performs all tasks that can be done in the API Management control center |
APIMGR | API manager | Creates and manages APIs, packages, and plans |
CIADMIN | Call inspector administrator | Manages and sets up call inspector |
CIUSER | Call inspector user | Uses call inspector |
CMMGR | Community manager | Manages the community |
CTMGR | Content manager | Manages the content of the portal |
POMT | Portal manager | Manages the complete portal |
PRMGT | Program manager | Manages API programs |
REPMGT | Reports user | Views API usage reports |
SUPMGR | Support user | View-only role |
ORGUSR | Organization user | A user who can be used for DAPI |
Events
Tenant ID: TCE
Roles | Logical name | Description |
---|---|---|
ADM | Administrator | Performs management tasks, administrator tasks on the operational sandbox, and all WebStudio operations. For more information, see the Users and Roles in TIBCO Cloud Events topic. |
DEV | Developer | Develops and manages own TCE applications and WebStudio operations based on project ownership. For more information, see Users and Roles in TIBCO Cloud Events WebStudio. |
Messaging
Tenant ID: TCM
No roles needed
Spotfire
Tenant ID: SPOTFIRE
Roles | Logical name | Description |
---|---|---|
CLOUD_ANALYST | Analyst | Prepares dashboards and applications that can be used by self and other users |
CLOUD_BUSINESS_AUTHOR | Business Author | Visualizes and analyzes data to uncover information to be used by self |
CLOUD_CONSUMER | Consumer | Uses dashboards and applications to make data-informed decisions |
For more information about Roles in TIBCO Cloud Spotfire, see Roles in TIBCO Cloud Spotfire.
Using cURL
You can use cURL to perform the following tasks:
Note: When using cURL, the API domains for different regions are as follows:
- us-west-2 (Oregon): account.cloud.tibco.com
- eu-west-1 (Ireland): eu.account.cloud.tibco.com
- ap-southeast-2 (Sydney): au.account.cloud.tibco.com
- westus2 (Washington): account.us.azure.cloud.tibco.com
- us-east-1 (North Virginia): us-east.account.cloud.tibco.com
Inviting Members
After you have the access token, you must pass it in the “Authorization” header as a Bearer token when invoking the Invite Users API.
You can use this API to invite users (maximum 50 users per request) and update the roles of the existing members of the domain. After you invite a new or existing user to a domain, an email is sent from TIBCO to the user's email address with instructions on How to Sign in. Such emails are not sent if Enterprise SSO is already configured and enabled. Users always receive an email whenever their roles change.
curl -X PUT \
  "https://account.cloud.tibco.com/api/v1/members" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken from step #2}}' \
  -d '{
    "tenantId": "string",
    "tenantUsersRolesInviteDetails": [{
      "firstName": "string",
      "lastName": "string",
      "company": "string",
      "state": "string",
      "country": "string",
      "phone": "string",
      "extendedUserAttributes": {
        "reportsTo": "string",
        "description": "string",
        "department": "string",
        "jobTitle": "string",
        "communicationEmail": "string"
      },
      "email": "string",
      "tenantRoleIds": [
        "someRole", "maybeAnotherRole"
      ],
      "teamAdmin": false
    }]
  }'
Example: To add a user as an API manager in API Management while also allowing the user to add team members, the JSON is as follows:
{
  "tenantId": "MASHERY",
  "tenantUsersRolesInviteDetails": [{
    "firstName": "Jane",
    "lastName": "Doe",
    "company": "Jane Doe Inc.",
    "state": "CA",
    "country": "US",
    "phone": "+1345678654",
    "extendedUserAttributes": {
      "reportsTo": "CEO",
      "description": "Executive VP",
      "department": "Sales",
      "jobTitle": "EVP",
      "communicationEmail": "jane@doe.com"
    },
    "email": "jane1@doe.com",
    "tenantRoleIds": [
      "APIMGR", "SUPMGR"
    ],
    "teamAdmin": true
  }]
}
Removing Members
After you have the access token, you must pass it in the "Authorization" header as a Bearer token when invoking the Remove Users API.
You can use this API to remove users from a domain or an organization. You can remove a maximum of 50 users per request. You can also remove users who are in the "invited" status and have not yet accepted the invitation to join the domain or the organization.
curl -X DELETE \
  "https://account.cloud.tibco.com/api/v1/members" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken from step #2}}' \
  -d '{
    "tenantId": "string",
    "emails": [
      "remove@example.com",
      "delete@example.com"
    ]
  }'
Retrieving Member Details
After you have the access token, you must pass it in the "Authorization" header as a Bearer token when invoking the Retrieve Users API.
You can use this API to retrieve member details from the domain teams. This is a paginated API, so you can specify the number of pages and records per page by using the page and the limit query parameters while retrieving the details. For tenant IDs, see the Tenant IDs and Roles section.
curl -X GET \
  "https://account.cloud.tibco.com/api/v1/members?tenant-id=<tenantId>&region=<region>" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken from step #2}}'
Updating Member Details
After you have the access token, you must pass it in the "Authorization" header as a Bearer token when invoking the Update Users API.
You can use this API to update user details. Send only those fields that you want to update as a payload. Fields that are not part of the payload are retained. However, the email field is mandatory.
curl -X PUT \
  "https://account.cloud.tibco.com/api/v1/users" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken from step #2}}' \
  -d '{
    "usersDetails": [{
      "email": "jane1@doe.com",
      "firstName": "Jane",
      "lastName": "Doe",
      "company": "Jane Doe Inc.",
      "country": "US",
      "phone": "+1345678654",
      "state": "CA",
      "extendedUserAttributes": {
        "reportsTo": "CEO",
        "department": "Sales",
        "jobTitle": "EVP",
        "description": "Executive VP",
        "communicationEmail": "jane@doe.com"
      }
    }]
  }'