Requirements for Connecting an External User Manager

For an external user manager to be able to return sensible data via the user manager interface, the following conditions must be fulfilled:

  1. The user manager in use must be able to handle both individual users and user groups. It must be possible to assign users to groups and to remove them from groups again. Users and groups must be able to have attributes whose values can be queried.

  2. The user manager must be able to handle global permissions. This means that it must be able to assign the name of a global permission it has been given to a user or user group, and to report this assignment on request. It does not need to evaluate global permissions itself, since this is the responsibility of the CMS applications.

  3. The user manager must offer access functions that make it possible to implement the Tcl procedures described in the following section. Ideally, the user manager has a Tcl interface or allows such an interface to be created.

  4. The user manager decides almost entirely on its own which criteria it uses to judge whether a user is a superuser. The CMS application only requires that all users who have the permissionGlobalRoot permission are identified as superusers. If the user manager cannot do this, the API procedure userWithLoginIsSuperUser can perform this task as a substitute.

  5. The user manager should be able to offer defined and, most importantly, detailed error messages when operations partly or completely fail. It must be possible to forward these error messages to the CMS application via the Tcl interface.

The CMS application is not intended to have write access to the user manager.
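
The following sketch illustrates requirements 4 and 5 together: a read-only userWithLoginIsSuperUser that derives superuser status from permissionGlobalRoot and passes a detailed backend error on to the caller. It is an added example, not code from the CMS or its documentation. The single login argument, the 1/0 return value, the rule that a permission assigned to a group applies to its members, the helper procedures umGroupsOfUser and umPermissionsOf, and all sample data are assumptions.

```tcl
# Constructed sample data standing in for an external directory.
# Only userWithLoginIsSuperUser and permissionGlobalRoot come from the page;
# every other name below is hypothetical.
array set userGroups {
    alice {editors admins}
    bob   {editors}
    carol {}
}
array set globalPermissions {
    user:carol    {permissionGlobalRoot}
    group:admins  {permissionGlobalRoot}
    group:editors {constructedSamplePermission}
}

# Hypothetical read-only accessor: groups a user belongs to.
# An unknown login raises a detailed error with a structured error code.
proc umGroupsOfUser {login} {
    global userGroups
    if {![info exists userGroups($login)]} {
        return -code error -errorcode [list USERMAN UNKNOWN_USER $login] \
            "user manager: no user with login \"$login\""
    }
    return $userGroups($login)
}

# Hypothetical read-only accessor: global permission names assigned
# to a user (kind "user") or a group (kind "group").
proc umPermissionsOf {kind name} {
    global globalPermissions
    set key "${kind}:${name}"
    if {[info exists globalPermissions($key)]} {
        return $globalPermissions($key)
    }
    return {}
}

# Returns 1 if the user holds permissionGlobalRoot directly or through a
# group, otherwise 0. Backend errors propagate unchanged to the caller.
proc userWithLoginIsSuperUser {login} {
    set principals [list [list user $login]]
    foreach group [umGroupsOfUser $login] {
        lappend principals [list group $group]
    }
    foreach principal $principals {
        set perms [umPermissionsOf [lindex $principal 0] [lindex $principal 1]]
        if {[lsearch -exact $perms permissionGlobalRoot] >= 0} {
            return 1
        }
    }
    return 0
}
```

A caller can wrap the procedure in `catch` and read `::errorCode` to tell an unknown login apart from a user who is simply not a superuser, so a failed lookup is never treated as a negative answer.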