Bulk user management for TIBCO Cloud

By:
Last updated:
2:55am Feb 18, 2021

 

As TIBCO Cloud has matured over time, more and more sizeable teams and companies are using the different capabilities it has to offer. With this increased growth, also comes the need to be able to handle larger and larger teams. 

TIBCO Cloud is very capable of handling these team sizes, but especially when you are just getting started, it can be a bit tedious in adding all team members individually, hence we opened up the API's that lie underneath this to help you automate the onboarding of users into your TIBCO Cloud teams

This page describes what you need to do to enable bulk user management for TIBCO Cloud, it will showcase the JSON specification of the API and provide a step by step guide on how to use the API from a tool like curl

Enabling Access to bulk user management APIs

Bulk user management enables you to invite multiple users at a time to join your organization by using REST APIs.  By default an email is sent to each invited user.  It contains an activation link which allows to set up a password needed to access the account.  These emails are not sent if Enterprise SSO has already been configured and enabled.  To get access to the bulk user management APIs for your organization, contact the TIBCO Support team. For more information about contacting TIBCO Support, see the Contacting Support page in the TIBCO Cloud documentation.

Assuming you have obtained access to the bulk user management APIs for your organization, now an owner or any Team Administrator for the domain can execute the APIs as instructed in the following steps. NOTE: You can also read the attached Plain text iconswagger specification file using the swagger editor to understand the request and response schemas in detail.

  1. All the API calls are secure; hence, you need to sign in to TIBCO Cloud and generate the Connected Intelligence Cloud access token from http://account.cloud.tibco.com/manage/settings/oAuthTokens. For steps click here.

Note: Use the respective region Connected Intelligence Cloud access token to invite member on that region. For e.g. user to be invited on us-west-2 (Oregon) region then use above link. For other regions, the hostnames will be as follows:

eu-west-1 (Ireland): eu.account.cloud.tibco.com

ap-southeast-2 (Sydney): au.account.cloud.tibco.com

westus2 (Washington): account.us.azure.cloud.tibco.com

API schemas

Below are the schemas used to invite and to delete users

Invite schema

{
	"tenantId": "string",
	"tenantUsersRolesInviteDetails": [{
		"firstName": "string",
		"lastName": "string",
		"company": "string",
		"state": "string",
		"country": "string",
		"phone": "string",
		"extendedUserAttributes": {
			"reportsTo": "string",
			"description": "string",
			"department": "string",
			"jobTitle": "string",
			"communicationEmail": "string"
		},
		"email": "string",
		"tenantRoleIds": [
			"string", "string"
		],
		"teamAdmin": false
	}]
}

To invite, you need to specify the tenant ID for the team the user should be invited too (see below for available tenant IDs)

Per-user you can specify one or more roles (if available, see role tables per tenant below), this is a comma-separated list. A maximum of 50 users is allowed.

Delete schema

{
  "tenantId": "string",
  "emails": [
    "string"
  ]
}

To remove users, you need to specify the tenant ID from where the users need to be removed (see below for available tenant IDs)

Per tenant, you can specify up to 50 emails as a comma separated string.

Update user Schema

{
	"usersDetails": [{
		"email": "string",
		"firstName": "string",
		"lastName": "string",
		"company": "string",
		"country": "string",
		"phone": "string",
		"state": "string",
		"extendedUserAttributes": {
			"reportsTo": "string",
			"department": "string",
			"jobTitle": "string",
			"description": "string",
			"communicationEmail": "string"
		}
	}]
}

 

The caller (i.e. the authenticated user) of the API must be an owner of the Organization for which the users details are being updated.

The users being updated must belong to the Organization owned by the caller of this API.

To update user details, you must provide the email of the user (must be the same as in TIBCO Cloud) and then specify the other details that need to be updated.

Only those fields that are passed as the part of payload are updated. The fields that are not specified in the payload are retained.

You can update a maximum of 50 users at a time.

 

Tenant IDs and roles

Nimbus

Tenant ID: NIMBUS

Role Logical name Description
ACCOUNT_ADMIN Account administrator Nimbus administrator
AUTHOR Author Authors new nimbus maps
CONTRIBUTOR Contributor Contributes to existing maps

LiveApps

Tenant ID: BPM

Role Logical name Description
Administrator Live Apps administrator Publishes Live Apps applications, and creates a custom group of the user in Live Apps
AllUsers Regular user Starts use cases in Live Apps
ApplicationDeveloper Developer Develops Live Apps applications

 

Integration

Tenant ID: TCI

Role Logical name Description
ADM TCI Administrator This is an elevated role that allows access to all functions except for team admin.
USR Regular user Developer user who can create, update, delete apps/solutions
RO Read only user User who can only view apps/solutions

 

Auditsafe

Tenant ID: TCTA

Role Logical name Description
ADM Administrator Auditsafe administrator
USR User Views and tracks transactions

 

Mashery

Tenant ID: MASHERY

Roles (https://docs.mashery.com/manage/GUID-BC63BAB0-7BFE-4F0E-887F-CF32342F8F9E.html)

Role Logical name Description
ADMIN Mashery administrator Performs all tasks that can be done in the Mashery control center
APIMGR API manager Creates and manages APIs, packages and plans
CIADMIN Call inspector administrator Manages and sets up call inspector
CIUSER Call inspector user Uses call inspector
CMMGR Community manager Manages the community
CTMGR Content manager Manages context for the portal
POMT Portal manager Manages the complete portal
PRMGT Program manager Manages API programs
REPMGT Reports user View API usage reports
SUPMGR Support user View only role
ORGUSER Organization user A user that can be used for DAPI

 

Events

Tenant ID: TCE

Role Logical name Description
ADM Adminstrator Events administrator
DEV Developer Develops Events applications

 

Messaging

Tenant ID: TCM

No roles needed

 

Spotfire

Tenant ID: SPOTFIRE

Roles (http://docs.spotfire.cloud.tibco.com/spotfire/GUID-481621C9-F133-4F3F-8A59-0B154B014BF0.html)

Role Logical name Description
CLOUD_ANALYST Analyst Uses the online environment, sets up connections, and uses the thick client
CLOUD_BUSINESS_AUTHOR Business Author Authors reports in the online environment
CLOUD_CONSUMER Consumer Reads reports in the online environment

 

Inviting members using curl

After you have the access token, pass it in the “Authorization” header as Bearer token while invoking Invite Users API.

This API allows you to invite users (at max 50 users per request) and update the roles of the existing members of the domain.  Inviting a new or existing user to a domain will normally send an email from TIBCO to user's email address with instructions how to sign in.  Such emails are not sent if Enterprise SSO is already configured and enabled.  Users will always get an email whenever their roles change.

curl -X PUT \
 "https://account.cloud.tibco.com/api/v1/members" \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Bearer {{accessToken from step #2}}' \
 -d '{
	"tenantId": "string",
	"tenantUsersRolesInviteDetails": [{
		"firstName": "string",
		"lastName": "string",
		"company": "string",
		"state": "string",
		"country": "string",
		"phone": "string",
		"extendedUserAttributes": {
			"reportsTo": "string",
			"description": "string",
			"department": "string",
			"jobTitle": "string",
			"communicationEmail": "string"
		},
		"email": "string",
		"tenantRoleIds": [
			"someRole", "maybeAnotherRole"
		],
		"teamAdmin": false
	}]
}'

 

Note: The examples given above invoke the API in us-west-2 (Oregon) region. If you have subscriptions in other regions, the API domains will be as follows:

eu-west-1 (Ireland): eu.account.cloud.tibco.com

ap-southeast-2 (Sydney): au.account.cloud.tibco.com

 

So to add a user as an API manager and Support manager on Mashery, while allowing the user to also add team members the json will look as per below:

{
	"tenantId": "MASHERY",
	"tenantUsersRolesInviteDetails": [{
		"firstName": "Jane",
		"lastName": "Doe",
		"company": "Jane Doe Inc.",
		"state": "CA",
		"country": "US",
		"phone": "+1345678654",
		"extendedUserAttributes": {
			"reportsTo": "CEO",
			"description": "Executive VP",
			"department": "Sales",
			"jobTitle": "EVP",
			"communicationEmail": "jane@doe.com"
		},
		"email": "jane1@doe.com",
		"tenantRoleIds": [
			"APIMGR", "SUPMGR"
		],
		"teamAdmin": true
	}]
}



Removing members using curl

After you have the access token, pass it in the “Authorization” header as Bearer token while invoking Remove Users API.

This API allows you to remove users from domain or organization (at max 50 users per request) and remove the users whose status is “invited” and have not accepted the invitation yet.

curl -X DELETE \
 "https://account.cloud.tibco.com/api/v1/members" \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Bearer {{accessToken from step #2}}' \
 -d '{
  "tenantId": "string",
  "emails": [
    "remove@example.com",
    "delete@example.com"
  ]
}'

 

Note: The examples given above invoke the API in us-west-2 (Oregon) region. If you have subscriptions in other regions, the API domains will be as follows:

eu-west-1 (Ireland): eu.account.cloud.tibco.com

ap-southeast-2 (Sydney): au.account.cloud.tibco.com

Retrieve member details using curl

After you have the access token, pass it in the “Authorization” header as Bearer token while invoking Retrieve Users API.

This API allows you to retrieve users details from domain teams. This is paginated API so you can specify the page and limit while retrieving user details.

curl -X GET \
 "https://account.cloud.tibco.com/api/v1/members?tenant-id=<tenantId>&region=<region>" \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Bearer {{accessToken from step #2}}'

 

Note: The examples given above invoke the API in the us-west-2 (Oregon) region. If you have subscriptions in other regions, the API domains will be as follows:

eu-west-1 (Ireland): eu.account.cloud.tibco.com

ap-southeast-2 (Sydney): au.account.cloud.tibco.com

For the list of the tenantIds please refer back to the "TenantIds and Roles" section.

Update user details using curl

After you have the access token, pass it in the “Authorization” header as Bearer token while invoking Update Users API.

This API allows you to update user details. Please send only those fields that you wish to update for the user.

Only those fields that are passed as the part of payload are updated. The fields that are not specified in the payload are retained.

The email field is mandatory for the user whose details are to be updated.

curl -X PUT \
 "https://account.cloud.tibco.com/api/v1/users" \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Bearer {{accessToken from step #2}}' \
 -d '{
	"usersDetails": [{
		"email": "jane1@doe.com",
		"firstName": "Jane",
		"lastName": "Doe",
		"company": "Jane Doe Inc.",
		"country": "US",
		"phone": "+1345678654",
		"state": "CA",
		"extendedUserAttributes": {
			"reportsTo": "CEO",
			"department": "Sales",
			"jobTitle": "EVP",
			"description": "Executive VP",
			"communicationEmail": "jane@doe.com"
		}
	}]
}'

 

Note: The examples given above invoke the API in the us-west-2 (Oregon) region. If you have subscriptions in other regions, the API domains will be as follows:

  • eu-west-1 (Ireland): eu.account.cloud.tibco.com

  • ap-southeast-2 (Sydney): au.account.cloud.tibco.com

Attachments