New accounts can be created in Claromentis in various ways.
Usually, one method of user account creation is implemented and controlled by administrators, but it is possible to have multiple in use at once.
For example, a user sync is live and updating synced accounts, but there are a few local accounts being managed by administrators as well.
- Manually by People administrators
Creating the users directly in the People application (either individually or en masse via CSV).
This results in local accounts and passwords wholly managed by People administrators in the Intranet.

- Using a sync
Accounts are created and updated through a connection with an external repository, e.g. Okta, Azure.
The accounts created are synced accounts (not local); account state and password are controlled in your external repository by those responsible for managing it.
Claromentis has the LDAP tool (free) or the User sync custom module (cost associated) available to facilitate the sync between the external repository and the Intranet.
One of these modules has to be configured for a sync to work.
User profile information can also be mapped from the external repository to the Intranet, which means field entries are controlled by the sync and cannot be edited in Claromentis.
The team that manages the external repository your sync is using (most likely IT) should be made People application administrators in the Intranet so they can manage the accounts in the Intranet and in your external repository.


- Using our People API
This requires configuration by a team member at your company with API knowledge.
The latest information about our People API v2 can be found here.
This method results in local accounts that can be managed externally (wherever the API is connecting) or completely internally after creation (by People administrators), e.g. the password is controlled in Claromentis but can be updated using the API if necessary.
Any user who will be working with the API will need to be made a People administrator for their API requests to work.

- Through successful login with SSO credentials
This method requires the login handler custom module (cost associated) to be installed on your site and configured by your team, most likely the IT department.
This results in local accounts managed in both your IDP and Claromentis. The password for SSO accounts is managed by your IDP and not Claromentis.

In the login handler module, there is an option to allow accounts to be created on login with SSO details:

If this is set to 'yes', new accounts will be created when users log in with the correct credentials in your chosen identity provider (e.g. Okta, Azure, etc.).
If 'no', new accounts will not be created even if the correct credentials are used; account creation is then managed a different way (likely manually) by your team, creating accounts with usernames that match what is in SSO.
We recommend that the team responsible for managing SSO for your company be made application administrators of the login handler module and the People application so they can manage any changes needed to the configuration or user profiles.