For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Open sourceSupportFAQsDocs Home
DocumentationAPI referenceRelease notes
DocumentationAPI referenceRelease notes
  • Platform On-Prem
    • Overview
    • Navigate
        • Reference user accounts
        • Reference groups
    • Search resources
  • Apps
    • FlowAI
    • Itential Automation Gateway
  • Resources
    • Itential Academy
    • Version lifecycle
    • Itential MCP
    • Accessibility conformance
    • Get support
    • FAQs
LogoLogo
Open sourceSupportFAQsDocs Home
On this page
  • Best practices
  • Account references in database documents
  • Accounts in the UI
  • Account references in APIs
  • Query, filter, and sort account documents
  • Example account document
  • Query documents with referenced accounts
  • Example workflow document
  • Example API response with inline account data
  • Aggregation pipeline query
  • Filter and sort documents by referenced account fields
Platform On-PremControl accessUsers, groups, roles

Reference user accounts

Was this page helpful?
Previous

How to reference groups

Next
Built with

User accounts are uniquely identified in Itential Platform by a database ID, or by a username and provenance pair where provenance is the name of the AAA adapter from which the account originated. This page covers best practices for user account representation, including how to reference accounts in documents, return account data from APIs, and query and sort documents with referenced accounts.

Best practices

Account references in database documents

Reference user accounts via database ID. In MongoDB, accounts are keyed with ObjectId, and references should use that type as well. This allows the application to use $lookup in the MongoDB aggregation pipeline for sorting, filtering, and efficient querying when account data needs to be retrieved.

Accounts in the UI

Do not present users with a list of account IDs. Display user lists and references using the username and provenance fields. Username alone is no longer sufficient — users may need to distinguish between similarly named accounts in different systems.

Account references in APIs

Based on how existing APIs and documents are structured, APIs should accept and return both account IDs and username/provenance pairs. Where account IDs are exposed, they should appear as strings in JSON. APIs must take on the burden of validating IDs, converting them to ObjectId where appropriate, and testing for equality using the appropriate methods.

Query, filter, and sort account documents

Example account document

The examples below use the following account document:

1{
2  "_id": ObjectId("5aebd2fae2c5b5614927362b"),
3  "provenance": "Local AAA",
4  "username": "admin@pronghorn",
5  "firstname": "admin",
6  "memberOf": [...],
7  "assignedRoles": [...],
8  "lastLogin": ISODate("2018-05-30T16:29:39.944Z")
9}

Query documents with referenced accounts

Denormalizing user account data — for example, storing a copy of the username alongside the account ID — creates a maintenance problem when the account data changes but the copy does not. Instead, load account data at query time to include it in the API response.

Example workflow document

1{
2  "_id": "b6517ac9-a8fc-4621-902b-174458005c90",
3  "name": "Example Workflow",
4  "tasks": {},
5  "transitions": {},
6  "created": "5/18/2018, 9:32:50 AM",
7  "created_by": {
8    "id": ObjectId("5aebd2fae2c5b5614927362b")
9  },
10  "last_updated": "5/18/2018, 9:33:31 AM",
11  "last_updated_by": {
12    "id": ObjectId("5aebd2fae2c5b5614927362b")
13  },
14  "groups": [
15    ObjectId("5aebd2ffe2c5b5614927362d")
16  ]
17}

Example API response with inline account data

This response includes the human-readable username and provenance fields alongside the account ID:

1[
2  {
3    "id": "b6517ac9-a8fc-4621-902b-174458005c90",
4    "name": "Example Workflow",
5    "created": "5/18/2018, 9:32:50 AM",
6    "created_by": {
7      "id": "5aebd2fae2c5b5614927362b",
8      "username": "admin@pronghorn",
9      "provenance": "Local AAA"
10    },
11    "last_updated": "5/18/2018, 9:33:31 AM",
12    "last_updated_by": {
13      "id": "5aebd2fae2c5b5614927362b",
14      "username": "admin@pronghorn",
15      "provenance": "Local AAA"
16    }
17  }
18]

Aggregation pipeline query

This query produces the desired data set in a single request to MongoDB:

1const workflowListWithInlineAccountsPipeline = [
2  {
3    $lookup: {
4      from: 'accounts',
5      localField: 'created_by.id',
6      foreignField: '_id',
7      as: 'created_by_accounts'
8    }
9  },
10  {
11    $lookup: {
12      from: 'accounts',
13      localField: 'last_updated_by.id',
14      foreignField: '_id',
15      as: 'last_updated_by_accounts'
16    }
17  },
18  {
19    $project: {
20      name: 1,
21      created: 1,
22      created_by_account: { $arrayElemAt: ['$created_by_accounts', 0] },
23      last_updated: 1,
24      last_updated_by_account: { $arrayElemAt: ['$created_by_accounts', 0] }
25    }
26  }
27];
28
29const workflowList = await workflowsCollection.aggregate(workflowListWithInlineAccountsPipeline).toArray();

Filter and sort documents by referenced account fields

You can extend the pipeline above to filter and sort by account fields:

1const filteredAndSortedByCreatorPipeline = [
2  { $match: { name: /^Exa/ } },
3  ...workflowListWithInlineAccountsPipeline,
4  { $sort: { 'created_by_account.username': 1 } },
5];
6
7const workflowList = await workflowsCollection.aggregate(filteredAndSortedByCreatorPipeline).toArray();