From 39a8eb393532c10d4dbd55cc5ae087a029599c83 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 8 Aug 2025 10:54:47 +0530 Subject: [PATCH 01/12] Additional ways of assigning user types --- .../deployment/general/populate-user-type.md | 49 ++++++++++++------- 1 file changed, 31 insertions(+), 18 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 0da00603ef6..6840dcb14ce 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -28,24 +28,6 @@ The *Mendix Metering* module relies on this attribute to ascertain the end-user {{< figure src="/attachments/deployment/general/populate-user-type/user-type-enumeration.png" class="no-border" >}} -## Assigning UserType for Existing Users of IAM Modules - -The simplest method to set the user type is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. Mendix offers you the following IAM modules: - -* [OIDC](https://docs.mendix.com/appstore/modules/oidc/) -* [SCIM](https://docs.mendix.com/appstore/modules/scim/) -* [SAML](https://docs.mendix.com/appstore/modules/saml/) - -Alternatively, you can build a custom microflow as described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. - -When connecting your app with an IdP, set up the user type through the capabilities of the OIDC SSO, SCIM, or SAML module. The user type is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `internal` or `external` in the **User Provisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the user type per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. - -For more information, refer to the User Provisioning section of the following modules: - -* [OIDC SSO](/appstore/modules/oidc/#custom-provisioning-rt) -* [SCIM](/appstore/modules/scim/#user-provisioning) -* [SAML](/appstore/modules/saml/#custom-provisioning-rt) - ## Assigning UserType Using a Microflow {{% alert color="info" %}} @@ -97,3 +79,34 @@ Therefore, the approach we take is to create a new non-persistable entity, `User {{< figure src="/attachments/deployment/general/populate-user-type/user-type-report.png" class="no-border" >}} 7. The report can be exported into an Excel file. + +## Assigning User Type based on User roles + +Instead of checking email domains or writing microflows, you can classify users as Internal or External using roles in the User Classification module. To do this: + +1. Define roles like InternalRole (for employees) and ExternalRole (for partners/customers). +2. Use the [User Classification]() module to map these roles to the UserType field in UserReportInfo. +3. When a role is assigned to a user, the UserType updates automatically. +4. This approach is simpler, more consistent, and easier to maintain than attribute-based logic. + +## Assigning UserType for Existing Users of IAM Modules + +The simplest method to set the user type is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. Mendix offers you the following IAM modules: + +* [OIDC](https://docs.mendix.com/appstore/modules/oidc/) +* [SCIM](https://docs.mendix.com/appstore/modules/scim/) +* [SAML](https://docs.mendix.com/appstore/modules/saml/) + +Alternatively, you can build a custom microflow as described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. + +When connecting your app with an IdP, set up the user type through the capabilities of the OIDC SSO, SCIM, or SAML module. The user type is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `internal` or `external` in the **User Provisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the user type per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. + +For more information, refer to the User Provisioning section of the following modules: + +* [OIDC SSO](/appstore/modules/oidc/#custom-provisioning-rt) +* [SCIM](/appstore/modules/scim/#user-provisioning) +* [SAML](/appstore/modules/saml/#custom-provisioning-rt) + +## Assigning user types using Custom logic + +You can classify users as Internal or External using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains, roles, SSO/IAM attributes, or contract status. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. \ No newline at end of file From cc560503b270fd48ca471a91ce8078afb3cc5d71 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 8 Aug 2025 16:31:55 +0530 Subject: [PATCH 02/12] Proofreading --- .../deployment/general/populate-user-type.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 1c53d76b1fe..a2427c90f3c 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -22,7 +22,7 @@ In your Mendix Pricing Plan there is a distinction between Internal and External ## Background -Every Mendix app has a system module containing an entity `UserReportInfo`. This entity has an attribute `UserType` that is used to classify end-users as External or Internal Users. This attribute needs to be maintained for all existing and new end-users of a Mendix app. If this attribute is not set, the end-user is classified as an Internal User. +Every Mendix app has a system module containing an entity `UserReportInfo`. This entity has an attribute `UserType` that is used to classify end-users as `External` or `Internal` Users. This attribute needs to be maintained for all existing and new end-users of a Mendix app. If this attribute is not set, the end-user is classified as an Internal User. The *Mendix Metering* module relies on this attribute to ascertain the end-user type and report it back to us. @@ -45,7 +45,7 @@ Therefore, the approach we take is to create a new non-persistable entity, `User {{< figure src="/attachments/deployment/general/populate-user-type/usertypereport-properties.png" class="no-border" >}} -### Populating **UserType** for Existing Users of an App {#using-microflow} +### Populating `UserType` for Existing Users of an App {#using-microflow} 1. Create a microflow `User_RetrieveOrCreateUserReportInfo` which will ensure that a `UserReportInfo` object exists for a given `User`. @@ -80,16 +80,18 @@ Therefore, the approach we take is to create a new non-persistable entity, `User 7. The report can be exported into an Excel file. -## Assigning User Type based on User roles +## Assigning `UserType` based on User roles -Instead of checking email domains or writing microflows, you can classify users as Internal or External using roles in the User Classification module. To do this: +Instead of writing microflows, you can classify users as Internal or External using roles in the User Classification module. To do this: -1. Define roles like InternalRole (for employees) and ExternalRole (for partners/customers). -2. Use the [User Classification]() module to map these roles to the UserType field in UserReportInfo. +1. Define roles like `ExternalRole` or other custom roles. +2. Use the [User Classification](/appstore/modules/user-classification/) module to map these roles to the `UserType` field in the `UserReportInfo`. 3. When a role is assigned to a user, the UserType updates automatically. 4. This approach is simpler, more consistent, and easier to maintain than attribute-based logic. -## Assigning UserType for Existing Users of IAM Modules +For more information, see the [Role-based Classification](/appstore/modules/user-classification/#role-based-classification) section of *User Classification*. + +## Assigning `UserType` for Existing Users of IAM Modules The simplest method to set the user type is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. Mendix offers you the following IAM modules: @@ -99,7 +101,7 @@ The simplest method to set the user type is by using the Identity and Access Man Alternatively, you can build a custom microflow as described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. -When connecting your app with an IdP, set up the user type through the capabilities of the OIDC SSO, SCIM, or SAML module. The user type is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `internal` or `external` in the **User Provisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the user type per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. +When connecting your app with an IdP, set up the user type through the capabilities of the OIDC SSO, SCIM, or SAML module. The user type is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `Internal` or `External` in the **User Provisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the user type per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. For more information, refer to the User Provisioning section of the following modules: @@ -107,11 +109,10 @@ For more information, refer to the User Provisioning section of the following mo * [SCIM](/appstore/modules/scim/#user-provisioning) * [SAML](/appstore/modules/saml/#custom-provisioning-rt) -## Assigning user types using Custom logic +## Assigning `UserTypes` Using Custom logic -You can classify users as Internal or External using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains, roles, SSO/IAM attributes, or contract status. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. +You can classify users as `Internal` or `External` using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. ## Read More * [User Classification Module](/appstore/modules/user-classification/) - From d46242a37db8a6c98f2dc41ac2ec929a10b3e0be Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Tue, 12 Aug 2025 11:36:10 +0530 Subject: [PATCH 03/12] Proofreading --- content/en/docs/deployment/general/populate-user-type.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index a2427c90f3c..4027c0add62 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -74,7 +74,7 @@ Therefore, the approach we take is to create a new non-persistable entity, `User {{< figure src="/attachments/deployment/general/populate-user-type/grid-data-source.png" class="no-border" >}} 5. Add the page to the **Navigation**. -6. When you go to that page it will set the `UserType` as per your logic and show you the UserType report. +6. When you go to that page it will set the `UserType` as per your logic and show you the user type report. {{< figure src="/attachments/deployment/general/populate-user-type/user-type-report.png" class="no-border" >}} @@ -82,12 +82,13 @@ Therefore, the approach we take is to create a new non-persistable entity, `User ## Assigning `UserType` based on User roles -Instead of writing microflows, you can classify users as Internal or External using roles in the User Classification module. To do this: +Instead of writing microflows, you can classify users as `Internal` or `External` using roles in the [User Classification](https://marketplace.mendix.com/link/component/245015) module. To do this: 1. Define roles like `ExternalRole` or other custom roles. 2. Use the [User Classification](/appstore/modules/user-classification/) module to map these roles to the `UserType` field in the `UserReportInfo`. -3. When a role is assigned to a user, the UserType updates automatically. -4. This approach is simpler, more consistent, and easier to maintain than attribute-based logic. +3. When a role is assigned to a user in your Mendix app, the User Classification module automatically updates the `UserType` field in the `UserReportInfo` entity for that user. + +This approach is simpler, more consistent, and easier to maintain than attribute-based logic. For more information, see the [Role-based Classification](/appstore/modules/user-classification/#role-based-classification) section of *User Classification*. From d0535167f7d51bcdaf4c39a9e6e3eece45562c13 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Tue, 12 Aug 2025 11:41:59 +0530 Subject: [PATCH 04/12] cross-link User type --- .../platform-supported-content/modules/user-classification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/user-classification.md b/content/en/docs/marketplace/platform-supported-content/modules/user-classification.md index f40827d234d..93a0b624fa3 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/user-classification.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/user-classification.md @@ -6,7 +6,7 @@ description: "Describes the configuration and usage of the User Classification m ## Introduction -The [User Classification](https://marketplace.mendix.com/link/component/245015) module allows your Mendix application to accurately classify end-users—an essential capability for ensuring compliance with the [Mendix Pricing Plan](/developerportal/deploy/mendix-cloud-deploy/#plans). The module provides logic to set the user type as external or internal based on the user roles in your app. If needed, you can implement custom logic instead. Keep in mind that Mendix’s user metering processes will count users as internal unless their user type is explicitly set to external, which may impact licensing calculations. +The [User Classification](https://marketplace.mendix.com/link/component/245015) module allows your Mendix application to accurately classify end-users—an essential capability for ensuring compliance with the [Mendix Pricing Plan](/developerportal/deploy/mendix-cloud-deploy/#plans). The module provides logic to set the [user type](/developerportal/deploy/populate-user-type/) as external or internal based on the user roles in your app. If needed, you can implement custom logic instead. Keep in mind that Mendix’s user metering processes will count users as internal unless their user type is explicitly set to external, which may impact licensing calculations. This document guides you in implementing the classification logic and configuring the required elements within your Mendix application. For details on the available classification logic options, see the [Configuring Classification Logic](#configure-classification-logic) section below. Using this module, organizations can ensure reliable user classification and maintain accurate metering within their Mendix environment. From f09051df1142129d79333d5d4ead5b3535cde0a4 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 18 Aug 2025 19:05:54 +0530 Subject: [PATCH 05/12] Introduction as per feedback --- content/en/docs/deployment/general/populate-user-type.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 4027c0add62..5292cd2c73b 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -8,7 +8,9 @@ aliases: ## Introduction -In your Mendix Pricing Plan there is a distinction between Internal and External Named Users of a Mendix App. This document helps you to set up your apps to meter External Users correctly. It describes a sample solution that can help you in External User classification for existing users of your apps. +In the Mendix Pricing Plan, a distinction is made between Internal and External Named Users of a Mendix app. As a customer, you purchase a license for a specific number of Internal users and, optionally, for External users (which are typically cheaper). For accurate user metering, External users must be correctly classified. If they are not, your company may exceed the licensed capacity for Internal users, and Mendix may require you to acquire additional Internal user licenses. + +This document helps you to set up your apps to meter External users correctly. It describes different sample solutions that can help you in External User classification for existing users of your apps. {{% alert color="info" %}} **Definitions** From a71b28fcb14deb7c5f812a8b92bebc5d737eaef2 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 22 Aug 2025 11:30:54 +0530 Subject: [PATCH 06/12] refined Introduction and background --- content/en/docs/deployment/general/populate-user-type.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 5292cd2c73b..2c739124fd4 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -10,7 +10,7 @@ aliases: In the Mendix Pricing Plan, a distinction is made between Internal and External Named Users of a Mendix app. As a customer, you purchase a license for a specific number of Internal users and, optionally, for External users (which are typically cheaper). For accurate user metering, External users must be correctly classified. If they are not, your company may exceed the licensed capacity for Internal users, and Mendix may require you to acquire additional Internal user licenses. -This document helps you to set up your apps to meter External users correctly. It describes different sample solutions that can help you in External User classification for existing users of your apps. +This document helps you set up your apps to ensure accurate metering for your External users. It describes different sample solutions that can help you in External User classification for existing users of your apps. {{% alert color="info" %}} **Definitions** @@ -24,9 +24,9 @@ This document helps you to set up your apps to meter External users correctly. I ## Background -Every Mendix app has a system module containing an entity `UserReportInfo`. This entity has an attribute `UserType` that is used to classify end-users as `External` or `Internal` Users. This attribute needs to be maintained for all existing and new end-users of a Mendix app. If this attribute is not set, the end-user is classified as an Internal User. +Every Mendix app has a system module containing an entity `UserReportInfo`. This entity has an attribute `UserType` that is used to classify end-users as `External` or `Internal` Users. Your application must set the attribute for all existing and new (external) end users. If it does not, Mendix will classify those users as Internal. -The *Mendix Metering* module relies on this attribute to ascertain the end-user type and report it back to us. +The metering relies on this attribute to ascertain the end-user type and report it back to us. {{< figure src="/attachments/deployment/general/populate-user-type/user-type-enumeration.png" class="no-border" >}} From dcea02ca04732171c53442ea88aac0573140d4f5 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Fri, 22 Aug 2025 17:27:42 +0530 Subject: [PATCH 07/12] Reorganizing the sections --- .../deployment/general/populate-user-type.md | 100 ++++++++++-------- 1 file changed, 57 insertions(+), 43 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 2c739124fd4..7fd1dbb4caf 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -30,24 +30,72 @@ The metering relies on this attribute to ascertain the end-user type and report {{< figure src="/attachments/deployment/general/populate-user-type/user-type-enumeration.png" class="no-border" >}} -## Assigning UserType Using a Microflow +## Classification Options + +There are several approaches to classify users as `Internal` or `External`, ranging from configuration-only to custom development. These options are listed below: + +### IdP-Based User Classification + +The simplest method to set the `UserType` is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. This approach leverages an existing Identity Provider (IdP) to classify users. The primary benefit of IdP-based classification is its efficiency, as it often only requires configuration within the IAM modules already in use. Mendix offers you the following IAM modules: + +* [OIDC](https://docs.mendix.com/appstore/modules/oidc/) +* [SCIM](https://docs.mendix.com/appstore/modules/scim/) +* [SAML](https://docs.mendix.com/appstore/modules/saml/) + +Alternatively, you can build a custom microflow described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. + +When connecting your app with an IdP, set up the `UserType` through the capabilities of the OIDC SSO, SCIM, or SAML module. The `UserType` is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `Internal` or `External` in the **UserProvisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the `UserType` per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. + +For more information, refer to the User Provisioning section of the following modules: + +* [OIDC SSO](/appstore/modules/oidc/#custom-provisioning-rt) +* [SCIM](/appstore/modules/scim/#user-provisioning) +* [SAML](/appstore/modules/saml/#custom-provisioning-rt) + +### Role-Based User Classification + +Role-based classification relies on the distinct user roles defined within the application itself. This method is particularly effective for scenarios where an application needs to differentiate between user types, such as internal employees versus external users, by assigning them specific roles. Mendix offers the [User Classification](https://marketplace.mendix.com/link/component/245015) module, which aims to streamline the implementation of user role-based classification, thereby minimizing the development effort required within the application. + +Instead of writing microflows, you can classify users as `Internal` or `External` using roles in the User Classification module. To do this: + +1. Define roles like `ExternalRole` or other custom roles. +2. Use the [User Classification](/appstore/modules/user-classification/) module to map these roles to the `UserType` field in the `UserReportInfo`. +3. When a role is assigned to a user in your Mendix app, the User Classification module automatically updates the `UserType` field in the `UserReportInfo` entity for that user. + +This approach is simpler, more consistent, and easier to maintain than attribute-based logic. + +For more information, see the [Role-based Classification](/appstore/modules/user-classification/#role-based-classification) section of *User Classification*. + +### Custom Classification + +When user classification extends beyond what IdP-based or role-based methods can handle, custom classification offers more flexibility. It lets you create specific rules tailored to the unique needs of your application. + +#### Custom Classification Using the User Classification Module + +This option lets you build custom logic while still using the framework from the [User Classification](/appstore/modules/user-classification/) module. It reduces development effort by giving you a structured way to add custom classification rules. + +You can classify users as `Internal` or `External` using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. + +#### Custom Classification Using Your Own Microflows + +For maximum control, developers can create user classification entirely from scratch using custom microflows. This gives full flexibility to define any classification rules and processes, making it the most customized approach. {{% alert color="info" %}} -This approach is for end-users who are already set up in your app. For new end-users who onboard into your app, you can implement a similar logic to set the UserType attribute during initial end-user creation. +This approach is for end-users who are already set up in your app. For new end-users who onboard into your app, you can implement a similar logic to set the `UserType` attribute during initial end-user creation. {{% /alert %}} -Outlined below is an example of a module that can be used to update UserType attribute. You will need to adapt the module logic for classifying your own internal and external end-users. +Outlined below is an example of a module that can be used to update the `UserType` attribute. You will need to adapt the module logic for classifying your own internal and external end-users. -### Domain model +##### Domain Model -In the example below, our aim is to update UserType attribute of `UserReportInfo` entity. However, the entity `UserReportInfo` is protected in the System module and has no access rules. As a result, it cannot be exposed directly in the UI pages. +In the example below, our aim is to update the `UserType` attribute of the `UserReportInfo` entity. However, the entity `UserReportInfo` is protected in the System module and has no access rules. As a result, it cannot be exposed directly in the UI pages. Therefore, the approach we take is to create a new non-persistable entity, `UserTypeReport`, which we will populate based on the values of `UserReportInfo` to show in the UI. {{< figure src="/attachments/deployment/general/populate-user-type/usertypereport.png" class="no-border" >}} {{< figure src="/attachments/deployment/general/populate-user-type/usertypereport-properties.png" class="no-border" >}} -### Populating `UserType` for Existing Users of an App {#using-microflow} +##### Populating `UserType` for Existing Users of an App {#using-microflow} 1. Create a microflow `User_RetrieveOrCreateUserReportInfo` which will ensure that a `UserReportInfo` object exists for a given `User`. @@ -55,9 +103,9 @@ Therefore, the approach we take is to create a new non-persistable entity, `User 2. Create a microflow `User_EvaluateAndSetUserType` which will populate the `UserType` attribute on the `UserReportInfo` entity for a given `User`. - In this example, we decide whether a user is `Internal` or `External` based on the email address of the user. To do that, we need to retrieve the email address of each user from the database. Note that the `System.User` entity itself does not have the email address. The email address is stored in specializations of `System.User`. + In this example, we decide whether a user is `Internal` or `External` based on the email address of the user. To do that, we need to retrieve the email address of each user from the database. Note that the `System.User` entity itself does not have the email address. The email address is stored in the specializations of `System.User`. - Here, we show how to do it for two specializations of the `System.User` entity, namely `Administration.Account` and `MendixSSO.MendixSSOUser`. In the `Administration.Account` entity, the email is in attribute named `Email`. And in the `MendixSSO.MendixSSOUser` entity, it’s in an attribute named `EmailAddress`. Hence we need to use an [Object Type Decision](/refguide/object-type-decision/) activity to split the `System.User` into `Administration.Account` and `MendixSSO.MendixSSOUser` and then fetch the email address according to the name of the attribute. + Here, we show how to do it for two specializations of the `System.User` entity, namely `Administration.Account` and `MendixSSO.MendixSSOUser`. In the `Administration.Account` entity, the email is in an attribute named `Email`. And in the `MendixSSO.MendixSSOUser` entity, it’s in an attribute named `EmailAddress`. Hence, we need to use an [Object Type Decision](/refguide/object-type-decision/) activity to split the `System.User` into `Administration.Account` and `MendixSSO.MendixSSOUser` and then fetch the email address according to the name of the attribute. {{< figure src="/attachments/deployment/general/populate-user-type/set-user-type.png" alt="Microflow: User_EvaluateAndSetUserType" class="no-border" >}} @@ -76,46 +124,12 @@ Therefore, the approach we take is to create a new non-persistable entity, `User {{< figure src="/attachments/deployment/general/populate-user-type/grid-data-source.png" class="no-border" >}} 5. Add the page to the **Navigation**. -6. When you go to that page it will set the `UserType` as per your logic and show you the user type report. +6. When you go to that page, it will set the `UserType` as per your logic and show you the user type report. {{< figure src="/attachments/deployment/general/populate-user-type/user-type-report.png" class="no-border" >}} 7. The report can be exported into an Excel file. -## Assigning `UserType` based on User roles - -Instead of writing microflows, you can classify users as `Internal` or `External` using roles in the [User Classification](https://marketplace.mendix.com/link/component/245015) module. To do this: - -1. Define roles like `ExternalRole` or other custom roles. -2. Use the [User Classification](/appstore/modules/user-classification/) module to map these roles to the `UserType` field in the `UserReportInfo`. -3. When a role is assigned to a user in your Mendix app, the User Classification module automatically updates the `UserType` field in the `UserReportInfo` entity for that user. - -This approach is simpler, more consistent, and easier to maintain than attribute-based logic. - -For more information, see the [Role-based Classification](/appstore/modules/user-classification/#role-based-classification) section of *User Classification*. - -## Assigning `UserType` for Existing Users of IAM Modules - -The simplest method to set the user type is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. Mendix offers you the following IAM modules: - -* [OIDC](https://docs.mendix.com/appstore/modules/oidc/) -* [SCIM](https://docs.mendix.com/appstore/modules/scim/) -* [SAML](https://docs.mendix.com/appstore/modules/saml/) - -Alternatively, you can build a custom microflow as described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. - -When connecting your app with an IdP, set up the user type through the capabilities of the OIDC SSO, SCIM, or SAML module. The user type is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `Internal` or `External` in the **User Provisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the user type per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. - -For more information, refer to the User Provisioning section of the following modules: - -* [OIDC SSO](/appstore/modules/oidc/#custom-provisioning-rt) -* [SCIM](/appstore/modules/scim/#user-provisioning) -* [SAML](/appstore/modules/saml/#custom-provisioning-rt) - -## Assigning `UserTypes` Using Custom logic - -You can classify users as `Internal` or `External` using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. - ## Read More * [User Classification Module](/appstore/modules/user-classification/) From ad8006e135e2583456ecccd62251615e5d1fcd7c Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 25 Aug 2025 12:09:46 +0530 Subject: [PATCH 08/12] Prerequisites for IdP-based classification --- .../deployment/general/populate-user-type.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 7fd1dbb4caf..08180227f96 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -52,6 +52,23 @@ For more information, refer to the User Provisioning section of the following mo * [SCIM](/appstore/modules/scim/#user-provisioning) * [SAML](/appstore/modules/saml/#custom-provisioning-rt) +#### Prerequisites for IdP-Based User Classification + +1. Mendix version: this method requires Mendix version 9.24.2 and above. + +2. Module versions: ensure you are using the following minimum module versions: + + * OIDC SSO: v3.0.0 or above + * SCIM: v1.0.2 or above + * SAML: v4.0.0 or above + +3. IdP Setup: use separate IdPs for `Internal` and `External` users. + + {{% alert color="info" %}}It is possible to set up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. + {{% /alert %}} + +4. Classification on login: classification of user happens when they login. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all external users log in before the limits are evaluated. + ### Role-Based User Classification Role-based classification relies on the distinct user roles defined within the application itself. This method is particularly effective for scenarios where an application needs to differentiate between user types, such as internal employees versus external users, by assigning them specific roles. Mendix offers the [User Classification](https://marketplace.mendix.com/link/component/245015) module, which aims to streamline the implementation of user role-based classification, thereby minimizing the development effort required within the application. @@ -76,7 +93,7 @@ This option lets you build custom logic while still using the framework from the You can classify users as `Internal` or `External` using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. -#### Custom Classification Using Your Own Microflows +#### Custom Classification Using Your Own Microflow For maximum control, developers can create user classification entirely from scratch using custom microflows. This gives full flexibility to define any classification rules and processes, making it the most customized approach. From 9c4d68ade407de72f2b38a52247afb923a8083ab Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 25 Aug 2025 13:38:10 +0530 Subject: [PATCH 09/12] Prerequisites for Role-Based Classification --- .../en/docs/deployment/general/populate-user-type.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 08180227f96..23d304a2ce8 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -55,13 +55,11 @@ For more information, refer to the User Provisioning section of the following mo #### Prerequisites for IdP-Based User Classification 1. Mendix version: this method requires Mendix version 9.24.2 and above. - 2. Module versions: ensure you are using the following minimum module versions: * OIDC SSO: v3.0.0 or above * SCIM: v1.0.2 or above * SAML: v4.0.0 or above - 3. IdP Setup: use separate IdPs for `Internal` and `External` users. {{% alert color="info" %}}It is possible to set up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. @@ -83,6 +81,15 @@ This approach is simpler, more consistent, and easier to maintain than attribute For more information, see the [Role-based Classification](/appstore/modules/user-classification/#role-based-classification) section of *User Classification*. +#### Prerequisites for Role-Based Classification + +1. Use distinct user roles for external and internal users. +2. Include the User Classification module in your app model. To use it, your app must be running on one of the following Mendix versions: + + * Mx9 LTS + * Mx10 LTS + * Mx11 and above + ### Custom Classification When user classification extends beyond what IdP-based or role-based methods can handle, custom classification offers more flexibility. It lets you create specific rules tailored to the unique needs of your application. From 7f2611f9e4305117554fd923624a22729768549c Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 25 Aug 2025 14:52:07 +0530 Subject: [PATCH 10/12] small fixes --- .../en/docs/deployment/general/populate-user-type.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index 23d304a2ce8..e10385678e0 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -36,13 +36,13 @@ There are several approaches to classify users as `Internal` or `External`, rang ### IdP-Based User Classification -The simplest method to set the `UserType` is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. This approach leverages an existing Identity Provider (IdP) to classify users. The primary benefit of IdP-based classification is its efficiency, as it often only requires configuration within the IAM modules already in use. Mendix offers you the following IAM modules: +The simplest method to set the `UserType` is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. This approach leverages an existing Identity Provider (IdP) to classify users. The primary benefit of IdP-based classification is its efficiency, as it typically only requires configuration within the existing IAM modules. Mendix offers you the following IAM modules: * [OIDC](https://docs.mendix.com/appstore/modules/oidc/) * [SCIM](https://docs.mendix.com/appstore/modules/scim/) * [SAML](https://docs.mendix.com/appstore/modules/saml/) -Alternatively, you can build a custom microflow described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. +Alternatively, you can build a custom microflow as described in the [Populating UserType for Existing Users of an App](#using-microflow) section below. When connecting your app with an IdP, set up the `UserType` through the capabilities of the OIDC SSO, SCIM, or SAML module. The `UserType` is now configured in the User Provisioning, which is integrated into the OIDC SSO, SCIM, and SAML modules. This means you can directly configure end-users of your application as `Internal` or `External` in the **UserProvisioning** tab of your app. Based on this configuration, users are updated each time they log in. These modules allow you to set the `UserType` per IdP as the source of your end-users, assuming that separate IdPs are used for `internal` and `external` users. @@ -54,18 +54,18 @@ For more information, refer to the User Provisioning section of the following mo #### Prerequisites for IdP-Based User Classification -1. Mendix version: this method requires Mendix version 9.24.2 and above. -2. Module versions: ensure you are using the following minimum module versions: +1. Mendix version: This method requires Mendix version 9.24.2 and above. +2. Module versions: Ensure you are using the following minimum module versions: * OIDC SSO: v3.0.0 or above * SCIM: v1.0.2 or above * SAML: v4.0.0 or above -3. IdP Setup: use separate IdPs for `Internal` and `External` users. +3. IdP Setup: Use separate IdPs for `Internal` and `External` users. {{% alert color="info" %}}It is possible to set up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. {{% /alert %}} -4. Classification on login: classification of user happens when they login. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all external users log in before the limits are evaluated. +4. Classification on login: Classification of users happens when they log in. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all external users log in before the limits are evaluated. ### Role-Based User Classification From c8805dc4d31c6bb11d3ff5ffb84eb2268912ac63 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 25 Aug 2025 16:46:43 +0530 Subject: [PATCH 11/12] additional changes --- .../deployment/general/populate-user-type.md | 37 +++++++++++-------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index e10385678e0..cce4d23023d 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -36,7 +36,7 @@ There are several approaches to classify users as `Internal` or `External`, rang ### IdP-Based User Classification -The simplest method to set the `UserType` is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. This approach leverages an existing Identity Provider (IdP) to classify users. The primary benefit of IdP-based classification is its efficiency, as it typically only requires configuration within the existing IAM modules. Mendix offers you the following IAM modules: +The simplest method to set the `UserType` is by using the Identity and Access Management (IAM) modules, which require only configuration without the need to develop a microflow. This approach leverages a connection with an Identity Provider (IdP) to classify users. The primary benefit of IdP-based classification is its efficiency, as it typically only requires configuration within the existing IAM modules. Mendix offers you the following IAM modules: * [OIDC](https://docs.mendix.com/appstore/modules/oidc/) * [SCIM](https://docs.mendix.com/appstore/modules/scim/) @@ -54,20 +54,27 @@ For more information, refer to the User Provisioning section of the following mo #### Prerequisites for IdP-Based User Classification -1. Mendix version: This method requires Mendix version 9.24.2 and above. -2. Module versions: Ensure you are using the following minimum module versions: - - * OIDC SSO: v3.0.0 or above - * SCIM: v1.0.2 or above - * SAML: v4.0.0 or above -3. IdP Setup: Use separate IdPs for `Internal` and `External` users. - - {{% alert color="info" %}}It is possible to set up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. +1. Mendix and module versions: + * Mx9 + * OIDC SSO: v3.0.0 or above + * SCIM: v1.0.0 or above + * Mx10 + * OIDC SSO: v4.0.0 or above + * SAML: v4.0.0 or above + * SCIM: v2.0.0 or above + * Mx11 + * OIDC SSO: v4.0.0 or above + * SAML: v4.0.0 or above + * SCIM: v2.0.0 or above + +2. IdP Setup: Use separate IdPs for `Internal` and `External` users. + + {{% alert color="info" %}}It may be possible to enhance configurations in your IdP by settting-up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. Configurations in your IdP have to ensure that each client only addresses internal or exetrnal users. {{% /alert %}} -4. Classification on login: Classification of users happens when they log in. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all external users log in before the limits are evaluated. +3. Classification on login: Classification of users happens when they log in. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all (external) users log in before your limit on internal users is reached, as external users have not been classified as `External` users yet. -### Role-Based User Classification +### User Role-Based User Classification Role-based classification relies on the distinct user roles defined within the application itself. This method is particularly effective for scenarios where an application needs to differentiate between user types, such as internal employees versus external users, by assigning them specific roles. Mendix offers the [User Classification](https://marketplace.mendix.com/link/component/245015) module, which aims to streamline the implementation of user role-based classification, thereby minimizing the development effort required within the application. @@ -83,7 +90,7 @@ For more information, see the [Role-based Classification](/appstore/modules/user #### Prerequisites for Role-Based Classification -1. Use distinct user roles for external and internal users. +1. Your app model uses distinct user roles for external and internal users. 2. Include the User Classification module in your app model. To use it, your app must be running on one of the following Mendix versions: * Mx9 LTS @@ -92,13 +99,13 @@ For more information, see the [Role-based Classification](/appstore/modules/user ### Custom Classification -When user classification extends beyond what IdP-based or role-based methods can handle, custom classification offers more flexibility. It lets you create specific rules tailored to the unique needs of your application. +When the logic of your application does not allow for IdP-based or user role-based user classification, you need to build your own custom user classification logic in your app. It lets you create specific rules tailored to the unique needs of your application. #### Custom Classification Using the User Classification Module This option lets you build custom logic while still using the framework from the [User Classification](/appstore/modules/user-classification/) module. It reduces development effort by giving you a structured way to add custom classification rules. -You can classify users as `Internal` or `External` using your own business rules instead of only roles or IAM settings. With the User Classification module and a microflow, you can combine conditions like email domains. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. +You can classify users as `Internal` or `External` using your own business rules instead of only user roles or IAM settings. With the User Classification module and a microflow, you can evaluate conditions, for example, email domain of end-users. The User Classification module makes it easy for you to implement custom logic to classify existing users as well as new users. This gives maximum flexibility to handle complex or unique scenarios and ensures accurate Mendix user metering. For more information, see the [Custom Classification](/appstore/modules/user-classification/#custom-classification) section of *User Classification*. #### Custom Classification Using Your Own Microflow From 85d5f542858d386d34927243157eba23e5131884 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Mon, 25 Aug 2025 17:53:21 +0530 Subject: [PATCH 12/12] typo --- content/en/docs/deployment/general/populate-user-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/deployment/general/populate-user-type.md b/content/en/docs/deployment/general/populate-user-type.md index cce4d23023d..d3d083b044a 100644 --- a/content/en/docs/deployment/general/populate-user-type.md +++ b/content/en/docs/deployment/general/populate-user-type.md @@ -69,7 +69,7 @@ For more information, refer to the User Provisioning section of the following mo 2. IdP Setup: Use separate IdPs for `Internal` and `External` users. - {{% alert color="info" %}}It may be possible to enhance configurations in your IdP by settting-up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. Configurations in your IdP have to ensure that each client only addresses internal or exetrnal users. + {{% alert color="info" %}}It may be possible to enhance configurations in your IdP by settting-up two separate connections between your app and your IdP. In this scenario, the IdP sees your app as two distinct clients/services. The Mendix app sees them as two distinct IdPs, each with its own provisioning configuration. This allows assigning different `UserType` values per IdP connection. Configurations in your IdP have to ensure that each client only addresses internal or external users. {{% /alert %}} 3. Classification on login: Classification of users happens when they log in. If your application has limited user buckets (for example, license restrictions for internal/external users), and timely classification is critical, ensure all (external) users log in before your limit on internal users is reached, as external users have not been classified as `External` users yet.