User Entity

Users of a Jmix application are defined by the User class that is automatically generated by Studio in a new project. It is a JPA entity implementing the JmixUserDetails interface which has a number of methods required by the framework:

  • getUsername() returns a unique user name.

  • getPassword() returns a hashed password.

  • isEnabled(), isAccountNonExpired(), isAccountNonLocked(), isCredentialsNonExpired() indicate whether the user can log in to the system.

  • getAuthorities(), setAuthorities() are used by the framework to associate the user with a set of permissions upon login.

Users are stored in the main database of your application. By default, the User entity and the corresponding database table have the following attributes:

  • id, version are the standard primary key and optimistic locking attributes.

  • username, password, enabled store values returned by the methods of the JmixUserDetails interface.

  • email, firstName, lastName store additional information about users.

You can define any number of additional attributes required for your application, for example, department or position.

User Management

A new project contains the 010-init-user.xml database migration script that creates a user with the admin/admin username/password and grants the user full access to the application by associating the entity with the system-full-access role.

A new project also contains the UI views for managing users, see ApplicationUsers. These views allow you to create, edit and remove users, change and reset their passwords. To assign roles to a user, click the Role assignments button in the user list view.

The framework provides the ui-minimal role that gives permissions to log in to UI and use some common UI elements. Assign this role to new users that will interact with the application through the UI, otherwise they won’t be able to log in.

Built-in Users

Any Jmix application with the standard security subsystem has two built-in user objects:

  • Anonymous user object corresponds to not authenticated users. It allows you to grant some permissions to users before they log in.

  • System user object is required for the system authentication mechanism. It is used when there is no real user interacting with the application, for example, when the application is starting up, or when a business method is called by a scheduler.

The built-in user objects are not stored in the database but created on the application startup by the DatabaseUserRepository class of your project. You can customize both users in the initAnonymousUser() and initSystemUser() methods of this class. By default, the system user is associated with the system-full-access role and hence has all permissions.

The anonymous user has no permissions by default.