Forms user management | Handling user data

Last update: May 22, 2024

CREATED FOR:

  • Admin
  • User

User management is an AEM Forms JEE component that allows creating, managing, and authorizing AEM Forms users to access AEM Forms. User management uses domains as directories for obtaining user information. The following domain types are supported:

Local domains: This type of domain is not connected to a third-party storage system. Instead, users and groups are created locally and reside in the User Management database. Passwords are stored locally, and authentication is done using a local database.

Hybrid domains: This type of domain is not connected to a third-party storage system. Instead, users and groups are created locally and reside in the User Management database. Unlike local domains, hybrid domains use an external authentication provider, which can be LDAP, Kerberos, SAML, or a custom authentication provider.

Enterprise domains: Consist of users and groups that reside in a third-party storage system, such as an LDAP directory. User Management does not write to the third-party storage system. Instead, User Management synchronizes the user and group information with the User Management database. Enterprise domains also use an external authentication provider, which can be LDAP, Kerberos, SAML, or a custom authentication provider.

User data and data stores

User management stores user data in a database, such as My Sql, Oracle, MS® SQL Server, and IBM® DB2®. In addition, any user who has logged in at least once in Forms applications on AEM author at https://'[server]:[port]'lc, the user gets created in AEM repository. Therefore, user management is stored in the following data stores:

  • Database
  • AEM repository
  • Third-party storage like LDAP directory
NOTE
Data stored in third-party storages is out of scope for this document. Contact the third-party vendor directly to manage user data in such storages.

Database

User management stores user data in the following database tables:

Database tableDescription
EdcPrincipalEntityStores information about principal entities. A principal can be a user, a group, or a role.
EdcPrincipalUserEntityStores personally identifiable information (PII) of users. It contains an entry for every user from local, enterprise, and hybrid domains.

EdcPrincipalLocalAccountEntity

EdcPrincipalLocalAccount

(Oracle and MS® SQL databases)

Stores data only for local users.

EdcPrincipalEmailAliasEntity

EdcPrincipalEmailAliasEn

(Oracle and MS® SQL databases)

Contains entries of all users from local, enterprise, and hybrid domains. It contains user email IDs.

EdcPrincipalGrpCtmntEntity

EdcPrincipalGrpCtmntEnti
(Oracle and MS® SQL databases)

Stores the mapping between users and groups.
EdcPrincipalRoleEntityStores the mapping between roles and principals for both users and groups.
EdcPriResPrmEntityStores the mapping between principal and permissions for both users and groups.

EdcPrincipalMappingEntity

EdcPrincipalMappingEntit
(Oracle and MS® SQL databases)

Stores old and new attribute values corresponding to a principal.

AEM repository

User management data for users who have at least once accessed the Forms applications under https://'[server]:[port]'lc is stored in AEM repository as well.

Access and delete user data

You can access and export user management data for users in the user management databases and AEM repository, and if necessary, delete it permanently.

Database

To export or delete user data from user management database, you must connect to the database using a database client and find out the principal ID based on some PII of the user. For example, to retrieve the principal ID of a user using a login ID, run the following select command on the database.

In the select command, replace the <user_login_id> with the login ID of the user whose principal ID you want to retrieve.

select refprincipalid from EdcPrincipalUserEntity where uidstring = <user_login_id>

Once you know the principal ID, you can export or delete the user data.

Export user data

Run the following database commands so you can export user management data for a principal ID from database tables. In the select command, replace <principal_id> with the principal ID of the user whose data you want to export.

NOTE
The following commands use database table names in My SQL and IBM® DB2® databases. When running these commands on Oracle and MS® SQL databases, replace the following table names in the commands:

  • Replace EdcPrincipalLocalAccountEntity with EdcPrincipalLocalAccount

  • Replace EdcPrincipalEmailAliasEntity with EdcPrincipalEmailAliasEn

  • Replace EdcPrincipalMappingEntity with EdcPrincipalMappingEntit

  • Replace EdcPrincipalGrpCtmntEntity with EdcPrincipalGrpCtmntEnti

Select * from EdcPrincipalLocalAccountEntity where refuserprincipalid in (Select id from EdcPrincipalUserEntity where refprincipalid in (Select id from EDCPRINCIPALENTITY where id='<principal_id>'));

Select * from EdcPrincipalEmailAliasEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPrincipalRoleEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPriResPrmEntity where refprinid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPrincipalUserEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPrincipalMappingEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPrincipalGrpCtmntEntity where refchildprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Select * from EdcPrincipalEntity where id='<principal_id>';

Delete user data

Do the following to delete user management data for a principal ID from database tables.

  1. Delete user data from AEM repository, if applicable, as described in Delete user data.

  2. Shut down the AEM Forms Server.

  3. Run the following database commands so you can delete user management data for a principal ID from database tables. In the Delete command, replace <principal_id> with the principal ID of the user whose data you want to delete.

    Delete from EdcPrincipalLocalAccountEntity where refuserprincipalid in (Select id from EdcPrincipalUserEntity where refprincipalid in (select id from EdcPrincipalEntity where id='<principal_id>'));

Delete from EdcPrincipalEmailAliasEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPrincipalRoleEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPriResPrmEntity where refprinid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPrincipalUserEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPrincipalMappingEntity where refprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPrincipalGrpCtmntEntity where refchildprincipalid in (Select id from EdcPrincipalEntity where id='<principal_id>');

Delete from EdcPrincipalEntity where id='<principal_id>';

  4. Start the AEM Forms Server.