7.1. Objects

The user repository manages User objects and Group objects. A Group can contain an arbitrary number of Member objects, which may be users or groups. The Unified API distinguishes between membership and direct membership. Only the latter is stored directly; the former is computed dynamically. A Member object is a member of a given group if there is a chain of direct member associations that ultimately leads from the group to the member.

Every member has a name and a domain. There are typically only very few domains in any given CoreMedia CMS installation, leaving the name as the main identifying feature of a member. A user is often designated in the <name>@<domain> format, for example, joe@mydomain or admin@. As you can see, for built-in users, the domain part is left empty.

The domain that is represented by the empty string provides access to the built-in user management of the Content Server. For members of this domain this is also indicated by the method isBuiltIn(). Only members of the built-in user management may be changed under direct control of the Unified API. Users of other, external domains are mapped into the system from external servers by means of the LDAP protocol. Only read access is allowed for external domains. You can access the distinguished name of an external user through the Unified API in case you need to connect back to the LDAP repository.

For users of external domains, the getter methods of CapObject, which is a super interface of Member, may be used to access custom string attributes stored in the LDAP server. The built-in user management does not support member attributes. Note that there is no fixed set of CapType objects for members, because LDAP does not enforce a strict typing. Instead, there is one artificial type per member that describes the available properties for these objects.

Figure 7.1. Class Diagram: Users and Groups


In Figure 7.1, “Class Diagram: Users and Groups” you can see an overview of all classes involved in the representation of users and groups.

A group is called administrative if its direct and indirect members are supposed to gain special privileges while working in the CoreMedia CMS. A user is called administrative if at least one of its direct or indirect groups is administrative.
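The following added example (not CoreMedia code and not a Unified API call) models the two definitions above on constructed data: computed membership as a chain of direct memberships, and administrative status inherited through that chain. The dictionaries, the function names and the way the administrative flag is stored are assumptions for illustration. The sample contains a membership cycle to show that the traversal terminates.

```python
from collections import defaultdict

# Constructed sample data (not from a real installation): direct members per
# group, in <name>@<domain> form. The empty domain is the built-in one.
DIRECT_MEMBERS = {
    "staff@": ["editors@", "admin@"],
    "editors@": ["joe@mydomain", "chiefs@"],
    "chiefs@": ["ann@mydomain", "editors@"],  # cycle, to test termination
    "operators@": ["chiefs@", "admin@"],
}
ADMINISTRATIVE_GROUPS = {"operators@"}  # assumed: groups flagged administrative


def parse_member(designation):
    """Split '<name>@<domain>' into (name, domain, is_built_in)."""
    name, sep, domain = designation.rpartition("@")
    if not sep or not name:
        raise ValueError(f"not in <name>@<domain> form: {designation!r}")
    return name, domain, domain == ""


def effective_groups(member, direct_members):
    """All groups that reach the member through a chain of direct membership."""
    parents = defaultdict(set)  # member -> groups it is a direct member of
    for group, members in direct_members.items():
        for m in members:
            parents[m].add(group)
    seen, todo = set(), [member]
    while todo:
        for group in parents[todo.pop()] - seen:  # skip visited: cycle-safe
            seen.add(group)
            todo.append(group)
    return seen


def administrative_users(direct_members, admin_groups):
    """Map each administrative user to (is_direct_member, is_built_in)."""
    users = {m for ms in direct_members.values() for m in ms} - set(direct_members)
    report = {}
    for user in sorted(users):
        if effective_groups(user, direct_members) & admin_groups:
            direct = any(user in direct_members[g] for g in admin_groups)
            report[user] = (direct, parse_member(user)[2])
    return report
```

In the sample, joe@mydomain and ann@mydomain are administrative only through nested groups, which a review of the direct members of operators@ alone would miss.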

For the purposes of assigning rights to users, groups may be designated as content groups or live groups or both. Only rules of content groups affect the computation of rights on the Content Management Server. Only read rights rules that are defined for live groups are published to the Live Servers.

For users, the home folder can be retrieved as a content object. As already explained, setting the home folder is only possible for built-in users.