IBM Web Content Manager (WCM) runs on HCL Digital Experience (formerly IBM WebSphere Portal). User management is handled through the WebSphere Integrated Solutions Console (ISC), the Portal Administration interface, the HCL DX REST API, or the underlying LDAP directory. WCM does not have its own user store -- it delegates to the portal's user registry.
Adding Users via the Portal Administration
Creating a User in the Portal
- Log in to the Portal Administration interface at https://your-portal.com/wps/myportal
- Navigate to Administration > Access > Users and Groups
- Click All Portal Users
- Click New User
- Fill in the required fields:
  - User ID (unique login identifier)
  - First Name and Last Name
  - Password (and confirmation)
- Click OK to create the user
- Assign the user to appropriate Portal Groups for WCM access
WCM-Specific Groups
WCM access is controlled through Portal groups. Key built-in groups:
| Group | WCM Access |
|---|---|
| wpsadmins | Full WCM administration, all libraries, all content types |
| wcmadmins | WCM configuration, library management, syndicator/subscriber management |
| ContentAuthors | Create and edit content in assigned libraries |
| ContentReviewers | Review, approve, and reject content in workflows |
| ContentEditors | Edit and publish content, manage components |
| ContentManagers | All content operations plus library settings |
To add a user to a WCM group:
- Go to Administration > Access > Users and Groups
- Search for and select the user
- Click Group Membership
- Click Add and search for the target group (e.g., ContentAuthors)
- Select the group and click OK
Adding Users via the WebSphere ISC
For direct user registry management:
- Open the ISC at https://your-portal.com:9060/ibm/console
- Navigate to Users and Groups > Manage Users
- Click Create
- Fill in the required fields (User ID, Name, Email, Password)
- Click Create
This creates the user in the federated user registry (often backed by LDAP).
Adding Users via the REST API
HCL DX provides a REST API for user management:
```bash
# Note: "-u user:password" leaves the password in shell history and the process list;
# passing "-u wasadmin" alone makes curl prompt for it instead.

# Create a new user via the Portal REST API
curl -X POST "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/users" \
  -H "Content-Type: application/json" \
  -u wasadmin:admin_password \
  -d '{
    "uid": "jsmith",
    "cn": "John Smith",
    "sn": "Smith",
    "givenName": "John",
    "mail": "jsmith@example.com",
    "userPassword": "SecurePass123!"
  }'

# List all users
curl -s "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/users" \
  -H "Accept: application/json" \
  -u wasadmin:admin_password | python3 -m json.tool

# Add a user to a group
curl -X PUT \
  "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/groups/GROUPID/members" \
  -H "Content-Type: application/json" \
  -u wasadmin:admin_password \
  -d '{"uid": "jsmith"}'
```
Using wsadmin (Jython)
For automation via the WebSphere administrative scripting tool:
```python
# wsadmin Jython script -- create-wcm-user.py
# Run: wsadmin.sh -lang jython -f create-wcm-user.py
import sys

# Create user in VMM (Virtual Member Manager)
AdminTask.createUser('[-uid jsmith -cn "John Smith" -sn Smith '
                     '-givenName John -mail jsmith@example.com '
                     '-password SecurePass123!]')

# Add user to WCM content authors group
AdminTask.addMemberToGroup('[-memberUniqueName uid=jsmith,o=defaultWIMFileBasedRealm '
                           '-groupUniqueName cn=ContentAuthors,o=defaultWIMFileBasedRealm]')

AdminConfig.save()
print("User jsmith created and added to ContentAuthors group")
```

```bash
# Execute the wsadmin script
/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh \
  -lang jython \
  -user wasadmin \
  -password admin_password \
  -f create-wcm-user.py
```
WCM Library Access Control
Beyond portal group membership, WCM has its own library-level access control:
- Log in to the WCM Authoring Portlet
- Go to Library > Properties > Access
- Configure access for each library:
  - User -- Read access to the library
  - Contributor -- Create items within the library
  - Editor -- Edit and approve items
  - Manager -- Full control over library items and settings
  - Administrator -- Library configuration and access management
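Library Access Matrix:

| Action | User | Contributor | Editor | Manager | Administrator |
|---|---|---|---|---|---|
| Read content | X | X | X | X | X |
| Create items | | X | X | X | X |
| Edit own items | | X | X | X | X |
| Edit all items | | | X | X | X |
| Approve/reject | | | X | X | X |
| Delete items | | | | X | X |
| Manage access | | | | | X |
| Configure library | | | | | X |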
Removing and Deactivating Users
Deactivating via Portal Administration
- Go to Administration > Access > Users and Groups > All Portal Users
- Search for and select the user
- Click Deactivate
- Confirm the deactivation
Deactivated users cannot log in to the portal or WCM authoring interface. Their content and access history are preserved.
Deleting via Portal Administration
- Search for the user in All Portal Users
- Click Delete
- Confirm the deletion
What Happens to Their Content
When you remove a WCM user:
- Published content remains live -- all web pages, components, and content items are unaffected
- Content items retain the original creator and last modifier metadata
- Workflow items assigned to the deleted user become orphaned -- pending approvals need manual reassignment
- Personalization rules that target the user's profile attributes continue to function until profiles are cleaned up
- Syndicator/subscriber relationships configured by the user remain active
- Draft content in the user's authoring workspace is preserved but may require admin access to retrieve
Removing via REST API
```bash
# Deactivate a user
curl -X PUT "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/users/USERID" \
  -H "Content-Type: application/json" \
  -u wasadmin:admin_password \
  -d '{"active": false}'

# Delete a user
curl -X DELETE "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/users/USERID" \
  -u wasadmin:admin_password

# Remove a user from a group
curl -X DELETE \
  "https://your-portal.com/wps/mycontenthandler/!ut/p/digest!user/um/groups/GROUPID/members/USERID" \
  -u wasadmin:admin_password
```
Reassigning Workflow Items
```python
# wsadmin Jython -- reassign-workflows.py
# Reassign all workflow items from departing user to a new approver
from com.ibm.workplace.wcm.api import WCMFactory

factory = WCMFactory.getWCMFactory()
workspace = factory.createWorkspace("wasadmin", "admin_password")

# Find all items in workflow assigned to the departing user
items = workspace.findByWorkflowStage("Review", "ContentLibrary")
for item in items:
    approvers = item.getApprovers()
    if "jsmith" in [a.getName() for a in approvers]:
        item.removeApprover("jsmith")
        item.addApprover("newreviewer")
        workspace.save(item)
        print("Reassigned: " + item.getName())
```
Bulk User Management
Bulk Import via LDIF
Since WCM delegates to the portal's LDAP-backed user registry, bulk imports use LDIF format:
```ldif
# bulk-users.ldif -- LDAP Data Interchange Format
dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: jsmith
cn: John Smith
sn: Smith
givenName: John
mail: jsmith@example.com
userPassword: {SSHA}base64_encoded_hash

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jdoe@example.com
userPassword: {SSHA}base64_encoded_hash
```

```bash
# -x is a simple bind, so over plain ldap:// the bind password travels unencrypted;
# use an ldaps:// URL or add -ZZ (require StartTLS) outside a lab network.

# Import users via ldapadd
ldapadd -x -H ldap://ldap.example.com \
  -D "cn=admin,dc=example,dc=com" \
  -w "$LDAP_ADMIN_PASSWORD" \
  -f bulk-users.ldif

# Add users to WCM groups
ldapmodify -x -H ldap://ldap.example.com \
  -D "cn=admin,dc=example,dc=com" \
  -w "$LDAP_ADMIN_PASSWORD" << EOF
dn: cn=ContentAuthors,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=jsmith,ou=people,dc=example,dc=com
member: uid=jdoe,ou=people,dc=example,dc=com
EOF
```
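
The `{SSHA}base64_encoded_hash` placeholder in bulk-users.ldif stands for a salted SHA-1 value in the OpenLDAP `{SSHA}` layout: base64 of the 20-byte digest followed by the salt. The following Python is an added example, not part of the original page or of any HCL/IBM tooling; it generates and verifies such values and emits entries in the same shape as the LDIF above. The function names, the uid policy regex and the sample users are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")  # assumed local policy; keeps DNs escape-free

def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_attr(name, value):
    """Emit 'name: value', or base64 'name:: ...' when value is not an LDIF SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if value and safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_entry(uid, given, sn, mail, password, base="ou=people,dc=example,dc=com"):
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"rejecting uid {uid!r}: it would need DN escaping")
    attrs = [("objectClass", "inetOrgPerson"), ("objectClass", "organizationalPerson"),
             ("objectClass", "person"), ("uid", uid), ("cn", f"{given} {sn}"),
             ("sn", sn), ("givenName", given), ("mail", mail),
             ("userPassword", ssha_hash(password))]
    return "\n".join([f"dn: uid={uid},{base}"] + [ldif_attr(n, v) for n, v in attrs]) + "\n"

# Constructed sample users; real initial passwords would come from a generator.
USERS = [("jsmith", "John", "Smith", "jsmith@example.com", "correct horse 1"),
         ("jdoe", "Jane", "Doe", "jdoe@example.com", "battery staple 2")]

def build_ldif(users=USERS):
    """Entries already end in a newline, so joining on one more leaves a blank separator line."""
    return "\n".join(ldif_entry(*u) for u in users)
```

`{SSHA}` is a single round of salted SHA-1; it appears here because it is the scheme the page's LDIF uses.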
LDAP and SSO Integration
IBM WCM is designed for enterprise LDAP integration. The portal's federated user registry supports:
- IBM Tivoli Directory Server (ITDS / IBM Security Directory Server)
- Microsoft Active Directory
- OpenLDAP
- Any LDAP v3 compliant directory
SAML SSO Configuration
Configure SAML SSO through the WebSphere ISC:
ISC > Security > Global security > Web and SIP security > Trust association

```text
Trust Association Interceptor (TAI):
├── com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
├── SAML IdP metadata URL: https://idp.example.com/metadata
├── ACS URL: https://your-portal.com/samlsps/acs
├── SP Entity ID: https://your-portal.com
├── Attribute mapping:
│   ├── uid -> urn:oid:0.9.2342.19200300.100.1.1
│   ├── mail -> urn:oid:0.9.2342.19200300.100.1.3
│   └── cn -> urn:oid:2.5.4.3
└── Default group: ContentAuthors
```
Active Directory Integration
```xml
<!-- wimconfig.xml: VMM configuration for AD integration -->
<!-- {xor} values are reversible obfuscation, not encryption: restrict read access to this file -->
<config>
  <repositories>
    <ldapRepository
        id="AD_LDAP"
        host="ad.example.com"
        port="636"
        sslEnabled="true"
        baseDN="dc=example,dc=com"
        bindDN="cn=svc_portal,ou=service,dc=example,dc=com"
        bindPassword="{xor}encrypted_password">
      <loginProperties>
        <loginProperty name="uid"/>
        <loginProperty name="mail"/>
      </loginProperties>
      <groupMembershipAttributes>
        <attribute name="memberOf" scope="direct"/>
      </groupMembershipAttributes>
    </ldapRepository>
  </repositories>
</config>
```
Offboarding Checklist
- Remove from WCM library access -- Revoke library-level permissions first
- Reassign workflow items -- Check all libraries for content pending the user's approval
- Remove from portal groups -- Strip all group memberships
- Deactivate the portal account -- Deactivate rather than delete, so the audit trail is preserved
- Disable in LDAP -- If using an external directory, disable the account at the source
- Review personalization rules -- Check if any content targeting rules reference the departing user
- Audit syndicator/subscriber -- Verify syndication credentials do not use the departing user's account
- Check scheduled publications -- Ensure no content items are scheduled for publication under the user's workflow authority
- Update SAML/SSO -- Revoke the user in your identity provider
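
One way to verify the "Remove from portal groups" step against an LDIF export of the groups subtree, as an added example that is not part of the original page: it lists every group that still names the departing user and flags the admin groups from the table above. The export below is constructed sample data; the code assumes groups use the `member` attribute (as in the ldapmodify example) and that DNs contain no escaped commas. A plain text search for the uid finds only the first of the three memberships, because the other two are folded with different case and base64-encoded.

```python
import base64

# Constructed sample of a groups-subtree export; not real directory data.
B64_DN = base64.b64encode(b"uid=jsmith,ou=people,dc=example,dc=com").decode("ascii")
SAMPLE_EXPORT = f"""\
dn: cn=ContentAuthors,ou=groups,dc=example,dc=com
member: uid=jsmith,ou=people,dc=example,dc=com
member: uid=jdoe,ou=people,dc=example,dc=com

dn: cn=wcmadmins,ou=groups,dc=example,dc=com
member: UID=JSmith, OU=people, DC=example,
 DC=com

dn: cn=ContentReviewers,ou=groups,dc=example,dc=com
member:: {B64_DN}

dn: cn=ContentEditors,ou=groups,dc=example,dc=com
member: uid=jdoe,ou=people,dc=example,dc=com
"""
PRIVILEGED = {"wpsadmins", "wcmadmins"}  # admin groups from the table on this page

def parse_ldif(text):
    """Parse LDIF into dicts, handling folded lines and base64 ('::') values."""
    # Unfolding: a newline followed by one space continues the previous line.
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()
    entries, cur = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            cur.setdefault(name.lower(), []).append(value)
    return entries

def norm_dn(dn):
    """Lower-case a DN and strip spaces around RDNs (assumes no escaped commas)."""
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in dn.lower().split(","))

def residual_memberships(ldif_text, user_dn):
    """Return (group cn, is_privileged) for every group still listing user_dn."""
    target, hits = norm_dn(user_dn), []
    for entry in parse_ldif(ldif_text):
        if any(norm_dn(m) == target for m in entry.get("member", [])):
            cn = entry["dn"][0].split(",", 1)[0].split("=", 1)[1]
            hits.append((cn, cn.lower() in PRIVILEGED))
    return hits
```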