Adding & Removing Users on Bloomreach Experience Manager | OpsBlu Docs

Adding & Removing Users on Bloomreach Experience Manager

How to add and remove team members in Bloomreach. Covers invitation workflows, role assignment, access revocation, and user lifecycle management for...

Bloomreach Experience Manager (brXM, formerly Hippo CMS) uses a repository-based user system backed by Apache Jackrabbit. Users and groups are stored in the JCR content repository under /hippo:configuration/hippo:users and managed through the CMS admin console, the Repository REST API, or YAML configuration-as-code.

Adding Users via the CMS Console

Creating a Local User

  1. Log in to the CMS at https://your-site.com/cms
  2. Navigate to the Admin perspective (gear icon in the top bar)
  3. Select User Management in the left panel
  4. Click Add User
  5. Fill in the required fields:
    • Username (lowercase, no spaces -- used for login)
    • First Name and Last Name
    • Email
    • Password (minimum 8 characters by default)
  6. Assign the user to one or more Groups (e.g., editor, author, admin, webmaster)
  7. Click Save

The user can immediately log in at /cms with their credentials. Hand the initial password over out of band (not in the same message as the username) and have the user change it after the first login.

Assigning Groups

Groups in brXM control access to CMS functionality. Key built-in groups:

Group                  Access level
admin                  Full system administration, user management, configuration
editor                 Edit and publish content in all channels
author                 Create and edit content, submit for review
webmaster              Manage channels, templates, and site configuration
xm-sitemenu-editor     Edit site menus
xm-urlrewriter-editor  Manage URL rewrites

To add a user to a group:

  1. In Admin > Group Management, select the group
  2. Click Add Member
  3. Search for and select the user
  4. Click Save

Adding Users via Configuration-as-Code (YAML)

brXM supports bootstrapping users through YAML files in your project repository. This is the recommended approach for reproducible environments:

# repository-data/application/src/main/resources/hcm-config/configuration/users/jsmith.yaml
definitions:
  config:
    /hippo:configuration/hippo:users/jsmith:
      jcr:primaryType: hipposys:user
      hipposys:active: true
      hipposys:firstname: John
      hipposys:lastname: Smith
      hipposys:email: jsmith@example.com
      # Commit only a password hash, never the plaintext: everything in this file
      # stays in git history for as long as the repository exists
      hipposys:password: $2a$10$hashed_password_here
      hipposys:securityprovider: internal
# Add user to the editor group
# repository-data/application/src/main/resources/hcm-config/configuration/groups/editor.yaml
definitions:
  config:
    /hippo:configuration/hippo:groups/editor:
      jcr:primaryType: hipposys:group
      # This is the complete membership list, not an append: a user left out
      # here loses editor membership when the configuration is applied
      hipposys:members:
        - jsmith
        - existinguser1

Apply configuration changes by rebuilding and redeploying, or use the Console to force a reload.

Adding Users via the REST API

brXM exposes a Repository REST API for programmatic user management:

# Create a new user via the REST API.
# Pass only the user name to -u: curl then prompts for the password, so it never
# lands in shell history or in `ps` output. For unattended use put the credentials
# in ~/.netrc (mode 600) and pass --netrc instead. --fail makes curl exit non-zero
# on HTTP 4xx/5xx. The request body (with the initial password) is also recorded
# in shell history; for real use read it from a file with -d @jsmith.json.
curl -sS --fail -X POST "https://your-site.com/cms/ws/users" \
  -H "Content-Type: application/json" \
  -u admin \
  -d '{
    "username": "jsmith",
    "firstName": "John",
    "lastName": "Smith",
    "email": "jsmith@example.com",
    "password": "SecurePass123!",
    "active": true,
    "groups": ["editor", "xm-sitemenu-editor"]
  }'

# List all users
curl -sS --fail "https://your-site.com/cms/ws/users" \
  -u admin | python3 -m json.tool

# Get specific user details
curl -sS --fail "https://your-site.com/cms/ws/users/jsmith" \
  -u admin

Removing and Deactivating Users

Deactivation preserves the user record and all content attribution:

  1. Go to Admin > User Management
  2. Select the user
  3. Uncheck the Active checkbox
  4. Click Save

Deactivated users cannot log in but their name appears correctly on all authored content. Their workflow tasks are preserved and can be reassigned.

Deleting a User

  1. Go to Admin > User Management
  2. Select the user
  3. Click Delete
  4. Confirm the deletion

What happens to their content:

  • Published content remains published and accessible
  • Content attribution shows the username string but links to a nonexistent profile
  • Workflow items assigned to the deleted user become orphaned -- reassign these before deletion
  • Draft content in their personal workspace is lost
  • Version history records retain the original username

Programmatic Deactivation

# Deactivate a user via REST API (-u admin prompts for the password; see above)
curl -sS --fail -X PUT "https://your-site.com/cms/ws/users/jsmith" \
  -H "Content-Type: application/json" \
  -u admin \
  -d '{"active": false}'

# Delete a user via REST API -- only after workflow tasks and locks have been
# reassigned; prefer deactivation (see the offboarding checklist below)
curl -sS --fail -X DELETE "https://your-site.com/cms/ws/users/jsmith" \
  -u admin

Bulk User Management

Scripting with Groovy Console

The brXM Console (/cms/console) includes an Updater Editor that runs a Groovy updater script against every node matched by a path or query; use it for bulk operations:

// Bulk deactivate users who haven't logged in for 90 days.
// Run from the Console (/cms/console) > Updater Editor: paste this as the script,
// set the XPath query below on the updater, tick "Dry run" for a first pass.
//
// XPath query for the updater:
//   //hippo:configuration/hippo:users/element(*, hipposys:user)[@hipposys:active='true']

import org.onehippo.repository.update.BaseNodeUpdateVisitor
import javax.jcr.Node
import javax.jcr.Session

class DeactivateStaleUsers extends BaseNodeUpdateVisitor {

  Calendar cutoffDate

  void initialize(Session session) {
    cutoffDate = Calendar.getInstance()
    cutoffDate.add(Calendar.DAY_OF_YEAR, -90)
  }

  boolean doUpdate(Node userNode) {
    // Never touch system accounts (hipposys:system = true: workflow, live/preview
    // users) or the admin account; deactivating those takes the CMS down.
    if (userNode.hasProperty("hipposys:system") && userNode.getProperty("hipposys:system").boolean) {
      return false
    }
    if (userNode.name == "admin") {
      return false
    }
    def lastLogin = userNode.hasProperty("hipposys:lastlogin") ?
      userNode.getProperty("hipposys:lastlogin").date : null
    // No hipposys:lastlogin means the user never logged in. That also matches accounts
    // created within the last 90 days, so exclude those if you provision in bulk.
    if (lastLogin == null || lastLogin.before(cutoffDate)) {
      userNode.setProperty("hipposys:active", false)
      log.info "Deactivated: ${userNode.name}"
      return true   // true tells the updater to save this node
    }
    return false
  }

  boolean undoUpdate(Node userNode) {
    throw new UnsupportedOperationException("Undo not implemented; re-activate by hand")
  }
}

CSV Import Script

#!/bin/bash
# bulk-add-users.sh -- Import users from CSV via REST API
# CSV format: username,firstname,lastname,email,group
# Admin credentials come from ~/.netrc (mode 600), never from the script or argv:
#   machine your-site.com login admin password <admin_password>
set -euo pipefail

API_URL="https://your-site.com/cms/ws/users"
umask 077                                   # the password hand-over file is readable only by us
PW_OUT="initial-passwords.$(date +%s).csv"  # deliver out of band, then delete

while IFS=',' read -r username firstname lastname email group; do
  [ "$username" = "username" ] && continue  # skip a header row if present
  # One random initial password per user instead of a shared default like ChangeMe123!
  password=$(openssl rand -base64 18)
  # Build the JSON with jq so a name containing quotes or backslashes cannot break the body
  body=$(jq -n --arg u "$username" --arg f "$firstname" --arg l "$lastname" \
               --arg e "$email" --arg p "$password" --arg g "$group" \
               '{username:$u, firstName:$f, lastName:$l, email:$e, password:$p, active:true, groups:[$g]}')
  # Body goes in on stdin (-d @-) so the password is not visible in `ps`;
  # --fail makes curl exit non-zero on HTTP 4xx/5xx instead of printing the error page
  if printf '%s' "$body" | curl -sS --fail --netrc -X POST "$API_URL" \
       -H "Content-Type: application/json" \
       -d @- > /dev/null; then
    printf '%s,%s\n' "$username" "$password" >> "$PW_OUT"
    echo "Created: $username ($group)"
  else
    echo "FAILED: $username" >&2
  fi
done < users.csv

LDAP and SSO Integration

LDAP Configuration

brXM supports LDAP authentication through Spring Security. Configure in platform/src/main/resources/:

# platform/src/main/resources/application.yaml
spring:
  security:
    ldap:
      enabled: true
      urls: ldap://ldap.example.com:389
      base: dc=example,dc=com
      username: cn=admin,dc=example,dc=com
      password: ${LDAP_BIND_PASSWORD}
      user-search:
        base: ou=people
        filter: (uid={0})
      group-search:
        base: ou=groups
        filter: (member={0})
        role-attribute: cn

SAML SSO Configuration

For enterprise SAML SSO (Okta, Azure AD, etc.):

# hippo-cms/src/main/webapp/WEB-INF/saml-config.properties
saml.idp.metadata.url=https://idp.example.com/metadata
saml.sp.entity-id=https://your-site.com/cms
saml.sp.acs-url=https://your-site.com/cms/saml/acs
saml.attribute.username=urn:oid:0.9.2342.19200300.100.1.1
saml.attribute.email=urn:oid:0.9.2342.19200300.100.1.3
saml.attribute.firstname=urn:oid:2.5.4.42
saml.attribute.lastname=urn:oid:2.5.4.4
saml.group-mapping.CMS_EDITORS=editor
saml.group-mapping.CMS_ADMINS=admin

When LDAP or SAML is enabled, user provisioning happens automatically on first login: the user record is created in the JCR repository with hipposys:securityprovider set to ldap or saml instead of internal. Two consequences follow. Anyone who can authenticate at the IdP and carries a mapped group receives that CMS group, so the IdP groups behind saml.group-mapping (CMS_ADMINS in particular) need the same protection as the CMS admin group itself. And disabling a user in the IdP does nothing for accounts whose securityprovider is internal: those keep authenticating with the password stored in the repository and must be deactivated in the CMS separately.
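The points above turn into a periodic access review: which active accounts still authenticate locally and so bypass the IdP, which hold a privileged group, which have not logged in for 90 days, and which SSO-provisioned records the IdP no longer lists. The script below is an added example (not OpsBlu's or Bloomreach's code) that runs that review over a user list. It assumes the list is the JSON returned by the page's `GET /cms/ws/users`, one object per user carrying the fields the page's POST body uses plus a `securityProvider` value and an ISO 8601 `lastLogin`; those two field names, the sample data, the IdP roster and the break-glass account set are all constructed assumptions.

```python
"""Access review over a brXM user list (added example; field names are assumptions)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the assumed shape of the user-list response.
SAMPLE_USERS_JSON = """
[
  {"username": "jsmith", "email": "jsmith@example.com", "active": true,
   "securityProvider": "saml", "groups": ["editor"], "lastLogin": "2024-05-20T09:12:00Z"},
  {"username": "contractor7", "email": "c7@example.com", "active": true,
   "securityProvider": "internal", "groups": ["admin"], "lastLogin": "2024-01-03T17:40:00Z"},
  {"username": "old-intern", "email": "intern@example.com", "active": true,
   "securityProvider": "internal", "groups": ["author"], "lastLogin": null},
  {"username": "tgarcia", "email": "tgarcia@example.com", "active": true,
   "securityProvider": "saml", "groups": ["webmaster"], "lastLogin": "2024-06-02T11:00:00Z"},
  {"username": "mlee", "email": "mlee@example.com", "active": false,
   "securityProvider": "saml", "groups": ["editor", "admin"], "lastLogin": "2023-11-01T08:00:00Z"},
  {"username": "admin", "email": "admin@example.com", "active": true,
   "securityProvider": "internal", "groups": ["admin"], "lastLogin": "2024-06-01T10:00:00Z"}
]
"""

# Constructed: the accounts the identity provider currently lists (an HR or SCIM export).
IDP_ROSTER = {"jsmith", "mlee"}

PRIVILEGED_GROUPS = {"admin", "webmaster"}   # from the group table on this page
BREAK_GLASS_ACCOUNTS = {"admin"}              # assumption: local accounts allowed to bypass SSO


def review_users(users_json, idp_roster, now, stale_days=90,
                 sso_enabled=True, break_glass=BREAK_GLASS_ACCOUNTS):
    """Return {finding: sorted usernames}. Only active accounts are reported,
    since a deactivated account cannot log in whatever groups it still holds."""
    findings = {"local_bypass": [], "privileged": [], "stale": [], "not_in_idp": []}
    cutoff = now - timedelta(days=stale_days)
    for user in json.loads(users_json):
        if not user.get("active", False):
            continue
        name = user["username"]
        provider = user.get("securityProvider", "internal")
        groups = set(user.get("groups", []))

        # Disabling someone in the IdP does nothing for an internal account: it keeps
        # authenticating with the password stored in the repository.
        if sso_enabled and provider == "internal" and name not in break_glass:
            findings["local_bypass"].append(name)

        if groups & PRIVILEGED_GROUPS:
            findings["privileged"].append(name)

        # No lastLogin means the account never logged in; treat that as stale too.
        last = user.get("lastLogin")
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
        if last_dt is None or last_dt < cutoff:
            findings["stale"].append(name)

        # An SSO-provisioned record the IdP no longer lists: removed upstream, but the
        # repository user and its group memberships are still there.
        if provider != "internal" and name not in idp_roster:
            findings["not_in_idp"].append(name)

    return {kind: sorted(names) for kind, names in findings.items()}


def sample_report():
    """Run the review on the constructed sample with a fixed clock."""
    return review_users(SAMPLE_USERS_JSON, IDP_ROSTER,
                        now=datetime(2024, 6, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for kind, names in sample_report().items():
        print(f"{kind:13s} {', '.join(names) or '-'}")
```

On the sample, contractor7 shows up three times (local account while SSO is on, admin group, no login since January), which is the combination worth acting on first; tgarcia is still active in the CMS with webmaster rights although the IdP no longer knows the account. Feed the script a real export and a real roster, and run it on a schedule rather than only at offboarding time.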

Offboarding Checklist

  1. Disable the account in your identity provider first -- For LDAP/SAML users this stops re-authentication, and it stops the first-login provisioning that would otherwise recreate a deleted record
  2. Reassign workflow tasks -- Check the user's pending review and publication tasks
  3. Transfer document locks -- Unlock any documents the user has checked out
  4. Remove from groups -- Strip all group memberships, admin and webmaster in particular, before deactivating
  5. Deactivate (don't delete) -- Preserve content attribution and audit history; this step is the only one that stops an internal (non-SSO) account from logging in
  6. Revoke API tokens -- If the user had personal API tokens, rotate them
  7. Audit channel access -- Verify the user is removed from all channel-specific permission sets
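The steps that go through the user endpoint (strip groups, then deactivate, then verify) are worth scripting so they always run in the same order and are never confused with a delete. The following is an added example (not OpsBlu's or Bloomreach's code) built on the page's `/cms/ws/users/<username>` GET and PUT calls exactly as the curl examples above use them: it assumes GET returns a JSON object with `active` and `groups` and that PUT accepts a partial object. The HTTP call sits behind an injectable `transport`, so the procedure runs offline against the in-memory `FakeUserStore`; `urllib_transport` is the real one. The PROTECTED set is an assumption about which accounts must never be offboarded by script.

```python
"""Offboard one brXM user through the page's user endpoint (added example)."""
import base64
import json
import os
import urllib.request

BASE_URL = "https://your-site.com/cms/ws/users"
# Assumption: service and break-glass accounts are handled by hand, never by this script.
PROTECTED = {"admin", "system", "workflowuser"}


def urllib_transport(method, url, body=None, creds=None):
    """Real transport: one JSON request with HTTP Basic auth; raises on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if creds:  # "user:password", read from the environment by the caller, never from argv
        req.add_header("Authorization",
                       "Basic " + base64.b64encode(creds.encode()).decode())
    with urllib.request.urlopen(req) as resp:  # urllib.error.HTTPError on 4xx/5xx
        return json.loads(resp.read() or b"{}")


class FakeUserStore:
    """In-memory stand-in for the user endpoint so the procedure can run offline."""

    def __init__(self, users):
        self.users = {name: dict(u) for name, u in users.items()}
        self.calls = []

    def __call__(self, method, url, body=None, creds=None):
        name = url.rsplit("/", 1)[-1]
        self.calls.append((method, name, body))
        if method == "GET":
            return dict(self.users[name])
        if method == "PUT":
            self.users[name].update(body)
            return dict(self.users[name])
        raise ValueError(f"{method} not supported: offboarding deactivates, it never deletes")


def offboard(username, transport, base_url=BASE_URL, creds=None):
    """Strip group memberships, deactivate, then read back and verify. Idempotent."""
    if username in PROTECTED:
        raise ValueError(f"refusing to offboard protected account {username!r}")
    url = f"{base_url}/{username}"
    before = transport("GET", url, None, creds)
    if not before.get("active", False) and not before.get("groups"):
        return {"username": username, "changed": False, "removed_groups": []}

    removed = sorted(before.get("groups", []))
    # Groups first, then deactivation, in the checklist's order: if the second call
    # fails, what is left is an account with no privileges, not a privileged record
    # that would regain everything the moment someone re-activates it.
    transport("PUT", url, {"groups": []}, creds)
    transport("PUT", url, {"active": False}, creds)

    # Do not trust the PUT's status code alone: read the record back and check it.
    after = transport("GET", url, None, creds)
    if after.get("active") or after.get("groups"):
        raise RuntimeError(f"offboarding of {username!r} did not take effect: {after}")
    return {"username": username, "changed": True, "removed_groups": removed}


def demo():
    """Run the procedure against a constructed store; returns (results, store)."""
    store = FakeUserStore({
        "jsmith": {"username": "jsmith", "active": True, "groups": ["editor", "xm-sitemenu-editor"]},
        "mlee": {"username": "mlee", "active": False, "groups": []},  # already offboarded
    })
    results = [offboard("jsmith", store), offboard("mlee", store)]
    return results, store


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
    # Real run, credentials from the environment rather than the command line:
    #   BRXM_ADMIN_CREDS='admin:...' python3 offboard.py
    #   offboard("jsmith", urllib_transport, creds=os.environ["BRXM_ADMIN_CREDS"])
```

Running `demo()` offboards jsmith (two PUTs, then a verifying GET) and leaves the already-inactive mlee untouched after a single GET, so the script can be re-run safely. The fake store raises on DELETE on purpose: the page's deletion endpoint stays a deliberate, separate action taken only after workflow tasks and locks have been reassigned.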