User management

User accounts are required to access the Xperience administration. After signing in, users can work with the available features – manage website content, set up digital marketing and data protection functionality, design forms.

Default user accounts

The system contains the following user accounts by default:

  • Administrator – the initial administrator account that can perform any action.
  • Public – represents an anonymous visitor. Present in the system but not visible or editable in user management UIs.

Manage users

Users are classified into two groups:

  • Live site users – regular visitors that register on a live site managed by Xperience. See Registration and authentication to learn how to work with these users.
  • Admin UI users – users that have access to the administration UI and directly interface with Xperience (e.g., content creators, administrators, marketers).

You can invite new admin UI users and manage user accounts via the Users application.

Select New user to add a new user, or select an existing user in the list to edit their details.

The user listing also allows you to perform the following actions:

  • Delete user accounts.
  • Enable/Disable user accounts. Account status can be seen in the Status column.
  • Resend invitation emails. Only available for users with the Invited or Invitation expired status.

Invite users

When inviting new users, you need to enter the user’s email address and assign them a system role.

Invited users receive an email containing a URL that allows them to finish the registration process. The email message content and metadata can be customized to better suit your desired language and tone. See RegistrationEmailMessageProvider on Administration - Forms authentication to learn more.

Edit users

To edit a user, select the row that represents them in the listing. When editing users, you can modify the following properties:

  • User name – the name used when signing in. Cannot contain white space or special characters. The user name must be unique across all users in the system.
  • First, Last name – the names of the person using the account.
  • Email – the email address connected with the account.
  • Role – one of the two predefined system roles associated with the account.
  • Enabled – indicates if the user account is active, allowing the user to sign in.

User passwords

Passwords are a critical part of any authentication process. Users must set their password when they finalize their registration into the system.

Password policy

The system can be configured to use a password policy, which means that new passwords entered by users are validated according to a certain set of requirements. Passwords that do not meet the specified conditions are rejected. See Administration - Forms authentication to learn how to set password policies.

Default admin UI password policy

By default, Xperience sets the following requirements for passwords:

  • At least 8 characters
  • At least one uppercase character, lowercase character, a digit, and non-alphanumeric character

The policy is applied:

  • In all parts of the administration interface where a new password can be entered. Most commonly, this is the Password tab of the Account page, opened by selecting your account icon in the admin UI.
  • When resetting user passwords via Forgotten password on the Xperience administration sign-in page.

Password storage format

The system does not store user passwords themselves. It stores a salted password hash produced with the PBKDF2 key derivation function: the entered password and a random salt are run through an iterated cryptographic hash, and only the salt and the derived value are kept in the database. Unlike encrypted data, a hash cannot be turned back into the password with a key, so a leaked database yields only material an attacker would have to guess against, slowed down by the PBKDF2 iterations.
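The following block is an added example, not code from Xperience, that ties the default admin UI policy above to the storage format: it rejects passwords that fail the stated rules and otherwise derives a salted PBKDF2 hash that can later be verified in constant time. Everything beyond what the page states is an assumption: the character classes are ASCII-only, modelled on ASP.NET Core Identity's PasswordValidator (under that rule "Ü" is not an uppercase letter but does count as non-alphanumeric), and the SHA-256 variant, iteration count, salt length and the `pbkdf2-sha256$…` record layout are choices made for the example, not Xperience's.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Default admin UI policy from the page: at least 8 characters and at least one
# uppercase, one lowercase, one digit and one non-alphanumeric character.
MIN_LENGTH = 8


# ASCII-only character classes, as in ASP.NET Core Identity's PasswordValidator
# (assumption: the Xperience admin policy behaves the same way).
def _is_upper(c: str) -> bool:
    return "A" <= c <= "Z"


def _is_lower(c: str) -> bool:
    return "a" <= c <= "z"


def _is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def _is_alnum(c: str) -> bool:
    return _is_upper(c) or _is_lower(c) or _is_digit(c)


def policy_violations(password: str) -> list:
    """Return the names of the rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(_is_upper(c) for c in password):
        failures.append("no_uppercase")
    if not any(_is_lower(c) for c in password):
        failures.append("no_lowercase")
    if not any(_is_digit(c) for c in password):
        failures.append("no_digit")
    if not any(not _is_alnum(c) for c in password):
        failures.append("no_non_alphanumeric")
    return failures


# PBKDF2 parameters are assumptions; the page only states "PBKDF2 with a salt".
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


@dataclass(frozen=True)
class StoredPassword:
    """What the database keeps: parameters, salt and derived key, never the password."""
    iterations: int
    salt: bytes
    digest: bytes

    def encode(self) -> str:
        return f"pbkdf2-sha256${self.iterations}${self.salt.hex()}${self.digest.hex()}"

    @classmethod
    def decode(cls, record: str) -> "StoredPassword":
        algo, iterations, salt, digest = record.split("$")
        if algo != "pbkdf2-sha256":
            raise ValueError(f"unsupported record format: {algo}")
        return cls(int(iterations), bytes.fromhex(salt), bytes.fromhex(digest))


def set_password(password: str) -> StoredPassword:
    """Enforce the policy, then derive a fresh salted hash for storage."""
    violations = policy_violations(password)
    if violations:
        raise ValueError("password policy violated: " + ", ".join(violations))
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, HASH_BYTES)
    return StoredPassword(PBKDF2_ITERATIONS, salt, digest)


def verify_password(stored: StoredPassword, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored.salt,
                                    stored.iterations, len(stored.digest))
    return hmac.compare_digest(candidate, stored.digest)
```

Storing the iteration count alongside the hash is what lets a deployment raise the work factor later and re-hash each user transparently on their next successful sign-in; the policy check runs before any hashing so that a rejected password never reaches the key derivation.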

Change password

After signing in to the administration, any user can change their own account's password. There is no way to set or view another user's password, not even for administrators; a user who is locked out must use the Forgotten password flow described below.

  1. Select your account menu and open the Account page.
  2. Switch to the Password tab.
  3. Enter your current password and the new one.
  4. Select Save.

You now need to use the new password when signing in.

Reset password

If editors or other administration interface users forget their password, they may reset it, provided they have access to the email address specified for their account. They can do so via the Forgotten password link on the administration sign-in page.

A password reset must be confirmed from the affected user's mailbox. When submitting a password reset request, users enter their email address, and the request affects only the user account registered with that address. If the entered address does not match any registered user, no email is sent. If you customize the reset page, keep its response identical for matching and non-matching addresses so that the form cannot be used to enumerate which addresses have accounts. The email message content and metadata can be customized to better suit your desired language and tone. See ResetPasswordEmailMessageProvider on Administration - Forms authentication to learn more.

The main security benefits of this approach are:

  • The email never contains a password, only a single-purpose link, so neither a compromised mailbox nor mail in transit exposes a credential.
  • Reset links are only valid temporarily. The validity period can be set via AdminIdentityOptions.EmailOptions.LinkExpiration. See Administration - Forms authentication.
  • Reset links are single-use: once a reset has been completed with a link, that link is invalidated and cannot be used again.
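The flow described in this section, as an added example that is not Xperience's own code: a request for an unknown address produces no email and no distinguishable result, a request for a registered address produces a link whose token is stored only as a hash, and completing a reset honours both the expiration window and the single-use rule. The 24-hour window stands in for `AdminIdentityOptions.EmailOptions.LinkExpiration` but is an assumed value, the link URL is invented, the in-memory `outbox` replaces the real mailer, and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in for AdminIdentityOptions.EmailOptions.LinkExpiration; 24 hours is an
# assumed value for this example, not a product default.
LINK_EXPIRATION_SECONDS = 24 * 60 * 60


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Minimal model of a forgotten-password flow with expiring, single-use links."""

    def __init__(self, registered_emails, now=time.time):
        self._users = {e.strip().lower() for e in registered_emails}
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}       # token fingerprint -> ResetRecord
        self.outbox = []         # (recipient, link); constructed stand-in for the mailer

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only a hash of the token is persisted, so a leaked database row cannot
        # be turned into a working reset link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email: str) -> None:
        """Always returns None: known and unknown addresses produce the same result."""
        email = email.strip().lower()
        if email not in self._users:
            return               # no account: no email, and no error that reveals the difference
        token = secrets.token_urlsafe(32)
        self._records[self._fingerprint(token)] = ResetRecord(
            email=email, expires_at=self._now() + LINK_EXPIRATION_SECONDS)
        # Assumed link shape; the real administration path is not taken from the page.
        self.outbox.append((email, f"https://admin.example.invalid/reset?token={token}"))

    def complete_reset(self, token: str) -> Tuple[str, Optional[str]]:
        """Consume a link. Returns (status, email); set the new password only on 'ok'."""
        record = self._records.get(self._fingerprint(token))
        if record is None:
            return "invalid", None
        if record.used:
            return "already_used", None
        if self._now() > record.expires_at:
            return "expired", None
        record.used = True       # single use: the same link cannot complete a second reset
        return "ok", record.email
```

The status values are safe to show to the person holding the link, since they already possess the token; what must stay uniform is the response to the initial request, which is why `request_reset` returns nothing in both branches.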