Users¶
Users can perform a variety of actions in ThreatConnect depending on their user account type and their System and Organization role. In addition, users can be assigned to Workflow Cases, Workflow Tasks, and Task Groups.
Endpoint: /api/v3/security/users
Attention
Only API users with an Organization role of Organization Administrator can create, update, and delete users. API users with any other Organization role can only retrieve users.
Available Fields¶
You can retrieve a list of fields for the v3/security/users endpoint using the following query:
OPTIONS /v3/security/users?show=readonly
Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request for the users object:
| Field | Description | Type | Required for Creation? | Updatable? |
|---|---|---|---|---|
| disabled | Determines whether the user’s account is disabled | Boolean | FALSE | TRUE |
| firstName | The user’s first name | String | TRUE | TRUE |
| lastName | The user’s last name | String | TRUE | TRUE |
| locked | Determines whether the user’s account is locked | Boolean | FALSE | TRUE |
| logoutIntervalMinutes | The amount of time, in minutes, after which the user will be logged out of ThreatConnect | Integer | FALSE | TRUE |
| owner | The Organization to which the user belongs | String | TRUE | FALSE |
| ownerRoles | The user’s role within each Organization, Community, or Source to which they have access | String | TRUE | FALSE |
| password | The password for the user’s account | String | TRUE | TRUE |
| passwordResetRequired | Determines whether the user needs to reset their password the next time they log into ThreatConnect | Boolean | FALSE | TRUE |
| pseudonym | The user’s pseudonym | String | FALSE | TRUE |
| systemRole | The user’s System role (all System roles except API User may be used) | String | FALSE | TRUE |
| termsAccepted | Determines whether to present the user with ThreatConnect’s terms of service the next time they log into ThreatConnect | Boolean | FALSE | TRUE |
| twoFactorResetRequired | Determines whether to require the user to configure multi-factor authentication (MFA) for their account (or to reset MFA if the user already has it configured) | Boolean | FALSE | TRUE |
| uiTheme | Specifies whether to set the ThreatConnect user interface to a light or dark theme for the user (accepted values include “Light” and “Dark”) | String | FALSE | TRUE |
| userName | The username for the user’s account | String | TRUE | TRUE |
Create Users¶
Attention
Only API users with an Organization role of Organization Administrator can create users.
The basic format for creating a user is:
POST /v3/security/users
{
"firstName": "John",
"lastName": "Smith",
"userName": "[email protected]",
"password": "Password1!",
"owner": "Demo Organization",
"ownerRoles": {
"Demo Organization": "Organization Administrator"
},
"systemRole": "User"
}
For example, the following query will create a user account where the user will be required to reset their password and enroll in MFA after logging into ThreatConnect for the first time:
POST /v3/security/users
{
"firstName": "Herschel",
"lastName": "Hodges",
"userName": "[email protected]",
"password": "Password1!",
"owner": "Demo Organization",
"ownerRoles": {
"Demo Organization": "Organization Administrator"
},
"systemRole": "User",
"passwordResetRequired": true,
"twoFactorResetRequired": true
}
JSON Response
{
"data": {
"id": 12,
"userName": "[email protected]",
"firstName": "Herschel",
"lastName": "Hodges",
"owner": "Demo Organization",
"lastPasswordChange": "2022-09-07T12:11:13Z",
"uiTheme": "Light",
"termsAccepted": false,
"logoutIntervalMinutes": 0,
"systemRole": "User",
"disabled": false,
"locked": false,
"passwordResetRequired": true,
"twoFactorResetRequired": true
},
"message": "Created",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request for the users object.
Note
Creating users in bulk is not supported at this time.
Retrieve Users¶
When retrieving users, additional fields will be included in the response for API users with an Organization role of Organization Administrator. In the examples used in the following subsections, the response an API user with an Organization role of Organization Administrator will receive is labeled JSON Response (Organization Administrator):.
Retrieve All Users¶
To retrieve all users in the Organization in which your API user account resides, use the following query:
GET /v3/security/users
JSON Response:
{
"data": [
{
"id": 1,
"userName": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "JMS",
"owner": "Demo Organization",
"systemRrole": "Administrator"
},
{
"id": 2,
"userName": "[email protected]",
"firstName": "Pat",
"lastName": "Jones",
"pseudonym": "patjones",
"owner": "Demo Organization",
"systemRrole": "User"
},
{
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
"systemRrole": "Api User"
},
{...}
],
"status": "Success"
}
JSON Response (Organization Administrator):
{
"data": [
{
"id": 1,
"userName": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "JMS",
"owner": "Demo Organization",
"lastLogin": "2022-09-07T12:19:42Z",
"lastPasswordChange": "2022-08-04T16:24:25Z",
"uiTheme": "Light",
"jobFunction": "Threat Intelligence",
"jobRole": "Analyst",
"termsAccepted": true,
"logoutIntervalMinutes": 240,
"systemRole": "Administrator",
"ownerRoles": {
"Demo Organization": "Organization Administrator",
"Demo Community": "Director",
"Demo Source": "Director"
},
"disabled": false,
"locked": false,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
{
"id": 2,
"userName": "[email protected]",
"firstName": "Pat",
"lastName": "Jones",
"pseudonym": "patjones",
"owner": "Demo Organization",
"lastLogin": "2022-09-07T11:27:12Z",
"lastPasswordChange": "2022-09-02T09:13:02Z",
"uiTheme": "Dark",
"jobFunction": "Incident Response",
"jobRole": "Analyst",
"termsAccepted": true,
"logoutIntervalMinutes": 30,
"systemRole": "User",
"ownerRoles": {
"Demo Organization": "Standard User",
"Demo Community": "Director",
"Demo Source": "Director"
},
"disabled": false,
"locked": false,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
{
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
"lastPasswordChange": "2022-05-03T14:51:55Z",
"termsAccepted": false,
"logoutIntervalMinutes": 30,
"systemRole": "Administrator",
"ownerRoles": {
"Demo Organization": "Organization Administrator",
"Demo Community": "Director",
"Demo Source": "Director"
},
"disabled": false,
"locked": false,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
{...}
],
"status": "Success"
}
Retrieve a Single User¶
To retrieve a specific user in the Organization in which your API user account resides, use a query in the following format:
GET /v3/security/users/{userId}
For example, the following query will return information about the user with ID 3:
GET /v3/security/users/3
JSON Response:
{
"data": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
"systemRole": "Api User"
},
"status": "Success"
}
JSON Response (Organization Administrator):
{
"data": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization",
"lastPasswordChange": "2022-05-03T14:51:55Z",
"termsAccepted": false,
"logoutIntervalMinutes": 30,
"systemRole": "Administrator",
"ownerRoles": {
"Demo Organization": "Organization Administrator",
"Demo Community": "Director",
"Demo Source": "Director"
},
"disabled": false,
"locked": false,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
"status": "Success"
}
Request Additional Fields¶
To request additional fields not automatically included with each returned object, refer to Include Additional Fields for Returned Objects.
Filter Results¶
To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.
Update Users¶
Attention
Only API users with an Organization role of Organization Administrator can update users.
The basic format for updating a user is:
PUT /v3/security/users/{userId}
{
{updatedField}: {updatedValue}
}
For example, the following query will disable and lock the account for the user with ID 11:
PUT /v3/security/users/11
{
"disabled": true,
"locked": true
}
JSON Response
{
"data": {
"id": 11,
"userName": "[email protected]",
"firstName": "Donald",
"lastName": "Jefferson",
"owner": "Demo Organization",
"lastPasswordChange": "2022-08-30T12:45:17Z",
"uiTheme": "Light",
"termsAccepted": true,
"logoutIntervalMinutes": 30,
"systemRole": "User",
"ownerRoles": {
"Demo Organization": "Standard User",
"Demo Community": "Director",
"Demo Source": "Director"
},
"disabled": true,
"locked": true,
"passwordResetRequired": false,
"twoFactorResetRequired": false
},
"message": "Updated",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request for the users object.
Note
Updating users in bulk is not supported at this time.
Delete Users¶
Attention
Only API users with an Organization role of Organization Administrator can delete users.
The basic format to delete a user is:
DELETE /v3/security/users/{userId}
For example, the following query will delete the user with ID 10:
DELETE /v3/security/users/10
JSON Response
{
"message": "Deleted",
"status": "Success"
}
Note
Deleting users in bulk is not supported at this time.