Set User Account Password

[roxburn]

Is there a method to set a user's account password using the API? I'm scripting a user account creation process and this is the one aspect I haven't managed to figure out. Looking at the schemas, there's no property that looks like it would do it. Sending an invitation email seems like the best route but it's not our current manual method and I'd rather not change it if possible.

I'm working with the rest api endpoint using powershell if that's relevant. I don't believe it leaves me without any features of the api clients.

[Patrick Boucher ftrack]

Hi, @roxburn!

Unfortunately, you can't currently set a user's password via the API. You can invite a user^[1], or reset their password (they get a reset email and get to choose their new password), but you can't provide the password yourself.

Alternatively, depending on your ftrack license, you can also configure Single Sign-On via SAML^[2]. This would allow you to entirely bypass the need to have your own custom user synchronization tools.

In the short term I can share your use case with our product team but the above are your current options.

Cheers,
Patrick

[1] https://ftrack-python-api.readthedocs.io/en/latest/example/invite_user.html
[2] https://help.ftrack.com/en/articles/1430063-single-sign-on-via-saml

[roxburn]

Thank you very much for the answer Patrick. We're not quite at the point where we can implement SSO so that's where I'm left trying to automate old manual processes.

Is the reset password action the same as invite user? I don't see a different one in the docs. I think it could be useful in the future for me.

[Patrick Boucher ftrack]

I understand the situation you're in. Sorry I don't have better news for you.

In regards to the password reset, here's how you can initiate that from the API:
https://ftrack-python-api.readthedocs.io/en/stable/working_with_entities.html?highlight=status#server-side-reset-of-entity-attributes-or-settings

Just change `api_key` in that example to `password` and it should initiate the password reset for you.

[Patrick Boucher ftrack]

My above statement was incomplete.

The backend currently supports _changing_ a password, not initiating a password reset flow.

The process of changing a password requires the previous password. Here is how you would proceed:

payload = {
    'action': 'reset_remote',
    'reset_type': 'password',
    'entity_type': 'User',
    'entity_key': some_user_id,
    'entity_data': {
        'old_password': current_password,
        'new_password': new_password
    }
}
session.call([payload])

The above is currently undocumented and not officially supported. Your mileage may vary. I'll be seeing with colleagues if we want to edit the Python API to better support this in the API or extend this to initiating a reset flow.

[roxburn]

Thanks a lot Patrick, I can see where this would be useful. It would satisfy my requirements if I could find out what the default password is for new accounts that haven't set one yet. I assumed it would be null or an empty string but they both returned as the wrong password. Unless you happen to know what it is it looks like I'll still have to go with the invitation route.

[Patrick Boucher ftrack]

For security purposes, when a user is newly created and the invite flow has been initiated (i.e. the password was not manually set for them via the UI), the password is randomly generated and nobody knows it. This means only the user can log in after having gone through the invite flow and having reset their password.

I've submitted a request for feature enhancement regarding programmatic management of passwords and user provisioning to our product team on your behalf.

Edited January 27, 2022 by Patrick Boucher
Added the feature request after this reply.