UserProfile

UserProfile Type

Audience: Programmer

Represents a comprehensive user profile containing authentication information, tenant associations, and role assignments. UserProfile provides a consolidated view of user data across the identity provider and internal system, supporting multi-tenant access patterns.

Fields

| Field | Type | Description |
|---|---|---|
| UserID | UUID! | Internal user identifier |
| Username | String! | Username for authentication |
| Email | String! | User's email address |
| FirstName | String! | User's first name |
| LastName | String! | User's last name |
| TenantID | UUID! | Primary tenant identifier |
| TenantName | String! | Name of the primary tenant |
| AssignedRoles | [UserRoleTuple!]! | Deprecated - List of role-tenant tuples. Use Tenants field instead |
| Tenants | [UserTenants!]! | List of accessible tenants with role assignments |

Usage Example

query {
  me {
    UserID
    Username
    Email
    FirstName
    LastName
    TenantID
    TenantName
    # Use Tenants for multi-tenant access
    Tenants {
      ID
      Name
      Role
    }
  }
}

Authentication Context

UserProfile is typically used to retrieve the current authenticated user's information, as in the me query shown in the usage example above.

Role-Based Access

The Tenants field provides tenant-specific role assignments, replacing the deprecated AssignedRoles field:

  • Multi-Tenant Support: Users can have different roles in different tenants

  • Authorization Decisions: Role-based access control within tenant context

  • UI Customization: Adapt interface based on tenant-specific permissions

  • Feature Availability: Enable/disable features based on role and tenant

  • Audit Logging: Track actions with full tenant and role context

Migration from AssignedRoles

The AssignedRoles field is deprecated. Applications should migrate to the Tenants field.

Tenant Association

UserProfile establishes the connection between users and their tenants (companies/organizations):

  • TenantID: Primary tenant identifier for the user

  • TenantName: Human-readable name of the primary tenant

  • Tenants: Complete list of accessible tenants with role assignments

Primary vs. Multiple Tenants

  • The TenantID and TenantName fields represent the user's primary tenant

  • The Tenants array contains all tenants the user has access to

  • Users can switch between tenants while maintaining appropriate role-based access

Identity Provider Integration

UserProfile bridges internal user management with external identity providers:

  • UserID: Internal pyck user identifier

  • External identity provider integration is handled transparently

  • Tenant associations are synchronized with the identity provider

Common Use Cases

  • User Authentication: Verifying user identity and retrieving basic profile information

  • Authorization: Checking user roles and permissions for access control

  • User Interface Personalization: Customizing the UI based on user preferences and roles

  • Audit Logging: Recording user actions with complete profile context

  • Multi-Tenant Operations: Managing access across multiple tenants with appropriate role-based permissions

  • Role Management: Displaying and managing user role assignments

Security Considerations

  • UserProfile contains sensitive information and should only be accessible to authenticated users

  • Role information should be used for authorization decisions throughout the application

  • Tenant isolation must be enforced based on the active tenant context from the Tenants list

  • Identity provider integration requires secure token validation

Integration with Identity Providers

UserProfile is designed to work with external identity providers like Zitadel:

  • Synchronizes user information from the identity provider

  • Maintains mapping between internal and external user identifiers

  • Supports single sign-on (SSO) workflows

  • Handles role synchronization from external systems

Best Practices

  • Always validate user authentication before returning profile information

  • Use role information consistently across the application for access control

  • Implement proper tenant isolation using the selected tenant from the Tenants list

  • Keep user profile information synchronized with the identity provider

  • Log user profile access for security auditing

  • Consider caching profile information for performance while maintaining security
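Added example (not from the original page or the pyck project): one way a service consuming the me query could enforce the tenant isolation described under Security Considerations and Best Practices, taking the caller's role only from the matching Tenants entry. It assumes Role is returned as a string; the role names, ROLE_RANK, the helper names and the sample profile are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from uuid import UUID

# Assumption: role names and their ranking are hypothetical; the page defines none.
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}

# Constructed sample of a `me` response (only the fields this check reads).
SAMPLE_PROFILE = {
    "UserID": "11111111-1111-4111-8111-111111111111",
    "TenantID": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
    "TenantName": "Acme",
    "Tenants": [
        {"ID": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "Name": "Acme", "Role": "admin"},
        {"ID": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "Name": "Globex", "Role": "viewer"},
    ],
}

class TenantAccessDenied(Exception):
    """The profile does not grant the requested tenant or role."""

@dataclass(frozen=True)
class TenantContext:
    user_id: UUID
    tenant_id: UUID
    tenant_name: str
    role: str

def resolve_tenant_context(profile: dict, requested: Optional[str] = None) -> TenantContext:
    """Resolve the active tenant and role only from profile["Tenants"].

    With no request, the primary TenantID is used, and it must still appear in Tenants.
    """
    try:
        # Compare parsed UUIDs so case or formatting differences do not affect the match.
        wanted = UUID(profile["TenantID"] if requested is None else requested)
    except (ValueError, TypeError, AttributeError):
        raise TenantAccessDenied("malformed tenant id") from None
    for tenant in profile.get("Tenants", []):
        if UUID(tenant["ID"]) == wanted:
            return TenantContext(UUID(profile["UserID"]), wanted, tenant["Name"], tenant["Role"])
    raise TenantAccessDenied(f"no access to tenant {wanted}")

def require_role(ctx: TenantContext, minimum: str) -> TenantContext:
    """Fail closed: a role missing from ROLE_RANK ranks 0 and satisfies nothing."""
    if ROLE_RANK.get(ctx.role, 0) < ROLE_RANK[minimum]:
        raise TenantAccessDenied(f"role {ctx.role!r} in {ctx.tenant_name!r} is below {minimum!r}")
    return ctx
```

The returned TenantContext carries the user, tenant and role together, so the same object can scope data queries and be written to the audit log.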
