Question about the expected behaviour of a User Provider espace

We have a problem with an espace "XYZ" that is set as User Provider (is user provider=yes).
This user provider espace "XYZ" is used by another app "ABC" (with user provider espace=XYZ).
Now users can register via ABC in XYZ as a new user. This works and user can login to ABC and so on.

However, if I look in my user provider XYZ I not only see users created via this espace but ALL users (system wide). I would expect that I can see and use only my XYZ users and not all of them.

I know that working with a user provider creates a new tenant and that all users created via this user provider gets this tenant. So I would expect to see just the users of this tenant.

Is this expection correct?

Because we tried several things but see every time not a subset but the whole user database.

Hans -

It should be restricted not to the "tenant" but to the users within the user provider. Are you sure you are seeing "all users" including the users for Service Center/Lifetime? If you are making a multi tenant application things get slightly more complicated too.


The mulit tenant part is not a choice, this is how OS works with user providers 'under water'. We didn't set or do anything with multi tenancy (besides some test to see if it would make a difference. It didn't.).

And yes, I see users within my user provider that are not created with the user provider; that is the problem here.
We don't understand why we see all users and not only the users created within the user provider.
Hi Hans,

Can you check if you have the "Show Tenant Identifier" option selected in your Users entity advanced properties? (it will show as Red in he tree instead of he usual Blue)

That option allows seing entries from all the tenants and you are resposible from filtering it from your tenants, by joining with the Espace_Tenant entity.
Also that option should be avoided (/used carefully) and should only be used in modules that need to manage multitenant applications.

João Rosado
Hi João,

I understand that this is how you work with multitenancy however my big question is does this also always apply to User Provider espaces?

SInce SS makes a User Provider 
automatically under the hood a multitenant table we expected (logically) that SS would also automatically under the hood dealt with this. If this is not the case then this feels like a half-implemented solution to us.

We have no need for multitancy so we were hoping to avoid the 'treat it as a multitenancy application' scenario. 


Hi Hans,

No, it does not always apply to user provider espaces.
If you are using the Users entity (make sure it isn't the UsersMT entity) and it does not appear as red in the tree, then it's a bug and you should contact OutSystems Support on that.

João Rosado
In my "XYZ" user provider I use the User entity (from System). After setting the advanced setting it now appears as red in the tree. The Users aggregate in the UserProvider still gives all users.

In the MsSQL database we saw that "XYZ" should have tenant 135 and System has 22.
We now see in the aggregate that all users (including the ones created in "XYZ") have tenant 22; which is totally confusing...

"No, it does not always apply to user provider espaces."
Can you elaborate on that? Because this is the core question for me.
We just discovered that our Acception server has the expexted behavior while being the same app with the same source. We are now looking at the MsSql OS system data and see some difference between Dev en Acc. Maybe we have find the problem, will let you know.
Hi Hans,

What I meant in my previous reply is that as you expected it should work "automatically under the hood".
The correct color for the entities is blue. Having them in red means that you want to handle the TenantIds manually. So keep the "Show Tenant Identifier" set to false to keep it automatic.

João Rosado
Thank you, that was indeed the expected behaviour but since it worked differently there was some confusing.
We saw that the tenant entity has is_active=false for "XYZ" (UserProv) en "ABC". Therefore is seems to default to the user tenanty that is active. On our Accept server both "XYZ" and "ABC" related tenants are True.

We expect this to be the source of the problems but are not sure how to fix these without doiing it directly in the MsSql tabel.
Ok we fixed the problem and are thinking it's a kind of a bug in outsystems. 
The funny thing is it worked at our Acceptance server without a problem, just on dev its a problem. I did a compare of both environments and found out in the espace system table the tenant was still on the users espace. Searching a bit more turned out the espace_version system table did show the correct tenant name and key on our app. After changing the tenant name and key in the espace system table, republish both apps and testing again it now worked correctly. the user is now generated with the correct tenant in the user table. We also fixed all the users by updating the tenants for the correct users the our userprovider tenant id and now everything works. 
Now the why .. I suspect OutSystems will not change the tenant on a running system because then all data will be invissible if you don't change all tenant id's .. maybe it's not working by design. But would be nice if this was displayed in a message when you change the tenant. 
The script to correctly set the espace provider and user : 
update [dbo].[ossys_Espace] set USER_PROVIDER_NAME = '', USER_PROVIDER_KEY = '' where id = 141 and name = 'XYZ'
update [dbo].[ossys_Espace] set USER_PROVIDER_NAME = 'XYZ', USER_PROVIDER_KEY = '4d0e0b5a-2104-404c-a87c-7b83eca89268' where id = 137 and name = 'ABC'

next update the user table to the correct tenant:
select id from ossys_Tenant where name = 'XYZ'
update ossys_User set TENANT_ID = [previously found tenantid] where CHARINDEX('@',username,0) > 0 and tenant_id = 22 (22 = tenantid of users)

Our users generated by our own user provider are stored with an email adress as username so easily distinguishable from the normal users.


Yes I would say you can consider it a bug.
Didn't test it, but I think that what happened was that when you changed your non-user provider espace to be a user provider it kept that value set in the Name/Key. I'm pretty sure that it is used for the "Effective User Provider" Setting that can be configured in Service Center.

What happened is that the Platform tought you had a Effective User Provider set, instead of understanding that you were actually making your eSpace a User Provider.
So you could have fixed it directly in Service Center (and republishing both eSpaces) instead of the first 2 queries.

As for the last part, that one is the expected behavior. users created previously in the tenants of one User Provider and not automatically moved to the new ones.
Not sure if you had the users in the wrong tenant because of the first problem, of if you already had users created previous to creating your new User Provider espace.
Either way that must be a manual process to transfer the users, like you did.

João Rosado