How to manage users and roles?


The goal of this how-to is to explain how you can manage your application's users with the Users management application.

Managing Users

  1. Type the following URL in your web browser: "http://<SERVERNAME>/Users" where <SERVERNAME> is the host name of the server you're working on. The login page should be displayed.
  2. Fill in the credentials of an administrator user and press the 'Login' button.

    By default, a user “admin” with the password “admin” is created for you. If you haven't changed them yet, use those to fill the credentials inputs.
  3. And you're in! Welcome to the Users management console.

Adding Users

  1. Select the 'Users' tab and click on 'Create new User';

  2. Fill in the user data as depicted;

  3. Press the 'Save' button, a success feedback message should be displayed;

  4. And you're done! This user is ready to log in to any application.

Using Roles And Groups

Users can be assigned with a Role to be granted access to specific screens. In addition you'll also be able to use Roles to enable/disable access to other application elements like buttons, containers, etc. or to condition your application's logic.

Roles are defined at development time in Service Studio and are automatically made available in the Users application.

  1. To create a Role, go to Service Studio and under Logic, right click the roles folder and pick 'Add Role'. You'll have to publish your application, for the role to be made available in the Users application.

  2. To assign a Role to a user, you'll need to access the Users application at "http://<SERVERNAME>/Users" (where <SERVERNAME> is the host name of the server you're working on):

    To learn more about using Roles to restrict access to screens or condition your application's logic, go to OutSystems Service Studio Online Help at
  3. You may need to group users to simplify management of large sets of users. You can do this by using Groups to aggregate users or roles:

Integrating with Active Directory

  1. Make sure the Platform Server is inside the Active Directory Domain you want your users to authenticate with.

  2. Type the following URL in your web browser: "http://<SERVERNAME>/Users" where <SERVERNAME> is the host name of the server you're working on. The login page should be displayed.

  3. Click the 'Configure Authentication' link on the right.

  4. Fill in the form as depicted below and click 'Save'

  5. And you're done!

Hi Mario

Nice piece of work :-)

Can you explain what's happening in the User : User_Login action?
I cannot access this action because it seems to be protected... :-(

How to use authenticated users which are already logged in via Windows?
Previously we (re)used Login_WithDomainAccount.

Hi Joop,

The User_Login action has the following behavior:
- if found local user with password,
     - login with local user;
- if active directory is on
     - if Authentication.ValidateLogin(username,password) is ok
         - create or update user

The Authentication.ValidateLogin API uses the server domain controller to validate the login.

If you turn on Windows Integrated Authentication, the login flow is redirected to a custom url  (as defined by the User_GetUnifiedLoginUrl), and the User_Login action is not used.

Let me know if you need more details.
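
A minimal Python model of the User_Login flow described in the reply above, added here as an illustration and not OutSystems code: `UsersModel`, `derive`, `fake_validate` and the sample accounts are hypothetical, and the password storage is an assumption. It shows that in this flow a matching local password (such as the default admin/admin from the how-to) is accepted before the directory is consulted, and that a directory-validated user gets a record on first login.

```python
import hashlib
import hmac
import os


def derive(password, salt):
    # Password storage here is an assumption of this model, not the platform's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UsersModel:
    def __init__(self, ad_enabled, validate_login):
        self.ad_enabled = ad_enabled
        self.validate_login = validate_login  # stands in for Authentication.ValidateLogin
        self.users = {}  # username -> (salt, hash), or None if directory-provisioned

    def add_local(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, derive(password, salt))

    def login(self, username, password):
        rec = self.users.get(username)
        # Branch 1: a local user with a matching password logs in locally.
        if rec and hmac.compare_digest(rec[1], derive(password, rec[0])):
            return "local"
        # Branch 2: reached only when branch 1 fails and Active Directory is on.
        if self.ad_enabled and self.validate_login(username, password):
            self.users.setdefault(username, None)  # create or update user
            return "directory"
        return "denied"

    def local_password_accounts(self):
        # These accounts never reach the directory check; review them once AD is on.
        return sorted(name for name, rec in self.users.items() if rec)


# Constructed sample data: one directory account plus the default local admin.
DIRECTORY = {"alice": "S3cure-Example!"}


def fake_validate(username, password):
    return username in DIRECTORY and hmac.compare_digest(
        DIRECTORY[username].encode(), password.encode())


model = UsersModel(ad_enabled=True, validate_login=fake_validate)
model.add_local("admin", "admin")
```

After enabling Active Directory, `local_password_accounts()` lists the accounts whose local passwords still need to be changed or removed.
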
Is it possible to customize the Users application (to add new attributes, for instance)? Service Studio doesn't let me open it, because it is a "System" eSpace. Can I clone it and build my own?
Hi Ricardo,

How are you?

One way I've done it in past projects - not with 6.0, of course :) - is to create a second entity, let's say UserExtended, and then create the new attributes there, and have a UserId to relate each User's record to the UserExtended ones. Would this do the trick?


Paulo Tavares
Hi Paulo,

Yes, thanks, that's exactly what I intend to do. The problem is that I would like to use the new "Users" application to update those new attributes also, but since I can't open it in Service Studio (don't know why!), I would have to build a whole new application from scratch to maintain both my entities and system ones (if the platform allows a user application to update system entities, I don't know yet).

Has anyone gone through this ?


I see the issue. Still, it might be a good idea to create a new entity that extends the original one, with the new attributes, and then create new Actions which will encapsulate the Create, Read, Delete and Edit users, updating what needs to be updated in the Users eSpace entities as well as in the new attributes in the extended entity.

Afterwards, you should use these actions at all times. Does this make sense?

You probably can't open the eSpace because it is a system eSpace. 

Let us know if this helps!


Paulo Tavares

I am new to using the platform. It seems that the users for logging in to the server are set in the platform. What if I have an existing database, and the users for logging in are in my database? How can I use my database and not the users in the platform itself? Having a hard time on this one. Thank you in advance.

Is there a way to convert existing user data from 5.1 (Enterprise Manager, USER_MASTER) to 6.0 (Users user provider)?

Basically, we want to migrate our 5.1 applications from EM to 6.0 with Users, without having to recreate all our existing users.
I've found out how to change the User Provider per eSpace, so new users are not the problem.
What is the process of onboarding users into the system for the first time and ongoing?
I have a very large user base and it is very volatile in nature. Is there a way to add the users into the system as they log in for the first time?
This way I do not need to seed the user database with all the users on my first deployment.
Please advise.
One of the things I used to do through Enterprise manager is maintain my groups and group/user associations in Active Directory. For each user I would synchronize their group membership from AD into permission areas in EM, and then use these permission areas in my applications. That way I could handle the Role management completely in AD, not having to touch the platform. Is that still an option?
How in the world do I get my application to show up as an application under "Users"? I have it using "Users" as the user provider, what else do I need to do to get it into the list?

Out of my head:
in 6.0? I assume you simply set the property "Application" to yes in the espace?
Joost - My mistake for not being clearer, I'm using 7.0. In 6.0, that's how it worked.

I figured it out, need to set a "Front Office" and a "Back Office" eSpace for the application.

Unfortunately, if your roles aren't in your front and back office eSpaces, they don't show in the v7 Users app. We have our roles in another eSpace so they can be shared to multiple front ends e.g. web and mobile web apps, but these are ignored by the system.
Hi Iain,

If you try to add a Role to a user (on the User show/edit screen), from an eSpace that belongs to an Application that is either a Front Office or a Back office, doesn't this appear to be selected as well?

Best regards,
Renato Gonçalves
Hi Renato, sorry I wasn't specific enough. If, in the Users app, I go into the Applications page, it shows my app as having no active users. If I then click on the app in that list, it says there are 'No roles to show'. The app does use roles, but the roles are not contained in the front office or back office applications - they are in a dedicated eSpace just for the roles - this eSpace is then referred to by the f/o and b/o applications.

The roles themselves are available to add to users directly, but it's the integration with the applications that seems faulty.

Cheers, Iain
Never paid attention to it, but you are right.
referenced roles are not taken into account in the users-espace
Hi there,

Is it possible with the new Users eSpace, to define which is the user entry point, for Role? Like we did in the EM.


Best Regards,
Nuno Mendes wrote:
Hi there,

Is it possible with the new Users eSpace, to define which is the user entry point, for Role? Like we did in the EM.


Best Regards,
 Hi Nuno,

I confirm we don't have the user entry point concept in the Users espace. You need to code it directly in your application login flow.

Thanks Lucio,

That is what I'm doing. But I think it was a cool feature that we have lost. Maybe many people don't use it... But sometimes it helps.

Best Regards,
Hello can someone help with a question.

My application doesn't show up in the applications tab in the users...

But strangely enough the roles appear to be selected and to be added to the users .  
Can someone give me some pointers on this question? 
Nuno -

In your application, make sure that you have an eSpace marked as "Front Office" and another marked as "Back Office", that seems to make a difference, I have found.

Hello Guy,

I changed the configuration on my server, and afterwards, when I access it, my server shows this error message:

Erro de Servidor no Aplicativo '/Users'.

Acesso negado.

Descrição: Erro ao acessar os recursos necessários para atender esta solicitação. Talvez o servidor não esteja configurado para acessar o URL necessário. 

Mensagem de erro 401.2.: Não autorizado: falha no logon devido à configuração do servidor. Verifique se você tem permissão para exibir esse diretório ou página com base nas credenciais fornecidas e nos métodos de autenticação habilitados no servidor Web. Contate o administrador do servidor Web para obter assistência adicional.
Hi all,

We have 2 different ADs, one for each company. With Company A everything works great but with Company B we can't log in. We have Authentication = Active Directory and Windows Integrated Authentication = True. We've tested with Default Domain = COMPANY_A and also empty Default Domain.
Can anyone help me with this problem?

Ricardo Brito
Edge Innovation
Ricardo, you mean two AD's in the same application?

First, Company B is not in Company A domain. Second, "both the client and front-end server must be in the same domain and must have an Active Directory that stores information about the end-users and their credentials" can be read at the end of help page. Integrated Authentication is meant to be used inside an organization. Not inside two!

What you can do is create a timer to copy login credentials from both AD to your user database and then ask for username/password that will be the same as in AD and easier to remember, but that isn't in any way an integrated authentication.
Hi Nuno,
Yes, two different AD's in different domains because we have two companies inside our organization.
We have in Users the data from both companies and turning off Integrated Authentication we can't successfully log in with any company. It's supposed to work for both with this feature turned off.
In ../Users/Login.aspx we never can log in with both companies.

We solved our problem with the ADs. It's not necessary that both ADs have the same parent. It was just a connection that was necessary to configure in the server so both ADs can interact.
Hi team,
I have a 'Userextension' module to add more attributes to the user. But it doesn't work for the existing user. I have to create a module which helps me to add some more attributes to the user which is already existing in 'User/roles'. How is it possible?
what do you mean it does not work?

it would be just a join on users with your table ?

Hi j, Thanks for your response. Yes, I have to do that. Can I do that in sources? Or do I have to add a query to join two different tables in different modules?
Here's my guess at the issue. You have the normal User entity which has at least one user, the administrator (whoever that is), possibly more. You then created the UserExtension entity and the appropriate web screens to manage this. Normally, the administrator isn't really using the application so not having a related record is not an issue. If you really need that or you created other Users, you need to create an action that uses an aggregate to find the mismatches and create UserExtension records for each of them. Alternatively, just delete and recreate those users. DON'T DELETE THE ADMINISTRATOR!!!

You probably know this but the standard 'out of the box' user screens shown in this thread know nothing of your extension.  You need to create new screens to handle the additional data.

Hope this helps,
Thanks Curt.. It helps..!


Can someone explain to me the relationship between http://<SERVERNAME>/Users and the "Users & Roles" page in http://<SERVERNAME>/Lifetime? It seems that users created in the Lifetime environment do not have access to apps in Outsystems Now. Does one need to add a separate user-id in the Users environment for that? How does app authorization in Outsystem Now work?

Hi Frans,

In http://<SERVERNAME>/Users you have all the Runtime users (your application end users)

In http://<SERVERNAME>/Lifetime you have all your developers.


Renato Gonçalves

Renato Gonçalves wrote:

Hi Frans,

In http://<SERVERNAME>/Users you have all the Runtime users (your application end users)

In http://<SERVERNAME>/Lifetime you have all your developers.


Renato Gonçalves

Hi Renato,

So, a developer does not have access to an app unless he/she also has a separate account in the users environment?


Imagine, for example, a Production environment where you want your developers/consultants to be able to publish and correct the applications, but you don't want them to access the application itself as it has sensitive data. This way you can control this.


Some clarification is needed here.

* All user records are associated with an eSpace.

* Every eSpace has a property that chooses which eSpace is its "User Provider".

* The only users that an eSpace can "see" are users that are associated with the "User Provider" eSpace.

* BY DEFAULT your new eSpaces are created with the "Users" eSpace as the "User Provider". This may be changed at any time.

This means that 1) you do not NEED to use "Users" and 2) applications can completely separate their user groups simply by having different User Providers and 3) all eSpaces in an Application (and related Applications) should share the same User Provider, or else they won't know what's going on.


I guess this is an appropriate place to ask my question:

What to do if you lost access to /Users? I only have one administrator as far as i know, and we don't know the password anymore. admin/admin doesn't work.

How can I reset the password or any other means to regain access?

Kilian Croese wrote:

I guess this is an appropriate place to ask my question:

What to do if you lost access to /Users? I only have one administrator as far as i know, and we don't know the password anymore. admin/admin doesn't work.

How can I reset the password or any other means to regain access?

Hi Kilian,

You should contact OutSystems Support, they can help you recover the Admin user password.

Renato Gonçalves

I am using OutSystems Platform 10.

It is configured to use Active Directory authentication for application login.

How do I add an existing user in Active Directory into the application users list?

http://<my environment>/Users/