---
title: Self-service end user UI
description: This topic includes procedures to verify functionality from an end user point of view. Some options described can be used to help support compliance with the General Data Protection Regulation (GDPR).
component: pingidm
version: 7.5
page_id: pingidm:self-service-reference:end-user-ui
canonical_url: https://docs.pingidentity.com/pingidm/7.5/self-service-reference/end-user-ui.html
keywords: ["JSON", "Account", "User Interface", "Configuration", "Authentication", "Self-Service", "User Self-Service"]
section_ids:
  uss-localization: Localize the end user UI
  ui-path: Change the end user UI path
  ui-external-logout: Provide a logout URL to external applications
  section-my-account: "Privacy: my account information in the End User UI"
  my-account-personal: Personal information
  my-account-signin: Sign-In & security
  my-account-preferences: Preferences
  my-account-devices: Trusted devices
  my-account-apps: Authorized applications
  my-account-privacy: Personal data sharing
  my-account-controls: Account controls
---

# Self-service end user UI

This topic includes procedures to verify functionality from an end user point of view. Some options described can be used to help support compliance with the General Data Protection Regulation (GDPR).

For information about customizing the End User UI, refer to the GitHub repository: [ForgeRock/end-user-ui](https://github.com/ForgeRock/end-user-ui).

## Localize the end user UI

The End User UI is configured in US English. For more information on how to localize and modify the messages in the End User UI, refer to [Translations and Text](https://github.com/ForgeRock/end-user-ui).

## Change the end user UI path

By default, the End User UI is registered at the root context and is accessible at the URL `https://localhost:8443`. To specify a different URL, edit the `project-dir/conf/ui.context-enduser.json` file, setting the `urlContextRoot` property to the new URL.

For example, to change the End User UI URL to `https://localhost:8443/exampleui`, edit the file as follows:

```
"urlContextRoot" : "/exampleui",
```

Alternatively, to change the End User UI URL in the admin UI, follow these steps:

1. Log in to the admin UI.

2. From the navigation bar, click Configure > System Preferences, and select the Self-Service UI tab.

3. Specify the new context route in the Relative URL field.

4. Click Save.

## Provide a logout URL to external applications

By default, an End User UI session is invalidated when a user clicks on the Log out link. In certain situations, external applications might require a distinct logout URL to which users can be routed, to terminate their UI session.

The logout URL is `#logout`, appended to the UI URL; for example, `https://localhost:8443/#logout/`.

The logout URL effectively performs the same action as clicking on the Log out link of the UI.

## Privacy: my account information in the End User UI

While end users can find their information in the End User UI, you can use REST calls and audit logs to find the same information. Some of the information in this section, such as Trusted Devices and UMA-based sharing, may require integration with PingAM (AM), as described in the [sample platform setup](https://backstage.forgerock.com/docs/platform/7.3/platform-setup-guide/preface.html) documentation.

What the end user sees after logging in to the End User UI depends on which features are configured.

* When you log in to the End User UI, you'll be taken to the IDM Profile page, with at least the following information under the Settings tab:

  * Account Security

  * Preferences

  * Account Controls

* At a minimum, the left panel displays the Dashboard and Profile buttons. If you've configured UMA as described in [UMA, trusted devices, and privacy](uma-trusted-gdpr.html), you'll also see a Sharing button. To see descriptions, click the Menu button:

  ![endUserIcons](_images/endUserIcons.png)

* When you add features, additional options display on the profile page:

  **Information in the End User Profile Page**

  | Title                   | Description                                | Section                                                                             |
  | ----------------------- | ------------------------------------------ | ----------------------------------------------------------------------------------- |
  | Account Security        | Password and Security Questions, default   | [Security questions](selfservice-questions.html)                                    |
  | Social Sign-in          | Links to Social Identity Provider Accounts | [Social registration](social-id.html)                                               |
  | Authorized Applications | Applications that can access an account    | [Authorized Applications](#my-account-apps)                                         |
  | Trusted Devices         | Based on system and browser                | [Configuring Trusted Devices on IDM](uma-trusted-gdpr.html#section-trusted-devices) |
  | Preferences             | Default                                    | [User preferences](enduser-preferences.html)                                        |
  | Personal Data Sharing   | Provides control                           | [Personal Data Sharing](#my-account-privacy)                                        |
  | Account Controls        | Includes collected account data (Default)  | [Account Controls](#my-account-controls)                                            |

### Personal information

To view account details in the End User UI, a user clicks the Profile button > Edit Personal Info. By default, user information includes at least a Username, First Name, Last Name, and Email Address.

Each user can modify this information as needed, as long as `"userEditable" : true` for the property in your project's `managed.json` file. For more information, refer to [Create and Modify Object Types](../objects-guide/managed-objects.html#creating-modifying-managed-objects).
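Because `userEditable` decides which attributes an end user can change on their own record, it is worth reviewing which properties set it. The following is an added example, not code from the IDM product or its documentation: the sample JSON is constructed in the shape of `managed.json`, and `REVIEW_LIST` and the function name are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of conf/managed.json; not taken from a real deployment.
SAMPLE_MANAGED_JSON = """
{"objects": [{"name": "user", "schema": {"properties": {
    "userName":        {"type": "string", "userEditable": true},
    "mail":            {"type": "string", "userEditable": true},
    "accountStatus":   {"type": "string", "userEditable": true},
    "password":        {"type": "string", "userEditable": false},
    "telephoneNumber": {"type": "string", "userEditable": "true"},
    "description":     {"type": "string"}
}}}]}
"""

# Assumption: properties this reviewer does not expect end users to change themselves.
REVIEW_LIST = {"accountStatus", "password", "authzRoles"}


def audit_user_editable(managed, object_name="user", review_list=REVIEW_LIST):
    """Classify the properties of one managed object type by their userEditable setting."""
    for obj in managed.get("objects", []):
        if obj.get("name") == object_name:
            break
    else:
        raise KeyError(f"no managed object named {object_name!r}")

    editable, malformed = [], []
    for name, definition in obj.get("schema", {}).get("properties", {}).items():
        value = definition.get("userEditable")
        if value is True:
            editable.append(name)
        elif value is not None and value is not False:
            malformed.append(name)  # e.g. the string "true" instead of a JSON boolean
    return {
        "editable": sorted(editable),
        "needs_review": sorted(set(editable) & set(review_list)),
        "malformed": sorted(malformed),
    }


if __name__ == "__main__":
    print(audit_user_editable(json.loads(SAMPLE_MANAGED_JSON)))
```
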

### Sign-In & security

Under this tab, end users can change their passwords. They can also add, delete, or modify security questions, and link or unlink supported social identity accounts. For more information, refer to [Security questions](selfservice-questions.html) and [Social registration](social-id.html).

### Preferences

The preferences tab allows end users to modify marketing preferences, as defined in the `managed.json` file, and the Managed Object User property Preferences tab. For more information, refer to [Configure User Preferences](self-registration.html#enduser-preferences).

End users can toggle marketing preferences. When IDM includes a mapping to a marketing database, these preferences are sent to that database. This can help administrators use IDM to target marketing campaigns and identify potential leads.

### Trusted devices

A *trusted device* uses AM's Device ID (Match) and Device ID (Save) authentication modules, as described in AM [Authentication and SSO](https://docs.pingidentity.com/pingam/7.5/am-authentication/preface.html). When such modules are configured (see [Configuring Trusted Devices on IDM](uma-trusted-gdpr.html#section-trusted-devices)), end users can add such devices the first time they log in from a new location.

During the login process, when an end user selects *Log In*, that user is prompted for a *Trusted Device Name*. Users see their added devices under the Trusted Devices tab.

A trusted device entry is paired with a specific browser on a specific system. The next time the same end user logs in from the same browser and system, in the same location, that user should not be prompted to enter a trusted device again.

End users can remove their trusted devices from the tab.

### Authorized applications

The Authorized Applications section is specific to end users as OAuth 2 clients and reflects the corresponding section of the AM Self-Service dashboard, as described in the following section of the AM *OAuth 2.0 Guide*: [User Consent Management](https://docs.pingidentity.com/pingam/7.5/am-oauth2/oauth2-manage-consent.html).

### Personal data sharing

This section assumes that as an administrator, you've followed the instructions in [Privacy and consent](privacy-consent.html) to enable Privacy & Consent.

End users who see a Personal Data Sharing section have control of whether personal data is shared with an external database, such as one that might contain marketing leads.

The managed object record for end users who consent to sharing such data is shown in REST output and the audit activity log as one `consentedMappings` object:

```json
"consentedMappings" : [ {
   "mapping" : "managedUser_systemLdapAccounts",
   "consentDate" : "2017-08-25T18:13:08.358Z"
} ]
```

If enabled, end users will see a Personal Data Sharing section in their profiles. If they select the Allow link, they can see the data properties that would be shared with the external database.

This option supports the right to restrict processing of user personal data.
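When reviewing REST output for consent, the `consentedMappings` array can be checked per user and per mapping. The following is an added example, not code from the IDM product: the records are constructed (only the `consentedMappings`, `mapping`, and `consentDate` fields come from this page), and the function names are assumptions.

```python
from datetime import datetime

MAPPING = "managedUser_systemLdapAccounts"

# Constructed managed user records in the shape of REST output.
RECORDS = [
    {"_id": "u1", "userName": "bjensen", "consentedMappings": [
        {"mapping": MAPPING, "consentDate": "2017-08-25T18:13:08.358Z"}]},
    {"_id": "u2", "userName": "scarter", "consentedMappings": []},
    {"_id": "u3", "userName": "jdoe"},  # property absent altogether
    {"_id": "u4", "userName": "kvaughan", "consentedMappings": [
        {"mapping": MAPPING, "consentDate": "not-a-date"}]},
]


def parse_consent_date(value):
    """Parse an ISO 8601 timestamp with a trailing Z; return None if it is unusable."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None


def consent_for(record, mapping):
    """Return when the user consented to `mapping`, or None if absent or unparseable."""
    for entry in record.get("consentedMappings") or []:
        if entry.get("mapping") == mapping:
            return parse_consent_date(entry.get("consentDate"))
    return None


def split_by_consent(records, mapping):
    """Return ({userName: consent datetime}, [userNames with no valid consent])."""
    consented, missing = {}, []
    for record in records:
        when = consent_for(record, mapping)
        if when is None:
            missing.append(record["userName"])
        else:
            consented[record["userName"]] = when
    return consented, missing


if __name__ == "__main__":
    ok, not_ok = split_by_consent(RECORDS, MAPPING)
    print("consented:", ok)
    print("no valid consent:", not_ok)
```

An entry with an unparseable `consentDate` is treated as no consent, so a malformed record is surfaced for review rather than counted as consented.
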

### Account controls

The Account Controls section allows end users to download their account data (in JSON format), and to delete their accounts from IDM.

When end users delete their accounts, the change is propagated to external systems by implicit sync. However, it is then up to the administrator of the external system to make sure that any additional user information is purged from that system.

To modify the message associated with the `Delete Your Account` option, refer to the section about [Translations](https://github.com/ForgeRock/end-user-ui) in the README of the public ForgeRock Identity Management (End User) Git repository. Find the `translation.json` file, search for the `deleteAccount` code block, and edit the information.

The options shown in this section can help meet requirements related to data portability, as well as the right to be forgotten.
