Managing Users

About User Management

You can use the User Management API to create client applications that can manage roles, permissions, and principals (which can be users or groups), as well as authenticate users. User Management API consists of the following LiveCycle APIs:

  • Directory Manager Service API

  • Authentication Manager Service API

  • Authorization Manager Service API

User Management enables you to assign, remove, and determine roles and permissions. It also enables you to assign, remove, and query domains, users, and groups. Finally, you can use User Management to authenticate users.

In Adding Users you will understand how to programmatically add users. This section uses the Directory Manager Service API.

In Deleting Users you will understand how to programmatically delete users. This section uses the Directory Manager Service API.

In Managing Users and Groups you will understand the difference between a local user and a directory user, and see examples of how to use the Java and web service APIs to programmatically manage users and groups. This section uses the Directory Manager Service API.

In Managing Roles and Permissions you will learn about the system roles and permissions and what you can do programmatically to augment them, and see examples of how to use the Java and web service APIs to programmatically manage roles and permissions. This section uses both the Directory Manager Service API and Authorization Manager Service API.

In Authenticating Users you will see examples of how to use the Java and web service APIs to programmatically authenticate users. This section uses the Authorization Manager Service API.

Understanding the authentication process

User Management provides built-in authentication functionality, and also provides you with the ability to connect it with your own authentication provider. When User Management receives an authentication request (for example, a user attempts to log in), it passes user information to the authentication provider to authenticate. User Management receives the results from the authentication provider after it authenticates the user.

The following diagram shows the interaction among an end user attempting to log in, User Management, and the authentication provider.

View full size graphic

The following table describes each step of the authentication process.

Step

Description

1

A user attempts to log into a service that invokes User Management. The user specifies a user name and password.

2

User Management sends the user name and password, as well as configuration information, to the authentication provider.

3

The authentication provider connects to the user store and authenticates the user.

4

The authentication provider returns the results to User Management.

5

User Management either lets the user log in or denies access to the product.

Note: If the server time zone is different from the client time zone, when consuming the WSDL for the LiveCycle Generate PDF service on a native SOAP stack using a .NET client on a WebSphere Application Server cluster, the following User Management authentication error may occur:

[com.adobe.idp.um.webservices.WSSecurityHandler] errorCode:12803 errorCodeHEX:0x3203 message:WSSecurityHandler: UM authenticate returns exception : An error was discovered processing the <wsse:Security> header. (WSSecurityEngine: Invalid timestamp The security semantics of message have expired).

Understanding directory management

User Management is packaged with a directory service provider (the DirectoryManagerService) that supports connections to LDAP directories. If your organization uses a non-LDAP repository to store user records, you can create your own directory service provider that works with your repository.

Directory service providers retrieve records from a user store at the request of User Management. User Management regularly caches user and group records in the database to improve performance.

The directory service provider can be used to synchronize the User Management database with the user store. This step ensures that all user directory information and all user and group records are up to date.

In addition, the DirectoryManagerService provides you with the ability to create and manage domains. Domains define different user bases. The boundary of a domain is usually defined according to the way your organization is structured or how your user store is set up. User Management domains provide configuration settings that authentication providers and directory service providers use.

In the configuration XML that User Management exports, the root node that has the attribute value of Domains contains an XML element for each domain defined for User Management. Each of these elements contain other elements that define aspects of the domain associated with specific service providers.

Understanding objectSID values

When using Active Directory, it is important to understand that an objectSID value is not a unique attribute across multiple domains. This value stores the security identifier of an object. In a multiple domain environment (for example, a tree of domains) the objectSID value can be different.

An objectSID value would change if an object is moved from one Active Directory domain to another domain. Some objects have the same objectSID value anywhere in the domain. For example, groups like BUILTIN\Administrators, BUILTIN\Power Users and so on would have the same objectSID value regardless of the domains. These objectSID values are well known.

// Ethnio survey code removed