About User Management
You can use the User Management API to create client applications that can manage roles, permissions, and principals (which can be users or groups), as well as authenticate users. The User Management API consists of the following LiveCycle APIs:
Directory Manager Service API
Authentication Manager Service API
Authorization Manager Service API
User Management enables you to assign, remove, and determine roles and permissions. It also enables you to assign, remove, and query domains, users, and groups. Finally, you can use User Management to authenticate users.
In Adding Users you will understand how to programmatically add users. This section uses the Directory Manager Service API.
In Deleting Users you will understand how to programmatically delete users. This section uses the Directory Manager Service API.
In Managing Users and Groups you will understand the difference between a local user and a directory user, and see examples of how to use the Java and web service APIs to programmatically manage users and groups. This section uses the Directory Manager Service API.
In Managing Roles and Permissions you will learn about the system roles and permissions and what you can do programmatically to augment them, and see examples of how to use the Java and web service APIs to programmatically manage roles and permissions. This section uses both the Directory Manager Service API and the Authorization Manager Service API.
In Authenticating Users you will see examples of how to use the Java and web service APIs to programmatically authenticate users. This section uses the Authorization Manager Service API.
Understanding the authentication process
User Management provides built-in authentication functionality, and also provides you with the ability to connect it with your own authentication provider. When User Management receives an authentication request (for example, a user attempts to log in), it passes user information to the authentication provider to authenticate. User Management receives the results from the authentication provider after it authenticates the user.
The following diagram shows the interaction among an end user attempting to log in, User Management, and the authentication provider.
The following table describes each step of the authentication process.
Step | Description
1 | A user attempts to log into a service that invokes User Management. The user specifies a user name and password.
2 | User Management sends the user name and password, as well as configuration information, to the authentication provider.
3 | The authentication provider connects to the user store and authenticates the user.
4 | The authentication provider returns the results to User Management.
5 | User Management either lets the user log in or denies access to the product.
Note: If the server time zone is different from the client time zone, when consuming the WSDL for the LiveCycle Generate PDF service on a native SOAP stack using a .NET client on a WebSphere Application Server cluster, the following User Management authentication error may occur:
[com.adobe.idp.um.webservices.WSSecurityHandler] errorCode:12803 errorCodeHEX:0x3203 message:WSSecurityHandler: UM authenticate returns exception : An error was discovered processing the <wsse:Security> header. (WSSecurityEngine: Invalid timestamp The security semantics of message have expired).
Understanding directory management
User Management is packaged with a directory service provider (the DirectoryManagerService) that supports connections to LDAP directories. If your organization uses a non-LDAP repository to store user records, you can create your own directory service provider that works with your repository.
Directory service providers retrieve records from a user store at the request of User Management. User Management regularly caches user and group records in the database to improve performance.
The directory service provider can be used to synchronize the User Management database with the user store. This step ensures that all user directory information and all user and group records are up to date.
In addition, the DirectoryManagerService provides you with the ability to create and manage domains. Domains define different user bases. The boundary of a domain is usually defined according to the way your organization is structured or how your user store is set up. User Management domains provide configuration settings that authentication providers and directory service providers use.
In the configuration XML that User Management exports, the root node that has the attribute value of Domains contains an XML element for each domain defined for User Management. Each of these elements contains other elements that define aspects of the domain associated with specific service providers.
Understanding objectSID values
When using Active Directory, it is important to understand that an objectSID value is not a unique attribute across multiple domains. This value stores the security identifier of an object. In a multiple-domain environment (for example, a tree of domains) the objectSID value can be different.
An objectSID value would change if an object is moved from one Active Directory domain to another domain. Some objects have the same objectSID value anywhere in the domain. For example, groups such as BUILTIN\Administrators, BUILTIN\Power Users, and so on would have the same objectSID value regardless of the domain. These objectSID values are well known.