Provisioning users through the API

Automating user provisioning using the API.

Authentication happens through a central or third-party system such as Active Directory. Once a user is authenticated as an external user, SDL LiveContent Architect maps that identity to a SDL LiveContent Architect user profile for authorization and application data. These SDL LiveContent Architect user profiles need to be provisioned. There are two types of user profiles:

Internal users go through business logic that matches the incoming user name to a SDL LiveContent Architect user and validates the password to authenticate the user before authorization happens. Internal users require a password maintained by SDL LiveContent Architect (for storage, complexity rules, expiration, lost passwords, ...).
  • The incoming user name and password are passed to, and validated by Application.Login to be matched to a unique SDL LiveContent Architect user profile.
  • User profile creation happens through User.Create where the field FISHUSERTYPE should contain Internal, and you have to specify the PASSWORD field.

External users are authenticated by standardized systems before getting matched to a SDL LiveContent Architect user profile for authorization. There is no password management for these users.
  • The incoming authenticated identity is matched to a unique SDL LiveContent Architect user profile using the field FISHEXTERNALID.
  • User profile creation happens through User.Create where field FISHUSERTYPE should hold External, and FISHEXTERNALID should contain a match for an incoming IIdentity.Name call (e.g. MYDOMAIN\username). You are not allowed to specify the PASSWORD field.

The API allows you to create, read, update, delete (CRUD) and disable user profiles. The following algorithm can guide you in synchronizing your user systems.
  1. Delete or Disable SDL LiveContent Architect User Profiles that no longer exist in the central system.
    1. List all SDL LiveContent Architect user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
    2. For every user in the SDL LiveContent Architect user list, find the external user profile by FISHEXTERNALID
      • If none exist, delete the SDL LiveContent Architect user profile if not referenced, otherwise disable the SDL LiveContent Architect user profile.
      • If one or more exist; check if disabled, possibly disable the SDL LiveContent Architect user profile.
  2. Create or Update SDL LiveContent Architect User Profiles in the SDL LiveContent Architect system.
    1. List all external users required to have a matching profile in SDL LiveContent Architect (e.g. limited by a role,…)
    2. For every user in the external-user-list find the SDL LiveContent Architect User Profile by FISHEXTERNALID
      • If multiple hits; throw exception as multiple profile hits never grant a login
      • If none exists; create the user profile with required roles and user groups
      • If one exists; enable, skip or possibly update the user profile
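
The two passes above can be computed as a plan before any profile is touched, so that a duplicate FISHEXTERNALID aborts the run with nothing half-applied. The following is an added example, not code from the product or its API: the dict layout, the `id` key, the `referenced` set, the directory shape and the "Yes" value for FISHUSERDISABLED are assumptions, and centrally disabled users are treated as not requiring a profile.

```python
from collections import defaultdict

def plan_sync(profiles, directory, referenced=frozenset()):
    """Return (action, target) pairs; raise before planning anything on duplicates."""
    by_ext = defaultdict(list)
    for p in profiles:
        if p["FISHUSERTYPE"] == "External":
            by_ext[p["FISHEXTERNALID"]].append(p)
    # Multiple hits never grant a login: fail before any change is planned.
    dupes = sorted(e for e in directory if len(by_ext.get(e, [])) > 1)
    if dupes:
        raise ValueError(f"multiple profiles share FISHEXTERNALID: {dupes}")
    plan = []
    # Step 1: active external profiles whose central account is gone or disabled.
    for ext, hits in by_ext.items():
        for p in hits:
            if p["FISHUSERDISABLED"] != "No":
                continue
            central = directory.get(ext)
            if central is None:
                # Referenced profiles cannot be deleted, so disable them instead.
                plan.append(("disable" if p["id"] in referenced else "delete", p["id"]))
            elif central["disabled"]:
                plan.append(("disable", p["id"]))
    # Step 2: each enabled central user needs exactly one enabled profile.
    for ext, central in directory.items():
        if central["disabled"]:
            continue
        hits = by_ext.get(ext, [])
        if not hits:
            plan.append(("create", ext))
        elif hits[0]["FISHUSERDISABLED"] != "No":
            plan.append(("enable", hits[0]["id"]))
    return plan

def profile(pid, ext, disabled="No", usertype="External"):
    return {"id": pid, "FISHUSERTYPE": usertype, "FISHEXTERNALID": ext,
            "FISHUSERDISABLED": disabled}

# Constructed sample data (not from a real system).
SAMPLE_PROFILES = [
    profile("u1", r"MYDOMAIN\alice"),        # still active centrally
    profile("u2", r"MYDOMAIN\bob"),          # gone centrally, unreferenced
    profile("u3", r"MYDOMAIN\carol"),        # gone centrally, still referenced
    profile("u4", r"MYDOMAIN\dave"),         # disabled centrally
    profile("u5", r"MYDOMAIN\erin", "Yes"),  # disabled profile, active centrally
]
SAMPLE_DIRECTORY = {
    r"MYDOMAIN\alice": {"disabled": False}, r"MYDOMAIN\dave": {"disabled": True},
    r"MYDOMAIN\erin": {"disabled": False}, r"MYDOMAIN\frank": {"disabled": False},
}
```

Calling `plan_sync(SAMPLE_PROFILES, SAMPLE_DIRECTORY, referenced={"u3"})` yields the actions to carry out through the API; the calls that apply them are not shown here.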