Clearance while creating a sandbox user in salesforce - salesforce

To create a user in a Sandbox I need my username, password, and security token.
I also need to point to test.salesforce.com, instead of login.salesforce.com.
However, I am not clear on the privileges required for creating a user through the APIs.
If I can create a user in the Sandbox through the Setup/Admin/Users/Create New, should I also be able to create a user through the APIs?
Do I need to be an admin of the Prod account to be able to create a user through the API in the Sandbox, or is it enough for me to be a sys admin in the sandbox?
I ask that because I am trying to create a user in a sandbox and I am getting:
Caused by: [LoginFault [ApiFault exceptionCode='INVALID_LOGIN'
exceptionMessage='Invalid username, password, security token; or user locked out.'
I know the user is not locked out, and I know the other credentials are correct, so that makes me think this is about rights.

If you have permission to create a user, you can do this by using the Enterprise API.
It is working for me.
// Enterprise WSDL stubs; connection is an already logged-in EnterpriseConnection
import com.sforce.soap.enterprise.SaveResult;
import com.sforce.soap.enterprise.sobject.SObject;
import com.sforce.soap.enterprise.sobject.User;
User u = new User();
u.setUsername(Username);   // must be unique across all Salesforce orgs
u.setFirstName(FirstName);
u.setLastName(LastName);
u.setEmail(Email);
// Also required on a new User: Alias, ProfileId, TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, LanguageLocaleKey
SaveResult[] results = connection.create(new SObject[] { u });
Regards,
Naveen
autorabit

The problem was solved by creating a Sandbox in a different account. Instead of creating a Sandbox of our production account, we created a different partner account, which didn't have SSO enabled. That solved the issue. We don't know what settings would require an SSO to be able to use the APIs, but the SSO was in the way of calling the APIs.
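The login step itself, as an added example that is not code from the thread or from Salesforce: it builds the Enterprise API SOAP login request for a sandbox (test.salesforce.com) or production (login.salesforce.com) org, appends the security token to the password the way the API expects, and classifies the reply. The fault shape mirrors the INVALID_LOGIN message quoted in the question; note that the API returns the same code whichever part of the credentials it rejected, so the fault alone cannot distinguish a wrong token from a login policy such as the SSO setting the poster ran into. The API version, the sample replies, hostnames and session id are constructed placeholders.

```python
"""Added example, not code from the thread: build the Enterprise API SOAP login
request for a sandbox or production org and classify the reply.
API version, endpoint choice and the sample replies below are constructed."""
import xml.etree.ElementTree as ET

API_VERSION = "55.0"  # assumption: the path shape is the same for any current version
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENTERPRISE_NS = "urn:enterprise.soap.sforce.com"
FAULT_NS = "urn:fault.enterprise.soap.sforce.com"


def login_endpoint(sandbox: bool) -> str:
    """Sandbox logins go to test.salesforce.com, production to login.salesforce.com."""
    host = "test.salesforce.com" if sandbox else "login.salesforce.com"
    return f"https://{host}/services/Soap/c/{API_VERSION}"


def login_envelope(username: str, password: str, security_token: str) -> bytes:
    """SOAP login body. There is no separate token field: the security token is
    appended to the password, so a stale token also yields INVALID_LOGIN."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    login = ET.SubElement(body, f"{{{ENTERPRISE_NS}}}login")
    ET.SubElement(login, f"{{{ENTERPRISE_NS}}}username").text = username
    ET.SubElement(login, f"{{{ENTERPRISE_NS}}}password").text = password + security_token
    return ET.tostring(env, encoding="utf-8")


def password_field(envelope: bytes) -> str:
    """Read back the password element (shows the token concatenation)."""
    return ET.fromstring(envelope).findtext(f".//{{{ENTERPRISE_NS}}}password")


def classify_login_response(xml_bytes: bytes) -> dict:
    """{'ok': True, 'serverUrl': ...} on success, else the LoginFault's code and message."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return {"ok": True, "serverUrl": root.findtext(f".//{{{ENTERPRISE_NS}}}serverUrl")}
    return {
        "ok": False,
        "exceptionCode": fault.findtext(f".//{{{FAULT_NS}}}exceptionCode"),
        "exceptionMessage": fault.findtext(f".//{{{FAULT_NS}}}exceptionMessage"),
    }


# Constructed fault reply, shaped like the one quoted in the question.
INVALID_LOGIN_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:sf="urn:fault.enterprise.soap.sforce.com">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>sf:INVALID_LOGIN</faultcode>
      <faultstring>INVALID_LOGIN: Invalid username, password, security token; or user locked out.</faultstring>
      <detail>
        <sf:LoginFault>
          <sf:exceptionCode>INVALID_LOGIN</sf:exceptionCode>
          <sf:exceptionMessage>Invalid username, password, security token; or user locked out.</sf:exceptionMessage>
        </sf:LoginFault>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed success reply; serverUrl and sessionId are placeholders.
SUCCESS_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns="urn:enterprise.soap.sforce.com">
  <soapenv:Body>
    <loginResponse>
      <result>
        <serverUrl>https://sandbox-instance.example/services/Soap/c/55.0</serverUrl>
        <sessionId>SESSION_ID_PLACEHOLDER</sessionId>
      </result>
    </loginResponse>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(login_endpoint(sandbox=True))
    print(classify_login_response(INVALID_LOGIN_REPLY))
    print(classify_login_response(SUCCESS_REPLY))
```

Before blaming permissions on a fault like this, the two things worth checking on the sandbox user are that the login is being sent to the sandbox endpoint and that the profile has the API Enabled permission; creating users additionally needs Manage Users, but a missing permission there surfaces on the create() call, not at login.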

Related

Extract users from two Active Directory groups

I have tried multiple times to get this to work, but I haven't figured it out yet, so I'm asking here, hoping that someone will be able to help me out.
I am using Atlassian's Bitbucket, Jira and Bamboo, and they're all synced with an AD. At the moment I am using my AD user to retrieve all the other users. It works, but it's not optimal, as the password expires every three months and I have to change the LDAP user login info on all three applications. We have ordered a Service User whose password doesn't expire, but the problem is that the Service User is in another group.
The picture below shows how the AD is set up. My Service User is in a group called Special Users. I would like to use this user as the login user in the settings. This way I would never have to think about changing my password when my AD password expires.
I would then like to retrieve all the users from the "Normal Users" group.
Let me know if more information is needed.
Thanks.
You could also add multiple user directories pointing to different parts of your Active Directory.
Jira has an internal Crowd out of the box.
You may let Jira connect to the user directory and let all the other applications use Jira for authentication.
This would save time by only updating your LDAP password every 3 months on 1 application and having it reflected on all 3 applications.
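One way to express "only the Normal Users group", added here as an example and not code from the thread or from Atlassian: the LDAP filter an AD-backed user directory would use as its user object filter, with RFC 4515 escaping of the group DN, plus a local evaluation over a constructed directory showing that the service account in Special Users is not imported even though it is the account used to bind. The group DNs and account names are assumptions about the poster's directory; the OID is AD's matching-rule-in-chain, which lets the filter follow nested group membership.

```python
"""Added example, not from the thread: the AD filter that limits a user
directory to members of one group, applied to a constructed directory.
Group DNs and account names are assumptions."""

# Characters RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# AD's matching-rule-in-chain OID; memberOf:<OID>:= follows nested group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value interpolated into an LDAP filter so a group name
    containing parentheses or '*' cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str, nested: bool = False) -> str:
    """Filter for user accounts that are members of group_dn (the full DN, not the name)."""
    attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    return ("(&(objectCategory=person)(objectClass=user)"
            f"({attr}={escape_filter_value(group_dn)}))")


NORMAL_USERS = "CN=Normal Users,OU=Groups,DC=example,DC=com"
SPECIAL_USERS = "CN=Special Users,OU=Groups,DC=example,DC=com"

# Constructed directory standing in for the thread's picture.
DIRECTORY = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "memberOf": [NORMAL_USERS]},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "memberOf": [NORMAL_USERS]},
    {"sAMAccountName": "svc-atlassian", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "memberOf": [SPECIAL_USERS]},
    {"sAMAccountName": "Normal Users", "objectCategory": "group",
     "objectClass": ["top", "group"], "memberOf": []},
]


def direct_members(directory, group_dn: str) -> list:
    """Local evaluation of what group_member_filter(group_dn) selects: user
    objects whose memberOf lists the group DN (DNs compare case-insensitively)."""
    wanted = group_dn.lower()
    return sorted(
        e["sAMAccountName"] for e in directory
        if e["objectCategory"] == "person" and "user" in e["objectClass"]
        and any(dn.lower() == wanted for dn in e["memberOf"])
    )


if __name__ == "__main__":
    print(group_member_filter(NORMAL_USERS))
    print(group_member_filter(NORMAL_USERS, nested=True))
    print(direct_members(DIRECTORY, NORMAL_USERS))
```

The bind account is configured separately from the filter, so the service user only needs read access to the OU holding Normal Users; it does not have to match the filter itself, and with the plain memberOf form it will not be imported, which is usually what you want for a service account.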

What is the best approach to design database with external users, groups and permissions?

We are removing User, User Group and Permission models from our backend in favor of Auth0.
Our first idea was to just delete the User, Group and Permission tables from the DB and replace the related foreign keys with a varchar field. In this field we would then enter the IDs that we get from Auth0 in the JWT (pointing to something not present in our DB).
Is this a good approach? I somehow feel that there must be a more "relational" way of doing this.
Generally OAuth will not do all of the permission checks for you. Instead it gives you general mechanisms to sign the user in and issue + validate tokens.
In most real world architectures you also need to manage a second level of authorization in your back end - using domain specific user data for roles, permissions etc.
A couple of write-ups of mine may help:
User Data Management
API Authorization
Auth0 Community Manager Dan here,
In this scenario you may be able to leverage RBAC to replace your existing users/groups/permissions setup.
You would register a user's roles and the associated permissions of each role in the Auth0 dashboard or programmatically via the Management API. Then you can set up a rule to add user roles to the token.
To connect this user to your existing user data store you can store the Auth0 id, similarly to how you have described.
This allows you to look up the user when the token is received, and to associate any permissions or roles the user has. You can make roles API-specific by adding a prefix to the role, or have roles be general depending on your needs.
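The two answers above describe the same shape: the token carries identity and roles, the backend keeps the Auth0 id on a local user row and does the second-level permission check itself. Here is that shape as an added example, not the thread's or Auth0's own code. It keeps one local app_user table whose auth0_id column holds the token's sub, so domain tables still get a real foreign key to a local integer id rather than a bare varchar, while roles arrive in a namespaced claim added by a rule and are resolved to permissions locally. HS256 with a shared secret is used only so the block runs on the standard library; Auth0-issued access tokens are normally RS256 and would be verified against the tenant's JWKS instead. The claim namespace, secret, audience and table rows are constructed.

```python
"""Added example, not the thread's or Auth0's own code: verify a token, map
its `sub` (the Auth0 user id) to a local user row, and run a second-level
permission check against local role/permission tables. HS256 stands in for
Auth0's usual RS256 so this runs offline; secret, audience, claim namespace
and rows are constructed."""
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# Assumption: an Auth0 rule adds the user's roles under this namespaced claim.
ROLES_CLAIM = "https://example.com/roles"

SCHEMA = """
CREATE TABLE app_user (
    id       INTEGER PRIMARY KEY,
    auth0_id TEXT NOT NULL UNIQUE,   -- the token's sub, e.g. auth0|...
    display  TEXT
);
CREATE TABLE role_permission (
    role       TEXT NOT NULL,
    permission TEXT NOT NULL,
    PRIMARY KEY (role, permission)
);
-- Domain tables reference the local integer id, so referential integrity
-- stays inside the database even though identity lives in Auth0.
CREATE TABLE document (
    id       INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES app_user(id),
    title    TEXT
);
"""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way an issuer would; only here to build sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, audience: str, now: float) -> dict:
    """Check algorithm, signature, expiry and audience before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO app_user (auth0_id, display) VALUES (?, ?)",
                   [("auth0|alice", "Alice"), ("auth0|bob", "Bob")])
    db.executemany("INSERT INTO role_permission VALUES (?, ?)",
                   [("editor", "document:read"), ("editor", "document:write"),
                    ("viewer", "document:read")])
    db.execute("INSERT INTO document (owner_id, title) VALUES (?, ?)", (1, "Q3 plan"))
    return db


def authorize(db, token: str, secret: bytes, audience: str, permission: str, now=None) -> str:
    """Returns 'allowed', 'denied', 'unknown_user' or 'invalid_token: <reason>'."""
    now = time.time() if now is None else now
    try:
        claims = verify_hs256(token, secret, audience, now)
    except ValueError as exc:
        return f"invalid_token: {exc}"
    if not claims.get("sub"):
        return "invalid_token: no sub"
    row = db.execute("SELECT id FROM app_user WHERE auth0_id = ?", (claims["sub"],)).fetchone()
    if row is None:
        return "unknown_user"  # valid token, but never provisioned locally
    roles = [r for r in claims.get(ROLES_CLAIM, []) if isinstance(r, str)]
    if not roles:
        return "denied"
    marks = ",".join("?" * len(roles))  # only '?' markers; role names are bound parameters
    hit = db.execute(
        f"SELECT 1 FROM role_permission WHERE permission = ? AND role IN ({marks})",
        (permission, *roles)).fetchone()
    return "allowed" if hit else "denied"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    db = build_db()
    tok = sign_hs256({"sub": "auth0|alice", "aud": "https://api.example",
                      "exp": 1_700_003_600, ROLES_CLAIM: ["editor"]}, secret)
    print(authorize(db, tok, secret, "https://api.example", "document:write", now=1_700_000_000))
```

The "unknown_user" outcome is the case the varchar-only design tends to miss: a perfectly valid token for a user the application has never provisioned, which a real foreign key to app_user forces you to decide about explicitly (reject, or create the local row on first sight).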

Not able to add new user in VSTS

I have been added to the Project Collection Administrators group in VSTS, but I am still not able to add a new user. I was added using my official email ID, i.e. my Microsoft work account.
It says:
Guest users are not allowed to perform this action.
I saw the reason on this link:
I believe the primary reason for this error is because when a co-admin with Microsoft account is added to a subscription, it gets added into the subscription AD as Guest user type.
But since it is a very old thread, I would like to know if there is an easy way to get the ability to add new users, or basically to manage VSTS on behalf of the client. I hate asking the client to add a new user to the team. He is also not tech savvy, so I would like to suggest a simple solution to him (running PowerShell might be annoying for him).
You are inviting users from outside the directory. The user will be able to access the account and its resources, so you need enough permission to add a new user to the AD; but you are a Guest user, so it throws "Guest Users are not allowed to perform this action".
You need to contact the corresponding user (e.g. an AD admin) to add users to AD, or to grant you enough role and permission to add users to AD.
No easy way to do this, because it is related to security.

Azure Active Directory: Is Guest only for B2B?

In AAD, one could
add new Users to the same Domain
add Guests:
from other AAD Tenancies, passing through credential verification to the other Tenancy
from Microsoft Account users, passing through credential checking to live.com
But I'm noticing today although it still accepts to invite MA users, when they sign in, they are asked to create a Password.
From then on, they are shown the usual "Do you want to use your personal account or org/school account".
Is this a new change?
Should we no longer be inviting personal accounts, and stick to only inviting users from other tenancies (so they don't get asked whether to use a personal or work account when signing in)?
What happens when they create a company around their own email...will they be able to wrest back resolution of the credentials -- or will it always stay with the first tenant that imported a personal account!?
Thanks for help understanding how this aspect of Azure AD works.

Login and Logout AD with C#

How can I log in as another Active Directory user with C#, without logging out the current user?
1- Get the new user's access.
2- Do my work and then log out with C# the same way.
For example, I am a user in the blabla.com domain. I have logged in as a Power User, but I need admin rights for something, so I need to log out, change user to Administrator, do my job and log back in as Power User again. I want to do it with C#.
I heard of something called Impersonate User, but I think this is not what I want.
Edit: I want to log in with another user and get this user's permissions without logging out my current user, in C#.
Your question is not very clear. If what you want to be doing is querying/modifying AD, then t4zsan's answer is correct.
If you just need the other user's groups/security permissions, then Impersonation is the way to go. This article will give you a good foundation on it.
Caveats: The user you wish to impersonate must be able to logon to the machine you are running the code on. You can't impersonate a user in another domain if that domain is not trusted. Nor can you impersonate a local user on another machine, obviously.
When using the classes in System.DirectoryServices to connect to AD you have the option of specifying user credentials. For example when using DirectoryEntry there is a constructor overload taking username and password that lets you connect as a different user.
