Open topic with navigation
This page aims to collect and centralize any useful information on the Identity business domain which deals with authentication and user accounts.
Relativity uses several industry-standard technologies, enabling versatile authentication options. It supports local (such as password related) or external (such as smart cards, or external identification providers) authentication methods. You can add and enable each type individually, as well as assigning at least one, and in some instances multiple methods, for each user.
Note: Update your IIS settings by changing the Web API to Anonymous Authentication rather than Windows Authentication. You must update this setting in order to publish documents to a workspace or process data to Data Grid.
This page contains the following information:
The table below specifies the changes made in each version of the Identity business domain.
OAuth2 Client Manager, Group Manager, Login Profile Manager, Federated Instance Manager, Authentication Provider type, User Manager, and Client Manager documentation has been updated to use versioned paths.
|v1.0||Identity APIs (Identity.SDK) updated to use versioned paths|
These represent the different protocols for authenticating against Relativity, for example, Password, Integrated Authentication, and OpenID Connect. Using the API you can inspect enabled protocols for a particular environment. You can also enable or disable specific protocols. Disabling an authentication provider type completely disables that login workflow for the entire Relativity instance .
The Login Profile Manager is use to configure Relativity's authentication profile and user login profiles.
This section outlines the steps required to configure authentication in your Relativity environment.
Step 1: Configure authentication provider types
The API allows you to enable or disable authentication protocols on an environment level. As a best practice, you should only enable the protocols that you actually want to use in the environment. Relativity currently ships with all Provider Types enabled by default, and you can disable the ones you do not want to use.
See Authentication provider type (.NET) for additional information and code samples.
Note: In a future release we expect to ship with all authentication provider types disabled by default except for Password. You should write your update logic to explicitly enable or disable Provider Types based on your individual requirements.
Step 2: Configure the global profile
The Global Profile defines the environment-wide configuration options for each Authentication Provider (that is, Password, RSA, OpenID Connect). Some Providers have many options (such as Password) whereas some have just a few. The Global Profile has properties for each of the Provider Types. See Login Profile Manager (.NET) for additional information and code samples.
Note: In the current implementation of the authentication API, there is a single global authentication profile. This single entity is called the Global Profile. Admins currently do not have the ability to create multiple profiles.
Note: If you change any OpenID Connect or SAML 2.0 Providers on the authentication profile, you must perform an IIS reset on every web server in your environment. An upcoming release will correct this so that authentication profile dynamically updates on each server.
Step 3: Configure the login profile
See Login Profile Manager (.NET) for additional information and code samples.
In Relativity, a client is a company or organization, which is associated with users, matters, groups, and workspaces.
The Client Manager API exposes methods that provide the following functionality:
Federated instances provide a way for administrators to manage a list of user displayed links to other Relativity instances. In the Relativity UI, links to federated instances appear in the User dropdown.
Federated instances in combination with an SSO configurations can enable users to seamlessly switch between multiple Relativity instances without the need to reenter their credentials.
The Group Manager service exposes the API to create, read, update, and delete groups. Sample use cases for Group Manager API include:
In Relativity, you can manage varying levels of security for users, system admins, and individual objects, such as views, tabs, and fields, across your instance of Relativity and in each workspace. You can also define custom permissions for Relativity Dynamic Objects (RDOs).
The Permissions manager API supports a set of operations for assigning system-defined permissions on the admin, workspace, and item level. You can manipulate either arbitrary sets of individual permissions, or entire admin, workspace, or item permission sets. Note that the logic for working with entire permission sets closely follows the logic of the Relativity permissions UI.
While you can't modify the system-defined permissions, you can programmatically create, update, and delete custom permissions for RDOs. You can perform read and query operations on both system-defined permissions and custom permissions. All operations on permissions are performed asynchronously.
Users are individuals who have access to the Relativity environment. For general information, see Users on the Relativity Documentation site. The User Manager API exposes multiple operations that you can use to programmatically manage users in your Relativity environment. It includes the following features:
Sample use cases