Adding & Removing Users on Liferay

Adding & Removing Users on Liferay — setup, configuration, and best practices for Liferay.

Liferay DXP provides one of the most comprehensive user management systems in enterprise CMS platforms. Users are managed through the Control Panel, LDAP synchronization, or the headless REST API. Liferay distinguishes between portal-level users, organization users, and site members.

How Liferay User Management Works

Liferay stores users in its own database but can synchronize with external identity providers (LDAP, SAML, OpenID Connect). The user model includes:

Regular Users -- Standard accounts with portal access
Organization Users -- Users assigned to organizational hierarchies
Site Members -- Users with access to specific sites within the portal
Service Accounts -- Non-interactive accounts for API integrations

The Control Panel is accessible at https://your-portal.com/group/control_panel for administrators.

Adding Users via Control Panel

Navigate to Control Panel > Users and Organizations
Click the Add button (+ icon) in the top-right corner
Fill in the required fields:
- Screen Name (unique identifier, auto-generated if blank)
- Email Address (required, must be unique)
- First Name and Last Name
- Job Title (optional but useful for organizational grouping)
Click Save
Liferay sends a password setup email to the new user
Assign the user to Sites and Organizations as needed from their profile

Assigning Users to Sites

Go to Control Panel > Sites
Select the target site
Click Memberships in the left menu
Click New to add members
Search for and select the user(s)
Choose a Site Role (Site Administrator, Site Content Reviewer, Site Member)
Click Done

Adding Users via Headless REST API

Liferay DXP 7.4+ provides a headless API for user management:

# Create a new user via REST API
curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/user-accounts" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{
    "alternateName": "jdeveloper",
    "emailAddress": "jane@company.com",
    "familyName": "Developer",
    "givenName": "Jane",
    "password": "TempPass123!",
    "jobTitle": "Frontend Engineer"
  }'

Assign user to a site:

curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/sites/{siteId}/user-accounts" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{
    "userAccountIds": [12345, 12346, 12347]
  }'

Assign role to user:

curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/roles/{roleId}/association/user-account/{userId}" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)"

Bulk User Import

CSV Import via Control Panel

Navigate to Control Panel > Users and Organizations
Click the Options (gear) icon
Select Export/Import
Click the Import tab
Upload a CSV file with columns: screenName, emailAddress, firstName, lastName, jobTitle
Map columns in the import wizard
Click Import

Scripting Console Bulk Import

Liferay's Groovy scripting console (Control Panel > Server Administration > Script) supports bulk operations:

import com.liferay.portal.kernel.service.UserLocalServiceUtil
import com.liferay.portal.kernel.service.ServiceContext

long companyId = com.liferay.portal.kernel.util.PortalUtil.getDefaultCompanyId()
long creatorUserId = UserLocalServiceUtil.getDefaultUserId(companyId)

def users = [
    [screenName: "jdoe", email: "jdoe@company.com", first: "John", last: "Doe"],
    [screenName: "asmith", email: "asmith@company.com", first: "Alice", last: "Smith"],
    [screenName: "bwilson", email: "bwilson@company.com", first: "Bob", last: "Wilson"],
]

users.each { u ->
    try {
        UserLocalServiceUtil.addUser(
            creatorUserId,    // creatorUserId
            companyId,        // companyId
            false,            // autoPassword
            "TempPass123!",   // password1
            "TempPass123!",   // password2
            false,            // autoScreenName
            u.screenName,     // screenName
            u.email,          // emailAddress
            java.util.Locale.US,
            u.first,          // firstName
            "",               // middleName
            u.last,           // lastName
            0,                // prefixId
            0,                // suffixId
            true,             // male
            1,                // birthdayMonth
            1,                // birthdayDay
            1970,             // birthdayYear
            "",               // jobTitle
            new ServiceContext()
        )
        println("Created: ${u.email}")
    } catch (Exception e) {
        println("Failed: ${u.email} - ${e.message}")
    }
}

Removing and Deactivating Users

Deactivation (Recommended)

Deactivating preserves all content, workflow history, and audit records:

Navigate to Control Panel > Users and Organizations
Find the user via search
Click the user's name to open their profile
Click Actions (three-dot menu) and select Deactivate
Confirm the deactivation

Deactivated users cannot log in but their content (web content, documents, wiki articles) remains intact and attributed to them. Their assignments in workflows pause.

Reactivation

In Users and Organizations, change the filter to show Inactive users
Find the user
Click Actions > Activate

Permanent Deletion

First deactivate the user (required step)
Switch to the Inactive user filter
Select the user
Click Actions > Delete
Confirm permanent deletion

What happens to their content:

Web content authored by the deleted user is reassigned to the default admin user
Document library files remain but lose their uploader attribution
Workflow tasks assigned to the deleted user become unassigned
Message board posts and wiki contributions retain the deleted user's name as a string but lose the link to a live account
Comments and ratings are permanently deleted with the user

Deactivation via API

# Deactivate user (set status to 5 = inactive)
curl -X PATCH "https://your-portal.com/o/headless-admin-user/v1.0/user-accounts/{userId}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{"status": 5}'

LDAP Integration

Liferay DXP integrates with LDAP directories for centralized user provisioning:

Navigate to Control Panel > Instance Settings > Security > LDAP
Click Add to configure an LDAP server
Configure connection settings:
- Base Provider URL: ldap://ldap.company.com:389
- Base DN: dc=company,dc=com
- Principal: cn=admin,dc=company,dc=com
- Credentials: LDAP admin password
Map LDAP attributes to Liferay fields:
- cn to Screen Name
- mail to Email Address
- givenName to First Name
- sn to Last Name
Configure Import/Export settings:
- Enable Import to sync LDAP users into Liferay
- Set import interval (e.g., every 10 minutes)
- Enable Export if Liferay should write changes back to LDAP
Click Save and Test LDAP Connection

SAML Single Sign-On

Liferay DXP supports SAML 2.0 as both an Identity Provider (IdP) and Service Provider (SP):

Install the Liferay SAML 2.0 app from the Marketplace (or use the bundled module in DXP)
Navigate to Control Panel > SAML Admin
Configure as Service Provider:
- Entity ID: https://your-portal.com
- Upload IdP metadata XML or configure manually
- Map IdP attributes to Liferay user fields
Enable Auto-provisioning to create Liferay accounts on first SSO login
Enable Auto-update to keep user attributes synced

Access Audit Checklist

Review Control Panel > Users and Organizations quarterly, filter by last login date
Run Control Panel > Server Administration > Data Cleanup to identify orphaned user data
Audit site memberships: check each site's Memberships section for stale accounts
Verify LDAP sync logs in Control Panel > Server Administration > Log Levels (set com.liferay.portal.security.ldap to DEBUG)
Review Control Panel > Audit (requires Audit module) for recent user login and permission changes
Document all role and organization changes in your change management system

Nach oben