Liferay DXP provides one of the most comprehensive user management systems in enterprise CMS platforms. Users are managed through the Control Panel, LDAP synchronization, or the headless REST API. Liferay distinguishes between portal-level users, organization users, and site members.
How Liferay User Management Works
Liferay stores users in its own database but can synchronize with external identity providers (LDAP, SAML, OpenID Connect). The user model includes:
- Regular Users -- Standard accounts with portal access
- Organization Users -- Users assigned to organizational hierarchies
- Site Members -- Users with access to specific sites within the portal
- Service Accounts -- Non-interactive accounts for API integrations
The Control Panel is accessible at https://your-portal.com/group/control_panel for administrators.
Adding Users via Control Panel
- Navigate to Control Panel > Users and Organizations
- Click the Add button (+ icon) in the top-right corner
- Fill in the required fields:
  - Screen Name (unique identifier, auto-generated if blank)
  - Email Address (required, must be unique)
  - First Name and Last Name
  - Job Title (optional but useful for organizational grouping)
- Click Save
- Liferay sends a password setup email to the new user
- Assign the user to Sites and Organizations as needed from their profile
Assigning Users to Sites
- Go to Control Panel > Sites
- Select the target site
- Click Memberships in the left menu
- Click New to add members
- Search for and select the user(s)
- Choose a Site Role (Site Administrator, Site Content Reviewer, Site Member)
- Click Done
Adding Users via Headless REST API
Liferay DXP 7.4+ provides a headless API for user management:
# Create a new user via REST API
curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/user-accounts" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{
    "alternateName": "jdeveloper",
    "emailAddress": "jane@company.com",
    "familyName": "Developer",
    "givenName": "Jane",
    "password": "TempPass123!",
    "jobTitle": "Frontend Engineer"
  }'
Assign user to a site:
curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/sites/{siteId}/user-accounts" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{
    "userAccountIds": [12345, 12346, 12347]
  }'
Assign role to user:
curl -X POST "https://your-portal.com/o/headless-admin-user/v1.0/roles/{roleId}/association/user-account/{userId}" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)"
Bulk User Import
CSV Import via Control Panel
- Navigate to Control Panel > Users and Organizations
- Click the Options (gear) icon
- Select Export/Import
- Click the Import tab
- Upload a CSV file with columns: screenName,emailAddress,firstName,lastName,jobTitle
- Map columns in the import wizard
- Click Import
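An added example (not Liferay's or this page's code): a Python pre-import check that applies the uniqueness rules stated above to a CSV with this page's columns, then builds one user-accounts payload per valid row, each with its own random temporary password. The case-insensitive matching, the password character set and the sample rows are assumptions made for illustration.

```python
import csv
import io
import secrets
import string

# Columns are the CSV layout from this page; the rows are constructed samples.
COLUMNS = ["screenName", "emailAddress", "firstName", "lastName", "jobTitle"]
SAMPLE_CSV = """screenName,emailAddress,firstName,lastName,jobTitle
jdoe,jdoe@company.com,John,Doe,Engineer
asmith,asmith@company.com,Alice,Smith,Designer
JDoe,john.doe@company.com,John,Doe,Engineer
bwilson,,Bob,Wilson,Analyst
cgreen,ASmith@company.com,Carol,Green,Manager
"""
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%*-_"]

def temp_password(length=20):
    """Random per-user password containing every character class (assumed policy)."""
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def build_payloads(csv_text):
    """Return (payloads, errors); duplicates are matched case-insensitively (assumption)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"header: missing columns {missing}"]
    seen_names, seen_emails, payloads, errors = set(), set(), [], []
    for line_no, row in enumerate(reader, start=2):
        field = lambda k: (row.get(k) or "").strip()
        name, email = field("screenName").lower(), field("emailAddress").lower()
        if "@" not in email:
            errors.append(f"line {line_no}: missing or malformed emailAddress")
        elif email in seen_emails:
            errors.append(f"line {line_no}: duplicate emailAddress {email}")
        elif name and name in seen_names:
            errors.append(f"line {line_no}: duplicate screenName {name}")
        else:
            seen_emails.add(email)
            seen_names.add(name)
            payload = {"emailAddress": email, "givenName": field("firstName"),
                       "familyName": field("lastName"), "jobTitle": field("jobTitle"),
                       "password": temp_password()}
            if name:  # a blank screen name is left for Liferay to auto-generate
                payload["alternateName"] = name
            payloads.append(payload)
    return payloads, errors
```

Each returned payload uses the same field names as the user-accounts request shown earlier on this page, so it can be sent as that request's JSON body.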
Scripting Console Bulk Import
Liferay's Groovy scripting console (Control Panel > Server Administration > Script) supports bulk operations:
import com.liferay.portal.kernel.service.UserLocalServiceUtil
import com.liferay.portal.kernel.service.ServiceContext
long companyId = com.liferay.portal.kernel.util.PortalUtil.getDefaultCompanyId()
long creatorUserId = UserLocalServiceUtil.getDefaultUserId(companyId)
def users = [
    [screenName: "jdoe", email: "jdoe@company.com", first: "John", last: "Doe"],
    [screenName: "asmith", email: "asmith@company.com", first: "Alice", last: "Smith"],
    [screenName: "bwilson", email: "bwilson@company.com", first: "Bob", last: "Wilson"],
]
users.each { u ->
    try {
        UserLocalServiceUtil.addUser(
            creatorUserId, // creatorUserId
            companyId, // companyId
            false, // autoPassword
            "TempPass123!", // password1
            "TempPass123!", // password2
            false, // autoScreenName
            u.screenName, // screenName
            u.email, // emailAddress
            java.util.Locale.US,
            u.first, // firstName
            "", // middleName
            u.last, // lastName
            0, // prefixId
            0, // suffixId
            true, // male
            1, // birthdayMonth
            1, // birthdayDay
            1970, // birthdayYear
            "", // jobTitle
            new ServiceContext()
        )
        println("Created: ${u.email}")
    } catch (Exception e) {
        println("Failed: ${u.email} - ${e.message}")
    }
}
Removing and Deactivating Users
Deactivation (Recommended)
Deactivating preserves all content, workflow history, and audit records:
- Navigate to Control Panel > Users and Organizations
- Find the user via search
- Click the user's name to open their profile
- Click Actions (three-dot menu) and select Deactivate
- Confirm the deactivation
Deactivated users cannot log in but their content (web content, documents, wiki articles) remains intact and attributed to them. Their assignments in workflows pause.
Reactivation
- In Users and Organizations, change the filter to show Inactive users
- Find the user
- Click Actions > Activate
Permanent Deletion
- First deactivate the user (required step)
- Switch to the Inactive user filter
- Select the user
- Click Actions > Delete
- Confirm permanent deletion
What happens to their content:
- Web content authored by the deleted user is reassigned to the default admin user
- Document library files remain but lose their uploader attribution
- Workflow tasks assigned to the deleted user become unassigned
- Message board posts and wiki contributions retain the deleted user's name as a string but lose the link to a live account
- Comments and ratings are permanently deleted with the user
Deactivation via API
# Deactivate user (set status to 5 = inactive)
curl -X PATCH "https://your-portal.com/o/headless-admin-user/v1.0/user-accounts/{userId}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'admin@company.com:password' | base64)" \
  -d '{"status": 5}'
LDAP Integration
Liferay DXP integrates with LDAP directories for centralized user provisioning:
- Navigate to Control Panel > Instance Settings > Security > LDAP
- Click Add to configure an LDAP server
- Configure connection settings:
  - Base Provider URL: ldap://ldap.company.com:389
  - Base DN: dc=company,dc=com
  - Principal: cn=admin,dc=company,dc=com
  - Credentials: LDAP admin password
- Map LDAP attributes to Liferay fields:
  - cn to Screen Name
  - mail to Email Address
  - givenName to First Name
  - sn to Last Name
- Configure Import/Export settings:
  - Enable Import to sync LDAP users into Liferay
  - Set import interval (e.g., every 10 minutes)
  - Enable Export if Liferay should write changes back to LDAP
- Click Save and Test LDAP Connection
SAML Single Sign-On
Liferay DXP supports SAML 2.0 as both an Identity Provider (IdP) and Service Provider (SP):
- Install the Liferay SAML 2.0 app from the Marketplace (or use the bundled module in DXP)
- Navigate to Control Panel > SAML Admin
- Configure as Service Provider:
  - Entity ID: https://your-portal.com
  - Upload IdP metadata XML or configure manually
  - Map IdP attributes to Liferay user fields
- Enable Auto-provisioning to create Liferay accounts on first SSO login
- Enable Auto-update to keep user attributes synced
Access Audit Checklist
- Review Control Panel > Users and Organizations quarterly, filter by last login date
- Run Control Panel > Server Administration > Data Cleanup to identify orphaned user data
- Audit site memberships: check each site's Memberships section for stale accounts
- Verify LDAP sync logs in Control Panel > Server Administration > Log Levels (set com.liferay.portal.security.ldap to DEBUG)
- Review Control Panel > Audit (requires Audit module) for recent user login and permission changes
- Document all role and organization changes in your change management system
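An added example for the quarterly review in this checklist (not Liferay's or this page's code): given a user-accounts listing already fetched from the headless API, it flags accounts with no login inside the review window and shows which sites and roles they still hold. The field names lastLoginDate, siteBriefs and roleBriefs, the 90-day window, the privileged role name and the sample data are assumptions; check them against your portal's actual API response.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a user-accounts listing; field names are assumed.
SAMPLE_PAGE = {"items": [
    {"id": 12345, "emailAddress": "jane@company.com",
     "lastLoginDate": "2024-05-20T08:15:00Z",
     "siteBriefs": [{"name": "Intranet"}], "roleBriefs": [{"name": "User"}]},
    {"id": 12346, "emailAddress": "old.admin@company.com",
     "lastLoginDate": "2023-11-02T10:00:00Z",
     "siteBriefs": [{"name": "Intranet"}, {"name": "Partners"}],
     "roleBriefs": [{"name": "Administrator"}]},
    {"id": 12347, "emailAddress": "never@company.com", "lastLoginDate": None,
     "siteBriefs": [{"name": "Partners"}], "roleBriefs": [{"name": "User"}]},
    {"id": 12348, "emailAddress": "svc@company.com",
     "lastLoginDate": "2024-01-15T00:00:00Z",
     "siteBriefs": [], "roleBriefs": [{"name": "User"}]},
]}

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the account never logged in."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def stale_accounts(page, now, max_idle_days=90, privileged=("Administrator",)):
    """Accounts with no login in the window, privileged and longest-idle first."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in page.get("items", []):
        last = parse_ts(user.get("lastLoginDate"))
        if last is not None and last >= cutoff:
            continue  # logged in recently, nothing to review
        roles = [r["name"] for r in user.get("roleBriefs") or []]
        findings.append({
            "id": user["id"],
            "emailAddress": user.get("emailAddress"),
            "idleDays": None if last is None else (now - last).days,
            "sites": [s["name"] for s in user.get("siteBriefs") or []],
            "roles": roles,
            "privileged": any(r in privileged for r in roles),
        })
    # Never-logged-in accounts sort as the longest idle within their group.
    findings.sort(key=lambda f: (not f["privileged"],
                                 -(f["idleDays"] if f["idleDays"] is not None else 10**6)))
    return findings

if __name__ == "__main__":
    for finding in stale_accounts(SAMPLE_PAGE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(finding)
```

The ids it returns are the candidates for the deactivation steps described earlier on this page.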