Hello Himanshu-
I believe this concern is now understood, but for historical reference here I'd like to explain the findings and details in case other users come across this question.
For Engines configured in Data Control Tower to leverage the Users + Groups feature, this feature by design moves all user management to the DCT interface. This is mentioned on the Docs page
https://docs.delphix.com/dctsaas/users-and-groups
Once the U+G feature is enabled, the intention is that user API access is now controlled through DCT, though "legacy" API access (user/pass authentication on Engine) is maintained for those users on-engine that existed at the time of enablement. Therefore, any users with apiUser=true will retain this setting; any new users added through DCT will have apiUser=false.
"...users with legacy API (password-based authentication to the engine API or CLI) access using name/password will retain this access. Future API access should be configured using API Keys."
Engine administrators will find that a local / legacy user can toggle the apiUser flag to false to remove the local (Engine) user/pass authentication, but it is not intended to allow users to be toggled back to true.
------------------------------
Sean Nothdurft
Senior Principal Technical Support Engineer
Delphix
------------------------------
Original Message:
Sent: 09-29-2021 08:51:55 AM
From: Himanshu Sangwan
Subject: Unable to connect with API session and set apiUser=true for the user (manually or Cli)
Hi
I am trying to connect an API session for an application, but it is failing for a user. I then tried to set apiUser=true for the user, but it does not allow me and throws this error.
In Central Management I don't see any option where I can set apiUser to true, nor does it allow me from the CLI.
Steps followed:
Error: Management of users on this engine has been locked down.
Action: Use Central Management to manage users on this engine. If Central Management is not available, ask a
system administrator to disconnect the Engine from Central Management.
localhost> user
localhost user> select foo
localhost user 'foo'> ls
Properties
type: User
name: foo
apiUser: false
authenticationType: NATIVE
emailAddress: asd@asd.com
enabled: true
firstName: (unset)
homePhoneNumber: (unset)
isDefault: false
lastName: (unset)
locale: en-US
mobilePhoneNumber: (unset)
passwordUpdateRequest: FIRST_LOGIN
principal: foo
publicKey: (empty)
reference: USER-3
sessionTimeout: 30min
userType: DOMAIN
workPhoneNumber: (unset)
Operations
delete
update
disable
enable
updateCredential
localhost user 'foo'> update
localhost user 'foo' update *> set apiUser=true
localhost user 'foo' update *> commmit
Thanks
Himanshu
------------------------------
Himanshu Sangwan
DevOps Lead
Ontario Teachers' Pension Plan Board
------------------------------