Authentication
Authentication is the foundation of the ADManager Plus API. To protect your Active Directory environment, every API request must be verified before it is processed. Instead of traditional username or password credentials, ADManager Plus uses authtokens to authenticate and authorize API calls.
An authtoken functions like a digital pass:
- Verifies the identity of the technician or admin making the request.
- Ensures the account has the required permissions for the requested operation.
- Can be configured with a scope and an expiry time, limiting its usage to specific actions and duration.
This approach provides a balance of flexibility and security: technicians can manage their own tokens, while the built-in admin has centralized visibility and control over all tokens in the system. For auditing purposes, every token carries details about who generated it and when.
All API requests must include an authtoken in the request header. Without a valid token, resources cannot be retrieved or modified through the API.
Generating an authtoken:
Technicians can generate tokens for their accounts directly in the ADManager Plus console.
Steps to generate an authtoken:
- Log in to ADManager Plus with a technician account that has the required delegation.
- Navigate to My Account > Active Authtokens.
- Click +Generate Authtoken.
- In the pop-up window, provide the following details:
  - Select Technician: From the drop-down menu, select the ADManager Plus technician for whom you'd like to generate an authtoken.
  - Authtoken Name: Provide an appropriate name for this authtoken.
  - Scope: From the drop-down list, select the scope of this authtoken over the delegated actions.
  - Expiry Time: Specify the time period after which this authtoken will expire. Enter the time in minutes, hours, or days, or schedule a custom date.
- Click Generate Authtoken.
My Account window showing the Active Authtokens tab in ADManager Plus, where technicians can view, generate, or manage their authentication tokens.
Once generated, the token will appear in the Active Authtokens list, where it can be viewed and managed.
Managing technicians’ authtokens
The built-in admin has extended privileges to create, view, and manage tokens for all technicians.
- Log in to the ADManager Plus console as a built-in admin.
- Navigate to Delegation > Configuration > Technician Authtokens.
- The resulting window displays a detailed list of all active authtokens that are mapped to different technicians.
- To generate a new authtoken for a specific technician, select the desired technician from the dropdown menu and click the Generate Authtoken button.
- For auditing purposes, whenever the built-in admin generates an authtoken for another technician, this is recorded in the Generated by column of Authtoken Details.
- To delete multiple authtokens at once, select them using the checkboxes and click the delete icon at the top of the Technician Authtokens window.
Technician Authtokens page under the Delegation > Configuration section in ADManager Plus, displaying authtokens for multiple technicians with details like scope and expiry date.
Using authtoken in API calls
Tokens must always be passed in the request header. They cannot be sent as query parameters.
- Header name should be Authorization
- Header value should be {auth_token}
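The header rule above, as an added client-side example (not ManageEngine's code): it places the raw token in the Authorization header, refuses any URL that contains the token, and redacts the header for logging. The base URL, the path used in testing and the function names are assumptions; no ADManager Plus endpoint is implied.

```python
import urllib.request
from urllib.parse import unquote, urlsplit

# Placeholder base URL (assumption): substitute your own ADManager Plus server.
BASE_URL = "https://admanager.example.internal:8443"


def build_request(path, authtoken, base_url=BASE_URL, method="GET", body=None):
    """Return a Request that carries the authtoken only in the Authorization header."""
    if not authtoken or "\r" in authtoken or "\n" in authtoken:
        raise ValueError("authtoken is empty or contains line breaks")
    url = base_url + path
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an authtoken over plain HTTP")
    # Query strings are written to proxy and web-server access logs, so a
    # token that reaches the URL (even percent-encoded) is treated as a bug.
    if authtoken in unquote(url):
        raise ValueError("authtoken must not appear in the URL")
    req = urllib.request.Request(url, data=body, method=method)
    # Header value is the raw token, matching the page's {auth_token}.
    req.add_header("Authorization", authtoken)
    return req


def loggable_headers(req):
    """Copy of the request headers that is safe to write to client logs."""
    return {name: ("<redacted>" if name.lower() == "authorization" else value)
            for name, value in req.header_items()}
```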
Scopes:
Authtokens can be restricted with scopes, which limit the operations a token can perform. Scopes provide fine-grained control, ensuring tokens are only as powerful as needed. The table below lists the available scopes, their operation codes, and the corresponding actions.
| Scope | Operation | Action |
|---|---|---|
| user | All user management actions | Perform all available actions related to user accounts, including creation, modification, and deletion |
| | Read user action | Retrieve detailed information about a user |
| | Create user action | Create a new user account in Active Directory |
| | Modify user action | Update details of an existing user account |
| | Delete user action | Remove a user account from Active Directory |
| group | All group management actions | Perform all available actions related to groups, including creation, modification, and deletion |
| | Read group action | Retrieve details of a group |
| | Create group action | Create a new group in Active Directory |
| | Modify group action | Update details of an existing group |
| | Delete group action | Remove a group from Active Directory |
| computer | All computer management actions | Perform all available actions related to computer accounts |
| | Read computer action | Retrieve details of a computer account |
| | Create computer action | Add a new computer account in Active Directory |
| | Modify computer action | Update details of an existing computer account |
| | Delete computer action | Remove a computer account from Active Directory |
| contact | All contact management actions | Perform all available actions related to contact objects |
| | Read contact action | Retrieve details of a contact |
| | Create contact action | Add a new contact object in Active Directory |
| | Modify contact action | Update details of an existing contact |
| | Delete contact action | Remove a contact object from Active Directory |
| organizational-unit | All OU management actions | Perform all available actions related to organizational units |
| | Read OU action | Retrieve details of an organizational unit |
| | Create OU action | Create a new organizational unit in Active Directory |
| | Modify OU action | Update details of an existing organizational unit |
| | Delete OU action | Remove an organizational unit from Active Directory |
| orchestration | All orchestration template actions | Perform all available orchestration-related actions |
| | Read orchestration template action | Retrieve details of orchestration templates |
| | Run orchestration template action | Execute orchestration templates |
| admin-settings | All admin settings actions | Perform all actions related to admin settings |
| | Read environment variables action | Retrieve details of configured environment variables |
| | Add environment variables action | Add a new environment variable |
| | Update environment variables action | Modify existing environment variables |
| | Read organization attributes action | Retrieve details of organization attributes |
| | Add organization attributes action | Add a new organization attribute |
| | Delete organization attributes action | Remove an organization attribute |
| directory-data | All directory actions | Perform all actions related to directory resource data (available only to the built-in admin) |
| | Read directory data | Retrieve directory-level data from the resource tables |
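A least-privilege review of issued tokens, as an added example (not part of the product or its documentation): it flags tokens that hold an "All ..." operation, directory-data operations on a non-admin technician, a long remaining lifetime, or a Generated by value that differs from the owner. The inventory layout, the sample records, the built-in admin name "admin", the 30-day threshold and the possibility of several operations per token are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory, as if transcribed by hand from the Technician
# Authtokens window; field names and values are assumptions.
TOKENS = [
    {"name": "hr-onboarding", "technician": "tech.alice", "generated_by": "tech.alice",
     "operations": ["Create user action", "Read user action"], "expires": "2025-02-01"},
    {"name": "legacy-sync", "technician": "tech.bob", "generated_by": "admin",
     "operations": ["All user management actions", "All group management actions"],
     "expires": "2027-01-01"},
    {"name": "report-job", "technician": "tech.carol", "generated_by": "tech.carol",
     "operations": ["Read directory data"], "expires": "2025-01-20"},
]

# Operations of the directory-data scope, which the table reserves for the built-in admin.
DIRECTORY_DATA_OPS = {"All directory actions", "Read directory data"}


def audit(tokens, now, max_days=30, builtin_admin="admin"):
    """Map token name -> list of least-privilege findings (clean tokens are omitted)."""
    findings = {}
    for tok in tokens:
        flags = []
        ops = set(tok["operations"])
        # An "All ..." operation grants create, modify and delete for the whole scope.
        if any(op.startswith("All ") for op in ops):
            flags.append("broad-scope")
        if ops & DIRECTORY_DATA_OPS and tok["technician"] != builtin_admin:
            flags.append("directory-data-non-admin")
        remaining = datetime.strptime(tok["expires"], "%Y-%m-%d") - now
        if remaining > timedelta(days=max_days):
            flags.append("long-lived")
        # Tokens issued on someone else's behalf deserve a second look.
        if tok["generated_by"] != tok["technician"]:
            flags.append("generated-by-other")
        if flags:
            findings[tok["name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in audit(TOKENS, datetime(2025, 1, 15)).items():
        print(name, flags)
```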