Users and Groups on Brand Portal

AEM Brand Portal is an Experience Cloud product, so its users and groups are created and managed through Admin Console.

Admin Console with respect to AEM Brand Portal

  1. Once an organization is provisioned on AEM Brand Portal, the administrator can create product profiles under the product AEM Brand Portal. These product profiles are used to segregate users. AEM Brand Portal reads these product profiles as Groups in Brand Portal.
    Q. How and when do these profiles get created on Brand Portal?
    A. Once the administrator creates product profiles in Admin Console, AEM Brand Portal reads them using a sync job every 8 hours. So AEM Brand Portal syncs any changes made in Admin Console to Brand Portal's system every 8 hours. A product profile created in Admin Console will be visible in Brand Portal within 8 hours at the latest, under Tools → Users → Groups.
  2. To onboard users, the administrator can configure Federated ID, which uses the organization's SSO and identity management for authentication. In this case, Admin Console authenticates users through the organization's identity management system, and it is not necessary to register/enroll every user for an AdobeID. This can be set up using https://helpx.adobe.com/enterprise/using/set-up-identity.html.
  3. If the organization wants its users to use Adobe's authentication, it can use AdobeID. In this case, every user to whom the organization's administrator wants to give access must have a valid AdobeID. The administrator can then add the user to any one of the product profiles he has created, as mentioned above in point #1.
    Q. In what cases does a user not need to belong to a product profile, yet can still access Brand Portal?
    A. If the administrator adds a user with the system administrator privilege, he doesn't need to add this user to any product profile. Since this user is a system administrator, he gets administrative rights over every product of the organization.
    If the administrator adds a user as product administrator of the AEM Brand Portal product, this user also doesn't need to belong to a product profile in order to access Brand Portal. In all other cases, a user can't access Brand Portal until he belongs to at least one product profile (Group in AEM Brand Portal).
  4. User and Group Listing in AEM Brand Portal
    1. When a valid user (one who has access to the Brand Portal product in Admin Console) logs in to the AEM Brand Portal URL, his user node is created in the AEM Brand Portal system. Until a user logs in to Brand Portal, Brand Portal doesn't have any information about this user. Brand Portal creates the user in its repository only when the user logs in for the first time. So it is quite possible that Admin Console lists n users while Brand Portal lists only n-m users in its user listing, for this reason.
    2. The Groups listing in Brand Portal depends on the UserGroupSyncJob, which runs every 8 hours. This job updates the content on Brand Portal if
      1. A product profile is added to or deleted from Admin Console.
      2. Any user is added to or deleted from any product profile in Admin Console.
    Q. I have "N" users in Admin Console, and "m" out of the "N" users have logged into Brand Portal at least once, but I still see fewer users (<m) in Brand Portal's user listing. What might be the reason?
    A. If all the "m" users have logged into Brand Portal at least once, then the users that are not listed have probably been deactivated. Refer to user deactivation/activation below. The user listing in Brand Portal lists only the currently active users.
    Q. I have created some product profiles in Admin Console, but they don't show up under the Groups listing in Brand Portal?
    A. Please wait for some time. When the next UserGroupSyncJob runs, the product profiles will be synced to AEM Brand Portal as Groups.
  5. User Activation/Deactivation in Brand Portal:
    1. If a user is removed from all the product profiles, i.e. his access to the product is revoked in Admin Console, this user is marked inactive when either of these events is triggered, whichever comes first
      1. The user tries to log in to Brand Portal
      2. The UserGroupSyncJob runs
    2. Inactive users remain in the system but are not listed in the users listing in Brand Portal. The same is true for all user personas, admins and non-admins.
      1. If a system administrator doesn't have the administrator privilege in Admin Console and also doesn't have a product profile associated, he is marked inactive.
      2. If a product administrator doesn't have product administrator rights in Admin Console anymore and doesn't have a product profile associated, he is marked inactive.
      3. Any other user who doesn't have any product profile assigned to him is marked inactive in Brand Portal.
    3. Inactive users can't log in to Brand Portal and see a request access page when they try to log in. Using this page, they can submit an access request. This access request sends an email and a pulse notification to all the administrators of that organization.
    4. To activate the user, an administrator of the organization needs to do any one of the following
      1. Assign him system administrator rights in Admin Console
      2. Assign him product administrator rights for the product AEM Brand Portal in Admin Console
      3. Assign him to one or more product profiles.
    5. Whenever the user logs in to Brand Portal, the user gets activated again. Once active, the user starts to receive all emails and pulse notifications according to his current user persona.
    6. User count: the number shown at the top of this page is the total number of active users in Brand Portal. So it excludes users who have not yet logged in to Brand Portal at least once or who are not active. The list below the count displays details of these users.
  6. User's Effective Role:
    1. In AEM Brand Portal a user can hold one of the following roles at a time
      1. admin: all the capabilities
      2. editor: no admin tools
      3. viewer: no sharing capability
    2. The effective role of a user is listed on the Tools → Users → Users tab. Similarly, a group also has one of the 2 roles, Editor or Viewer.
    3. Role is specific to AEM Brand Portal and doesn't have anything to do with Admin Console. So Role is a layer on top of the persona a user has in Admin Console.
    4. Role is applicable to non-admin users only. All admins (system or product) have all capabilities available in Brand Portal.
    5. A user gets his role from the group he belongs to. If a user is a member of multiple groups, he holds the highest role he has in any of those groups.
      1. Example 1: user1 has the editor role in group1 and the viewer role in group2, so user1's effective role will be editor.
      2. Example 2: user1 has the viewer role in group1 and the viewer role in group2, so user1's effective role will be viewer.
    6. Changing a user's role: If a user has the viewer role, the admin can change the role to editor. But if the user has the editor role, the admin can't always change the role to viewer.
    7. If a user is an editor in any one of the groups, the admin can't change the user's role to viewer without changing the group role to viewer.
    8. A user role change is effective immediately and doesn't depend on the UserGroupSyncJob running.
  7. User Roles in collection settings: whenever a user shares a collection further, the effective role of the user always applies, and not the role you specify while sharing the collection.
  8. A viewer can create a collection and thereby becomes the owner of that collection. But since he doesn't have rights to see what other users there are in his organization, when he tries to share the collection he created he sees only his own email and the groups he belongs to. So he can share the collection with his groups but not with individual members of the organization.
  9. Original Download Restriction on Group: If the admin restricts any group from downloading the original rendition, then irrespective of the user's role (editor or viewer), all users belonging to that group won't have access to original renditions of the images.
  10. The original download restriction is applied at group level for non-admin users and not on a per-folder basis.
    1. Example 1: admin shares folder1 and folder2 with group1. group1 has restricted access to download originals. Now consider 3 users, user1, user2 and user3, all belonging to group1. The behavior for images in both folders will be as follows
      1. user1: viewer role: can't download original renditions of images in either folder.
      2. user2: editor role: can't download original renditions of images in either folder.
      3. user3: admin: can download original renditions of images in either folder, since he is an admin.
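
The activation, effective-role and original-download rules described above can be modelled as follows. This is an added example, not Adobe's code or API: the class and function names are hypothetical, the sample users are constructed, and treating membership in any restricted group as blocking is an assumption for users who belong to several groups.

```python
# Added illustration; names are hypothetical and do not correspond to an Adobe API.
from dataclasses import dataclass, field

ROLE_RANK = {"viewer": 1, "editor": 2}  # group roles named on this page

@dataclass
class User:
    name: str
    system_admin: bool = False   # system administrator in Admin Console
    product_admin: bool = False  # product administrator of AEM Brand Portal
    groups: dict = field(default_factory=dict)  # product profile (group) -> group role

def is_admin(user):
    return user.system_admin or user.product_admin

def is_active(user):
    """Inactive once no admin privilege and no product profile remain."""
    return is_admin(user) or bool(user.groups)

def effective_role(user):
    """Admins hold all capabilities; others get the highest role among their groups."""
    if not is_active(user):
        return None
    if is_admin(user):
        return "admin"
    return max(user.groups.values(), key=ROLE_RANK.__getitem__)

def can_download_original(user, restricted_groups):
    """The restriction follows group membership, not role or folder; admins are exempt."""
    # Assumption: one restricted group is enough to block a multi-group user.
    if not is_active(user):
        return False  # inactive users cannot log in at all
    if is_admin(user):
        return True
    return not any(g in restricted_groups for g in user.groups)

# Constructed sample data mirroring the page's examples.
restricted = {"group1"}
user1 = User("user1", groups={"group1": "viewer"})
user2 = User("user2", groups={"group1": "editor"})
user3 = User("user3", product_admin=True, groups={"group1": "viewer"})
mixed = User("mixed", groups={"group1": "editor", "group2": "viewer"})
revoked = User("revoked")  # removed from every product profile

if __name__ == "__main__":
    for u in (user1, user2, user3, mixed, revoked):
        print(u.name, is_active(u), effective_role(u), can_download_original(u, restricted))
```
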