Create Service Accounts to send agreements under a functional entity

Adobe Acrobat Sign Service Accounts

Service Accounts are a vehicle to enable users in an enterprise-level account to send agreements under the authority of a userID explicitly generated for that purpose (vs. using their personal userID).

For example, a Service Account can be created to send legal documents. The user's profile can be designed to provide a functional name and email address that identify the Legal department and not an individual sender. All users that need to send NDA agreements (for example) can switch to the Legal Service Account and send under that profile, affording the transaction a more consistent and authoritative look. Additionally, agreements of a specific nature can be limited to the Service Account's group, constraining all agreements of a functional type to that one user instead of being distributed throughout the user base.

Service Accounts are available to enterprise customers that have enabled advanced sharing and manage their accounts through the Adobe Admin Console.

Tech Account product cards

Märkus.

The below process describes the use of Service Accounts accessed by users manually from the Acrobat Sign environment. Organizations that want to enable the API to send agreements on behalf of a centralized party should refer to the Technical Accounts for the API documentation.

Prerequisites

To enable a Service Account, your Acrobat Sign account must:

  • Have enterprise tier ETLA service
  • Manage users on the Adobe Admin Console*
  • Have Advanced Account Sharing enabled with Sending permissions enabled.
    • Users in Multiple Groups (strongly recommended).

* A note on the Adobe Admin Console

The Adobe Admin Console provides a framework for user management and license allocation. Most customers have only one Admin Console.

However, some customers with complex user/licensing requirements can have multiple Admin Consoles, which may become confusing in a process like Service Account creation, where one Admin Console may govern the federated user management, and another manages the Acrobat Sign licensing.

If you know you have multiple accounts or aren't sure, please read the below:

The difficulty with multiple Admin Consoles is ensuring that you are in the correct console for the actions you are trying to perform.

To determine if you have multiple Admin Consoles:

1. Log in to the Admin Console.

2. In the upper-right corner of the console, click on the organization name.

If you have a drop-down menu with multiple organizations, you have multiple Admin Consoles.

Admin Console organization drop down

If you only have one Admin Console, user creation and licensing operations occur in the same organization, and you don't need to worry about switching between consoles.

If you have multiple Admin Consoles, take a moment to determine which organization manages federated user creation and which governs the Acrobat Sign license provisioning.

Companies with multiple Admin Consoles may deploy Acrobat Sign from more than one. You must identify the correct Admin Console where you want to establish the Service Account.

You should inspect each organization to determine which should contain the Service Account.

  1. Select the organization.
  2. Select Products from the top rail of options.
  3. Look for the Adobe Sign - Enterprise product card

For the purpose of this document, we will call this your Licensing Admin Console. This is the organization where your Service Account is created and managed.

Tech Account product cards

Organizations that use federated user management must de-sync the federated solution to create the Service Account outside of the federated environment.

To do this, you must inspect each organization to find which one controls the domains that enable the federated trust relationship. Multiple Admin Consoles can Trust a domain, but only one actively controls it.

  1. Select the orgnaization
  2. Select Settings from the top rail of options.
  3. Select Identity from the left rail of options.
  4. If there are directories listed with the Type being Federated ID and the Status is Trusted, click the row the directory is on to expose the Owning Organization.
Navigate to Identity

The Owning Organization is the correct Admin Console to manipulate your federated ID synchronization controls.

  • An email is provided for the console admin if you do not currently have access.

If the Type is Federated ID and the Status is Active, click the Name of the directory to open the directory settings.

Active domain

On the settings page, select the Sync tab, which opens the IDP sync information.

For the purpose of this document, we will call this your Federated Sync Admin Console.  

Directory settings - sync tab

Märkus.

If you do not see a Sync tab, your account may have a Global Admin Console that you do not have access to.

You will need to contact your internal Adobe administrators to gain access.

Organizations that

  • utilize the User Sync Tool (UST) to automatically sync users between Adobe and their Active Directory
  • do not allow users to be manually added or created in Acrobat Sign  

must create an "exception" group for all Service Account userIDs. All Service Account userIDs must be created in this exempt group to ensure they are not deactivated and do not have their license removed by the automatic user sync.

The exception group must be configured as exempt from the sync within the UST configuration.

In cases where Adobe hosts the UST on behalf of the customer's organization, the customer admin must communicate the Group Name to their Success Manager, Technical Account Manager, or account representative so they can work with the Adobe Customer Solutions team to ensure this group is exempt from the sync.

Overview

Creating a Service Account is a multi-step process that requires administrator-level access to the Adobe Acrobat Console and account-level administrator authority in Acrobat Sign.

The process requires the admin to:

  1. (Optional) Create a new Group in the Acrobat Sign system.
    • Creating a dedicated group for the Service Account allows a very tight configuration of the agreement properties that may be too strict or different from other group configurations.
  2. Create a new Service Account in the Adobe Admin Console.
    • This creates a Service Account that other users can switch to (via advanced account sharing) and send agreements.
  3. Share the Service Account's account with the users and groups that should be allowed to use the Service Account.
    • Sharing the Service Account with other users and groups allows those users to switch to the Service Account and generate new agreements that will be sent under that userIDs profile.

Consider generating a unique group in Acrobat Sign for the application

Adding a Service Account to a unique group allows the function of the Service Account to dictate the sending and signing parameters of the group, as well as the available workflows, templates, and reporting features.

In the example of a Service Account designed for Legal transactions, the group can define the default authentication requirement, expiration date, automatic CC parties, and PDF attachment rules, all of which would likely not be suitable for Sales transactions.

Additionally, constraining specific library templates to the Service Account's group ensures that all agreements using that template are associated with only the Service Account and not distributed throughout your user base.

To create a discrete group:

  1. Log in to Acrobat Sign as an account-level administrator.

  2. Navigate to the Groups tab in the admin menu.

  3. Click the plus icon to create a new group.

  4. Enter an intuitive name for the group (i.e., the name of the function for which the Service Account is created).

  5. Save the group.

    Create a group

  6. (Optional) Open the new group and configure the default settings needed for the type of agreements to be sent.

    1. Select the new group from the list of groups to expose the action bar at the top of the list.
    2. Select Group Settings action to open the group-level configuration.
    Access gorup level settings

Märkus.

If your organization is

  • using the User Sync Tool (UST) to automatically sync users between Adobe and your Active Directory
  • not permitting users to be manually added or created in Acrobat Sign

you must create an exception group to be the primary group for all Service Account userIDs.

The name of the group is added to your UST configuration to ensure the sync process does not impact the userIDs, causing them to be deactivated or to have their entitlement removed.

Create the new Service Account

Märkus.

Before creating the new Service Account, you must identify an email address that can be used for inbound replies/questions from your recipients. (e.g., legal_agreements@my_domain.dom)

To create the new Service Account:

  1. Log in to your (Federated Sync) Admin Console as an administrator.

  2. Navigate to:  Settings → Identity

    Select a directory to create the new user.

    Active domain

  3. Select the Sync tab.

  4. Select Go to Settings

    Directory settings - sync tab

  5. Select Enable Editing.

    When editing is enabled, the Adobe Admin Console allows edits to the user data within the Admin Console only. Your IdP is not updated with the edits.

    Tech Account

    Märkus.

    Editing will remain enabled for one hour only, or until manually disabled.

  6. Log in to your Licensing Admin Console (if you are working with multiple Admin Consoles).

  7. Navigate to: Users → Add user.

  8. Configure your new Service Account with:

    • Email or username: Use the email address that you want to capture any reply-to eamils from your recipients.
    • ID Type: Federated ID
    • First/Last name: this value is used in the Acrobat Sign system and is reflected in the audit report. Use a value that provides context. e.g.: Legal Department
    • SSO username: Use the same email value.
    • Country/Region: Select the appropriate country or region for your company.
    • Select the Acrobat Sign product profile.
    • Set the users role to User.

    Click Save when done.

    Tech Account

  9. Log back into the Federated Sync Admin Console to enable the synching of your IdP data.

  10. Navigate back to Settings → Identity → {Directory} → Sync → Go to Settings.

    Click Disable editing to re-enable the syncing of data with your IdP.

  11. Your new Service Account will automatically be generated in the Acrobat Sign system.

Share the Service Account with the groups or users that are authorized to use the Service Account

Creating a share to a group establishes a sharing connection with all users in the group, thereby allowing the group's users to switch into the Service Account interface and create agreements.

Sharing directly to one user establishes a connection to just that user.

  1. Log in to Acrobat Sign as an account administrator.

  2. Navigate to the Users tab in the admin menu.

  3. Select the Service Account from the user list, and then select Edit User Details from the actions at the top of the list.

    Edit User Details

  4. Select Sharing Status in the left rail menu.

    • Ensure the User's Account Shared With tab is selected.
    • Select the plus icon  to create a new share relationship.
    User's account shared with

  5. Select the group or user to share the Service Account account with:

    1. Click the three lines icon to the right of the search box..
    2. Click the plus icon  next to the group or user to select it.
      • Individual users can be added by expanding a group and then selecting an individual user form that group.
    3. Enable Sending unser the Additional Permission beyond Viewing options.
    4. Click Save.
    Tech Account

Test your new Service Account

To test that your users can access the Service Account:

  1. Log in to any user with which the Service Account has shared their account.

  2. Select your name in the upper-right corner to expose users sub-menu.

  3. Select Switch Account from the menu.

    An overlay displays the list of user accounts shared.  Select the Service Account and click OK.

    Switch Accounts

  4. The user view is refreshed to show the Service Account interface.

    • This can be identified by the blue banner.

    Navigate to the Send page and send an agreement to yourself.

    • Note that any templates assigned directly to the group the Service Account is in are available for sending.
    Shared user account

  5. The email you recieve will be properly formatted to show the Service Account's name and eamil address.

    Proxy email

 Adobe

Saage abi kiiremini ja hõlpsamalt

Uus kasutaja?