Migrate user management to the Adobe Admin Console

As an administrator of an Adobe product, you may have traditionally managed your users and controlled their access to various product capabilities through the product's administrative interface. Now you can achieve the same through Adobe's Admin Console. This document explains the benefits of doing so, and also guides you through the process.

The document provides an overview of the steps that are required to transition user management from your current in-product interface to the Adobe Admin Console. It links to other documents that cover the specific how-tos in full detail.

This document is targeted at the following administrative roles.

Administrators of the current product who are responsible for user management. This role involves tasks such as:

• Adding and inviting users to the product 
  
• Editing user properties
• Removing users

Administrators of the current product who are responsible for assigning product permissions to users for access to various product capabilities. This role involves tasks such as:

• Enabling and revoking permissions to a specific product functionality
  
• Assigning a product-specific role to a user

The Adobe Admin Console provides a centralized location to manage the administrators, users, user groups, product permissions, and product roles across all the Adobe products that your organization has purchased.

You can delegate system administrative tasks by creating other system administrators. You can also designate product-specific administrators to manage Adobe products that your organization has purchased. For details, see Administrative roles.

As Adobe introduces new products and services, you can quickly provide your users access to these products from within the Admin Console. You can also manage product-specific permissions and roles by using product profiles.

You can also create user groups to collectively manage product permissions and product roles. Simply create groups of users based on your needs and then assign these user groups to the product profiles that you define.

For more details, see the Admin Console.

If you are a system administrator, the Admin Console provides you with a single interface to manage all the users in your organization, irrespective of which Adobe products they use. You can add new users to the Admin Console using their Adobe ID or their enterprise credentials.

For the steps to add users, see Invite Users. You can also add multiple users using a .csv file. The console also provides various bulk operations for managing users.

If you are a product administrator, the Admin Console provides you with a single interface to manage the product-specific permissions and roles for the users in your organization. When Adobe adds new capabilities to the products that your organization uses, you can manage any new permissions for your existing users from within the same interface. When your organization purchases new products from Adobe, you can use the same Admin Console to provide your users access to and manage their permissions and roles for these new products.

For details on how to manage product permissions and roles, see Manage products and profiles.

Your end users have one set of user credentials that they use across all existing and new Adobe products available to your organization.

You will receive an in-product notification to get you started with the migration.

If your organization is not already using the Admin Console, you will be designated the primary system administrator and will receive an email invitation from Adobe to the Admin Console. To log in, use your Adobe ID credentials.

Following is an overview of the steps to migrate your user management to the Admin Console.

The first step is to decide the identity type for your users. Adobe’s identity management system helps admins create and manage user access to applications and services. Adobe offers three varying types of identities or accounts to authenticate and authorize users. They use an email address as the user name. You can choose between any of the following identity types supported by the Admin Console.

• Federated ID: Created, owned, and managed by an organization and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).
• Enterprise ID: Created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID.
• Adobe ID: Created, owned, and managed by the end user. Adobe performs the authentication, and the end user manages the identity.

Based on your organizational needs, you can select the most appropriate identity model to implement and use.

Important: You can either choose to use Federated IDs or  Enterprise IDs (and not both). However, you can choose only one of these identity types with the Adobe IDs. Like, if some of your users are logging into your product with your enterprise credentials (such as johndoe@example.com) and some users are using emails that are from outside your enterprise (such as janedoe@gmail.com).

For details, see the supported identity types.

Adobe ID is only recommended if your users are currently logging into your product with an email address that does not belong to your organization's domain. If some of your users are using Adobe ID identity types, request each of them to create an Adobe ID at http://www.adobe.com.

For details, see Set up identity.

Your end users are authenticated against domains that you set up in the Admin Console. If your email address is john@example.com, your domain is example.com. A claimed domain can be used either with Enterprise IDs or Federated IDs, but not both. You can however claim multiple domains.

Your organization must demonstrate its control over a domain to claim it. And, a domain can be claimed only once.

If the domain has already been claimed, like, by another department of the same company, one can request access to it by the domain claim process. The first department to claim the domain (owner) is responsible for approving any requests for access by other departments (trustees). For details, see Directory trusting.

If you’ve set up Federated IDs, Single Sign-On can be configured. When organizations configure and enable Single Sign-On (SSO), users in that organization are able to use their corporate credentials to access Adobe software.

After your users have created their Adobe IDs and / or you have claimed the domain for your enterprise, you can now initiate the migration process from within your Adobe product.

All users that are set up to be managed via the Admin Console receive an email that explains what they have been given access to.

System and product administrators will be able to access to the Admin Console.

End users will be able to log into the product using their credentials.

After the migration is complete, the following changes take effect:

You no longer manage users in the product.

Use the Admin Console to manage users. For an introduction on how to use the Admin Console, see this article.

If you are the primary (or first) System administrator for your organization on the Admin Console, you can assign administrative roles to other users. These roles can include:

• Other System administrators
• Product administrators

You no longer manage users, their permissions, or their roles in the product.

You are assigned administrative privileges to one or more products in your organization. You can create product profiles and assign administrators to the profiles that you create. You can also assign users and user groups to these product profiles. Optionally, you can then assign roles to these users and user groups. 

For details on how to manage product profiles in the Admin Console, see Manage products and profiles.

Your end users will log into the existing product using their credentials. All user information is specific to the Adobe ID or as specified in your enterprise (if you choose Federated or Enterprise IDs).