How do users and groups in Brand Portal map with Admin Console?

AEM Brand Portal, being an Experience Cloud product, has its users and groups created and managed through the Admin Console.

Admin Console with respect to AEM Brand Portal

  1. Once an organization is provisioned on AEM Brand Portal, the administrator can create product profiles under the product AEM Brand Portal. These product profiles are used to segregate users. AEM Brand Portal reads these product profiles as Groups in Brand Portal.
    Q. How and when do these profiles get created on Brand Portal?
    A. Once the administrator creates product profiles in Admin Console, AEM Brand Portal reads them using a sync job that runs every 8 hours. So any change made in Admin Console is synced to Brand Portal's system within 8 hours. A product profile created in Admin Console will be visible in Brand Portal within 8 hours at the latest, under Tools → Users → Groups.
  2. To onboard users, the administrator can configure Federated ID, which uses the organization's SSO and identity management for authentication. In this case, Admin Console authenticates users through the organization's identity management system and does not require every user to register for an Adobe ID. This can be set up by following https://helpx.adobe.com/enterprise/using/set-up-identity.html.
  3. If the organization wants its users to use Adobe's authentication, they can use Adobe ID. In this case, every user to whom the organization's administrator wants to give access must have a valid Adobe ID. The administrator can then add the user to any one of the product profiles created as described in point 1.
    Q. In what cases does a user not need to belong to a product profile, yet can still access Brand Portal?
    A. If the administrator adds a user with system administrator privilege, that user does not need to be added to any product profile. Since the user is a system administrator, he gets administrative rights over every product of the organization.
    If the administrator adds a user as product administrator of the AEM Brand Portal product, that user also does not need to belong to a product profile in order to access Brand Portal. In all other cases, a user cannot access Brand Portal until he belongs to at least one product profile (a Group in AEM Brand Portal).
  4. User and Group Listing in AEM Brand portal
    1. When a valid user (one who has access to the Brand Portal product in Admin Console) logs in to the AEM Brand Portal URL, his user node is created in the AEM Brand Portal system. Until a user logs in to Brand Portal, Brand Portal has no information about him; Brand Portal creates the user in its repository only on his first login. For this reason it is quite possible that Admin Console lists n users while Brand Portal lists only n-m users in its user listing.
    2. The groups listing in Brand Portal depends on the UserGroupSyncJob, which runs every 8 hours. This job updates the content on Brand Portal if
      1. a new product profile is added to or deleted from Admin Console, or
      2. any user is added to or removed from any product profile in Admin Console.
    Q. I have "N" users in Admin Console, "m" of the "N" users have logged in to Brand Portal at least once, but I still see fewer users (<m) in Brand Portal's user listing. What might be the reason?
    A. If all "m" users have logged in to Brand Portal at least once, then the users that are not listed have probably been deactivated; refer to user activation/deactivation below. The user listing in Brand Portal shows only the currently active users.
    Q. I have created some product profiles in Admin Console, but they don't show up in the groups listing in Brand Portal?
    A. Please wait for some time; when the next UserGroupSyncJob runs, the product profiles will be synced to AEM Brand Portal as Groups.
  5. User Activation/Deactivation in Brand portal :
    1. If a user is removed from all product profiles, i.e. his access to the product is revoked in Admin Console, this user is marked inactive when whichever of these events is triggered first:
      1. the user tries to log in to Brand Portal
      2. the UserGroupSyncJob runs
    2. Inactive users remain in the system but are not shown in the users listing in Brand Portal. The same is true for all user personas, admins and non-admins:
      1. If a system administrator no longer has the administrator privilege in Admin Console and also has no product profile associated, he is marked inactive.
      2. If a product administrator no longer has product administrator rights in Admin Console and has no product profile associated, he is marked inactive.
      3. Any other user who has no product profile assigned is marked inactive in Brand Portal.
    3. Inactive users cannot log in to Brand Portal; they see a request access page when they try to log in. Using this page, they can submit an access request. This access request sends an email and a Pulse notification to all the administrators of that organization.
    4. To activate the user, an administrator of the organization needs to do any one of the following:
      1. assign him system administrator rights in Admin Console
      2. assign him product administrator rights for the product AEM Brand Portal in Admin Console
      3. assign him to one or more product profiles.
    5. After that, whenever the user logs in to Brand Portal, the user gets activated again. Once active, the user starts to receive all emails and Pulse notifications according to his current user persona.
    6. User count: the count shown at the top of this page is the total number of active users in Brand Portal. It excludes users who have not yet logged in to Brand Portal at least once, and users who are not active. The list below the count displays the details of these active users.
  6. User's Effective Role:
    1. In AEM Brand Portal a user can hold one of the following roles at a time:
      1. admin: all capabilities
      2. editor: no admin tools
      3. viewer: no sharing capability
    2. The effective role of a user is listed on the Tools → Users → Users tab. Similarly, a group has one of two roles, Editor or Viewer.
    3. Role is specific to AEM Brand Portal and has nothing to do with Admin Console; the role is a layer on top of the persona a user has in Admin Console.
    4. Role applies to non-admin users only. All admins (system or product) have all capabilities available in Brand Portal.
    5. A user gets his role from the groups he belongs to. If a user is a member of multiple groups, he holds the highest role he has in any of those groups.
      1. Example 1: user1 has the editor role in group1 and the viewer role in group2, so user1's effective role is editor.
      2. Example 2: user1 has the viewer role in group1 and the viewer role in group2, so user1's effective role is viewer.
    6. Changing a user's role: if a user has the viewer role, an admin can change it to editor. But if the user has the editor role, an admin cannot always change it to viewer.
    7. If a user is an editor in any one of his groups, an admin cannot change his role to viewer without first changing that group's role to viewer.
    8. A user role change is effective immediately and does not depend on the UserGroupSyncJob running.
  7. User roles in collection settings: whenever a user shares a collection further, the user's effective role always applies, not the role you mention while sharing the collection.
  8. A viewer can create a collection and thereby becomes the owner of that collection. But since he does not have the right to see which other users exist in his organization, when he tries to share the collection he created he sees only his own email and the groups he belongs to. So he can share the collection with his groups but not with individual members of the organization.
  9. Original download restriction on a group: if the admin restricts a group from downloading original renditions, then irrespective of the user's role (editor or viewer), all users belonging to that group will not have access to the original renditions of the images.
  10. The original download restriction is applied at the group level for non-admin users, not per folder.
    1. Example 1: the admin shares folder1 and folder2 with group1. group1 is restricted from downloading originals. Now consider three users, user1, user2 and user3, all belonging to group1. The behavior for images in both folders is as follows:
      1. user1, viewer role: cannot download original renditions of images in either folder.
      2. user2, editor role: cannot download original renditions of images in either folder.
      3. user3, admin: can download original renditions of images in either folder, since he is an admin.
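The activation, effective-role and download-restriction rules above (points 4 to 10) combine into a single access decision per user. The following Python model is an added example written for this page, not Adobe's code and not how Brand Portal is implemented internally; it encodes those rules so an administrator can reason about (or audit) who ends up with which access. All group and user names, the Group/User classes and the sample organization are constructed for illustration.

```python
# Added example (not Adobe's code): a model of how an Admin Console persona,
# group membership and group roles combine into Brand Portal access.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Brand Portal roles ordered from least to most capable (point 6.1).
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


@dataclass
class Group:
    """A Brand Portal group, i.e. a product profile synced from Admin Console."""
    name: str
    role: str                           # "editor" or "viewer" (point 6.2)
    originals_restricted: bool = False  # point 9: no original renditions


@dataclass
class User:
    email: str
    system_admin: bool = False          # Admin Console system administrator
    product_admin: bool = False         # Admin Console product admin for Brand Portal
    groups: List[str] = field(default_factory=list)  # product profile names
    has_logged_in: bool = False         # user node exists only after first login


def is_active(user: User) -> bool:
    """Point 5: a user stays active only while at least one access path exists."""
    return user.system_admin or user.product_admin or bool(user.groups)


def effective_role(user: User, groups: Dict[str, Group]) -> Optional[str]:
    """Points 6.4/6.5: admins get everything; others take their highest group role."""
    if not is_active(user):
        return None
    if user.system_admin or user.product_admin:
        return "admin"
    return max((groups[g].role for g in user.groups), key=ROLE_RANK.__getitem__)


def can_download_originals(user: User, groups: Dict[str, Group]) -> bool:
    """Points 9/10: a group-level restriction applies to every non-admin member."""
    role = effective_role(user, groups)
    if role is None:
        return False
    if role == "admin":
        return True
    return not any(groups[g].originals_restricted for g in user.groups)


def can_set_viewer(user: User, groups: Dict[str, Group]) -> bool:
    """Point 6.7: a user who is editor in any group cannot be changed to viewer."""
    role = effective_role(user, groups)
    if role in (None, "admin"):
        return False  # roles apply to active non-admin users only (point 6.4)
    return not any(groups[g].role == "editor" for g in user.groups)


def listed_users(users: Dict[str, User], groups: Dict[str, Group]) -> List[str]:
    """Points 4.1 and 5.6: the listing shows active users who have logged in once."""
    return sorted(u.email for u in users.values()
                  if is_active(u) and u.has_logged_in)


def sample_org():
    """Constructed sample data mirroring the page's examples."""
    groups = {
        "group1": Group("group1", "editor", originals_restricted=True),
        "group2": Group("group2", "viewer"),
    }
    users = {
        "user1": User("user1@example.com", groups=["group1", "group2"], has_logged_in=True),
        "user2": User("user2@example.com", groups=["group2"], has_logged_in=True),
        "sysadmin": User("sysadmin@example.com", system_admin=True,
                         groups=["group1"], has_logged_in=True),
        "revoked": User("revoked@example.com", groups=[], has_logged_in=True),
        "newbie": User("newbie@example.com", groups=["group2"], has_logged_in=False),
    }
    return users, groups


if __name__ == "__main__":
    users, groups = sample_org()
    for name, u in users.items():
        print(name, effective_role(u, groups), can_download_originals(u, groups))
    print("listed:", listed_users(users, groups))
```

Running the block prints each sample user's effective role and whether originals are downloadable; user1 resolves to editor yet still cannot download originals because group1 is restricted, and the revoked user (no admin rights, no profiles) resolves to no role and disappears from the listing.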