AEM Brand Portal, being an Experience Cloud product, has its users and groups created and managed through Admin Console.
- Once an organization is provisioned on AEM Brand Portal, the administrator can create product profiles under the product AEM Brand Portal. These product profiles are used to segregate users. AEM Brand Portal reads these product profiles as Groups in Brand Portal.
Q. How and when do these profiles get created on Brand Portal?
A. Once the administrator creates product profiles in Admin Console, AEM Brand Portal reads them using a sync job that runs every 8 hours. So AEM Brand Portal syncs any changes made in Admin Console to Brand Portal's system every 8 hours. A product profile created in Admin Console will be visible in Brand Portal within 8 hours at the latest, under Tools → Users → Groups.
- To onboard users, the administrator can configure Federated ID, which uses the organization's SSO and identity management for authentication. In this case, Admin Console authenticates users using the organization's identity management system and does not require every user to be registered/enrolled for an AdobeID. One can achieve this using https://helpx.adobe.com/enterprise/using/set-up-identity.html.
- If the organization wants its users to use Adobe's authentication, then they can use AdobeID. In this case, every user to whom the organization's administrator wants to give access should have a valid AdobeID. The administrator can then add the user to any one of the product profiles he has created, as mentioned above in point #1.
Q. In what cases does a user not need to belong to a product profile, yet can access Brand Portal?
A. If the administrator adds a user with system administrator privilege, he doesn't need to add this user to any product profile. Since this user is a system administrator, he gets administrative rights over every product of the organization.
If the administrator adds a user as product administrator of the AEM Brand Portal product, this user also doesn't need to belong to a product profile in order to access Brand Portal. In all other cases, a user can't access Brand Portal until he belongs to at least one product profile (Group in AEM Brand Portal).
- User and Group Listing in AEM Brand Portal:
  - When a valid user (who has access to the Brand Portal product in Admin Console) logs in to the AEM Brand Portal URL, his user node is created in the AEM Brand Portal system. Until a user logs in to Brand Portal, Brand Portal doesn't have any information about this user. Brand Portal creates this user in its repository only when the user logs in for the first time. So it is quite possible that n users are listed in Admin Console but Brand Portal lists only n-m users in its user listing, for this reason.
  - Groups listing in Brand Portal depends upon the UserGroupSyncJob, which runs every 8 hours. This job updates the content on Brand Portal if:
    - a new product profile is added/deleted from Admin Console
    - any user is added/deleted from any product profile in Admin Console.
Q. … admin console, "m" out of the "N" users have logged in to Brand Portal at least once, but I still see fewer users (<m) in Brand Portal's user listing. What might be the reason?
A. If all the "m" users have logged in to Brand Portal at least once, then the users that are not listed have probably been deactivated. Refer to user deactivation/activation below. The user listing in Brand Portal lists only the currently active users.
Q. I have created some product profiles in Admin Console, but they don't show up under the groups listing in Brand Portal?
A. Please wait for some time; when the next userGroupSyncJob runs, the product profiles will be synced to AEM Brand Portal as Groups.
- User Activation/Deactivation in Brand Portal:
  - If a user is removed from all the product profiles, i.e. his access to the product is revoked in Admin Console, this user is marked inactive when whichever of these events is triggered first:
    - the user tries to log in to Brand Portal
    - the userGroupsSyncJob runs
  - Inactive users remain in the system but are not listed in the user listing in Brand Portal. The same is true for all user personas, admins and non-admins.
    - If a system administrator doesn't have the administrator privilege in Admin Console and doesn't have a product profile associated either, then he is marked inactive.
    - If a product administrator doesn't have product administrator rights in Admin Console anymore and doesn't have a product profile associated, then he is marked inactive.
    - Any other user who doesn't have any product profile assigned to him is marked inactive in Brand Portal.
  - Inactive users can't log in to Brand Portal and see a request access page when they try to log in. Using this page, they can submit an access request. This access request sends an email and a pulse notification to all the administrators of that organization.
  - To activate the user, the administrator of the organization needs to do any one of the following:
    - assign him system administrator rights in Admin Console
    - assign him product administrator rights for the product AEM Brand Portal in Admin Console
    - assign him to one or more product profiles.
  - Whenever the user logs in to Brand Portal, the user gets activated again. Once active, the user starts to receive all emails and pulse notifications according to his current user persona.
  - User count: shown on top of this page is the total number of active users in Brand Portal, so it excludes the users who have not yet logged in to Brand Portal at least once or are not active. The list below the count displays details of these users.
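The listing and activation rules above can be turned into an access-review check that explains why the Admin Console user count and the Brand Portal user listing differ, including the window in which a revoked user is still listed until a login attempt or the next sync run. This is an added example, not Adobe's code; the record layout, function names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ConsoleUser:  # hypothetical row of an Admin Console user export
    email: str
    system_admin: bool = False
    product_admin: bool = False  # product administrator of AEM Brand Portal
    profiles: set = field(default_factory=set)

def is_entitled(u):
    """Active per the rules above: any admin right, or at least one product profile."""
    return u.system_admin or u.product_admin or bool(u.profiles)

def reconcile(console_users, logged_in_once, portal_listing):
    """Explain, per Admin Console user, their state in the Brand Portal listing."""
    report = {}
    for u in console_users:
        listed = u.email in portal_listing
        if not is_entitled(u):
            # Marked inactive at the next login attempt or sync run, whichever is first.
            report[u.email] = "revoked, still listed" if listed else "inactive"
        elif u.email not in logged_in_once:
            report[u.email] = "never logged in"  # no user node created yet
        elif listed:
            report[u.email] = "active"
        else:
            report[u.email] = "entitled, reactivated at next login"
    return report

# Constructed sample data, not taken from a real organization.
CONSOLE = [
    ConsoleUser("sysadmin@example.com", system_admin=True),
    ConsoleUser("editor@example.com", profiles={"marketing"}),
    ConsoleUser("new@example.com", profiles={"agency"}),
    ConsoleUser("left@example.com"),      # removed from all profiles, already synced
    ConsoleUser("revoked@example.com"),   # removed since the last sync run
    ConsoleUser("back@example.com", profiles={"agency"}),  # re-added after deactivation
]
LOGGED_IN_ONCE = {"sysadmin@example.com", "editor@example.com", "left@example.com",
                  "revoked@example.com", "back@example.com"}
PORTAL_LISTING = {"sysadmin@example.com", "editor@example.com", "revoked@example.com"}

if __name__ == "__main__":
    for email, state in reconcile(CONSOLE, LOGGED_IN_ONCE, PORTAL_LISTING).items():
        print(f"{email:24} {state}")
```

Any account reported as "revoked, still listed" is the one to follow up on in a deprovisioning review, since it stays in the listing until one of the two trigger events occurs.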
- User's Effective Role:
  - In AEM Brand Portal a user can hold one of the following roles at a time:
    - admin: all the capabilities
    - editor: no admin tools
    - viewer: no sharing capability
  - The effective role of a user is listed on the Tools → Users → users tab. Similarly, a group also has one of the 2 roles, Editor or Viewer. Role is specific to AEM Brand Portal and doesn't have anything to do with Admin Console, so Role is the upper layer of the persona a user has in Admin Console. Role is applicable to non-admin users only. All admins (system or product) have all capabilities available in Brand Portal.
  - A user gets his role from the group he belongs to. If a user is a member of multiple groups, he holds the highest role he has in any of those groups.
    - Example1: user1 has editor role in group1 and has viewer role in group2, so user1's effective role will be editor.
    - Example2: user1 has viewer role in group1 and has viewer role in group2, so user1's effective role will be viewer.
  - Changing User's Role: If a user has the viewer role, admin can change its role to editor. But if the user has the editor role, admin can't always change its role to viewer.
  - If a user is editor in any one of the groups, admin can't change its role to viewer without changing the group role to viewer.
  - User Role change is immediately effective and doesn't depend on the userGroupSyncJob to run.
- User Roles in collection settings: whenever a user shares a collection further, the effective role of the user always applies and not the role you mention while sharing the collection. A viewer can create a collection and hence becomes the owner of that collection. But since he doesn't have rights to see what other users are there in his organization, when he tries to share the collection he created he sees only his email and the groups which he belongs to. So he can share the collection with his groups but not with individual members of the organization.
- Original Download Restriction on Group: If the admin restricts any group from downloading the original rendition, then irrespective of the user's role (editor or viewer) all users belonging to that group won't have access to original renditions of the images.
- Original download restriction is applied at group level for non-admin users and not on a folder basis.
  - Example1: admin shares folder1 and folder2 with group1. group1 has restricted access to download originals. Now consider 3 users, user1, user2, user3, all belonging to group1. The behavior for images in both the folders will be:
    - user1: viewer role: can't download original renditions of images in any of the folders.
    - user2: editor role: can't download original renditions of images in any of the folders.
    - user3: admin: can download original renditions of images in any of the folders, since he is admin.
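The role and download rules above, evaluated together on the page's Example1, as an added example (not Adobe's code). The data layout and function names are assumptions; group2 is a constructed second group that gives user2 the editor role.

```python
RANK = {"viewer": 1, "editor": 2}  # group roles; admins are handled separately

def memberships(user, groups):
    """Groups (product profiles) the user belongs to."""
    return {n: g for n, g in groups.items() if user["name"] in g["members"]}

def effective_role(user, groups):
    """Admins have all capabilities; others hold the highest role of any of their groups."""
    if user["admin"]:
        return "admin"
    roles = [g["role"] for g in memberships(user, groups).values()]
    return max(roles, key=RANK.get) if roles else None  # None: no group, user is inactive

def can_download_original(user, groups):
    """Restriction is per group, not per folder or role: one restricted group blocks."""
    if user["admin"]:
        return True
    mine = memberships(user, groups).values()
    return bool(mine) and not any(g["restrict_originals"] for g in mine)

def groups_blocking_viewer(user, groups):
    """Groups whose editor role must be lowered before the user can be made a viewer."""
    return sorted(n for n, g in memberships(user, groups).items() if g["role"] == "editor")

# Constructed data modelled on Example1: group1 is restricted from downloading originals.
GROUPS = {
    "group1": {"role": "viewer", "restrict_originals": True,
               "members": {"user1", "user2", "user3"}},
    "group2": {"role": "editor", "restrict_originals": False, "members": {"user2"}},
}
USERS = {
    "user1": {"name": "user1", "admin": False},
    "user2": {"name": "user2", "admin": False},
    "user3": {"name": "user3", "admin": True},
}

if __name__ == "__main__":
    for u in USERS.values():
        print(u["name"], effective_role(u, GROUPS),
              "originals:", can_download_original(u, GROUPS),
              "blocking viewer:", groups_blocking_viewer(u, GROUPS))
```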