Setting up and organizing users

Adding and configuring users

User and group information is maintained in a third-party storage system, such as an LDAP directory. User Management does not write to the third-party storage system. Instead, User Management synchronizes the user and group information with its own database.

Create a user

When you create users, you can add them to groups and assign roles to them.

If you are using Content Services (Deprecated), you can select the Select This Option For Pushing Users And Groups Into Registered External Principal Storage Providers option on the Domain Management page to push the information for new users or groups you create in Content Services (Deprecated).

Note: Adobe® LiveCycle® Content Services ES (Deprecated) is a content management system installed with LiveCycle. It enables users to design, manage, monitor, and optimize human-centric processes. Content Services (Deprecated) support ends on 12/31/2014. See the Adobe product lifecycle document. For information about configuring Content Services (Deprecated), see Administering Content Services.
  1. In administration console, click Settings > User Management > Users and Groups, and click New User.

  2. Under General Settings, provide information as required, and then click Next. For details about the settings, see User settings.

  3. (Optional) To add the user to a group, click Find Groups, and do these tasks:

    • In the Find box, type all or part of the group name.

    • Select the domain to search, select the number of items to display, and click Find.

    • (Optional) To view group details, select the group name, and then click OK to return to the search results page.

    • Select the check box for the group and click OK.

    • Click Next.

  4. (Optional) To assign roles to the user, click Find Roles, select the check box for the roles to assign, and then click OK.

  5. Click Finish.

User settings

Specify the following settings when you create or edit a user.

Canonical Name: (Mandatory) Unique identifier for the user. Each user and group in a domain must have a unique canonical name. Select the System Generated checkbox to let User Management assign a unique value, or clear the checkbox and specify a custom value for the Canonical Name.

Avoid using underscore characters (_) in canonical names, for example, sample_user. When you search for users based on their canonical name, those containing underscore characters are not returned.

First Name: (Mandatory) User’s given name

Last Name: (Mandatory) User’s family name

Common Name: Full name or display name for the user. For example, if First Name = Gloria and Last Name = Rios, then Common Name = Gloria Rios.

Email: User’s email address

Telephone: User’s telephone number

Description: Optional description. Use this field as suits your organization’s needs.

Address: User’s mailing address

Organization: Organization to which the user belongs

Email Aliases: User’s email aliases. Separate the email aliases with commas.

Domain: Domain to which the user belongs

Locale: User’s ISO locale

Business Calendar Key: Enables you to map a business calendar to a user, based on the value for this setting. Business calendars define business and non-business days. AEM forms can use business calendars when calculating future dates and times for events such as reminders, deadlines, and escalations. The way that you assign business calendar keys to users depends on whether you are using an enterprise, local, or hybrid domain. (See Adding domains.)

If you are using a local or hybrid domain, information about users is stored only in the User Management database. For these users, set the Business Calendar Key to a string. Then map the business calendar key (the string) to a business calendar in forms workflow.

If you are using an enterprise domain, information about users resides in a third-party storage system, such as an LDAP directory. User Management synchronizes user information from the directory with the User Management database. This feature allows you to map a business calendar key to a field in the LDAP directory. For example, consider a scenario where each user record in your directory contains a country field, and you want to assign business calendars based on the country where the user is located. In this case, you specify the country field name as the value for the Business Calendar Key setting. You can then map the business calendar keys (the values defined for the country field in the LDAP directory) to business calendars in forms workflow.

For additional information on business calendars, including how to map business calendar keys to business calendars, see Configuring Business Calendars.

Limit the business calendar key to fewer than 53 characters. A shorter key helps prevent problems displaying the business calendar key in the Process Management pages in administration console.

User ID: (Mandatory) User ID that the user uses to log in. User ID is not case sensitive and it must be unique across the domain.

In enterprise domains, use a non-DN attribute as the user ID because a user’s DN can change if they move to another part of the organization. This setting depends on the directory server. The value is objectGUID for Active Directory 2003, nsuniqueID for Sun™ One, and guid for eDirectory.

Ensure that the user ID is unique. Do not use one that was assigned to a deleted user.

AEM forms cannot differentiate between user accounts that have identical user IDs and passwords but belong to different domains. To avoid this problem, do not create accounts that have the same user ID on multiple domains.

When using SQL Server as your database, you cannot create a user ID that exceeds 255 characters.

When using MySQL, the user ID can contain extended characters. However, when a comparison is made between two strings, such as abcde and âbcdè, they are considered the same. For example, during synchronization, before a new user is added to the database, a comparison is made to check whether a user with the same user ID already exists in the database. If user abcde already exists in the database when the new user âbcdè is added, the comparison cannot distinguish between the two names. It is assumed that the user already exists in the database, and the new user is ignored and not added.

Avoid creating user names that begin with a number sign (#). Performing task searches returns no results for those user names. (See Working with tasks.)

Password and Confirm Password: Password the user uses to log in. It must have a minimum of eight characters. A password is not required for a user who is part of a hybrid domain.
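The constraints listed under User settings are easy to violate one at a time and only surface later as a failed search, a silently skipped sync, or an account that cannot be told apart from one in another domain. The following pre-flight check is an added example, not part of the AEM forms product or its documentation: it takes a proposed user record and the users already in the database and reports every documented constraint the record would break. The accent-folding used to mimic the MySQL comparison (abcde versus âbcdè) is an approximation of the behaviour the text describes, not the database's own collation, and the record fields, the `database` parameter and the sample data are assumptions of this example.

```python
"""Pre-flight checks for a proposed User Management user record (added example)."""
import unicodedata

# Constructed sample of users already present in the User Management database.
SAMPLE_EXISTING = [
    {"user_id": "abcde", "domain": "DefaultDom"},
    {"user_id": "jsmith", "domain": "Corp"},
]


def fold_accents(text: str) -> str:
    """Approximate key for an accent- and case-insensitive comparison.

    Assumption: this mimics the MySQL comparison the docs describe (abcde and
    âbcdè compare equal); it is not the database's own collation routine.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def validate_user(user: dict, existing: list, deleted_ids: set, database: str = "mysql") -> list:
    """Return the list of documented constraints the proposed user breaks (empty = OK).

    user:        dict with canonical_name, user_id, domain, domain_type
                 ("local", "hybrid" or "enterprise"), password, business_calendar_key
    existing:    dicts with user_id and domain for users already in the database
    deleted_ids: user IDs that once belonged to deleted users
    database:    "mysql" or "sqlserver" (hypothetical parameter of this example)
    """
    problems = []
    cn = user.get("canonical_name", "")
    uid = user.get("user_id", "")
    domain = user.get("domain", "")

    if "_" in cn:
        problems.append("canonical name contains '_'; canonical-name searches will not return it")
    if not uid:
        problems.append("user ID is mandatory")
    if uid.startswith("#"):
        problems.append("user ID begins with '#'; task searches return no results for it")
    if database == "sqlserver" and len(uid) > 255:
        problems.append("user ID exceeds 255 characters (SQL Server limit)")
    if uid.lower() in {d.lower() for d in deleted_ids}:
        problems.append("user ID was previously assigned to a deleted user")

    for other in existing:
        # User IDs are not case sensitive and must be unique within the domain.
        same_id = other["user_id"].lower() == uid.lower()
        if same_id and other["domain"] == domain:
            problems.append(f"user ID already exists in domain {domain}")
        elif same_id:
            problems.append(f"user ID also exists in domain {other['domain']}; "
                            "AEM forms cannot tell such accounts apart")
        elif database == "mysql" and fold_accents(other["user_id"]) == fold_accents(uid):
            problems.append(f"user ID collides with {other['user_id']!r} under the "
                            "accent-insensitive comparison; the new user would be ignored during sync")

    # A password is not required for a user in a hybrid domain.
    if user.get("domain_type") != "hybrid" and len(user.get("password", "")) < 8:
        problems.append("password must be at least eight characters")

    if len(user.get("business_calendar_key", "")) >= 53:
        problems.append("business calendar key should be shorter than 53 characters")
    return problems


if __name__ == "__main__":
    candidate = {"canonical_name": "sample_user", "user_id": "âbcdè", "domain": "DefaultDom",
                 "domain_type": "local", "password": "short"}
    for problem in validate_user(candidate, SAMPLE_EXISTING, set()):
        print("-", problem)
```

Run the check before creating local or hybrid users, or over an export of a directory before the first enterprise-domain synchronization, so that colliding or unsearchable identifiers are caught before they reach the User Management database.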

View details about a user

  1. In administration console, click Settings > User Management > Users and Groups.

  2. Specify information to narrow the search and, in the In list, select Users and then click Find. The results of the search are listed at the bottom of the page. You can sort the list by clicking any of the column headings.

  3. Click the name of the user to display details about. The Edit User page displays the following details about the user:

    • General identification information, such as name, email, address, domain, and organization

    • Roles assigned to the user

    • Groups the user is a member of

Change the password for a local user

  1. In administration console, click Settings > User Management > Users and Groups.

  2. Specify information to narrow the search for a particular user and click Find. The results of the search are listed at the bottom of the page. You can sort the list by clicking any of the column headings.

  3. Click the name of the user and then click Change Password.

  4. Type and confirm the new password, and then click OK. The password must be a minimum of eight characters.

Edit a user’s properties

  1. In administration console, click Settings > User Management > Users and Groups.

  2. To find the user to edit, do these tasks:

    • In the Find box, type your search criteria.

    • In the Using list, select Name, Email, or User ID.

    • In the In list, select Users.

    • Select the domain, select the number of items to display, and then click Find.

  3. Click the user to edit.

  4. For a user who is part of a local or hybrid domain, on the Detail tab, edit the General Settings and Login Settings, and click Save. For details about the settings, see User settings. You cannot edit the general and login settings for a user who belongs to an enterprise domain.

  5. To edit the group settings for the user, click the Group Membership tab and do these tasks:

    • Click Find Group and complete the search information.

    • To add the user to a new group, select the check box for the group, click OK, and then click Save.

      Note: Local users cannot be added to directory groups. However, directory users can be added to local groups.
    • To remove the user from a group, select the check box for the group, click Delete, and then click Save.

  6. To edit the user’s roles, click the Role Assignments tab and do these tasks:

    • To display a list of roles, click Find Roles.

    • To add a role, select the check box for the role, click OK, and then click Save.

    • To remove a role, select the check box for the role, click Unassign, and then click Save.

Delete a user

  1. In administration console, click Settings > User Management > Users and Groups.

  2. To find the user to delete, do these tasks:

    • In the Find box, type your search criteria.

    • In the Using list, select Name, Email, or User ID.

    • In the In list, select Users.

    • Select the domain, select the number of items to display, and then click Find.

  3. Select the check box for the user, click Delete, and then click OK.

Note: AEM Forms on JEE also allows users of the AEM forms add-on running on OSGi to be recognized as AEM users. This is required for scenarios where single sign-on between AEM Forms on JEE and the AEM forms add-on running on OSGi is required (for example, HTML workspace). The delete operation described above removes a user only from AEM Forms on JEE. The user is not deleted from the AEM forms add-on running on OSGi. However, any login attempt made after the user is deleted (whether to the AEM Forms on JEE server or to the AEM forms add-on on OSGi) is denied.

Create custom login error handler

If a user without the required AEM forms and CQ permissions attempts to log into the following applications embedded in CQ, the user is redirected to the default CQ 404 page containing the error trace:

  • Correspondence Management solution

  • AEM forms Workspace

    Note: The Flex Workspace is deprecated for AEM forms release.
  • forms manager

  • Process Reporting

CQ provides a mechanism to override the default 404 handler JSP.

For details on how to customize the error handling page, see Customizing Pages shown by the Error Handler in the Adobe Experience Manager Documentation.

Creating and configuring groups

Creating groups of users lets you assign roles to the group instead of to individual users.

Two different types of groups are available. You can manually create a group and add users and other groups to it. You can also create dynamic groups that automatically include all users who meet a specified set of rules.

Users may experience a slower response time if they belong to many groups (for example, 500 or more) or if the groups are nested deeply (for example, 30 levels). If you are experiencing this problem, you can configure AEM forms to pre-fetch information from certain domains. (See Configure AEM forms to prefetch domain information.)

Create a group manually

When you manually create a group, you can add users and other groups to it and assign roles to the group. You can also associate the group with a parent group.

If you are using Content Services (Deprecated), you can select the Select This Option For Pushing Users And Groups Into Registered External Principal Storage Providers option on the Domain Management page to push the information for any new users or groups that you create in Content Services (Deprecated).

  1. In administration console, click Settings > User Management > Users And Groups, and then click New Group.

  2. Complete the General Settings section and click Next. Canonical Name and Group Name are mandatory attributes.

    The Canonical Name is a unique identifier for the group. Each group and user in a domain must have a unique canonical name. Select the System Generated checkbox to let User Management assign a unique value, or clear the checkbox and specify a custom value for the Canonical Name.

    Avoid using underscore characters (_) in canonical names, for example, sample_group. When you search for groups based on their canonical name, those containing underscore characters are not returned.

  3. To add users and groups to this new group, click Find Users/Groups and do these tasks:

    • In the Find box, type your search criteria.

    • In the In list, select Users, Groups, or Users and Groups.

    • In the Using list, select Name, Email, or User ID.

    • Select the domain, select the number of items to display and click Find.

    • In the search results, select the check boxes for the users and groups to add to this new group and click OK.

  4. Click Next.

  5. To add this new group to other existing groups, click Find Groups and do these tasks:

    • In the Find box, type your search criteria.

    • Select the domain, select the number of items to display, and click Find.

    • In the search results, select the check boxes for the groups that the new group belongs to and click OK.

  6. Click Next.

  7. To assign roles to the group, click Find Roles, select the check boxes for each role to assign to the group and click OK. Users in the group inherit roles that are assigned at the group level.

  8. Click Finish.

Create a dynamic group

In a dynamic group, you do not individually select the users who belong to the group. Instead, you specify a set of rules and all users who meet those rules are automatically added to the dynamic group.

Use one of these two ways to create dynamic groups:

  • Enable the automatic creation of dynamic groups based on email domains, such as @adobe.com. When you enable this feature, User Management creates a dynamic group for each unique email domain in the AEM forms database. Use a cron expression to specify how often User Management searches the AEM forms database for new email domains. These dynamic groups are added to the DefaultDom local domain and are named "All users with an [email domain] mail ID."

  • Create a dynamic group based on specified criteria, including the user’s email domain, description, canonical name, and domain name. To belong to the dynamic group, a user must meet all the specified criteria. To set up an "or" condition, create two separate dynamic groups and add them both to a local group. For example, use that approach to create a group of users who belong to the @adobe.com email domain or whose canonical name contains ou=adobe.com. However, the users do not necessarily have to meet both conditions.

A dynamic group contains only users. It cannot contain other groups. However, a dynamic group can belong to a parent group.

Automatically create dynamic groups based on email domains

  1. In administration console, click Settings > User Management > Configuration > Configure Advanced System Attributes.

  2. Under Auto Creation of Dynamic Group, select the check box.

  3. Specify when User Manager checks for new email domains. Schedule this time after the domain synchronization time, because dynamic groups are only meaningful once domain synchronization has completed.

    • To enable automatic synchronization on a daily basis, type the time in the 24-hour format in the Occurs Daily At box. When you save your settings, this value is converted to a cron expression, which is displayed in the box below.

    • To schedule synchronization on a particular day of the week or month, or in a particular month, type the appropriate cron expression in the box. The default value is 0 00 4 ? * * (which means check at 4 A.M. every day).

      The cron expression usage is based on the Quartz open source job-scheduling system, version 1.4.0. (See Class CronTrigger.)

  4. Click Save.
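Two things in the steps above are worth being able to check outside the console: what cron expression a time typed into Occurs Daily At becomes, and whether the dynamic-group check really fires after the domain synchronization. The following is an added example, not code from the AEM forms product or from Quartz: it performs the conversion and computes the next fire time of an expression so the two schedules can be compared. It supports only the subset of Quartz syntax such daily or weekly schedules use (integers, comma lists, `*` and `?` in the six seconds/minutes/hours/day-of-month/month/day-of-week fields, with a fixed seconds value); that restriction, the function names and the sample times are assumptions of this example.

```python
"""Daily-time to Quartz cron conversion and a next-fire-time check (added example)."""
from datetime import datetime, timedelta


def daily_time_to_cron(hhmm: str) -> str:
    """Turn a 24-hour 'HH:MM' time into a Quartz expression for 'every day at that time'.

    "04:00" becomes "0 00 4 ? * *", the same shape as the console's default value.
    """
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"not a valid 24-hour time: {hhmm}")
    return f"0 {minute:02d} {hour} ? * *"


def _parse_field(field: str):
    """None for a wildcard ('*' or '?'), otherwise the set of allowed integers."""
    if field in ("*", "?"):
        return None
    return {int(value) for value in field.split(",")}


def parse_quartz(expr: str) -> dict:
    """Parse the six Quartz fields; the seconds field must be a single integer here."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields: sec min hour day-of-month month day-of-week")
    seconds = _parse_field(fields[0])
    if seconds is None or len(seconds) != 1:
        raise ValueError("seconds field must be a single integer in this example")
    return {
        "sec": next(iter(seconds)),
        "min": _parse_field(fields[1]),
        "hour": _parse_field(fields[2]),
        "dom": _parse_field(fields[3]),
        "month": _parse_field(fields[4]),
        "dow": _parse_field(fields[5]),
    }


def _matches(spec: dict, t: datetime) -> bool:
    # Quartz numbers the day of week 1 = Sunday ... 7 = Saturday; Python uses 0 = Monday.
    quartz_dow = (t.weekday() + 1) % 7 + 1
    checks = (
        (spec["min"], t.minute),
        (spec["hour"], t.hour),
        (spec["dom"], t.day),
        (spec["month"], t.month),
        (spec["dow"], quartz_dow),
    )
    return all(allowed is None or value in allowed for allowed, value in checks)


def next_fire(expr: str, after: datetime) -> datetime:
    """First time strictly after `after` at which the expression fires.

    Scans minute by minute for up to a year, which is ample for schedules
    with a fixed seconds field.
    """
    spec = parse_quartz(expr)
    t = after.replace(second=spec["sec"], microsecond=0)
    if t <= after:
        t += timedelta(minutes=1)
    limit = after + timedelta(days=366)
    while t <= limit:
        if _matches(spec, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("expression does not fire within a year")


def group_check_after_sync(sync_expr: str, group_expr: str, after: datetime) -> bool:
    """True when the next dynamic-group check fires after the next domain synchronization."""
    return next_fire(group_expr, after) > next_fire(sync_expr, after)


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 0)          # constructed reference time
    sync = daily_time_to_cron("03:00")          # assumed domain synchronization schedule
    group = daily_time_to_cron("04:00")         # the console's default dynamic-group schedule
    print(group, "next fires at", next_fire(group, now))
    print("group check after sync:", group_check_after_sync(sync, group, now))
```

The comparison is only as good as the expressions you feed it: paste both the domain synchronization expression and the dynamic-group expression exactly as the console shows them after saving.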

Create a dynamic group based on specified criteria

  1. In administration console, click Settings > User Management > Users And Groups.

  2. Click New Dynamic Group.

  3. Complete the General Settings section. Group Name is a mandatory attribute. You can assign the group to any configured domain.

  4. Under Dynamic Group Criteria, specify one or more attributes used to populate the dynamic group.

    Note: The Email, Description, and Canonical Name attributes are case-sensitive when using the Equals operator. They are not case-sensitive with the Starts With, Ends With, or Contains operators.

    Email: User’s email domain, such as @adobe.com.

    Description: User’s description, such as "Computer Scientist"

    Canonical Name: User’s canonical name, such as ou=adobe.com

    Domain Name: The name of the domain to which the user belongs, such as DefaultDom. The Domain Name attribute is case-sensitive when using the Contains operator. It is not case-sensitive with the Starts With, Ends With, or Equals operators.

  5. Click Test. A Test page displays the first 200 users who meet the defined criteria. Click Close.

  6. If the test returned the expected results, click Next. Otherwise, edit the dynamic group criteria and test again.

  7. To add the dynamic group to a parent group, click Find Groups and do these tasks:

    • In the Find box, type your search criteria.

    • Select the domain, select the number of items to display, and click Find.

    • In the search results, select the check boxes for groups that the dynamic group belongs to and click OK.

  8. Click Next.

  9. To assign roles to the dynamic group, click Find Roles, select the check boxes for each role to assign to the group, and then click OK. Users in the group inherit roles that are assigned at the group level.

  10. Click Finish.
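The case-sensitivity rules in step 4 are the part of dynamic-group criteria most likely to produce an unexpected membership list, and the Test page only shows the first 200 matches. The following is an added example, not the product's own matching code: it evaluates a set of criteria over constructed sample users with the rules exactly as the documentation states them (criteria are ANDed; Equals is case-sensitive for Email, Description and Canonical Name while Starts With, Ends With and Contains are not; for Domain Name only Contains is case-sensitive), and models the documented "or" by taking the union of two dynamic groups as a local parent group would. The user record layout, in which the Email attribute is compared against the address's domain part, is an assumption of this example.

```python
"""Dynamic-group criteria evaluation with the documented case-sensitivity rules (added example)."""

# (attribute, operator) pairs the documentation describes as case-sensitive.
CASE_SENSITIVE = {
    ("Email", "Equals"),
    ("Description", "Equals"),
    ("Canonical Name", "Equals"),
    ("Domain Name", "Contains"),
}

# Maps the console's attribute labels to the keys of the sample user records below.
ATTRIBUTE_KEYS = {
    "Email": "email_domain",
    "Description": "description",
    "Canonical Name": "canonical_name",
    "Domain Name": "domain",
}

# Constructed sample users; email_domain holds the part of the address from '@' onward.
SAMPLE_USERS = [
    {"user_id": "grios", "email_domain": "@adobe.com", "description": "Computer Scientist",
     "canonical_name": "grios,ou=adobe.com", "domain": "DefaultDom"},
    {"user_id": "pat", "email_domain": "@ADOBE.COM", "description": "computer scientist",
     "canonical_name": "pat,ou=partners", "domain": "DefaultDom"},
    {"user_id": "lee", "email_domain": "@example.org", "description": "Contractor",
     "canonical_name": "lee,ou=adobe.com", "domain": "Corp"},
]


def _compare(operator: str, value: str, expected: str) -> bool:
    if operator == "Equals":
        return value == expected
    if operator == "Starts With":
        return value.startswith(expected)
    if operator == "Ends With":
        return value.endswith(expected)
    if operator == "Contains":
        return expected in value
    raise ValueError(f"unknown operator: {operator}")


def criterion_matches(user: dict, attribute: str, operator: str, expected: str) -> bool:
    """Apply one criterion, folding case unless the (attribute, operator) pair is case-sensitive."""
    value = user.get(ATTRIBUTE_KEYS[attribute], "")
    if (attribute, operator) not in CASE_SENSITIVE:
        value, expected = value.casefold(), expected.casefold()
    return _compare(operator, value, expected)


def dynamic_group_members(users: list, criteria: list) -> list:
    """User IDs of users meeting every (attribute, operator, value) criterion, in input order."""
    if not criteria:
        raise ValueError("a dynamic group needs at least one criterion")
    return [
        user["user_id"]
        for user in users
        if all(criterion_matches(user, attr, op, expected) for attr, op, expected in criteria)
    ]


def or_group_members(users: list, *criteria_sets: list) -> list:
    """Union of several dynamic groups, as a local parent group containing them would see it."""
    members = set()
    for criteria in criteria_sets:
        members.update(dynamic_group_members(users, criteria))
    return sorted(members)


if __name__ == "__main__":
    print("Email Equals @adobe.com:",
          dynamic_group_members(SAMPLE_USERS, [("Email", "Equals", "@adobe.com")]))
    print("Email Ends With adobe.com:",
          dynamic_group_members(SAMPLE_USERS, [("Email", "Ends With", "adobe.com")]))
    print("adobe.com email OR ou=adobe.com canonical name:",
          or_group_members(SAMPLE_USERS,
                           [("Email", "Equals", "@adobe.com")],
                           [("Canonical Name", "Contains", "ou=adobe.com")]))
```

Note how `pat` is excluded by Email Equals "@adobe.com" but included by Email Ends With "adobe.com": if the directory stores mail domains in mixed case, Equals will silently leave users out of a group that carries a role.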

View details about a group

  1. In administration console, click Settings > User Management > Users and Groups.

  2. In the In list, select Group, and then click Find. The results of the search are listed at the bottom of the page. You can sort the list by clicking any of the column headings.

  3. Click the name of the group to display details about. The Group Detail page appears.

  4. To view direct members of the group, click Child Principals.

Edit a group

  1. In administration console, click Settings > User Management > Users And Groups.

  2. To find the group to edit, do these tasks:

    • In the Find box, type your search criteria.

    • In the Using list, select Name or Email.

    • In the In list, select Groups.

    • Select the domain, select the number of items to display, and click Find.

    • In the search results, click the name of the group to edit.

  3. On the Details tab, edit the general settings and click Save.

  4. To edit the associated groups, click the Parent Groups tab and do these tasks:

    • To find groups to add to the association, click Find Groups and complete the search information.

    • To add groups, select the check box for the groups to add, click OK, and then click Save.

    • To delete an associated group, select the check box for the group to delete, click Delete, click OK, and then click Save.

  5. To edit the users and groups in the group, click the Child Principals tab and do these tasks:

    • To find users and groups to add, click Find Users/Groups and complete the search information.

    • To add a user or group, select the check box for the user or group, click OK, and then click Save.

    • To delete a user or group, select the check box for the user or group, click Delete, click OK, and then click Save.

  6. To edit role assignments, click the Role Assignments tab and do these tasks:

    • To find roles to assign to the group, click Find Roles.

    • To add a role, select the check box for the role, click OK, and then click Save.

    • To unassign a role, select the check box for the role, click Unassign, and then click Save.

Delete a group

  1. In administration console, click Settings > User Management > Users And Groups.

  2. In the Find list, select Groups, and then click Find.

  3. Select the check box for the group to delete, click Delete, and then click OK.

Search for a user or group

  1. In administration console, click Settings > User Management > Users And Groups.

  2. Specify information to narrow the search and click Find. The results of the search are listed at the bottom of the page. You can sort the list by clicking any of the column headings. A maximum of 1000 results are returned.

Creating and configuring roles

Using the User Management web pages, you can associate users and groups with roles that are already part of the User Management database. You can also create, edit, and delete roles.

User Management has two types of roles:

Mutable roles:
This type of role can be edited and deleted, and permissions can be added to and removed from it. Any role that you create is considered a mutable role. You can add or remove users and groups assigned to mutable roles.

Immutable roles:
The default roles that are included with User Management are immutable roles. These roles cannot be edited or deleted. You can, however, add or remove users and groups assigned to immutable roles.

Both mutable and immutable roles can also be created through the AEM forms APIs.

Default roles

The following default roles are included in the User Management database.

administration console User:
Can access administration console.

Application Administrator:
Can use all Workbench features. Can use the Applications and Services pages in administration console to configure service run-time properties, endpoints, and security.

AEM forms Administrator:
Can perform all tasks for all installed services.

Security Administrator:
Controls User Management settings, and manages users and groups that are associated with any User Manager domain

Services User:
Can view and invoke any service

Super Administrator:
Has access to all administrative functionality in the system, including services

Trust Administrator:
Can manage the PKI trust settings and PKI credentials that are managed from the Trust Store Management page in administration console

Additional default roles

The following additional default roles may be included, depending on the AEM forms components you installed.

Document Upload Application User:
Can upload documents using Flex Remoting.

Forms Administrator:
Can view and modify settings from the Forms page in Administration Console

AEM forms Contentspace Administrator:
Can view and modify settings from the Content Services (Deprecated) page in administration console

AEM forms Contentspace User:
Can log in to the Contentspace (Deprecated) web pages

Documentum Connector Administrator:
Can view and modify settings from the Connector for EMC Documentum page in administration console

AEM forms FileNet Connector Administrator:
Can view and modify settings from the Connector for IBM FileNet page in administration console

AEM forms IBM CM Connector Administrator:
Can view and modify settings from the Connector for IBM Content Manager page in administration console

Rights Management Administrator:
Performs all tasks that are required for all server configurations on the relevant Rights Management pages

Rights Management End User:
Can access Rights Management end-user web pages

Rights Management Invite User:
Can invite users

Rights Management Manage Invited and Local Users:
Can perform tasks that are required to manage all invited and local users on the relevant Rights Management pages

Rights Management Policy Set Administrator:
Performs all tasks that are required for all policy sets on the relevant Rights Management pages

Rights Management Super Administrator:
Performs all tasks that are required from the Rights Management page

AEM forms Workspace Administrator:
Can view and modify settings from the Workspace page in Administration Console
Note: The Flex Workspace is deprecated for AEM forms release.

Workspace User:
Can log in to the Workspace end-user application

Output Administrator:
Can view and modify settings from the Output page in Administration Console

PDFG Administrator:
Can view and modify settings from the PDF Generator page in administration console

PDFG User:
Can access all non-administrative functionality for PDF Generator

Acrobat Reader DC extensions Web Application:
Can use the Acrobat Reader DC extensions web application

Note: Users with certain types of administrator privileges cannot access the Workspace end-user web pages for security reasons. Because these pages can exist outside a firewall, permitting administration-level tasks could pose a security risk. Only users who have the AEM forms Workspace Administrator or AEM forms Workspace User privileges can access the Workspace end-user web pages.
Note: The Flex Workspace is deprecated for AEM forms release.

Create a role

  1. In administration console, click Settings > User Management > Role Management, and then click New Role.

  2. In the Role Name box, type a name for the role and, optionally, type a description of the role, and then click Next.

    Note: When using MySQL, you cannot create two roles that have the same name but differ in the use of extended characters. For example, attempting to create a role named abcde when one named âbcdè already exists results in an error.
  3. Click Find Permissions and select the permissions to add to the role.

  4. Click OK and then click Next.

  5. Assign this role to users and groups:

    • Click Find Users/Groups.

    • In the Find box, type your search criteria.

    • Select Name, Email, or User ID, and then select Users, Groups, or Users and Groups.

    • Select the domain, select the number of results to display, and click Find.

    • Select the check boxes for the users and groups to assign this role to and click OK.

  6. To view user and group details, select the entity.

  7. Click OK and then click Finish.

Edit a role

  1. In administration console, click Settings > User Management > Role Management, and then click Role Name.

    By default, the Role Management page displays all the roles in the User Management database. If the list of roles is large, use the Find area at the top of the page to search for a specific role name.

  2. Click the role to edit, edit the general settings, and click Save.

  3. To edit role permissions, click the Permissions tab and do these tasks:

    • To add new permissions, click Find Permissions, select the check boxes for the permissions to add, click OK, and then click Save.

    • To delete a permission from the role, select the check box for the permission, click Delete, and then click Save.

  4. To manage who the role is assigned to, click the Role Users tab and do these tasks:

    • To assign the role to new users and groups, click Find Users/Groups, and complete the search information. Select the check box for each user and group to assign this role to, click OK, and then click Save.

    • To remove the role, select the check box for the user or group, click Unassign, and then click Save.

Delete a role

You can delete any of the roles that you created, but not the default AEM forms roles that are included in the product.

  1. In administration console, click Settings > User Management > Role Management, and then click Role Name.

    By default, the Role Management page displays all the roles in the User Management database. If the list of roles is large, use the Find area at the top of the page to search for a specific role name.

  2. Select the check box for the role to delete, click Delete, and then click OK.

Assign a role to users and groups

  1. In administration console, click Settings > User Management > Users and Groups.

  2. Specify information to narrow the search and click Find. The results of the search are listed at the bottom of the page. You can sort the list by clicking any of the column headings.

  3. Select the check boxes beside the users and groups to associate with a role and click Assign Role.

  4. Select the role to assign to the user or group and click OK.

You can also assign roles by using the Role Management page.

Determine who is assigned to a role

  1. In administration console, click Settings > User Management > Role Management, and then click Role Name.

    By default, the Role Management page displays all the roles in the User Management database. If the list of roles is large, use the Find area at the top of the page to search for a specific role name.

  2. On the Role Detail page, click the Role Users tab. A list of users and groups that are directly associated with the role is displayed.
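Because the Role Users tab shows only direct associations, while users inherit roles assigned to any group they belong to (through parent groups, which can be nested many levels deep), answering "who effectively holds this role?" for a privileged role such as Super Administrator requires walking the membership graph. The following is an added example, not code from the AEM forms product: given exported user-to-group, group-to-parent-group and principal-to-role data, it resolves each user's effective roles, records which principal grants each one, and lists every user who ends up with a given role. The data layout and the sample directory are assumptions of this example; the visited set guards against cyclic parent-group data.

```python
"""Effective role resolution through nested group membership (added example)."""
from collections import deque

# Constructed sample directory.
USER_GROUPS = {                      # user -> groups the user directly belongs to
    "alice": {"finance-approvers"},
    "bob": {"it-admins"},
    "carol": set(),
}
PARENT_GROUPS = {                    # group -> its parent groups
    "finance-approvers": {"all-staff"},
    "it-admins": {"all-staff", "admins"},
    "admins": {"it-admins"},         # deliberate cycle to show the traversal terminates
}
ROLE_ASSIGNMENTS = {                 # principal (user or group) -> roles assigned directly
    "all-staff": {"Workspace User"},
    "admins": {"Super Administrator"},
    "alice": {"Forms Administrator"},
    "carol": {"Services User"},
}


def ancestor_groups(groups, parent_groups: dict) -> set:
    """All groups reachable from `groups` by following parent links (cycle-safe)."""
    seen = set()
    queue = deque(groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parent_groups.get(group, ()))
    return seen


def effective_roles(user_id: str, user_groups: dict, parent_groups: dict,
                    role_assignments: dict) -> dict:
    """Map each role the user effectively holds to the principals that grant it."""
    principals = {user_id} | ancestor_groups(user_groups.get(user_id, ()), parent_groups)
    granted = {}
    for principal in principals:
        for role in role_assignments.get(principal, ()):
            granted.setdefault(role, set()).add(principal)
    return granted


def users_with_role(role: str, user_groups: dict, parent_groups: dict,
                    role_assignments: dict) -> set:
    """Every user who holds `role` directly or through any group, nested or not."""
    return {
        user for user in user_groups
        if role in effective_roles(user, user_groups, parent_groups, role_assignments)
    }


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        roles = effective_roles(user, USER_GROUPS, PARENT_GROUPS, ROLE_ASSIGNMENTS)
        for role, via in sorted(roles.items()):
            print(f"{user}: {role} (via {', '.join(sorted(via))})")
    print("Super Administrator holders:",
          sorted(users_with_role("Super Administrator", USER_GROUPS, PARENT_GROUPS, ROLE_ASSIGNMENTS)))
```

Reviewing the output of `users_with_role` for the administrative roles after each group change is a cheap way to catch a privileged role that has quietly spread through a parent-group association.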

Change role permissions

You can change the permissions for any of the roles that you created. You cannot change the permissions for the default AEM forms roles that are included in the product.

  1. In administration console, click Settings > User Management > Role Management, and then click Role Name.

    By default, the Role Management page displays all the roles in the User Management database. If the list of roles is large, use the Find area at the top of the page to search for a specific role name.

  2. Select the role to view permissions for and click the Permissions tab.

  3. To change these permissions, click Find Permissions, select the check boxes for the permissions to add to the role, click OK, and then click Save.

  4. To delete a permission, select the permission, click Delete, and then click Save.

AEM forms permissions

ADD_REMOVE_ENDPOINT_PERM:
Add, remove, and modify endpoints for a service

Admin Console Login:
View the administration console

Certificate Modify:
Modify the trust settings of any certificate in the Trust Store

Certificate Read:
Read any certificate in the Trust Store

Certificate Write:
Add a certificate to the Trust Store

Component Add:
Install a new component in the system

Component Delete:
Delete any component in the system

Component Read:
Read any component in the system

Contentspace Administrator:
Permission for Contentspace (Deprecated) Administrator

Contentspace Console Login:
Permission for Contentspace (Deprecated) Console Login

Core Settings Control:
Manage the settings on the Core System Settings page in Administration Console

CREATE_VERSION_PERM:
Create a new version of a service

Credential Modify:
Modify any signing credential in the Trust Store

Credential Read:
Read any signing credential in the Trust Store

Credential Write:
Add a signing credential to the Trust Store

CRL Modify:
Modify any CRL (Certificate Revocation List) in the Trust Store

CRL Read:
Read any CRL in the Trust Store

CRL Write:
Add a CRL to the Trust Store

Delegate:
Set an ACL on a resource

DELETE_VERSION_PERM:
Delete a version of a service

Document Upload:
Upload documents in AEM forms

Domain Control:
Create, delete, or modify settings for any User Management domain, including its authentication and directory providers

Event Type Edit:
Edit event types

Identity Impersonation Control:
Impersonate identity in User Manager

INVOKE_PERM:
Invoke all operations on a service

LCDS Data Model Control:
Read and deploy data models in Data Services

License Manager Update:
Update license information

MODIFY_CONFIG_PERM:
Modify the configuration of a service

TERM
Modify the version of a service

PDFGAdminPermission:
PDFG administrator

PDFGUserPermission:
PDFG user

PERM_DCTM_ADMIN:
Documentum Connector administrator

PERM_FILENET_ADMIN:
FileNet Connector administrator

PERM_FORMS_ADMIN:
Forms administrator

PERM_IBMCM_ADMIN:
IBM CM Connector administrator

PERM_OUTPUT_ADMIN:
Output administrator

PERM_READER_EXTENSIONS_WEB_APPLICATION:
Use the Acrobat Reader DC extensions web application

PERM_SP_ADMIN:
Manage SharePoint Connector settings

PERM_WORKSPACE_ADMIN:
Manage Workspace settings

PERM_WORKSPACE_USER:
Log in to the Workspace end-user application

Principal Control:
Manage users and groups for any domain, and manage role assignments for all users and groups in any domain

Process Recording Read/Delete:
List and retrieve workflow audit instances

PROCESS_OWNER_PERM:
View trend data and perform administrative actions on a service created from a process

Read:
Read the content of a resource

READ_PERM:
Read or view a service

Renew assertion:
Renew assertions in User Management

Repository Delegate:
Set an ACL on a resource

Repository Read:
Read the content of a resource

Repository Traverse:
Include a resource in a list resources request or read the metadata of a resource

Repository Write:
Write repository metadata and content

Rights Management Change Policy Owner:
Change policy owner

Rights Management End User Console Login:
Log in to the Rights Management End User UI

Rights Management Manage Configuration:
Manage server configuration

Rights Management Manage Invited and Local Users:
Manage invited and local users

Rights Management Manage Policy Sets:
Manage all policies and documents within any policy set

Rights Management Policy Set Add Coordinator:
Add, remove, and change permissions for policy set coordinators

Rights Management Policy Set Create Policy:
Create a new policy for a policy set

Rights Management Policy Set Delete Policy:
Remove a policy from a policy set

Rights Management Policy Set Edit Policy:
Edit a policy in a policy set

Rights Management Policy Set Manage Document Publisher:
Manage the document publishers of a policy set. When you create a policy set, you assign users the role of document publisher; the document publisher is the user who protects a document with a policy.

Rights Management Policy Set Remove Coordinator:
Remove a policy set coordinator from a policy set

Rights Management Policy Set Revoke Document:
Revoke access to documents in a policy set

Rights Management Policy Set Switch Policy:
Switch policies for a document

Rights Management Policy Set Unrevoke Document:
Unrevoke a document

Rights Management Policy Set View Event:
View policy and document events for any policy or document within a policy set

Rights Management View Server Events:
Search and view all audit events

Role Control:
Create, delete, and modify roles in User Management

Service Activate:
Start any service, making it available for invocation

Service Add:
Deploy a new service to the service registry. This includes adding new processes and process variants

Service Deactivate:
Stop any service in the system

Service Delete:
Delete any service in the system, including processes and process variants

Service Invoke:
Invoke any service in the service registry available at runtime

Service Modify:
Modify the configuration properties of any service in the system. This includes locking and unlocking a service in the IDE, and adding or removing endpoints from a service

Service Read:
Read any service in the system. This includes all processes and process variants

SERVICE_AGENT_PERM:
View data and interact with process instances for a service created from a process

SERVICE_MANAGER_PERM:
Perform load balancing and other administrative actions on a service created from a process

START_STOP_PERM:
Start or stop a service

SUPERVISOR_PERM:
View process instance data for a service created from a process

Traverse:
Include a resource in a list resources request or read the metadata of a resource

Write:
Write repository metadata and content

Opening files in Workbench

To view the contents of the Resources view in Workbench and open files for viewing, a user requires the following permissions:

  • Repository Read

  • Repository Traverse

  • Service Invoke

  • Service Read

Remove a user or group from a role

Use the Role Management page to remove users and groups from a particular role. If the user or group inherited the role assignment, you cannot remove the role at the user or group level. Either remove the user or group from the inheritance tree or remove the role from the parent.

  1. In administration console, click Settings > User Management > Role Management.

    By default, the Role Management page displays all the roles in the User Management database. If the list of roles is large, use the Find area at the top of the page to search for a specific role name.

  2. In the list of roles, click the name of the role to update, and then click the Role Users tab. The list of users and groups assigned to the role is displayed.

  3. Select the check boxes for the users and groups to remove from the role, and then click Unassign.

  4. Click Save, and then click OK.

Just-in-time user provisioning

AEM forms supports just-in-time provisioning of users that don’t yet exist in User Management. With just-in-time provisioning, users are automatically added to User Management after their credentials are successfully authenticated. In addition, relevant roles and groups are assigned dynamically to the new user.

Need for just-in-time user provisioning

This is how traditional authentication works:

  1. When a user tries to log in to AEM forms, User Management passes the user’s credentials sequentially to all available authentication providers. (Login credentials include a username/password combination, Kerberos ticket, PKCS7 signature, and so on.)

  2. The authentication provider validates the credentials.

  3. The authentication provider then checks whether the user exists in the User Management database. The following results are possible:

    Exists:
    If the user is current and unlocked, User Management returns authentication success. However, if the user is not current or is locked, User Management returns authentication failure.

    Does not exist:
    User Management returns authentication failure.

    Invalid:
    User Management returns authentication failure.

  4. The result returned by the authentication provider is evaluated. If the authentication provider returned authentication success, the user is allowed to log in. Otherwise, User Management checks with the next authentication provider (steps 2-3).

  5. Authentication failure is returned if no available authentication provider validates the user credentials.

When just-in-time provisioning is implemented, a new user is created dynamically in User Management if one of the authentication providers validates the user’s credentials. (After step 3 in the traditional authentication procedure, above.)

Implement just-in-time user provisioning

APIs for just-in-time provisioning

AEM forms provides the following APIs for just-in-time provisioning:

package com.adobe.idp.um.spi.authentication;

public interface IdentityCreator {
    /**
     * Tries to create a user with the information provided in the <code>UserProvisioningBO</code> object.
     * If the user is successfully created, a valid AuthResponse is returned along with the information
     * using which the user was created.
     * It is the responsibility of the IdentityCreator to set the User object in the credential map
     * with the key <code>UMAuthenticationUtil.authenticatedUserKey</code>.
     * The credentials are available in the <code>UserProvisioningBO</code> object in the 'credentials' property.
     * If the IdentityCreator is unable to create a user for any reason, it returns <code>null</code>.
     * @param userBO An object of <code>com.adobe.idp.um.spi.authentication.UserProvisioningBO</code>
     * @return A valid AuthResponse if the user was created, or <code>null</code> if it was not
     */
    public AuthResponse create(UserProvisioningBO userBO);

    /**
     * Returns the name of the IdentityCreator under which it is registered in preferences.
     * This name is used to associate the IdentityCreator with the Auth Provider Configuration in the domain.
     * @return The name of the IdentityCreator which is recognized in Configuration.
     */
    public String getName();
}

package com.adobe.idp.um.spi.authentication;

import com.adobe.idp.um.api.infomodel.User;

public interface AssignmentProvider {
    /**
     * Tries to assign roles, permissions, or group memberships to users created via just-in-time provisioning.
     * @param user The User created via the just-in-time provisioning process.
     * @return A Boolean flag indicating whether the assignment was successful or not.
     */
    public Boolean assign(User user);

    /**
     * Returns the name of the AssignmentProvider under which it is registered in preferences.
     * This name is used to associate the AssignmentProvider with the Auth Provider Configuration in the domain.
     * @return The name of the AssignmentProvider which is recognized in Configuration.
     */
    public String getName();
}

Considerations while creating a just-in-time-enabled domain

  • While creating a custom IdentityCreator for a hybrid domain, ensure that a dummy password is specified for the local user. Do not leave this password field empty. Because a hybrid domain also accepts local passwords, generate an unpredictable value rather than a fixed placeholder; a known dummy password would let anyone log in as the provisioned user without passing the enterprise authentication provider.

  • Recommendation: Use DomainSpecificAuthentication to validate user credentials against a specific domain.
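As an added example, not code from this page or from Adobe, the following Java DSC classes implement the IdentityCreator and AssignmentProvider interfaces from the "APIs for just-in-time provisioning" section and apply the two considerations above: provisioning is refused for any domain other than the one the creator is registered for, and the local user in the hybrid domain gets a random, non-empty password. Everything not shown on this page is an assumption to verify against the User Management Javadoc for your release: the accessors userBO.getCredentials() and userBO.getDomainName() (the page only says the BO carries a 'credentials' property and domain information), the hypothetical credential-map key USERNAME_KEY, the classes com.adobe.idp.um.api.DirectoryManager (createLocalUser), com.adobe.idp.um.api.AuthorizationManager (assignRole), com.adobe.idp.um.api.infomodel.impl.UserImpl and AuthResponseImpl with its setAuthStatus/setUsername/setDomain setters, the constant AuthResponse.AUTH_SUCCESS, and the placeholder values EXPECTED_DOMAIN and JIT_ROLE_ID.

```java
package com.example.jit; // hypothetical package for this example

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;

import com.adobe.idp.um.api.AuthorizationManager;        // assumed UM API for role assignment
import com.adobe.idp.um.api.DirectoryManager;            // assumed UM API for local-user creation
import com.adobe.idp.um.api.infomodel.User;
import com.adobe.idp.um.api.infomodel.impl.UserImpl;     // assumed concrete User implementation
import com.adobe.idp.um.spi.authentication.AssignmentProvider;
import com.adobe.idp.um.spi.authentication.AuthResponse;
import com.adobe.idp.um.spi.authentication.AuthResponseImpl; // assumed AuthResponse implementation
import com.adobe.idp.um.spi.authentication.IdentityCreator;
import com.adobe.idp.um.spi.authentication.UMAuthenticationUtil;
import com.adobe.idp.um.spi.authentication.UserProvisioningBO;

/** Creates a local user in exactly one hybrid domain; returns null for anything else. */
public class DomainScopedIdentityCreator implements IdentityCreator {

    static final String EXPECTED_DOMAIN = "HybridDomain"; // placeholder: your hybrid domain name
    static final String USERNAME_KEY = "username";         // assumption: key your auth provider uses
    private static final SecureRandom RNG = new SecureRandom();

    private final DirectoryManager directoryManager; // supplied however your DSC obtains UM services

    public DomainScopedIdentityCreator(DirectoryManager directoryManager) {
        this.directoryManager = directoryManager;
    }

    public AuthResponse create(UserProvisioningBO userBO) {
        // Never trust the BO's domain blindly: a provider registered for another domain must not
        // be able to mint users here. getDomainName() is an assumed accessor.
        if (!EXPECTED_DOMAIN.equals(userBO.getDomainName())) {
            return null; // null means "could not create", per the interface contract
        }
        Map<String, Object> credentials = userBO.getCredentials(); // assumed accessor
        Object name = credentials.get(USERNAME_KEY);
        if (!(name instanceof String) || ((String) name).isEmpty()) {
            return null;
        }
        String username = (String) name;
        try {
            UserImpl user = new UserImpl();
            user.setCanonicalName(username);
            user.setDomainName(EXPECTED_DOMAIN);
            user.setCommonName(username);
            // Hybrid-domain rule: the local password must not be empty. A random value nobody
            // knows keeps the local-password path from bypassing the enterprise provider.
            directoryManager.createLocalUser(user, randomPassword());

            // Interface contract: the created User goes into the credential map under this key.
            credentials.put(UMAuthenticationUtil.authenticatedUserKey, user);

            AuthResponseImpl response = new AuthResponseImpl();
            response.setAuthStatus(AuthResponse.AUTH_SUCCESS);
            response.setUsername(username);
            response.setDomain(EXPECTED_DOMAIN);
            return response;
        } catch (Exception e) {
            return null; // any failure fails the login instead of leaving a half-provisioned user
        }
    }

    /** 192 bits from SecureRandom, URL-safe base64, so the dummy password is unguessable. */
    static String randomPassword() {
        byte[] buf = new byte[24];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public String getName() {
        return "domainScopedIdentityCreator"; // the name selected in the domain's auth provider config
    }
}

/** Grants one pre-agreed least-privilege role to every just-in-time user, nothing more. */
class MinimalRoleAssignmentProvider implements AssignmentProvider {

    static final String JIT_ROLE_ID = "JIT_BASIC_ROLE"; // placeholder role ID from your environment
    private final AuthorizationManager authorizationManager;

    MinimalRoleAssignmentProvider(AuthorizationManager authorizationManager) {
        this.authorizationManager = authorizationManager;
    }

    public Boolean assign(User user) {
        try {
            // assignRole(roleId, principalOids) is an assumed signature; confirm in the Javadoc.
            authorizationManager.assignRole(JIT_ROLE_ID, Collections.singletonList(user.getOid()));
            return Boolean.TRUE;
        } catch (Exception e) {
            return Boolean.FALSE; // reported back to User Management as a failed assignment
        }
    }

    public String getName() {
        return "minimalRoleAssignmentProvider";
    }
}
```

Package both classes in the DSC you deploy in step 2 of the procedure below, then select their getName() values as the Identity Creator and Assignment Provider on the New Authentication screen. Keeping the role list to a single, narrowly scoped role is deliberate: a just-in-time user has passed only credential validation, so group and role escalation should happen later through the normal Principal Control workflow, not at first login.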

Create a just-in-time-enabled domain

  1. Write a DSC implementing the APIs in the “APIs for just-in-time provisioning” section.

  2. Deploy the DSC to the forms server.

  3. Create a just-in-time-enabled domain:

    • In Administration Console, click Settings > User Management > Domain Management > New Enterprise Domain.

    • Configure the domain and select Enable Just In Time Provisioning. (See Setting up and managing domains.)

    • Add authentication providers. While adding authentication providers, on the New Authentication screen, select a registered Identity Creator and Assignment Provider.

  4. Save the new domain.

Behind the scenes

Assume that a user is trying to log in to AEM forms and an authentication provider accepts their user credentials. If the user doesn’t yet exist in the User Management database, the identity check for the user fails. AEM forms now performs the following actions:

  1. Create a UserProvisioningBO object with the authentication data and place it in a credential map.

  2. Based on domain information returned by UserProvisioningBO, fetch the registered IdentityCreator and AssignmentProvider for the domain.

  3. Invoke IdentityCreator. If it returns a successful AuthResponse, extract the User from the credential map and pass it to the AssignmentProvider for group/role assignment and any other post-processing after the user is created.

  4. If the user is created successfully, return the login attempt by the user as successful.

  5. For hybrid domains, pull user information from the authentication data provided to the authentication provider. If this information is fetched successfully, create the user on-the-fly.

Note: The just-in-time provisioning feature ships with a default implementation of IdentityCreator that you can use to dynamically create users. Users are created with the information associated with the directories in the domain.
