adobe-enterprise-rbac
Configure Adobe enterprise identity with Admin Console SCIM provisioning, User Management API, product profile-based RBAC, and Federated ID with Azure AD or Google Workspace. Trigger with phrases like "adobe SSO", "adobe RBAC", "adobe enterprise", "adobe roles", "adobe SCIM", "adobe user management".
What this skill does
# Adobe Enterprise RBAC
## Overview
Configure enterprise-grade access control for Adobe integrations using Admin Console product profiles, User Management API (UMAPI) for programmatic user provisioning, and SCIM-based identity sync with Azure AD or Google Workspace.
## Prerequisites
- Adobe Enterprise or Teams subscription
- Adobe Admin Console system administrator access
- Identity Provider (Azure AD, Google Workspace, or Okta) for SSO
- Understanding of SCIM 2.0 protocol
## Instructions
### Step 1: Set Up Federated Identity in Admin Console
1. Go to https://adminconsole.adobe.com > Settings > Identity
2. Create a Federated ID directory
3. Configure SSO:
- **Azure AD**: Admin Console > Add Azure Sync > Follow SCIM setup
- **Google Workspace**: Admin Console > Add Google Sync > SCIM provisioning
- **Generic SAML**: Upload IdP metadata XML
```yaml
# SAML Configuration Values (for your IdP)
Adobe SP Entity ID: https://federatedid-na1.services.adobe.com/federated/saml/metadata
ACS URL: https://federatedid-na1.services.adobe.com/federated/saml/SSO
Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
```
### Step 2: Define Product Profiles (Adobe's RBAC Mechanism)
Product Profiles in Admin Console are Adobe's native RBAC system. Create profiles that map to your application roles:
| Profile Name | Adobe APIs Granted | Application Role |
|-------------|-------------------|------------------|
| `API-Developers` | Firefly, PDF Services, Photoshop | Full API access |
| `API-Viewers` | PDF Services (read-only) | Report viewers |
| `API-Automation` | PDF Services, Document Generation | CI/CD service accounts |
| `API-Admin` | All APIs + Admin Console | Platform administrators |
### Step 3: Programmatic User Management via UMAPI
```typescript
// src/adobe/user-management.ts
// Adobe User Management API (UMAPI) — manage users and product profile assignments
const UMAPI_BASE = 'https://usermanagement.adobe.io/v2/usermanagement';
interface UmapiUser {
email: string;
firstname: string;
lastname: string;
country: string;
}
export async function addUserToProductProfile(
user: UmapiUser,
productProfile: string
): Promise<void> {
const token = await getAccessToken();
const response = await fetch(`${UMAPI_BASE}/action/${process.env.ADOBE_IMS_ORG_ID}`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
'x-api-key': process.env.ADOBE_CLIENT_ID!,
'Content-Type': 'application/json',
},
body: JSON.stringify([{
user: user.email,
requestID: `req-${Date.now()}`,
do: [
{
addAdobeID: {
email: user.email,
firstname: user.firstname,
lastname: user.lastname,
country: user.country,
},
},
{
add: {
product: [productProfile],
},
},
],
}]),
});
if (!response.ok) throw new Error(`UMAPI error: ${await response.text()}`);
const result = await response.json();
console.log(`User ${user.email} added to profile ${productProfile}:`, result);
}
export async function removeUserFromProductProfile(
email: string,
productProfile: string
): Promise<void> {
const token = await getAccessToken();
const response = await fetch(`${UMAPI_BASE}/action/${process.env.ADOBE_IMS_ORG_ID}`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
'x-api-key': process.env.ADOBE_CLIENT_ID!,
'Content-Type': 'application/json',
},
body: JSON.stringify([{
user: email,
requestID: `req-${Date.now()}`,
do: [{
remove: {
product: [productProfile],
},
}],
}]),
});
if (!response.ok) throw new Error(`UMAPI error: ${await response.text()}`);
}
```
### Step 4: Map IdP Groups to Adobe Product Profiles
```typescript
// src/adobe/group-sync.ts
// Sync IdP group membership to Adobe Product Profiles
const GROUP_TO_PROFILE: Record<string, string[]> = {
'Engineering': ['API-Developers'],
'Data-Science': ['API-Developers', 'API-Viewers'],
'Platform-Admins': ['API-Admin'],
'CI-CD-Services': ['API-Automation'],
'Business-Analysts': ['API-Viewers'],
};
export async function syncGroupMembership(
userEmail: string,
idpGroups: string[]
): Promise<void> {
// Determine which Adobe profiles this user should have
const targetProfiles = new Set<string>();
for (const group of idpGroups) {
const profiles = GROUP_TO_PROFILE[group];
if (profiles) profiles.forEach(p => targetProfiles.add(p));
}
// Get current Adobe profile assignments
const currentProfiles = await getUserProfiles(userEmail);
// Add missing profiles
for (const profile of targetProfiles) {
if (!currentProfiles.includes(profile)) {
await addUserToProductProfile(
{ email: userEmail, firstname: '', lastname: '', country: 'US' },
profile
);
}
}
// Remove stale profiles
for (const profile of currentProfiles) {
if (!targetProfiles.has(profile)) {
await removeUserFromProductProfile(userEmail, profile);
}
}
}
```
### Step 5: Application-Level Permission Check
```typescript
// src/middleware/adobe-auth.ts
// Check that the current user's Adobe profile grants the required permission
interface AdobeUserContext {
email: string;
profiles: string[]; // Product profiles from SSO token claims
}
const PROFILE_PERMISSIONS: Record<string, string[]> = {
'API-Developers': ['read', 'write', 'generate', 'extract'],
'API-Viewers': ['read', 'extract'],
'API-Automation': ['read', 'write', 'extract', 'generate'],
'API-Admin': ['read', 'write', 'generate', 'extract', 'delete', 'admin'],
};
function checkAdobePermission(user: AdobeUserContext, requiredPerm: string): boolean {
return user.profiles.some(profile => {
const perms = PROFILE_PERMISSIONS[profile];
return perms?.includes(requiredPerm);
});
}
// Express middleware
function requireAdobePermission(permission: string) {
return (req: any, res: any, next: any) => {
if (!checkAdobePermission(req.user, permission)) {
return res.status(403).json({
error: 'Forbidden',
message: `Missing Adobe permission: ${permission}`,
requiredProfile: Object.entries(PROFILE_PERMISSIONS)
.filter(([_, perms]) => perms.includes(permission))
.map(([profile]) => profile),
});
}
next();
};
}
// Usage
app.post('/api/generate-image', requireAdobePermission('generate'), generateHandler);
app.delete('/api/assets/:id', requireAdobePermission('delete'), deleteHandler);
```
## Output
- Federated Identity with SSO (SAML/OIDC) configured
- Product Profiles created for each application role
- Programmatic user provisioning via UMAPI
- IdP group-to-profile sync automation
- Application middleware enforcing Adobe permissions
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| SSO login redirect loop | Wrong ACS URL | Verify SAML config in Admin Console |
| UMAPI 403 | Missing admin permission | Use system admin credentials for UMAPI |
| Profile not applied | SCIM sync delay | Wait 5-10min for Azure/Google sync |
| User can't access API | Missing product profile | Assign profile in Admin Console or via UMAPI |
## Resources
- [Adobe Admin Console](https://adminconsole.adobe.com)
- [User Management API](https://adobe.io/apis/experienceplatform/umapi-new.html)
- Adobe Admin Console Roles
- Azure AD Sync Setup
- Google Workspace Sync
## Next Steps
For major migrations, see `adobe-migration-deep-dive`.
Related in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".