The User Management API provides programmatic access to the user accounts that are associated with your Adobe organization. You can integrate this API into your organization’s administrative applications and processes. You can use the API in scripts or programs to allow authorized administrators to create, update, and delete user accounts for your enterprise, and retrieve information about your Adobe users and their access to Adobe products.

Connecting to the User Management API

To establish a secure user-management session, you create a JSON Web Token (JWT) that encapsulates your identity information and exchange it for an IMS access token. Please see the Prerequisites section of the Getting Started Guide for detailed information about obtaining an access token.

  • A typical access token is valid for 24 hours after it is issued.
  • You can request multiple access tokens. Previous tokens are not invalidated when a new one is issued. You can authorize requests with any valid access token. This allows you to overlap access tokens to ensure your integration is always able to connect to Adobe.

Every call to the User Management API endpoints must be authorized with this access token in the Authorization header, along with the API key for your client, which you received when you created the integration in the Adobe I/O Console.

For an example of a Python script that creates a JWT and exchanges it for an access token, see the User Management Walkthrough.

User Management API Calls

An application can use the User Management API to access Adobe users and manage their identities. You can create and remove user accounts for your organization, modify a user’s personal information (depending on the account type), and modify users’ access rights to Adobe applications within your organization.

Address all user-management requests to the UM API server:

Summary of Actions on Users

Task Operation Endpoint Description
Create and Add Users POST action/{orgId} Create or add users to an organization by specifying a command in the request body.
Update User Records POST action/{orgId} Update existing user records
Remove Users POST action/{orgId} Remove users from your organization
Access Users GET various endpoints List users in organization or in group, get individual user records

Create and Add Users

Creative Cloud, Experience Cloud, and Document Cloud apps and services use an identity management system to determine an end user’s entitlements. A user is recognized based on their identity. You can use the User Management API to create and manage Adobe user identities of all types. User types include the personal Adobe ID, the Enterprise ID that is managed by your enterprise but hosted by Adobe, and the Federated ID that is both managed and hosted by your enterprise.

For details of supported types, see Manage Identity Types in the Enterprise help hub.

The POST action API allows an Organization to create or add users to an organization by specifying a command in the request body.

Update Users

You can update personal information for a user who has an Enterprise or Federated ID that is managed by your organization through the POST action API using the update command in the request body. The following link details the command but it is recommended to read the full API Actions Reference first.

Remove Users

You can remove a user from your organization, or from a Trusted Domain, through the POST action API. The removeFromOrg command removes the user from the organization and from any product profiles, user groups, and administrative groups in the organization. An organization can also delete user accounts of type Enterprise and Federated ID, if the caller is from the owning organization and has delete access. This will also remove them from all groups in a given domain.

Access Users

Retrieve user information for an organization or for members of user-groups and product profiles through the following GET APIs:

Summary of Actions on Groups

Groups include user groups, product profiles, organization-wide administrative groups, and administrative groups associated with specific products, user groups, and product profiles.

You can manage user groups and user-group memberships with a POST request to the actions/{orgId} endpoint, using the usergroup root command in the commands structure.

  • Manage user groups with the createUserGroup, deleteUserGroup, and updateUserGroup actions for a usergroup.
  • Add or remove user-group members with the add and remove actions for a usergroup. You can add and remove individual users and product profiles.

Manage Entitlements and Administrative Rights

Use a POST action request to manage entitlements and administrative rights. Entitlements are granted through membership in product profiles, and administrative rights are granted through membership in the specially named administrative groups.

Manage Entitlements

Users are granted access to Adobe products by adding them as members of a product profile that has been created in the Admin Console. A product profile identifies an Adobe product or set of products, and is associated with a list of users who are entitled to access. You can use the API to add individual users to and remove individual users from specific product profiles.

You can also create user groups in the Admin Console. You can use the API to manage both profiles and user groups:

  • You can add and remove users to manage membership in user groups.
  • You can add and remove both users and user groups to manage membership in product profiles.

Together, user groups and product profiles allow you to group users according to your own criteria, and then grant or deny product access to individuals and to entire groups.

Note: You cannot create or manage product profiles themselves through the User Management API. For more information about creating and managing product profiles, see Manage Product Profiles in the Enterprise help hub.

Use the POST action API to manage entitlements by adding and removing users to and from user groups and product profiles.

You can give users access to a product directly by adding them to a product profile for that product, or indirectly by adding them to a user group which itself has been added to a product profile for that product. In either case, a user might not get access if there are not enough licenses or other resources. You can tell if access was granted by using the status parameter to get users by group and see if the user is listed for the product profile.

Manage Administrative Permissions

Use the POST action API to manage permissions by adding and removing users to and from administrative groups. There are three administrative groups with fixed names:

  • Administrators: _org_admin
  • Support Administrators: _support_admin
  • Deployment Administrators: _deployment_admin

In addition, there are administrative groups for each user group and product profile. These are named with a prefix and the group name. For example, _admin_Marketing, _developer_Marketing or _product_admin_Adobe Document Cloud for business.

Please note that you cannot assign or remove the administrative role _org_admin using User Management API.