Get User Information
GET /v2/usermanagement/organizations/{orgId}/users/{userString}
Retrieves the details of a single user within a specified organization, identified by email address or username and domain. Successful queries return a 200 response whose body is a single JSON structure containing the user information.
Throttle Limits: Maximum 25 requests per minute per a client. See Throttling Limits for full details.
Parameters
| Name | Type | Req? | Description |
|---|---|---|---|
| orgId | path | true | The unique identifier for an organization. This is a string of the form A495E53@AdobeOrg where the prefix before the @ is a hexadecimal number. You can find this value as part of the URL path for the organization in the Admin Console or in the adobe.io console for your User Management integration. |
| userString | path | true | For AdobeID, Enterprise and email-federated users this should be the full email address including domain. In all cases the parameter is case-insensitive. Identity Types explains the different account types available. |
| X-Api-Key | header | true | The API key specified in the Adobe IO Console for the UMAPI integration used to authorize this session. See the Getting Started documentation for details. The header name is X-Api-Key and this parameter is its value. |
| Authorization | header | true | The OAuth token generated by the authorization server from the JWT exchange which starts every UMAPI session. (This token usually begins with the letters ‘ey’.) The header name is Authorization, and this parameter, preceded by the word ‘Bearer’ and a space, is its value, as in Authorization: Bearer ey.... |
| domain | query | false | Optional parameter but highly recommended including for all user types. For AdobeID users this would be AdobeID. For Enterprise and email-federated users the domain will either match the email domain or, in the case of multi-domain federations, have any other domain for that directory. |
| content-type | header | false | Used to specify the content type of the request data. Must be application/json
|
| X-Request-Id | header | false | An arbitrary string used to identify the corresponding response to a request. If a header with this name is provided in the request, the exact same header will be included in the response to that request. |
Responses
Content-Type: application/json
Use only those properties that are documented in the Response Properties section. Additional fields can appear in the response, but should not be relied upon.
200 OK
The response body contains the requested user data in JSON format including any of the user’s group membership and admin roles. Fields can be missing if values were never supplied or are not applicable for a particular account type.
Identity Types explains the different account types available.
Examples
Response for an Adobe ID user with System Administrator role:
{
"result": "success",
"user": {
"email": "jdoe@my-domain.com",
"status": "active",
"username": "jdoe@my-domain.com",
"domain": "my-domain.com",
"firstname": "John",
"lastname": "Doe",
"country": "US",
"type": "adobeID",
"groups": [
"_org_admin"
],
"tags": [
"edu_student"
]
}
}
Enterprise User with membership in two user-groups but no administrative roles. If the fields are not populated (firstname andlastname in this example), they are excluded from the response.
{
"result": "success",
"user": {
"email": "jdoe@my-domain.com",
"status": "active",
"groups": [
"UserGroup1",
"UserGroup2"
],
"username": "jdoe@my-domain.com",
"domain": "my-domain.com",
"country": "JP",
"type": "enterpriseID"
}
}
Federated User with no memberships or administrative roles:
{
"result": "success",
"user": {
"email": "jdoe@my-domain.com",
"status": "active",
"username": "johndoe",
"domain": "my-domain.com",
"firstname": "John",
"lastname": "Doe",
"country": "US",
"type": "federatedID"
}
}
Response Properties
result: string, The status of the request. One of success or an error key: { "success", "error", "error.apikey.invalid", "error.user.email.invalid", "error.api.user.not.parent.org", "error.organization.invalid_id" }
message: string An error message, returned only if initial validation of the request fails. It is not populated when a 200 status is returned.
{
"result": "error.organization.invalid_id",
"message": "Bad organization Id"
}
user: A user object containing relevant properties. Properties that are not populated are not returned in the response. Some properties are not applicable for particular account types.
- country: string; A valid ISO 2-character country code.
- domain: string; The user’s domain.
- email: string; The user’s email address.
- firstname: string; The user’s first name.
-
groups: string[]; The list of groups in which the user is a current member, including, user groups, product profiles, product admin groups, and group-specific admin groups. Administrative groups are named with a prefix and the group name. For example,
_product_admin_Photoshop,_admin_DesignTools, or_developer_Marketing. You should avoid any logic that expects fixed group names as these are liable to change without notice. Organization-wide admin groups are:-
_org_admin: The user is a System Administrator. -
_deployment_admin: The user is a Deployment Administrator. -
_support_admin: The user is a Support Administator.
-
- id: string; The user’s unique identifier.
- lastname: string; The user’s last name.
-
status: string; A user’s status with the organization. Only “active” users are returned by Get User Information and Get Users in Organization. One of the following:
- “active”: Normal status for a user account in good standing.
- “disabled”: Disabled temporarily - user is not allowed to login, but is not removed.
- “locked”: Disabled permanently - user is not allowed to login, but is not removed.
- “removed”: The user account is being removed.
-
type: string, The user type, one of:
{ "adobeID", "enterpriseID", "federatedID", "unknown" }. See Identity Types for more information. - username: string; The user’s username (applicable for Enterprise and Federated users). For most Adobe ID users, this value is the same as the email address.
-
tags: string[]; Returns a list of the tags applied to a user e.g.
["edu_student", "edu_staff"]. This will not be returned if the user has no tags. -
adminRoles: string[]; Deprecated. Administrative roles are reflected in group memberships, returned in the
groupsfield.
Schema Model
{
"message": "string",
"result": "string",
"user": {
"country": "string",
"domain": "string",
"email": "string",
"firstname": "string",
"groups": [
"string"
],
"id": "string",
"lastname": "string",
"status": "string",
"type": "string",
"username": "string",
"tags": [
"string"
]
}
}
400 Bad Request
Some parameters of the request were not understood by the server or the Service Account Integration certificate has expired.
401 Unauthorized
Possible causes are:
- Invalid or expired token.
- Invalid Organization.
< HTTP/1.1 401 Unauthorized
< Content-Type: */*
< Date: Thu, 22 Jun 2017 09:47:04 GMT
< WWW-Authenticate: Bearer realm="JIL", error="invalid_token", error_description="The access token is invalid"
< X-Request-Id: user-assigned-request-id
< Content-Length: 0
< Connection: keep-alive
403 Forbidden
Possible causes are:
- Missing API key.
- The organization is currently migrating. Either from DMA or to One Console.
- API key is not permitted access.
< HTTP/1.1 403 Forbidden
< Date: Thu, 22 Jun 2017 09:41:22 GMT
< X-Request-Id: user-assigned-request-id
< Content-Length: 0
< Connection: keep-alive
404 Not Found
The user was not found in the given organization.
< HTTP/1.1 404 Not Found
< Canonical-Resource: /v2/usermanagement/organizations/{orgId}/users/{userstring:.*}
< Content-Type: application/json
< X-Request-Id: user-assigned-request-id
< Connection: keep-alive
{"result":"error.user.not_found","message":"User not found email@email.com"}
Example Requests
Searching by email for AdobeID, Enterprise or email-federated users:
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/organizations/12345@AdobeOrg/users/jdoe@example.com \
--header 'Authorization: Bearer ey...' \
--header 'X-Api-Key: 88ce03094fe74f4d91c2538217d007fe'
Searching for AdobeID user with domain:
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/organizations/12345@AdobeOrg/users/jdoe@example.com?domain=AdobeID \
--header 'Authorization: Bearer ey...' \
--header 'X-Api-Key: 88ce03094fe74f4d91c2538217d007fe'
Searching for Enterprise or email-federated users with domain parameter included:
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/organizations/12345@AdobeOrg/users/jdoe@example.com?domain=example.com \
--header 'Authorization: Bearer ey...' \
--header 'X-Api-Key: 88ce03094fe74f4d91c2538217d007fe'
Note that the authorization directory, which is specified by the “domain” parameter, can contain more than one domain name. This means that the “domain” value does not necessarily match the domain portion of user email addresses.
Throttling Limits
To protect the availability of the Adobe back-end user identity systems, the User Management API imposes limits on client access to the data. Limits apply to the number of calls that an individual client can make within a time interval, and global limits apply to access by all clients within the time period. For this API the throttling limits are as follows:
- Maximum calls per client: 25 requests per a minute
- Maximum calls for the application: 100 requests per a minute
When the client or global access limit is reached, further calls fail with HTTP error status 429 Too Many Requests. The Retry-After header is included in the 429 response, and provides the minimum amount of time that the client should wait until retrying. See RFC 7231 for full information.
The User Management API recommends limiting your syncs to two hourly intervals and consider scheduling your sync for a time that works best for you, taking into account other timezones and clients. This will help to prevent how often your client is throttled.
The following sample shows a 429 response with the Retry-After header detailing the number of seconds to wait before retry:
========================= RESPONSE =========================
Status code: 429
-------------------------- header --------------------------
Content-Type: application/json
Date: Fri, 19 Jan 2018 10:31:43 GMT
Retry-After: 38
Server: APIP
X-Request-Id: iEUtsLiFgj3R4xsbirAyZlMyaxRTo8Xo
Content-Length: 54
Connection: keep-alive
--------------------------- body ---------------------------
{
"error_code" : "429050",
"message" : "Too many requests"
}
============================================================
Because of the global limits, and because the specific limits may change, you cannot simply limit the rate at which you make your own calls. You must handle rate-limit errors by retrying the failed calls. We recommend an exponential backoff retry technique for handling such errors.
Handling error responses
When you retry a failed request, the retry can also fail, and can fall back into the retry loop, adding to the system overload. The exponential backoff retry method increases the period between retries, so that the client makes fewer calls while the system is overloaded.
To implement an exponential backoff method, you increase the retry interval with each failed request. You should retry sending the request after a certain number of seconds, and increase that interval by a random amount with each attempt. For example, you can double the retry period each time, or escalate it by a power of 2, and then add a small random delay between failures.
A small random delay, known as “jitter,” prevents the “herd effect” that can occur if many clients attempt to reconnect to a recovering system at the same time. Without jitter, all of the retries could occur after 20 seconds, then 40 seconds, and so on. With the jitter, different retries occur at slightly different intervals. This allows the system to recover without further overloading it.
For an example of how to implement this error-handling method, see “Retrying Requests” in the User Management Walkthrough.