In This Section
- Post-Sync Connector
- Sign Sync Connector
The Post-Sync Connector framework for the User Sync Tool performs optional sync workflows with specific Adobe products. These workflows execute after the main sync workflow completes.
Specific functionality depends on the connector(s) used.
Multiple connectors can be enabled and configured for a single sync process.
NOTE: Adobe Sign Sync is currently the only supported connector. Additional connectors will be released in the future.
|Adobe Sign Sync||
||See Sign Sync Docs below|
Each post-sync connector has its own configuration file to specify any configuration options needed by that connector.
Post-sync connectors are enabled in
user-sync-config.yml with the optional
post-sync config option.
# user-sync-config.yml post_sync: modules: - sign_sync connectors: sign_sync: connector-sign-sync.yml
This example shows the Adobe Sign Sync connector enabled. The
modules option specifies that the
connector is enabled.
connectors.sign_sync points the Sync Tool to the Sign connector config file, which tells
the Sign connector how to operate. After the main sync completes, the Sign connector will be executed.
||Top-level config key that specifies which modules are enabled and where their configuration files live|
||List of post-sync modules to enable. Connectors will be run in order specified|
||Connector config files. Key: connector module; value: path to config file|
Post-sync connectors are executed after the main sync process completes. In the course of the sync process, the Post-Sync Manager marshals the following data to be used be each post-sync connector.
- Identity source data, including any additional attributes
- The current state of all users in the Admin Console after the completion of the sync process (with respect to
--adobe-usersand any exclusion rules that may be specified)
This post-sync data is provided to each post-sync connector for post-sync execution. It will not be altered by any post-sync connector.
During post-sync execution, each post-sync connector will be run in the order defined in
Sign Sync Connector
The Adobe Sign Sync connector introduces an optional sync workflow to manage Adobe Sign users.
- Assign Sign users to specific Sign groups
- Define Group Admin and Account Admin role assignmet rules
Native Sign <-> Admin Console Connection
The Adobe Sign Sync connector is not required to provision users to Adobe Sign. Users assigned to Sign Enterprise plans are automatically granted basic Sign accounts when they are first provisioned to a Sign product profile in the Admin Console. When Sign users are created in this manner, they are assigned to the Default Group in Sign and are assigned Normal User privileges.
Taking advantage of this native sync functionality with the User Sync Tool is easy - just target an Adobe Sign
product profile in your group mapping in
directory_users: groups: - directory_group: adobe-sign-enterprise adobe_groups: - Adobe Sign
Updates to user information (First Name, Last Name, and email address) are automatically synced to Sign the next time the user logs into Sign.
|Sign group assignment||Assign Sign users to a non-default group|
|Admin Roles||Provision users in Sign with Group Admin or Account Admin privileges|
|Automatic group creation||Sign groups are created automatically if they don’t already exist|
|Console-driven provisioning||Group and role assignment is governed by Admin Console group membership and/or Console admin role assignment|
The Adobe Sign Sync configuration file,
connector-sign-sync.yml, defines the behavior of the Adobe Sign sync process.
# connector-sign-sync.yml sign_orgs: - host: api.echosign.com key: [API key] admin_email: firstname.lastname@example.org entitlement_groups: - Adobe Sign user_groups: - Sign Users - More Sign Users identity_types: - federatedID admin_roles: - sign_role: ACCOUNT_ADMIN adobe_groups: - Adobe Sign Account Admins - sign_role: GROUP_ADMIN adobe_groups: - Adobe Sign Group Admins
A Closer Look
sign_orgs: - host: api.echosign.com key: [API key] admin_email: email@example.com
All Sign Connector configs must specify at least one item in the
sign_orgs list. This list defines the Sign API connections to be used
by the connector. Each
sign_org connection corresponds with a UMAPI connection as defined in
Note that for secondary Sign connections, the
console_org key must be used to identify the secondary connection.
For more information, see the tutorial on multiple connections.
entitlement_groups: - Adobe Sign
entitlement_groups define which product profiles or groups designate a Sign entitlement. It prevents the Sign connector from operating
on users that have not been given access to Adobe Sign. This list typically consists of the names of any Sign Enterprise product profile
defined in the Admin Console and/or any User Group with an associated Sign Enterprise profile.
user_groups: - Sign Users - More Sign Users
user_groups define Admin Console group memberships that should also be assigned in Adobe Sign. Any group defined in this list will
be created in Sign if a group by that name doesn’t already exist. Any user assigned to any of these groups in the Admin Console will
be assigned the same group in Adobe Sign.
For more information, see the tutorial on group assignment.
identity_types: - federatedID
identity_types designates which type of Admin Console users will be included in the Sign Sync. This should typically match the
identity type of users created by the main sync process as defined in
admin_roles: - sign_role: ACCOUNT_ADMIN adobe_groups: - Adobe Sign Account Admins - sign_role: GROUP_ADMIN adobe_groups: - Adobe Sign Group Admins
admin_roles defines a list of mapping rules that tie a list of Admin Console groups and/or roles to a Sign admin role.
For more information, see the tutorial on managing role assignments.
||Y||List of objects defining which Sign orgs to sync. If targeting a “secondary” org, it must be defined in
||N||List of Adobe group names to potentially assign to a user in Sign. If a user belongs to any group in this list, they will be assigned to the first matching group in Sign (with respect to the order these groups are defined in the Sign config)|
||Y||List of Adobe groups and/or product profiles that provision a user to Adobe Sign. Only users assigned to these groups will be processed by the Sign Sync connector.|
||N||Identity types to be processed by Sign Sync connector. Users of any type not specified here will not be processed.|
||N||List of mappings that define which Console user groups and/or admin roles determine Sign admin privileges|
Each object defined in
sign_orgs represents a connection to a different Sign organization. There should, at minimum, be one
Sign connection defined here - the connection to the Sign org that is linked to the “primary” UMAPI connection as defined in
connector-umapi.yml. Secondary Sign orgs can be defined here as well as long as their linked UMAPI connections are defined in
user-sync-config.yml (see docs).
||Base Sign endpoint host (e.g. api.echosign.com); actual API hostname and endpoint will be resolved dynamically|
||API integration key|
||Email address of Sign admin user associated with API key. This setting prevents the Sign Sync connector from performing any actions on this account|
||(only defined for secondary Sign conncections) Name of secondary Sign connection (must match any secondary UMAPI connection defined in
admin_roles defines a list of zero or more group mappings that specify how user groups, product profiles, or Console admin roles
should define Sign admin role privileges.
Two types of Sign admin privileges can be assigned:
ACCOUNT_ADMIN users have admin privileges for the entire Sign account (e.g. the Sign ‘organization’ linked to the Admin Console
GROUP_ADMIN users have admin privileges for the group they are assigned according to
||Sign admin role to assign. Valid values are
||List of Adobe groups that grant the defined Sign admin privilege. Any user that is a member of any group in this list will be assigned the defined privilege|
identity_types option will limit the scope of the Sign sync connector by identity type.
The following types are valid:
identity_types is not specified, then there will be no restrictions by identity type.
For more information on the Adobe Sign Sync connector, see the tutorial.