Commit a25b172

document uses_business_id
1 parent fc7cfde commit a25b172

1 file changed

+38
-0
lines changed

docs/en/user-manual/advanced_configuration.md

Lines changed: 38 additions & 0 deletions
@@ -169,6 +169,44 @@ group name. Join them with "::". For example:
169169
- "d37::Special Ops Group"
170170
```
171171
172+
### ESM Secondary Targets
173+
174+
Organizations with Enterprise Storage Model (ESM) enabled handle users differently from traditional User Storage Model (USM) organizations.
175+
ESM organizations use Business IDs instead of Adobe IDs. Business IDs are special accounts that govern a user's profile for a specific
176+
organization. Business IDs do not directly provide authentication capabilities for users. Instead, each is linked to an Adobe ID,
177+
Enterprise ID or Federated ID that handles authentication.
178+
179+
The nature of Business IDs creates unique behavior in ESM organizations that have a trust with an existing user directory. Users
180+
with a domain belonging to the directory will always be created as Business ID instead of the actual user type (Federated or Enterprise,
181+
depending on directory settings).
182+
183+
For example, if we have a Federated directory with a claim on `example.com`, and we create a new user in the ESM trustee
184+
(e.g. `[email protected]`), then that user will be a Business ID in the trustee console and not Federate. The user will
185+
still use the configured Identity Provider to authenticate.
186+
187+
When syncing to secondary ESM targets, this feature prevents the UST from fully managing Business ID users on trustee consoles.
188+
When performing user sync on secondary targets, the UST expects the identity types between users on parent and child to match.
189+
190+
To manage Business IDs as their linked identity type, enable the `uses_business_id` option in the secondary target's UMAPI
191+
connector config file.
192+
193+
```yaml
194+
# connector-umapi-org2.yml
195+
server:
196+
host: usermanagement.adobe.io
197+
ims_host: ims-na1.adobelogin.com
198+
enterprise:
199+
org_id: xxx@AdobeOrg
200+
client_secret: xxx
201+
priv_key_path: private-org2.key
202+
client_id: xxx
203+
tech_acct_id: [email protected]
204+
uses_business_id: True
205+
```
206+
207+
This essentially overrides the Business ID user type to the type of the user from the primary target, ensuring that
208+
the full user lifecycle of the user on the secondary target is managed.
209+
172210
## Custom Attributes and Mappings
173211

174212
It is possible to define custom mappings of directory attribute
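
Review bot: The new section never says where `uses_business_id` sits in the connector file or what its default is. In the example at new lines 194-204 the key follows `tech_acct_id` with no nesting visible in this rendering, so a reader cannot tell whether it belongs under `enterprise:` or at the top level. Suggest adding one sentence that names the parent section and the default value, and that says the option applies only to the secondary target's connector file. Since new lines 207-208 say the option overrides the user type so the full user lifecycle on the secondary target is managed, it is also worth stating what the UST does with Business ID users on that target when the option is left off, so an admin knows what changes when they turn it on. Two wording points: new line 184 reads "not Federate", which should be "not Federated", and "this feature" at new line 187 would be clearer as "this behavior", because it refers to the Business ID conversion described above and not to a UST feature.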
