Adobe Experience Manager Sites & More

anurag_dang · 6/3/25

Hello,

We have a business requirement where we have created a user group called as "Group A" to onboard users to AEM, all the users that are added to this group will get the access to AEM according to the privileges applied to this group. Now as per the normal functioning in admin console, only the Admins of "Group A" can add the users to this group, now our requirement is that we create a new user group for "Onboarding Users to AEM" which can be called as "Group B", all the users inside this group can add users to "Group A" and to do that these users must be admins of Group A, is there any way through which we can add the "Group B" directly as the admin in Group A instead of adding individual users as admins.

Thanks

SantoshSai · 6/3/25

Hi @anurag_dang,

In Admin Console, I think, you cannot assign a user group (eg. "Group B") as an admin of another user group (eg. "Group A") directly. Adobe Admin Console does not support nested group administration, meaning:

You must assign individual users as admins of a group — group-to-group admin relationships are not supported.

Workaround Options

Although direct group admin delegation isn’t possible, here are a couple of workable alternatives to manage onboarding cleanly:

Option 1: Automate via Admin Console API

You can script the process using the Adobe User Management API to:

Automatically add members of Group B as admins of Group A.

Steps:

Maintain users in Group B normally.
Periodically (via cron or webhook) check Group B’s membership.
Use the API to make each Group B user an admin of Group A if they are not already.

Adobe User Management API:
https://adobe-apiplatform.github.io/umapi-documentation/en/

Option 2: Manual Sync Process

If automation is not feasible:

Create an SOP (standard operating procedure) for your AEM/Adobe Admin.
Whenever a user is added to Group B, ensure they are also manually made an admin of Group A.

Adobe’s Admin Console is user-based when it comes to group admin roles for security and auditability. Allowing groups to be admins of other groups could obscure who has actual permission to manage access.

Santosh Sai

AmitVishwakarma · 6/4/25

Hi @anurag_dang ,

Adobe Admin Console does not allow assigning one user group (e.g., Group B) as the admin of another group (e.g., Group A).

Admins must be individual users, not groups.

Try below solution:

Automate Admin Role Sync

Step 1: Create Groups in Admin Console

Group A = Target AEM access group

Group B = Onboarding Managers

Note: Only users in Group A get AEM access.
Users in Group B should get admin rights over Group A via automation.

Step 2: Setup Adobe UMAPI Integration

Adobe's User Management API (UMAPI) lets you automate admin tasks.

Docs: UMAPI Official Docs

Install the tool:

pip install user-sync

Step 3: Create a Script or Use User Sync Tool

Fetch all users in Group B

Loop over each user and assign them as Admin of Group A

Sample Python Script (using UMAPI SDK):

from umapi_client import Client
from umapi_client.auth import JWTAuth

auth = JWTAuth(
    org_id="your_org_id",
    tech_acct="your_tech_account_id",
    api_key="your_api_key",
    client_secret="your_client_secret",
    private_key_file="private.key",
)

client = Client(auth)

group_b_users = client.get_group_users("Group B")

for user in group_b_users:
    client.add_user_to_group(user['email'], "Group A", admin=True)

Schedule this daily using a cron job or pipeline.

Step 4: Monitor or Log Actions

Ensure your job logs who was promoted to admin in Group A from Group B for traceability.

Alternative (Manual SOP if Automation Not Feasible)

If scripting is not allowed:

Document a simple onboarding SOP.

Anytime a user is added to Group B, manually add them as Group A admin.

Keep a shared tracker (Excel/Confluence).

Regards,
Amit

PandaBa · 6/4/25

Sorry Adobe Admin Console does not support assigning a group (like Group B) as an admin of another group (like Group A). Only individual users can be assigned as admins of a product profile or user group.

What You Can Do Instead

1. Create a Custom "Delegated Admin" Role

If you want users in Group B to manage Group A's membership, you'll need to:

->Manually assign each user in Group B as an admin of Group A in Admin Console.

2. Automate the Assignment (Optional / Advanced)

If you're using Azure AD / Okta / SCIM provisioning, you can:

Sync Group B membership to a role-based admin assignment process using Adobe's User Management API.

Adobe User Management API (UMAPI) allows you to automate:

Assigning product profile (group) admins

Adding/removing users to/from groups

With this approach, you can:

Detect users added to Group B (in your IDP)

Automatically assign them as admins of Group A using UMAPI

3. Alternative: AEM-side Delegation

If the need is only to manage group membership within AEM itself (not in Admin Console), and you're managing users via local AEM groups (e.g., in AMS / on-prem):

You can create a group (Group B) and assign them ACLs on /home/groups and /home/users to manage group A members.

Adobe Experience Manager Sites & More

Can we add an ims user group as an admin to another ims user group in admin console

Workaround Options

Option 1: Automate via Admin Console API

Option 2: Manual Sync Process

Santosh Sai

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe