Workfront

ChristinaJa · 3/6/24

Our migration to the Adobe Admin console for managing Workfront access has caused significant frustrations and additional work for Workfront system admins.

This contradicts the 'seamless' migration that we were promised.

Despite using multiple Adobe products with the console managed by IT, the migration has led to several issues below. Can you confirm/deny any of these issues you have experienced with migration to the Adobe Admin console?

Issue 1: User creation and management

Before requesting a Workfront (WF) license from the SysAdmin, a user is automatically created in WF with default access. This prevents cloning an existing user's setup for new team members. Deleting the auto-created user doesn't work due to syncing issues with the Adobe console.

The catch-22: Either manually set up each new user from scratch or create the user first before requesting a WF license assignment.

This process creates unnecessary back-and-forth between the Adobe admin and the WF SysAdmin, causing delays in user provisioning.

Issue 2 - User deactivations

For non-SSO users, deactivation by Adobe flags them as non-secure. Upon reactivation, the system admin user loses all data (reports, layouts, queues) previously associated to the user role. The WF admin cannot modify the email or restore admin status without deactivating in Adobe console.

Issue 3 - User modifications

Changing a user's email address requires creating a duplicate user, deactivating the old, changing the email, deactivating the duplicate, re-adding the email, and reactivating.

Issue 4 - Missing Audit Logs

The audit log functionality to view login errors, system changes, etc. is no longer available.

Issue 5 - Missing SSO Mapping

Direct mapping from SSO to departments/titles/phone numbers is no longer possible, making it difficult to review access by department.

Issue 7 - Automatic End User Notification

Users receive notifications from Adobe for any add/change/removal, causing confusion and distrust.

Issue 8 (Possible) - Reset of system preferences

Custom forms were unexpectedly reset to system-wide availability, presenting potential risk.

KatherineLa · 3/7/24

We have not yet been able to migrate due to Adobe requiring updates to our DNS setup that are not going to be approved by my IT governance council. That being said, thank you for sharing, this is a rather concerning list of bugs especially with respect to missing audit logs.

Kelly_Wehrmann · 3/8/24

Thanks for sharing this list of issues. A lot of good information here and it has me even more skeptical about how "seamless" this is actually going to be.

Have you received any additional feedback or a response from Support about any of these Issues?

Are y'all using SSO? Just asking for clarification because in Issue #2 you mentioned non-SSO users, but in Issue #8 you mention missing SSO mapping. It is my understanding that all of our users will be on SSO once migrated; currently we do not use SSO.

Thanks.

ChristinaJa · 3/8/24

We have some users (external consultants, profiles setup for use when the 'profile' email address is a shared mailbox) that is not directly linked to SSO. So, it shows up as a risk since it's not linked to a Federated ID. So, its an educational issue that we hadn't encountered before.

But yes, the SSO mapping is not working now. I dont know.

Support has been GREAT but I dont think they even are aware of some of the 'ripple effects' from the move.

For instance, my support person later confirmed that indeed - the ability to delete users entirely has been removed from WF. (not helpful for me).

In other news, the audit logs which were not available (and the migration specialist said it was a loss) is now BACK!

I just feel like Workfront is a round peg being shoved in a square Adobe hole and whatever happens, happens. Growing pains, maybe? I dont know.

TimLe4 · 3/11/24

Hi Christina,

Thanks so much for sharing. This is very valuable. We are currently testing in the Sandbox - a few questions for you:

How did you resolve mapping a new user's information such as department, title, etc? The admin console only appears to have functionality to map first/last name, email and country.
Can you explain item #7 "Users receive notifications from Adobe for any add/change/removal" a bit more? Do you mean a user receives notification when anything impacts their account specifically, or is it more frequent than that?

Thanks!

Tim

ChristinaJa · 3/11/24

How did you resolve mapping a new user's information such as department, title, etc? The admin console only appears to have functionality to map first/last name, email and country.

We've lost the ability to do so: I can manually type in what may or may not be on our intranet, but anyone that changes departments, job titles, phone numbers.....nada. It's a big loss for us.

Can you explain item #7 "Users receive notifications from Adobe for any add/change/removal" a bit more? Do you mean a user receives notification when anything impacts their account specifically, or is it more frequent than that?

I'll have to find an example. It's more like a automatic email that 'You have been added to Workfront as a xyz person"

I believe after the first 1-2 I was able to request support suppress the notification.

TimLe4 · 3/11/24

Thanks Christina. So far, I am not finding a way to map those fields either. I am finding work arounds for many of the other issues mentioned (or they are not impacting us), but this one is a problem. For those of us with Fusion, it could pull values for users from AD on user creation and then slice those into the user record, but to keep that updated would mean a second scenario querying hundreds of users and comparing values daily 'just in case' something changed.

JonahMc · 3/12/24

Hi Christina,

Thank you for your feedback and patience as we onboard Workfront to the Adobe ecosystem! I have a few comments and questions when you have the time.

Issue 1: User creation and management

Are you using "Zero Touch" for user account provisioning or are you using something else such as Directory Sync?

If you're using one of those features, newly created users will indeed be created in Workfront with the default "request" access level which is in line with how "Auto-Provisioning" behaved prior to the migration.

The ability to delete users is in the process of being removed entirely and is unrelated to the migration due to issues and complications around restoring user data. Happy to hear your use case and reasoning for deleting users and take that back to our team.

On our Roadmap:

We are early in the design phase but we want to give customers the ability to create their own "default user profile."

Our intention is to give admins the ability to determine what attributes a user has (such as role, access level, layout template, etc..) when they are created automatically via the console using any of the existing methods such as Zero Touch, Directory Sync, or if they are created ad-hoc within in the console manually. After the user is created, admins will then be able to update the user profile inside Workfront just like they are able to prior to migration.

Issue 2 - User deactivations
This seems abnormal and would like to understand what flagging them as non-secure means.

Have you worked with customer support on this? I recommend working with them as we'll need more information to understand the exact steps to duplicate this behavior and prevent data loss from happening in the future because no data loss is expected as a result of a migration.

Issue 3 - User modifications

This is a tricky one due to the way the console handles email address modifications. I agree that the current process is not ideal but we have an item on our backlog to improve this process later this year. I am unable to provide an exact ETA at the moment.

Issue 4 - Missing Audit Logs

This is unexpected as the migration should not impact audit logs. I recommend working with support if this is still a problem.

Issue 5 - Missing SSO Mapping

Attribute Mapping via SSO/SAML is live in Workfront production if you are migrated to the console. If attribute mapping was configured before migration, you are able to automatically map previously configured attributes so long as your SSO provider is still passing them to Adobe during the sign in process. Please contact support if you have questions or need assistance.

Note- Within the console you will still only see first name, last name, and email address. All other Workfron-specific attributes will remain in Workfront.

Lastly, were you using Attribute Mapping prior to your migration to the console?

Issue 7 - Automatic End User Notification

Which email(s) are you referring to? Some emails can be suppressed and others cannot. Emails that cannot be suppressed are usually required for account creation and without accepting the invite in those specific emails then the user will never be able to sign in.

Issue 8 (Possible) - Reset of system preferences

This definitely not expected as a part of the migration. Has a case been raised with support to determine the root cause and has it been resolved?

Thanks!

Doug_Den_Hoed__AtAppStore · 3/15/24

Thanks @JonahMc,

For those who've read this thread, I invite you to also check out (and contribute to) the new Adobe Admin Console: Dear Diary... post I just created.

Regards,

Doug

Workfront

Admin Console - Post Migration Issues?

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe