Applies to enterprise & teams.
The Business Storage model gives a business control over assets their employees create, by assigning them cloud storage that is specifically owned by the business. Business Storage enables all kinds of new features for controlled sharing and collaboration. The new model provides significant business value, allowing companies to exert control over cloud data, mitigate IP risks, and reclaim assets when an employee leaves the company.
To achieve this, we created a new user account model that separates authentication from authorization.
- Authentication proves that you are who you say you are. When you log in with a username and password, you are authenticating.
- Authorization proves that you have the right to use the product or service you are trying to access. After authentication, the system checks a user's entitlement profile to determine whether that user is authorized.
An admin delegates access to a specific offering by adding users and groups to a product profile. Those users are authorized to use that product.
Previously, all authorization details for a user (including access to cloud storage) were kept with the user's authentication account. In the new model, the user's authentication information is kept in the user's account as before, but for business users, authorizations are kept in a separate business profile. This profile-only account associates an authentication account with an entitlement profile for a specific organization. For more details, see Understanding Profiles.
About Authentication Accounts
Authentication accounts associate an email address with login credentials (usually a password) that are stored at Adobe. They contain user-specific information such as the user's name and group memberships.
Anyone can have a personal Adobe ID account, whether or not they use it for business. The username is an email address in any unclaimed or public domain, and the credentials are controlled by the user, at account.adobe.com.
In the previous model, when Adobe teams and enterprise customers added Adobe ID users to their directories, entitlements delegated by the business were added directly to a profile in the user's account. In the new model, the business entitlements need to be kept separate, so that assets can be stored properly in the business-owned cloud storage.
When you are updated to the new model, existing Adobe ID users are moved to Enterprise storage, and their business authorizations are moved into the new account. They still own their Adobe ID account, and authenticate with their Adobe ID credentials.
Managed authentication accounts for enterprises
Enterprise customers can manage their users' authentication credentials using one of Adobe's Managed account types:
- Enterprise ID: If your organization has a claimed or trusted domain, you can use that domain to give users an Enterprise ID. These users will sign in using their organization email in your claimed domain.
- Federated ID: If your organization has also set up and integrated SSO with the Admin Console, your users can sign in using single sign-on with an email in a federated domain.
In the Enterprise storage model, each of these managed ID users also has a Business account, which links their User Profile with their managed authentication account.
When you add managed users to a Console that has been updated, the system automatically assigns the correct type of authentication account (Enterprise or Federated) based on the user email domain, regardless of any Identity Type value you specify in a CSV file or UMAPI call.
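Because the email domain decides the account type, a bulk-upload file can be checked before import for rows whose Identity Type value will be ignored. The following is an added example, not Adobe's code: the two-column CSV layout, the domain-to-type mapping and all sample addresses are constructed assumptions, and domains missing from the mapping are reported as not covered rather than guessed.

```python
import csv
import io

# Assumed directory setup for one organization: email domain -> the managed
# account type the Console assigns. Domains here are constructed samples.
DOMAIN_TYPES = {
    "example.com": "Federated ID",
    "corp.example.org": "Enterprise ID",
}

# Constructed upload file; only the two columns this check needs are shown.
SAMPLE_CSV = """Identity Type,Email
Enterprise ID,ana@example.com
Federated ID,raj@example.com
Federated ID,li@corp.example.org
Enterprise ID,sam@unlisted.example.net
"""

def effective_types(csv_text, domain_types):
    """Compare the Identity Type requested per row with the domain's type."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["Email"].strip().lower()
        requested = row["Identity Type"].strip()
        domain = email.rpartition("@")[2]
        effective = domain_types.get(domain)  # None: domain not in the mapping
        results.append({
            "email": email,
            "requested": requested,
            "effective": effective,
            # The requested value is ignored when the domain maps elsewhere.
            "overridden": effective is not None and effective != requested,
        })
    return results

if __name__ == "__main__":
    for r in effective_types(SAMPLE_CSV, DOMAIN_TYPES):
        if r["effective"] is None:
            print(f"{r['email']}: domain not covered by the mapping")
        elif r["overridden"]:
            print(f"{r['email']}: requested {r['requested']}, "
                  f"will be {r['effective']}")
```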
Choosing Adobe Profiles
Cloud storage authorization can come from different sources. A user can have personal access; in fact, all Adobe IDs come with some personal cloud storage, and storage can be part of products and services that individuals purchase on their own. A business user can have authorization for both personal and business storage, and can even have authorization for business storage from different organizations.
In the previous model, there was no way to distinguish assets created with different authorization sources. Separating authentication accounts from authorization information allows the sign-in process to identify which profile is in use, and therefore whose cloud storage is used for work done in a particular session.
In the new model, all users still authenticate using their personal or managed credentials. If they potentially have multiple sources of authorization, they might also have to choose an entitlement profile for the specific organization they are working for at the time.
Multiple authorization sources
A user can have profiles in more than one organization, just as they can have authentication accounts in more than one organization. This means they might have more than one source of authorization for business storage. If so, they can choose the appropriate entitlement profile as part of the login workflow.
If an employee uses Adobe ID credentials to authenticate, they have a mix of personal and business authorizations. To make sure the business owns assets their employees create with the business license, the update process creates profile-only accounts for these users.
- As part of the update process, all assets that were previously associated with the personal account might be moved into business storage. To prepare for the update, a user might have to download any personal assets and store them locally.
- The user will still use the Adobe ID credentials to authenticate, but they will then have to choose either their Personal Profile or the Organization Profile to complete the sign-in process.
Multiple authentication accounts
An email address in a federated domain (such as adobe.com) can be used for both an Adobe ID and a Federated ID in the same organization. When this happens, the user sees an account picker to choose which account to sign in with. Once they have chosen the account, they could see the profile picker to choose from profiles associated with that account.
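The sign-in resolution described in this section can be modelled in a few lines: pick the authentication account first, then the entitlement profile, and let the profile decide whose storage the session uses. This is an added illustration, not Adobe's implementation; the class names, the `sign_in` function and the sample user and organization are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    storage_owner: str  # "personal" or the owning organization's name

@dataclass
class AuthAccount:
    email: str
    kind: str  # "Adobe ID", "Enterprise ID" or "Federated ID"
    profiles: list = field(default_factory=list)

def choose(options, key, wanted, what, pickers):
    """Return the only option, or the one the user picked when several exist."""
    if not options:
        raise LookupError(f"no {what} available")
    if len(options) == 1:
        return options[0]
    pickers.append(what)  # the sign-in flow would show a picker here
    for option in options:
        if key(option) == wanted:
            return option
    raise ValueError(f"{what} choice required")

def sign_in(accounts, email, account_kind=None, profile_name=None):
    """Resolve one session: which account authenticates, whose storage is used."""
    pickers = []
    same_email = [a for a in accounts if a.email == email]
    account = choose(same_email, lambda a: a.kind, account_kind, "account", pickers)
    # Credential verification would happen here; authorization is separate.
    profile = choose(account.profiles, lambda p: p.name, profile_name, "profile", pickers)
    return {"account": account.kind, "profile": profile.name,
            "storage_owner": profile.storage_owner, "pickers": pickers}

# Constructed directory: one email with both an Adobe ID and a Federated ID.
ACCOUNTS = [
    AuthAccount("pat@example.com", "Adobe ID", [
        Profile("Personal Profile", "personal"),
        Profile("Example Corp", "Example Corp"),
    ]),
    AuthAccount("pat@example.com", "Federated ID", [
        Profile("Example Corp", "Example Corp"),
    ]),
]

if __name__ == "__main__":
    print(sign_in(ACCOUNTS, "pat@example.com", "Adobe ID", "Example Corp"))
    print(sign_in(ACCOUNTS, "pat@example.com", "Federated ID"))
```

The same Adobe ID credentials lead to personal or business storage depending only on the profile chosen, which is the separation of authentication from authorization that the model relies on.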