User Guide Cancel

Update organization policies

Search
Enterprise

Enterprise

Admin Console
  1. Adobe Enterprise & Teams: Administration guide
  2. Plan your deployment
    1. Basic concepts
      1. Licensing
      2. Identity
      3. User management
      4. App deployment
      5. Admin Console overview
      6. Admin roles
    2. Deployment Guides
      1. Named User deployment guide
      2. SDL deployment guide
      3. Deploy Adobe Acrobat 
    3. Deploy Creative Cloud for education
      1. Deployment home
      2. K-12 Onboarding Wizard
      3. Simple setup
      4. Syncing Users
      5. Roster Sync K-12 (US)
      6. Key licensing concepts
      7. Deployment options
      8. Quick tips
      9. Approve Adobe apps in Google Admin Console
      10. Enable Adobe Express in Google Classroom
      11. Integration with Canvas LMS
      12. Integration with Blackboard Learn
      13. Configuring SSO for District Portals and LMSs
      14. Add users through Roster Sync
      15. Kivuto FAQ
      16. Primary and Secondary institution eligibility guidelines
  3. Set up your organization
    1. Identity types | Overview
    2. Set up identity | Overview
    3. Set up organization with Enterprise ID
    4. Setup Azure AD federation and sync
      1. Set up SSO with Microsoft via Azure OIDC
      2. Add Azure Sync to your directory
      3. Role sync for Education
      4. Azure Connector FAQ
    5. Set up Google Federation and sync
      1. Set up SSO with Google Federation
      2. Add Google Sync to your directory
      3. Google federation FAQ
    6. Set up organization with Microsoft ADFS
    7. Set up organization for District Portals and LMS
    8. Set up organization with other Identity providers
      1. Create a directory
      2. Verify ownership of a domain
      3. Add domains to directories
    9. SSO common questions and troubleshooting
      1. SSO Common questions
      2. SSO Troubleshooting
      3. Education common questions
  4. Manage your organization setup
    1. Manage existing domains and directories
    2. Enable automatic account creation
    3. Set up organization via directory trust
    4. Migrate to a new authentication provider 
    5. Asset settings
    6. Authentication settings
    7. Privacy and security contacts
    8. Console settings
    9. Manage encryption  
  5. Manage users
    1. Overview
    2. Administrative roles
    3. User management strategies
      1. Manage users individually   
      2. Manage multiple users (Bulk CSV)
      3. User Sync tool (UST)
      4. Microsoft Azure Sync
      5. Google Federation Sync
    4. Assign licenses to a Teams user
    5. Add users with matching email domains
    6. Change user's identity type
    7. Manage user groups
    8. Manage directory users
    9. Manage developers
    10. Migrate existing users to the Adobe Admin Console
    11. Migrate user management to the Adobe Admin Console
  6. Manage products and entitlements
    1. Manage products and product profiles
      1. Manage products
      2. Buy products and licenses
      3. Manage product profiles for enterprise users
      4. Manage automatic assignment rules
      5. Entitle users to train Firefly custom models
      6. Review product requests
      7. Manage self-service policies
      8. Manage app integrations
      9. Manage product permissions in the Admin Console  
      10. Enable/disable services for a product profile
      11. Single App | Creative Cloud for enterprise
      12. Optional services
    2. Manage Shared Device licenses
      1. What's new
      2. Deployment guide
      3. Create packages
      4. Recover licenses
      5. Manage profiles
      6. Licensing toolkit
      7. Shared Device Licensing FAQ
  7. Get started with Global Admin Console
    1. Adopt global administration
    2. Select your organization
    3. Manage organization hierarchy
    4. Manage product profiles
    5. Manage administrators
    6. Manage user groups
    7. Update organization policies
    8. Manage policy templates
    9. Allocate products to child organizations
    10. Execute pending jobs
    11. Explore insights
    12. Export or import organization structure
  8. Manage storage and assets
    1. Storage
      1. Manage enterprise storage
      2. Adobe Creative Cloud: Update to storage
      3. Manage Adobe storage
    2. Asset migration
      1. Automated Asset Migration
      2. Automated Asset Migration FAQ  
      3. Manage transferred assets
    3. Reclaim assets from a user
    4. Student asset migration | EDU only
      1. Automatic student asset migration
      2. Migrate your assets
  9. Manage services
    1. Adobe Stock
      1. Adobe Stock credit packs for teams
      2. Adobe Stock for enterprise
      3. Use Adobe Stock for enterprise
      4. Adobe Stock License Approval
    2. Custom fonts
    3. Adobe Asset Link
      1. Overview
      2. Create user group
      3. Configure Adobe Experience Manager Assets
      4. Configure and install Adobe Asset Link
      5. Manage assets
      6. Adobe Asset Link for XD
    4. Adobe Acrobat Sign
      1. Set up Adobe Acrobat Sign for enterprise or teams
      2. Adobe Acrobat Sign - Team feature Administrator
      3. Manage Adobe Acrobat Sign on the Admin Console
    5. Creative Cloud for enterprise - free membership
      1. Overview
  10. Deploy apps and updates
    1. Overview
      1. Deploy and deliver apps and updates
      2. Plan to deploy
      3. Prepare to deploy
    2. Create packages
      1. Package apps via the Admin Console
      2. Create Named User Licensing Packages
      3. Adobe templates for packages
      4. Manage packages
      5. Manage device licenses
      6. Serial number licensing
    3. Customize packages
      1. Customize the Creative Cloud desktop app
      2. Include extensions in your package
    4. Deploy Packages 
      1. Deploy packages
      2. Deploy Adobe packages using Microsoft Intune
      3. Deploy Adobe packages with SCCM
      4. Deploy Adobe packages with ARD
      5. Install products in the Exceptions folder
      6. Uninstall Creative Cloud products
      7. Use Adobe provisioning toolkit enterprise edition
      8. Adobe Creative Cloud licensing identifiers
    5. Manage updates
      1. Change management for Adobe enterprise and teams customers
      2. Deploy updates
    6. Adobe Update Server Setup Tool (AUSST)
      1. AUSST Overview
      2. Set up the internal update server
      3. Maintain the internal update server
      4. Common use cases of AUSST   
      5. Troubleshoot the internal update server
    7. Adobe Remote Update Manager (RUM)
      1. Use Adobe Remote Update Manager
      2. Resolve RUM errors
    8. Troubleshoot
      1. Troubleshoot Creative Cloud apps installation and uninstallation errors
      2. Query client machines to check if a package is deployed
      3. Creative Cloud package "Installation Failed" error message
  11. Manage your Teams account
    1. Overview
    2. Update payment details
    3. Manage invoices
    4. Change contract owner
    5. Change your plan
    6. Change reseller
    7. Cancel your plan
    8. Purchase Request compliance
    9. Manage your team in Adobe Express
  12. Renewals
    1. Teams membership: Renewals
    2. Enterprise in VIP: Renewals and compliance
  13. Manage contracts
    1. Automated expiration stages for ETLA contracts
    2. Switching contract types within an existing Adobe Admin Console
    3. Value Incentive Plan (VIP) in China
    4. VIP Select help
  14. Reports & logs
    1. Audit Log
    2. Assignment reports
    3. Content Logs
  15. Get help
    1. Contact Adobe Customer Care
    2. Support options for teams accounts
    3. Support options for enterprise accounts
    4. Support options for Experience Cloud

Learn how a global administrator can set and modify policies for an organization and its children.

In the Global Admin Console, select an organization from the hierarchy, and navigate to the Policies tab to allow or disallow, or lock the policies.

Sign in to the Global Admin Console

Policies are associated with an organization and restrict operations that can be performed on that organization. When a policy value is set, it restricts or enables actions from that point forward. For example, if Claim Domains policy is set to not allowed, no additional domains can be claimed but any domains claimed before setting the policy value are not affected. To modify the policies of an organization, do the following:

Configure policies

  1. In the Global Admin Console, select an organization to edit, then navigate to the Policies tab.

  2. Select the toggle for the relevant policy to allow or disallow it.

    You can also lock a policy so no one except a global administrator of the organization selected in the organization picker or its parent organization can change or unlock it.

  3. To lock a policy, select the Lock  icon. Hovering on the lock now displays the name of the selected organization. Learn more about policy locks.

  4. Select Review Pending Changes after you are done editing the organizations. After reviewing, select Submit Changes to execute them.

Policy locks

When a policy is locked, its value cannot be changed until the policy is unlocked. The Global Admin Console remembers the selected organizataion in the organization picker as being the organization from which the policy was locked. Any global administrator of that selected organization or of any organization higher in the tree has the permission to unlock the policy. Global administrators whose scope is lower than that organization do not have the permission to unlock and change policy values.

To create a locked-down environment, set desired policy values on your child organizations and then lock them. global administrators of those child organizations will not be able to edit the policy values.

For example, if Elissa, the global administrator of Acme Division creates child orgs, Marketing and Engineering. Then, adds Robert as a global admin of Marketing and Sarah as global admin of Engineering. Next, she sets several policies to Not Allowed and locks them. Elissa can later unlock and change the policy values when she chooses Acme Division as the selected organization, but Robert and Sarah cannot unlock the policies on the organizations they are global admins of because the policies are locked by the organization Acme Division.

Policy details

Policy Category

Policy Name

Description

Organization Management

Create Child Orgs

Allows global admin(s) to create child orgs. If off, no child orgs can be created.

Rename Org

If allowed, a global or system admin can rename the org. It also controls changing the country/region of the org. The pathname of an organization can also be changed independently of this policy setting if a parent organization is renamed, or the organization or an ancestor of the organization is reparented.

Allows global admin(s) to delete child organizations. This becomes more important when organizations with Enterprise Storage are enabled due to the risk of deleting user assets.

Delete Orgs

Administrator Management

Add or Delete Admins

Allows global admin(s) to add new admins to an organization. If off, new admins cannot be added.

Inherit System Admins from Parent when Child Org is Created

When global admin(s) create new child organizations, systems admins of the parent become system admins of the new organization automatically. This policy is default off.

Manage Admins

Allows global admin(s) to change or remove/edit admin permissions.

User Management

Inherit Users from Directories Managed by the Parent Org

This policy must be toggled on and active prior to creating the new child org.

When a child organization is created, users in the parent organization are made available as users in the child org. In other words, this policy automatically sets up a trust relationship between the parent and the child when the new child is created within GAC.

For existing orgs, any trust relationships prior to being added to GAC will remain once brought into GAC. If there were no trust relationships in place, the usual trust request process must be followed.

For this policy to be successful, the global admin who creates the new organization must also be a system admin of the parent organization with the claimed domain. If not, the domain trust relationship will not be inherited into the newly created org.

Add Adobe ID Users

If set, the organization cannot add Adobe ID type users via the Admin Console, User Management API (UMAPI), or sync mechanism.

Manage User Groups

If allowed, Global, System, and user group admins can create, edit, and delete User Groups.

Directory and Domain Enforcement

Claim Domains

Change Identity Configuration

If set, system admins can claim domains on the Admin Console.

If set, system admins can change the setup of user identity configuration on the Admin Console.

Product Allocation

Manage Products

Allows global admin(s) to add or remove products and change product resource grants.

Asset Sharing

System or Storage admin can change asset sharing settings

If allowed, storage and system admins can change asset sharing settings, including security contacts, password policy, and storage policy.

If allowed, asset sharing settings are inherited from the parent when a child organization is created. Asset sharing settings include security contacts, password policy, and storage policy.

This only applies to newly created orgs at the time of creation. It is set on a parent and affects the creation of child orgs under that parent.

Inherit sharing policy from a parent when an organization is created

 

 

 Adobe

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links

Legal Notices    |    Online Privacy Policy