
Authorization and authentication

Describes the authentication and authorization model in Optimizely Commerce Connect

Authentication in Optimizely Commerce Connect and Optimizely Content Management System (CMS) is based on the ASP.NET Core built-in framework for users and roles. Optimizely CMS uses a standard API so you can create your own provider for any user database or third-party provider.

The Optimizely Commerce Connect sample site also includes several predefined users, groups, and roles for managing content and administering commerce tasks.

Terminology

Optimizely Commerce Connect uses authentication and authorization to identify users and user groups and determine what they are allowed to do. The following terms are used throughout this article:

  • Authentication – The process of identifying a user, typically with a username and password.
  • Authorization – The process of determining the actions a user is allowed to perform.

Administer security and access rights

When you administer access rights, use the following distinct components, which are loosely tied together. The EPiServer.CMS.UI.AspNetIdentity package implements and registers the UIUserProvider, UIRoleProvider, UISignInManager, and SecurityEntity providers in the container.

  • Users – Delivered by the current UIUserProvider.
  • Roles – Delivered by the current UIRoleProvider and the virtual roles.
  • Access control lists (ACLs) – A list of SecurityEntity classes and an access level.

A security entity is a name combined with information stating whether the name represents a role or a user. A security entity in an ACL is not affected by changes in the UIUserProvider or UIRoleProvider implementations. For example, if you delete a role and then open an ACL that had an access entry for that role, the entry still appears in the ACL.

Commerce Connect-specific virtual roles

In addition to the default Optimizely CMS groups (such as WebAdmins and WebEditors), Commerce Connect provides virtual roles that control access and visibility to parts of the UI.

  • BusinessFoundations – Access to the Business Foundations interface.
  • CatalogIndexing – Access to the Catalog Indexing page.
  • CatalogManagers – Access to the Catalogs UI.
  • CommerceAdmins – Access to all parts of Commerce Connect except the Administration and CMS Admin pages.
  • Countries – Access to the Countries page.
  • CustomerManagers – Access to the Customer interface.
  • CustomerServiceRepresentatives – Access to the Order management page.
  • Dashboard – Access to the Dashboard page.
  • Dictionaries – Access to the Dictionaries page.
  • MarketingManagers – Access to the Marketing UI.
  • Markets – Access to the Market page.
  • PaymentMethods – Access to the Payments page.
  • ReportManagers – Access to the Report page.
  • ShippingMethods – Access to the Shipping interface.
  • Taxes – Access to the Taxes interface.
  • Warehouses – Access to the Warehouse page.

Add the virtual roles to appsettings.json. The following configuration registers CatalogManagers and CustomerManagers as virtual roles:

{
  "EPiServer": {
    "Cms": {
      "VirtualRole": {
        "Roles": {
          "CatalogManagers": {},
          "CustomerManagers": {}
        }
      }
    }
  }
}
Note

MarketingManagers also have access to the CMS editor by default. To restrict this group's ability to edit content, limit access through Admin > Set Access Rights and grant Read access to MarketingManagers.

To add a role, add a user to a role, or check if a user is assigned to a role, use UIRoleProvider.

// Create a role, assign a user to it, and read back the user's roles.
// The provider methods are asynchronous, so await them from an async method.
await _roleProvider.CreateRoleAsync(roleName);
await _roleProvider.AddUserToRoleAsync(userName, roleName);
var userRoles = await _roleProvider.GetRolesForUserAsync(userName);
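The following is an added example, not code from the article or from Optimizely, showing how the UIRoleProvider calls above fit together as an idempotent role assignment, and how the same role name is then enforced by ASP.NET Core authorization. It assumes UIRoleProvider is injected from the container (the article states the AspNetIdentity package registers it there), that the provider exposes a RoleExistsAsync method (an assumption, not shown on the page), and that CatalogManagers is the role being gated.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using EPiServer.Shell.Security;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example: wraps UIRoleProvider so that assigning a commerce role is
// safe to run more than once and reports the roles the user ends up with.
public class CommerceRoleAssignment
{
    private readonly UIRoleProvider _roleProvider;

    public CommerceRoleAssignment(UIRoleProvider roleProvider)
    {
        // Registered in the container by EPiServer.CMS.UI.AspNetIdentity.
        _roleProvider = roleProvider;
    }

    // Adds userName to roleName only when needed; returns the user's roles afterwards.
    public async Task<IReadOnlyCollection<string>> EnsureUserInRoleAsync(string userName, string roleName)
    {
        // Assumption: RoleExistsAsync exists on the provider (not shown in the article).
        if (!await _roleProvider.RoleExistsAsync(roleName))
        {
            await _roleProvider.CreateRoleAsync(roleName);
        }

        // Check membership first so a repeated call does not try to add the user twice.
        var current = (await _roleProvider.GetRolesForUserAsync(userName)).ToList();
        if (!current.Contains(roleName))
        {
            await _roleProvider.AddUserToRoleAsync(userName, roleName);
            current = (await _roleProvider.GetRolesForUserAsync(userName)).ToList();
        }
        return current;
    }
}

// The role name assigned above is also what ASP.NET Core authorization checks:
// only members of CatalogManagers reach this controller's actions.
[Authorize(Roles = "CatalogManagers")]
public class CatalogMaintenanceController : Controller
{
    public IActionResult Index() => Content("Catalog tooling for CatalogManagers only");
}
```

Because the virtual roles in appsettings.json only govern visibility of UI areas, gating your own endpoints with [Authorize(Roles = ...)] is what keeps a user who lacks the role from reaching the underlying action.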