Dev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

User security

Describes the security measures you can take with users in Optimizely Configured Commerce.

Users can be created through four different processes:

  • Pre-populated through ERP system integration
  • Uploaded via Template (usually during implementation)
  • Manually via the Admin Console
  • Automatically when a new customer creates an order

Personal information

Although, username and email address are the only required fields, additional information may be entered. The amount of information stored about the user is dependent on the method with which the user was created. Generally, detailed information about users automatically created for new customers is stored within the customer record itself; however, fields such as whether or not the user has subscribed to emails are stored within the user record.


Optimizely Configured Commerce uses .Net Membership Role-based security. Users are assigned roles which manage the Admin Console and/or control website functions that the user may or may not be able to access.

Security functions, such as changing or resetting passwords and unlocking users, are also performed within the Users module via transactions with the .Net Membership Services.


To maintain PA-DSS compliance, passwords must meet the following requirements (set within the Web.Config file):

  • The password must have a minimum length of 7 characters
  • The password must contain both numeric and alphabetic characters

In addition to the requirements on the password itself, PA-DSS requires that admin user passwords (users who log in to the Admin Console) expire at least every 90 days and that the system keeps track of user passwords when changed. Finally, PA-DSS also requires that new passwords are different from the user's last four passwords


When a new customer creates an account on the website to place an order, a user record is created automatically and associated with that customer record. There are some instances that require a user to be associated with multiple customers; this is common in business-to-business implementations where a sales representative needs to place orders for multiple customers. Additionally, cases such as department stores with multiple buyers require many users to be associated with a single customer. The Admin Console natively supports all three of these models.

Custom properties

Custom property fields are available to facilitate implementation-specific, custom functionality. These can be found within the Application Dictionary article.