Site Security, housed in the Application Dictionary of the Admin Console, manages the creation rights and site visibility for Optimizely Configured Commerce users. Security is handled on both the entity level and the user role level. Although the Admin Console comes with several default user roles, custom roles can be created to fit specific business needs.
## Security hierarchy
Security is determined from the most general to the most specific, and the more open setting takes precedence over the more secure one. For example, if a user has two roles, one with access to a page and one without access to a page, the user would still be able to access the page.
## Entity permission
There are three security levels that control the extent to which a user can interact with Admin Console entities. Each level guarantees access to the lower level, such that if a user can Create, she can also Edit and View. If she cannot Create, but can Edit, she can also View. This is dynamically reflected in the UI of the Application Dictionary.
The exception to this is **Can Delete**. **Can Delete** grants only **Can View**; it does not grant **Can Edit** or **Can Create**.
By default, all Application Dictionary permissions are set to **Inherit**. The Inherit permissions level is flexible, in that it provides the user role with the expected level of access as defined by the default role permissions. Once a security level is altered in the Application Dictionary, it overrides the default role permission.
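The resolution rules from the Security hierarchy and Entity permission sections can be modeled in a few lines to audit what a user holding several roles can actually do. This Python sketch is an added example, not Optimizely code; the role names, role defaults, entity names and the per-permission True/False override format are assumptions.

```python
# Illustrative model only, not Optimizely code. All names below are constructed.
IMPLIES = {
    "create": {"edit", "view"},  # Can Create guarantees Can Edit and Can View
    "edit": {"view"},            # Can Edit guarantees Can View
    "delete": {"view"},          # Can Delete guarantees only Can View
    "view": set(),
}

def close(perms):
    """Add every permission guaranteed by the ones already granted."""
    out = set(perms)
    for perm in perms:
        out |= IMPLIES[perm]
    return out

def role_permissions(defaults, overrides):
    """Permissions one role holds on one entity.

    defaults:  permissions the role grants by default (what Inherit resolves to).
    overrides: {permission: True/False} saved in the Application Dictionary;
               a permission missing from the dict is treated as Inherit.
    """
    inherited = close(defaults)
    chosen = {p for p in IMPLIES if overrides.get(p, p in inherited)}
    return close(chosen)

def effective_permissions(roles, entity):
    """Union over all of a user's roles: the more open result wins."""
    result = set()
    for role in roles:
        result |= role_permissions(role["defaults"], role["overrides"].get(entity, {}))
    return result

def find_unexpected_grants(roles, entity, expected):
    """Permissions the user holds beyond what a reviewer expected."""
    return effective_permissions(roles, entity) - set(expected)

# Constructed sample roles (hypothetical names and defaults).
VIEWER = {"name": "ISC_ExampleViewer", "defaults": {"view"}, "overrides": {}}
CLEANER = {"name": "ISC_ExampleCleaner", "defaults": set(),
           "overrides": {"Product": {"delete": True}}}
LOCKED = {"name": "ISC_ExampleLocked", "defaults": {"create"},
          "overrides": {"Product": {"create": False, "edit": False, "view": False}}}
```

Running `find_unexpected_grants` over each user's role set before granting an additional role shows which restrictions the new role would silently lift.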
## Immutable entities
Below is a list of entities that can only be viewed or hidden.
These entities will also have **Can Create** as **Yes** when inherited. These entities cannot be manually created by a user, but the system will be able to create new records, which is reflected in the Application Dictionary.
Although the Application Dictionary UI allows users to change and save permissions for the above-listed immutable entities, the changes will not actually take effect.
## Property permissions
Property security is determined based on the hierarchy below.
Individual roles can be edited within the Application Dictionary. Roles can be given **Can Create**, **Can Edit**, **Can View**, and **Can Delete** permissions. If these permissions grant access to the entity, they will override the more general entity restriction.
Only roles that start with "ISC_" will appear in the **Roles** section of the Admin Console.