Controlling access to views and actions
Sitecore XC uses a role-based access control mechanism that gives you the ability to restrict access to specific areas of Business Tools functionality. Business users are assigned Commerce user roles in Sitecore, but ultimately it is the ActionsRolesPolicy policy in the Commerce Engine that determines what access the roles provide. The ActionsRolesPolicy policy specifies the roles that provide access to a specific entity type, entity view or action.
The wwwroot\<CommerceAuthoring_Sc>\wwwroot\data\Environments\Plugin.AccessByRoles.PolicySet-1.*.*.json file defines an instance of the ActionsRolesPolicy policy for each Business Tools view, in addition to default restrictions that apply to specific actions. You can update the file to change existing policies, or add new policies as required, for example to restrict access to custom entity views or actions.
The following shows examples of some of the default ActionsRolesPolicy policies included in the Plugin.AccessByRoles.PolicySet-1.*.*.json file, each expressed as an ActionRoleModel object:

```json
[
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "EntityType": "Sitecore.Commerce.Plugin.Orders.Order",
    "Role": "sitecore\\Customer Service Representative"
  },
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "PriceSnapshotDetails",
    "Action": "RequestSnapshotApproval",
    "Role": "sitecore\\Pricer"
  },
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "",
    "Action": "RemoveView",
    "Role": "sitecore\\Commerce Administrator"
  }
]
```
ActionsRolesPolicy properties
Each ActionsRolesPolicy policy contains the mandatory $type and Role properties, and at least one of the optional properties EntityType, View and Action, depending on the level of granularity to which the restriction applies.
The following table provides a description of the ActionsRolesPolicy properties:
Property | Description
---|---
$type | Refers to the base
EntityType | Applies role-based restrictions at the specified entity type level, to limit access to a functional area of Business Tools functionality. For example:
View | Applies role-based restrictions to the specified view. Note: When a restriction applies to a view, it extends to all of its components, properties and child views.
Action | Applies role-based restrictions to the specified action name. For example,
Role | Specifies the role or a list of roles (pipe-separated) required to access the restricted entity type, view or action. Note: When you specify a role name, you must always state the prefix
Examples of ActionsRolesPolicy policy configurations
The following are various example usages of the ActionsRolesPolicy policy:
- The following shows an example of an ActionsRolesPolicy policy where the entity view View1 is restricted to users with the role sitecore\Role1 assigned.

```json
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "View1",
  "Action": "",
  "Role": "sitecore\\Role1"
}
```

- In the following example, the Promotion entity view View2 is restricted to users with the roles sitecore\Role1 and sitecore\Role2 assigned. Note that the two roles are written as one pipe-separated string inside a single Role value.

```json
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "View2",
  "Action": "",
  "EntityType": "Sitecore.Commerce.Plugin.Promotions.Promotion",
  "Role": "sitecore\\Role1|sitecore\\Role2"
}
```

- In the following example, the action Action1 in the entity view View1 is restricted to users with the roles sitecore\Role1 and sitecore\Role2 assigned.

```json
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "View1",
  "Action": "Action1",
  "Role": "sitecore\\Role1|sitecore\\Role2"
}
```

- In the following example, the action Action3 in any entity view (View is left empty) is restricted to users with the role sitecore\Role1 assigned.

```json
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "",
  "Action": "Action3",
  "Role": "sitecore\\Role1"
}
```
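To check a policy set before it is deployed, the following added Python script (not part of this page or of Sitecore's own code) lints ActionRoleModel entries for the mistakes the property table warns about (a role without the prefix, an entry that restricts nothing, an empty Role) and evaluates whether a set of held roles can reach a given entity type, view and action. The sample entries are constructed from the examples above, and the matching rules, in particular that the user must hold a role from every entry that applies, that role names compare case-insensitively, and that a request no entry covers falls through to default access, are assumptions about the Commerce Engine's behaviour rather than its documented logic.

```python
MODEL_TYPE = "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views"
ROLE_PREFIX = "sitecore\\"  # every role name in an entry must carry this prefix

# Constructed sample entries modelled on the examples above, not the shipped PolicySet file
# (in practice, json.load the Plugin.AccessByRoles.PolicySet file and lint its models).
SAMPLE_ENTRIES = [
    {"$type": MODEL_TYPE, "EntityType": "Sitecore.Commerce.Plugin.Orders.Order",
     "Role": "sitecore\\Customer Service Representative"},
    {"$type": MODEL_TYPE, "View": "PriceSnapshotDetails", "Action": "RequestSnapshotApproval",
     "Role": "sitecore\\Pricer"},
    {"$type": MODEL_TYPE, "View": "", "Action": "RemoveView", "Role": "sitecore\\Commerce Administrator"},
    {"$type": MODEL_TYPE, "View": "View2", "Action": "", "Role": "sitecore\\Role1|sitecore\\Role2",
     "EntityType": "Sitecore.Commerce.Plugin.Promotions.Promotion"},
    {"$type": MODEL_TYPE, "View": "View1", "Role": "Role1"},  # deliberately malformed: no prefix
]

def roles_of(entry):
    # Role is a single role name or a pipe-separated list of role names.
    return [r.strip() for r in entry.get("Role", "").split("|") if r.strip()]

def lint(entry):
    # Problems that leave an entry ineffective or that lock everyone out (empty Role).
    problems = []
    if entry.get("$type") != MODEL_TYPE:
        problems.append("wrong or missing $type")
    if not any(entry.get(k) for k in ("EntityType", "View", "Action")):
        problems.append("no EntityType, View or Action: nothing is restricted")
    roles = roles_of(entry)
    if not roles:
        problems.append("Role is empty")
    problems += [f"role '{r}' lacks the {ROLE_PREFIX} prefix" for r in roles if not r.lower().startswith(ROLE_PREFIX)]
    return problems

def applies(entry, entity_type, view, action):
    # An entry restricts a request when every field it sets matches; an empty View with
    # an Action restricts that action in every view (assumed matching semantics).
    for key, value in (("EntityType", entity_type), ("View", view), ("Action", action)):
        wanted = entry.get(key, "")
        if wanted and wanted != value:
            return False
    return True

def is_allowed(entries, user_roles, entity_type="", view="", action=""):
    # Assumptions: the user must hold a role from every applying entry, role names compare
    # case-insensitively, and a request no entry covers is left to default access (allowed).
    held = {r.lower() for r in user_roles}
    for entry in entries:
        if applies(entry, entity_type, view, action) and not held & {r.lower() for r in roles_of(entry)}:
            return False
    return True
```

Run lint over every model in the file before deployment; a malformed entry is worse than a missing one, since an empty Role denies the view or action to everybody while a role without the prefix silently matches nobody.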