Controlling access to views and actions

Abstract

An overview of the ActionsRolesPolicy policy that specifies the roles required to access Business Tools views and actions.

Sitecore XC uses a role-based access control mechanism that gives you the ability to restrict access to specific areas of Business Tools functionality. Business users are assigned Commerce user roles in Sitecore, but ultimately it is the ActionsRolesPolicy policy in the Commerce Engine that determines what access the roles provide. The ActionsRolesPolicy policy specifies the roles that provide access to a specific entity type, entity view or action.

The wwwroot\<CommerceAuthoring_Sc>\wwwroot\data\Environments\Plugin.AccessByRoles.PolicySet-1.*.*.json file defines an instance of the ActionsRolesPolicy policy for each Business Tools view, in addition to default restrictions that apply to specific actions. You can update the file to change existing policies, or add new policies as required, to restrict access to custom entity views or actions, for example.

The following shows examples of some of the default ActionsRolesPolicy policies included in the Plugin.AccessByRoles.PolicySet.1.*.*.json file.

{
  "Type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "EntityType": "Sitecore.Commerce.Plugin.Orders.Order",
  "Role": "sitecore\\Customer Service Representative"

}
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "PriceSnapshotDetails",
  "Action": "RequestSnapshotApproval",
  "Role": "sitecore\\Pricer"
}
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "",
  "Action": "RemoveView",
  "Role": "sitecore\\Commerce Administrator"
},

Each ActionsRolesPolicy policy contains the mandatory Type and Role properties, and at least one of the optional properties EntityType, View, Action, based on the level of granularity to which the restriction applies.

The following table provides a description of the ActionsRolesPolicy properties:

Property

Description

"Type"

Refers to the base ActionRoleModel defined in the Sitecore.Commerce.Plugin.Views plugin.

"EntityType"

Applies role-based restrictions at the specified Entity type level, to limit access to a functional area of Business Tools functionality. For example: "EntityType": "Sitecore.Commerce.Plugin.Orders.Order"

"View"

Applies role-based restrictions to the specified view (EntityView) or child view. For example: "View": "PriceSnapshotDetails".

Note

When a restriction applies to a view, it extends to all of its components, properties and child views.

"Action"

Applies role-based restrictions to the specified action name. For example, "Action": "ApproveSnapshot".

"Role"

Specifies the role or a list of roles (pipe-separated) required to access the restricted EntityType, View, or Action.

Note

When you specify a role name, you must always state the prefix sitecore\\ followed the role name to configure. For example sitecore\\<RoleName>. When multiple roles are required, you separate each role using a pipe (|) symbol as follows: "Role": "sitecore\\Role1"|"sitecore\\Role2"

The following are various example usages of the ActionsRolesPolicy policy:

  • The following shows an example of a ActionsRolesPolicy policy where the Entity view View1 is restricted to users with the role Sitecore\\Role1 assigned.

    {
      "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel,Sitecore.Commerce.Plugin.Views",
      "View": "View1",
      "Action": "",
      "Role": "sitecore\\Role1"
    }
  • In the following example, the Promotion Entity view View2 is restricted to users with the roles Sitecore\\Role1 and sitecore\\role2 assigned.

    {
      "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel,Sitecore.Commerce.Plugin.Views",
      "View": "View2",
      "Action": "",
      "EntityType": "Sitecore.Commerce.Plugin.Promotions.Promotion",
      "Role": "sitecore\\Role1"|"sitecore\\Role2"
    }
  • In the following example, the action action1 in the Entity view View1 is restricted to users with the roles Sitecore\\Role1 and sitecore\\role2 assigned.

    {
      "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel,Sitecore.Commerce.Plugin.Views",
      "View": "View1",
      "Action": "Action1",
      "Role": "sitecore\\Role1|sitecore\\Role2"
    }
  • In the following example, the action action3 in any Entity view is restricted to users with the role Sitecore\\Role1 assigned.

    {
      "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel,Sitecore.Commerce.Plugin.Views",
      "View": "",
      "Action": "Action3",
      "Role": "sitecore\\Role1"
    }