Authorization Fundamentals

Sitecore contains a number of security tools to configure authorization for roles and users on content items.

Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 distills authorization down to these simple rules:

Note: Access to Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 data and operations is secure by default: unless a Business User is explicitly granted access to data or an operation, they are not allowed to manipulate that data or perform the operation.
Note: Security administrators should assign access rights by a role, and not at the individual user level. While user level authorization is supported, it can make management of access rights more difficult.
Important: Administrators need to manage and coordinate authorization within Sitecore and AzMan. These authorization rights are independently managed and are not synchronized between the two systems in any way.

Inheritance in Sitecore

Sitecore supports inheritance as part of its security model. This allows an administrator to apply access rights to an item in the content tree and have those access rights apply to all of its child items. Inheritance assumes that every item in Sitecore has exactly ONE parent item. A Commerce category or product, however, may be contained in many categories, so a single item can have MULTIPLE parents. When evaluating whether a user has an access right on an item, Sitecore walks up the tree from that item, checking whether an ancestor holds an access right that the item should inherit. Because a Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 item can have multiple parents, the item may have been granted an access right under one category and not under another. Depending on the path through which the item is reached, a user can therefore be denied rights on a content item even though they should have them.
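The following is an added diagnostic example, not code from the Sitecore product or its documentation. It uses the public Sitecore API to walk from a Commerce item up to the root and report the effective access decision at each ancestor, once for each category path the item is reachable through, so that an administrator can see at which level a right was granted on one path but not the other. The catalog paths, the user name and the use of the "master" database are assumptions for illustration only.

```csharp
// Added example: locate where an inherited access right diverges between two
// parent paths of the same Commerce item. Paths and account names are assumed.
using System;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;

public static class AccessPathDiagnostics
{
    // Walk from the item to the root and print the access decision at each level.
    // AuthorizationManager.GetAccess returns the same decision the Content Editor
    // and the Access Viewer apply, including rights inherited from ancestors.
    public static void ExplainAccess(Database db, string itemPath, Account account, AccessRight right)
    {
        Item item = db.GetItem(itemPath);
        if (item == null)
        {
            Console.WriteLine("Item not found: " + itemPath);
            return;
        }

        Console.WriteLine("{0} for {1} via {2}", right.Name, account.Name, itemPath);
        for (Item current = item; current != null; current = current.Parent)
        {
            AccessResult result = AuthorizationManager.GetAccess(current, account, right);
            Console.WriteLine("  {0,-6} {1}  ({2})",
                result.Permission, current.Paths.FullPath, result.Explanation.Text);
        }
    }

    public static void Run()
    {
        Database master = Factory.GetDatabase("master");

        // Evaluating a User (rather than a Role) includes the rights of every role
        // the user belongs to. The account name is an assumption.
        Account merchandiser = User.FromName(@"sitecore\merchandiser", false);

        // Assumed: the same product appears under two categories. If the right was
        // granted on only one category, the two walks show different decisions.
        const string catalog = "/sitecore/Commerce/Catalog Management/Catalogs/Adventure Works Catalog/Departments";
        ExplainAccess(master, catalog + "/Tents/AW001-01", merchandiser, AccessRight.ItemWrite);
        ExplainAccess(master, catalog + "/Camping/AW001-01", merchandiser, AccessRight.ItemWrite);
    }
}
```

Run it from a context that has a Sitecore configuration loaded (for example an admin page or a Sitecore PowerShell Extensions script host). The first line on which the permission changes from the one reported at the item is the ancestor where the rule lives; if that ancestor is a category rather than the catalog root, the same product will evaluate differently under its other parents.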

The rules to evaluate parent items with Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 data are:

Note: The Sitecore access viewer is a useful tool to determine if access rights are assigned at the right location in the content tree.
Note: Business Tools checks access to the Sitecore Media Library when attempting to assign/update media assets to categories, products and variants.

Assigning Security Rights for Content Items

Items inherit field values, including security settings, from the Standard Values of their data template. If a field on a content item has been set explicitly, breaking that inheritance, it can be reset to the standard value through the Content Editor. You will need to do this if you:
  1. Change the security rights on a content item in the Content Editor (which breaks inheritance from the standard values).
  2. Subsequently change the access rights on the standard values of the data template for that content item, and expect the item to pick up the new rights.
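As an added example (not Sitecore's own code), the two steps above expressed through the Sitecore API: grant an access right to a role on the template's Standard Values, then reset the item's __Security field so the item stops overriding the standard value and inherits the new rule. This also follows the earlier note that rights should be assigned to roles rather than individual users. The template path, item path and role name are assumptions for illustration.

```csharp
// Added example: assign a right to a role on Standard Values and reset an item's
// __Security field so it inherits again. Paths and the role name are assumed.
using System;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Fields;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

public static class StandardValuesSecurity
{
    // Grant 'right' to 'role' on the template's Standard Values item.
    // PropagationType.Any applies the rule to the item and everything below it.
    public static void GrantOnStandardValues(Database db, string templatePath, Role role, AccessRight right)
    {
        TemplateItem template = db.GetItem(templatePath);
        if (template == null || template.StandardValues == null)
        {
            throw new InvalidOperationException("Template or its Standard Values not found: " + templatePath);
        }

        Item standardValues = template.StandardValues;
        using (new SecurityDisabler())
        using (new EditContext(standardValues))
        {
            AccessRuleCollection rules = standardValues.Security.GetAccessRules();
            rules.Helper.AddAccessPermission(role, right, PropagationType.Any, AccessPermission.Allow);
            standardValues.Security.SetAccessRules(rules);
        }
    }

    // Reset the item's __Security field. Returns false when the item already
    // takes its security from Standard Values, so nothing had to change.
    public static bool ResetSecurityToStandardValues(Item item)
    {
        Field security = item.Fields[FieldIDs.Security];
        if (security.ContainsStandardValue)
        {
            return false;
        }

        using (new SecurityDisabler())
        using (new EditContext(item))
        {
            security.Reset();
        }
        return true;
    }

    public static void Run()
    {
        Database master = Factory.GetDatabase("master");
        Role merchandisers = Role.FromName(@"sitecore\Commerce Merchandisers"); // assumed role

        // Step 2 of the procedure: change rights on the template's Standard Values.
        GrantOnStandardValues(master, "/sitecore/templates/CommerceServer/Catalog/Product", // assumed template path
            merchandisers, AccessRight.ItemWrite);

        // An item edited in step 1 keeps its own __Security value until it is reset.
        Item product = master.GetItem("/sitecore/Commerce/Catalog Management/Catalogs/Adventure Works Catalog/Departments/Tents/AW001-01"); // assumed path
        bool reset = ResetSecurityToStandardValues(product);
        Console.WriteLine(reset ? "Security reset; item now inherits from Standard Values."
                                : "Item already inherited security from Standard Values.");
    }
}
```

Check the result in the Access Viewer afterwards: the item should now report the right as inherited from the template's Standard Values rather than set on the item itself. Because the field check uses ContainsStandardValue, the reset is safe to run repeatedly across many items; only those that actually broke inheritance are written.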