Restricting page access with SXA Storefront security roles

Abstract

Overview of how security is handled on a storefront site.

Security roles assign permissions to Sitecore users for different areas of a site. When you create a new site with Commerce features, Sitecore creates a domain (with the same name as the site) and two security roles, and assigns them to the site.

Sitecore creates the following roles:

  • Extranet User

  • Extranet Customer

By default, these roles do not have permissions or restrictions assigned. You can change this in the User Manager, which you access from the Sitecore Launchpad. You can then configure the roles to restrict access to sections of the storefront that require authentication. It is always best to configure permissions on roles and not individual user accounts.

Note

Each role belongs to only one domain. You can have two roles that belong to different domains and have the same name. For example, Site1/Extranet User is a different role from Site 2/Extranet User.

In line with the Sitecore security model , you can set security on some or all storefront pages so that only authenticated customers can access them. This lets you control which pages are publicly available and which pages require authentication. By default, if customers try to access a page on the storefront that they do not have permission for, they are automatically redirected back to the login page.

Note

You cannot set security on Commerce catalog items.

Each Storefront site is associated with a Commerce control panel (/sitecore/Commerce/Commerce Control Panel/Storefront Settings/Storefronts/<site>) and it is here that you define security as part of the Storefront configuration. The control panel is referenced by the site itself <sitecore/Content/<tenant>/<site>/Settings/Commerce/Control Panel Configuration).

You set the login page for a storefront site using a custom SXA page.

Note

In Sitecore 9.2, the reference to the Commerce Control Panel was moved to allow security to be set on the Home item so that, if required, you could set the entire site as private.