Controlling access to views and actions
Sitecore XC uses a role-based access control mechanism that gives you the ability to restrict access to specific areas of Business Tools functionality. Business users are assigned Commerce user roles in Sitecore, but ultimately it is the ActionsRolesPolicy policy in the Commerce Engine that determines what access the roles provide. The ActionsRolesPolicy policy specifies the roles that provide access to a specific entity type, entity view or action.
The wwwroot\<CommerceAuthoring_Sc>\wwwroot\data\Environments\Plugin.AccessByRoles.PolicySet-1.*.*.json file defines an instance of the ActionsRolesPolicy policy for each Business Tools view, in addition to default restrictions that apply to specific actions. You can update the file to change existing policies, or add new policies as required, to restrict access to custom entity views or actions, for example.
The following shows examples of some of the default ActionsRolesPolicy policies included in the Plugin.AccessByRoles.PolicySet-1.*.*.json file.
```json
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "EntityType": "Sitecore.Commerce.Plugin.Orders.Order",
  "Role": "sitecore\\Customer Service Representative"
},
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "PriceSnapshotDetails",
  "Action": "RequestSnapshotApproval",
  "Role": "sitecore\\Pricer"
},
{
  "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
  "View": "",
  "Action": "RemoveView",
  "Role": "sitecore\\Commerce Administrator"
},
```

ActionsRolesPolicy properties
Each ActionsRolesPolicy policy contains the mandatory $type and Role properties, and at least one of the optional properties EntityType, View or Action, depending on the level of granularity at which the restriction applies.
The following table provides a description of the ActionsRolesPolicy properties:
| Property | Description |
|---|---|
| $type | Refers to the base |
| EntityType | Applies role-based restrictions at the specified entity type level, to limit access to a functional area of Business Tools functionality. For example, the EntityType value Sitecore.Commerce.Plugin.Orders.Order used in the default policy shown above. |
| View | Applies role-based restrictions to the specified view. Note: When a restriction applies to a view, it extends to all of its components, properties and child views. |
| Action | Applies role-based restrictions to the specified action name. For example, RequestSnapshotApproval or RemoveView in the default policies shown above. |
| Role | Specifies the role or a list of roles (pipe-separated) required to access the restricted entity type, view or action. Note: When you specify a role name, you must always state the prefix, as in the examples on this page (for example, sitecore\\Pricer). |
Examples of ActionsRolesPolicy policy configurations
The following are various example usages of the ActionsRolesPolicy policy:
- The following shows an example of an ActionsRolesPolicy policy where the entity view View1 is restricted to users with the role sitecore\\Role1 assigned.

  ```json
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "View1",
    "Action": "",
    "Role": "sitecore\\Role1"
  }
  ```
- In the following example, the Promotion entity view View2 is restricted to users with the roles sitecore\\Role1 and sitecore\\Role2 assigned. Note that the pipe-separated list is a single JSON string.

  ```json
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "View2",
    "Action": "",
    "EntityType": "Sitecore.Commerce.Plugin.Promotions.Promotion",
    "Role": "sitecore\\Role1|sitecore\\Role2"
  }
  ```
- In the following example, the action Action1 in the entity view View1 is restricted to users with the roles sitecore\\Role1 and sitecore\\Role2 assigned.

  ```json
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "View1",
    "Action": "Action1",
    "Role": "sitecore\\Role1|sitecore\\Role2"
  }
  ```
- In the following example, the action Action3 in any entity view is restricted to users with the role sitecore\\Role1 assigned.

  ```json
  {
    "$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
    "View": "",
    "Action": "Action3",
    "Role": "sitecore\\Role1"
  }
  ```
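As an added example that is not part of the Sitecore documentation or of the Commerce Engine itself, the following Python script checks a policy set of the shape shown above for the mistakes the property table warns about (a role without the prefix, a policy with no EntityType, View or Action, and a pipe list written as separate JSON strings, which is not valid JSON at all) and then evaluates whether a user's roles satisfy the policies that apply to a given entity type, view and action. The sample policy sets are constructed for this example. The evaluation rule (every policy whose scope matches the request must be satisfied, an empty or absent scope property acts as a wildcard, and role names compare case-insensitively) is an assumption made here for illustration, not behaviour documented on this page.

```python
import json

ROLE_PREFIX = "sitecore\\"  # the prefix every role on the page carries
MODEL_TYPE = "Sitecore.Commerce.EntityViews.ActionRoleModel"
SCOPE_KEYS = ("EntityType", "View", "Action")

# Constructed sample (valid JSON) mirroring the default policies shown above.
VALID_POLICY_SET = r'''[
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "EntityType": "Sitecore.Commerce.Plugin.Orders.Order",
   "Role": "sitecore\\Customer Service Representative"},
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "View": "PriceSnapshotDetails", "Action": "RequestSnapshotApproval",
   "Role": "sitecore\\Pricer"},
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "View": "", "Action": "RemoveView", "Role": "sitecore\\Commerce Administrator"},
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "View": "View1", "Action": "Action1", "Role": "sitecore\\Role1|sitecore\\Role2"}
]'''

# Constructed sample with two defects: a role without the prefix, and a policy
# that names no EntityType, View or Action.
DEFECTIVE_POLICY_SET = r'''[
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "View": "View2", "Role": "Role3"},
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "Role": "sitecore\\Role4"}
]'''

# Constructed sample of the classic slip: "a"|"b" instead of "a|b" is not JSON.
MALFORMED_JSON = r'''[
  {"$type": "Sitecore.Commerce.EntityViews.ActionRoleModel, Sitecore.Commerce.Plugin.Views",
   "View": "View2", "Role": "sitecore\\Role1"|"sitecore\\Role2"}
]'''


def split_roles(role_field):
    """Split the pipe-separated Role value into individual role names."""
    return [r.strip() for r in str(role_field).split("|") if r.strip()]


def lint_policy(model):
    """Return the list of problems found in one ActionRoleModel (empty if clean)."""
    problems = []
    if not str(model.get("$type", "")).startswith(MODEL_TYPE):
        problems.append("missing or unexpected $type")
    roles = split_roles(model.get("Role", ""))
    if not roles:
        problems.append("missing Role")
    for role in roles:
        if not role.lower().startswith(ROLE_PREFIX):
            problems.append(f"role {role!r} lacks the {ROLE_PREFIX!r} prefix")
    if not any(model.get(key) for key in SCOPE_KEYS):
        problems.append("no EntityType, View or Action: the policy would apply to everything")
    return problems


def lint_policy_set(text):
    """Lint a whole policy-set file.

    Returns {policy_index: [problems]}; the key -1 carries a JSON parse error.
    """
    try:
        models = json.loads(text)
    except json.JSONDecodeError as exc:
        return {-1: [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]}
    report = {}
    for index, model in enumerate(models):
        problems = lint_policy(model)
        if problems:
            report[index] = problems
    return report


def _scope_matches(model, key, value):
    """Assumption: an unset or empty scope property is a wildcard, else it must match."""
    wanted = model.get(key) or ""
    return wanted == "" or wanted == (value or "")


def is_allowed(models, user_roles, entity_type="", view="", action=""):
    """Assumption: every policy whose scope matches the request must be satisfied,
    and a policy is satisfied when the user holds at least one of its roles.
    Role names are compared case-insensitively."""
    held = {r.lower() for r in user_roles}
    request = (("EntityType", entity_type), ("View", view), ("Action", action))
    for model in models:
        if all(_scope_matches(model, key, value) for key, value in request):
            required = {r.lower() for r in split_roles(model.get("Role", ""))}
            if not (held & required):
                return False
    return True


if __name__ == "__main__":
    for name, text in (("valid", VALID_POLICY_SET), ("defective", DEFECTIVE_POLICY_SET),
                       ("malformed", MALFORMED_JSON)):
        print(name, lint_policy_set(text) or "no problems")
    policies = json.loads(VALID_POLICY_SET)
    print("Pricer may request snapshot approval:",
          is_allowed(policies, ["sitecore\\Pricer"],
                     view="PriceSnapshotDetails", action="RequestSnapshotApproval"))
```

Run the script against the real Plugin.AccessByRoles.PolicySet-1.*.*.json file by reading it into `lint_policy_set` before deploying a change; a parse error or a prefix-less role in the report means the Commerce Engine would not enforce the restriction you intended.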