Authorization Fundamentals
Sitecore contains a number of security tools to configure authorization for roles and users on content items.
Sitecore Commerce 8.2 powered by Commerce Server and Commerce Server 11.4 distills authorization down to these simple rules:
-
Business Users should only be able to view data they’re granted access to view (down to the field level)
-
Business Users should only be able to edit data they’re granted access to edit (down to the field level)
-
Business Users should only be able to create entities that they’re granted access to create
-
Business Users should only be able to delete entities that they’ve been granted access to delete
-
Business Users should only be able to perform operations that they’ve been granted access to execute
Access to Sitecore Commerce 8.2 powered by Commerce Server and Commerce Server 11.4 data and operations are secure by default -unless a Business User is explicitly granted access to data or an operation, they will not be allowed to manipulate that data or perform the operation.
Security administrators should assign access rights by a role, and not at the individual user level. While user level authorization is supported, it can make management of access rights more difficult.
Administrators need to manage and coordinate authorization within Sitecore and AzMan. These authorization rights are independently managed and are not synchronized between the two systems in any way.
Inheritance in Sitecore
Sitecore supports inheritance as part of its security model. This allows an administrator to apply access rights to content in the tree, and have those access rights be applied to all child items. This is predicated on the assumption that every item in Sitecore has exactly ONE parent item. Since a category or product may be contained by many categories, an item could have MULTIPLE parents. When attempting to evaluate whether a user has an access right on an item, Sitecore will recurse backward up the tree, checking to see whether a parent item has an access right that should be inherited by the child item. Since a Sitecore Commerce 8.2 powered by Commerce Server and Commerce Server 11.4 item can have multiple parents, it’s possible that the item has been granted an access right in one category and not another. This can cause a user to lose rights to a content item even though they should have them.
The rules to evaluate parent items with Sitecore Commerce 8.2 powered by Commerce Server and Commerce Server 11.4 data are:
-
If the category has a primary parent category assigned, Sitecore authorization checks will recurse parents starting from the primary parent category
-
If the category does not have a primary parent category, the first parent category assigned to the category is used
The Sitecore access viewer is a useful tool to determine if access rights are assigned at the right location in the content tree.
Business Tools checks access to the Sitecore Media Library when attempting to assign/update media assets to categories, products and variants.
Assigning Security Rights for Content Items
Standard Values are inherited by data templates. If a field in a content item breaks inheritance, it can be reset through the Content Editor. You will need to do this if you:
-
Change the security rights on a content item in the Content Editor (and break inheritance).
-
Subsequently change the access rights on the standard values of the data template for that content item.