One default Administrator profile is included with your Commerce Cloud instance, but you can add as many internal user profiles (including administrators) as you need. Only administrators can create and work with user accounts.

In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), Commerce Cloud secures all logins to the administration interface with multi-factor strong authentication. This means that each user must enter their username and password, plus a one-time passcode, each time they log into the administration interface. SeeAccess the Commerce Cloud administration interface to learn about setup tasks new users must perform before they can log into the administration interface for the first time.

Administrators do not assign login passwords to user profiles. Once you create a new profile, Commerce Cloud sends an email to the address you added to the profile. The email includes a link that the user clicks to set their password. If the link has expired when the user clicks it, Commerce Cloud displays a page where the user can request a new link.

The password must be at least eight characters long and contain at least one number, one uppercase letter, and one lowercase letter. It cannot contain the email address and cannot match any of the last four passwords.

In addition, the password is checked against a dictionary of weak passwords that Commerce Cloud maintains. If a user attempts to set a password that matches one of the entries in this dictionary, the password is rejected. The dictionary is the same one used for shopper passwords, as described in the Block weak passwords section of Extending Oracle Commerce Cloud. Note, however, that additional entries created using the updateRestrictedWords endpoint in the Admin API are applied only to shopper passwords, and not to passwords for internal users.

To create a new user profile:

The following table describes the properties that identify a Commerce Cloud user profile. All properties are required.