Create generic access rights
You can create generic access rights and use them to limit which internal users can access specific shopper data.
A generic access right is essentially a label that is applied to metadata attributes of shopper profile properties. Generic access rights are used by the Commerce access control system to determine which users can access the values of those properties. For example, if a property's readAccessRight attribute is set to the ID of a specific generic access right, then internal users who are assigned roles that include that access right will be able to see the value of that property. (Because they are simply labels, you may also be able to use generic access rights in other contexts such as integrations, though you will need to implement the logic for applying them in your own code.)
This section describes how to create and view generic access rights. The use of generic access rights to control access to properties is described in detail in Manage Access to Shopper Data.
Create a new generic access right
Commerce does not include any predefined generic access rights for internal users. If you want to use generic access rights, you need to create them using the createAdminAccessRight endpoint in the Admin API. For example:
POST /ccadmin/v1/adminAccessRights HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "displayName": "Access Right 1",
  "name": "ar1",
  "repositoryId": "ar1",
  "description": "First of several access rights."
}
The response is similar to this:
{
  "displayName": "Access Right 1",
  "name": "ar1",
  "repositoryId": "ar1",
  "description": "First of several access rights.",
  "links": [
    {
      "rel": "self",
      "href": "http://www.example.com:7002/ccadmin/v1/adminAccessRights"
    }
  ],
  "id": "ar1",
  "type": "generic",
  "category": {
    "displayName": "Custom",
    "id": "customAccessRightCategory"
  }
}
The Use and modify roles section of this chapter describes how to assign generic access rights to roles. For information about how to apply access rights to profile properties, see the Manage Access to Shopper Data chapter.
List generic access rights
To list all of the available generic access rights, use the listAdminAccessRights endpoint. For example:
GET /ccadmin/v1/adminAccessRights HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
You can return a list of the predefined privileges in addition to the generic access rights by including the includePrivileges query parameter in the call. For example:
GET /ccadmin/v1/adminAccessRights?includePrivileges=true HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
The following shows part of the list of privileges in the response:
...
"items": [
  {
    "displayName": "Account Manager",
    "name": "Account Manager",
    "repositoryId": "ora.accountManagerPrivilege",
    "description": "Account Manager Privilege",
    "id": "ora.accountManagerPrivilege",
    "type": "privilege"
  },
  {
    "displayName": "Administrator",
    "name": "Administrator",
    "repositoryId": "ora.adminPrivilege",
    "description": "Administrator Privilege",
    "id": "ora.adminPrivilege",
    "type": "privilege"
  },
  ...
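The following Python sketch is an added example, not part of the original documentation. It splits a listAdminAccessRights response by its type field and checks access-right IDs referenced elsewhere (for example in readAccessRight attributes) against what the call returned. The sample response, the function names, and the referenced IDs (including ar2) are constructed for illustration.

```python
import json

# Constructed sample of a listAdminAccessRights?includePrivileges=true response,
# built only from fields shown in the examples on this page.
SAMPLE_RESPONSE = json.loads("""
{
  "items": [
    {"id": "ar1", "name": "ar1", "repositoryId": "ar1",
     "displayName": "Access Right 1", "type": "generic"},
    {"id": "ora.accountManagerPrivilege", "name": "Account Manager",
     "repositoryId": "ora.accountManagerPrivilege", "type": "privilege"},
    {"id": "ora.adminPrivilege", "name": "Administrator",
     "repositoryId": "ora.adminPrivilege", "type": "privilege"}
  ]
}
""")


def split_by_type(response):
    """Return (generic_ids, privilege_ids) from a list response."""
    generic, privileges = set(), set()
    for item in response.get("items", []):
        if item.get("type") == "generic":
            generic.add(item["id"])
        elif item.get("type") == "privilege":
            privileges.add(item["id"])
    return generic, privileges


def audit_references(response, referenced_ids):
    """Classify referenced access-right IDs as a generic access right,
    a predefined privilege, or not defined at all."""
    generic, privileges = split_by_type(response)
    report = {"generic": [], "privilege": [], "undefined": []}
    for ref in sorted(referenced_ids):
        if ref in generic:
            report["generic"].append(ref)
        elif ref in privileges:
            report["privilege"].append(ref)
        else:
            report["undefined"].append(ref)
    return report


if __name__ == "__main__":
    # Hypothetical IDs collected from property metadata; "ar2" was never created.
    refs = {"ar1", "ar2", "ora.adminPrivilege"}
    print(json.dumps(audit_references(SAMPLE_RESPONSE, refs), indent=2))
```

An ID reported under "undefined" points to a label that no role can include until the access right is created, so it is worth reviewing before relying on it to restrict a property.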