Create generic access rights

You can create generic access rights and use them to limit which internal users can access specific shopper data.

A generic access right is essentially a label that is applied to metadata attributes of shopper profile properties. Generic access rights are used by the Commerce access control system to determine which users can access the values of those properties. For example, if a property's readAccessRight attribute is set to the ID of a specific generic access right, then internal users who are assigned roles that include that access right will be able to see the value of that property. (Because they are simply labels, you may also be able to use generic access rights in other contexts such as integrations, though you will need to implement the logic for applying them in your own code.)

This section describes how to create and view generic access rights. The use of generic access rights to control access to properties is described in detail in Control access to shopper data.

Create a new generic access right

Commerce does not include any predefined generic access rights for internal users. If you want to use generic access rights, you need to create them using the createAdminAccessRight endpoint in the Admin API. For example:

POST /ccadmin/v1/adminAccessRights HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

{
    "displayName": "Access Right 1",
    "name": "ar1",
    "repositoryId": "ar1",
    "description": "First of several access rights."
}

The response is similar to this:

{
    "displayName": "Access Right 1",
    "name": "ar1",
    "repositoryId": "ar1",
    "description": "First of several access rights.",
    "links": [
        {
            "rel": "self",
            "href": "http://www.example.com:7002/ccadmin/v1/adminAccessRights"
        }
    ],
    "id": "ar1",
    "type": "generic",
    "category": {
        "displayName": "Custom",
        "id": "customAccessRightCategory"
    }
}

The Use and modify roles for internal users section of this chapter describes how to assign generic access rights to roles. For information about how to apply access rights to profile properties, see Control access to shopper data.

List generic access rights

To list all of the available generic access rights, use the listAdminAccessRights endpoint. For example:

GET /ccadmin/v1/adminAccessRights HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

You can return a list of the predefined privileges in addition to the generic access rights by including the includePrivileges query parameter in the call. For example:

GET /ccadmin/v1/adminAccessRights?includePrivileges=true HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

The following shows part of the list of privileges in the response:

...

    "items": [
        {
            "displayName": "Account Manager",
            "name": "Account Manager",
            "repositoryId": "ora.accountManagerPrivilege",
            "description": "Account Manager Privilege",
            "id": "ora.accountManagerPrivilege",
            "type": "privilege"
        },
        {
            "displayName": "Administrator",
            "name": "Administrator",
            "repositoryId": "ora.adminPrivilege",
            "description": "Administrator Privilege",
            "id": "ora.adminPrivilege",
            "type": "privilege"
        },

...
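As an added example (not Oracle's code), the following Python builds the create and list requests shown in the two sections above, sorts a listing response into generic access rights and predefined privileges, checks that a freshly created right came back with the expected id and type, and applies the readAccessRight rule described at the top of this page. The sample responses are constructed from the ones shown here; the shape of a user's access right set and the "no readAccessRight means unrestricted" rule are assumptions.

```python
import json
from urllib.parse import urlencode

ADMIN_ACCESS_RIGHTS_PATH = "/ccadmin/v1/adminAccessRights"
# Constructed sample responses, shaped after the ones shown on this page.
SAMPLE_CREATE_RESPONSE = json.dumps({
    "displayName": "Access Right 1", "name": "ar1", "repositoryId": "ar1",
    "description": "First of several access rights.", "id": "ar1", "type": "generic",
    "category": {"displayName": "Custom", "id": "customAccessRightCategory"}})
SAMPLE_LIST_RESPONSE = json.dumps({"items": [
    json.loads(SAMPLE_CREATE_RESPONSE),
    {"displayName": "Account Manager", "name": "Account Manager",
     "repositoryId": "ora.accountManagerPrivilege", "description": "Account Manager Privilege",
     "id": "ora.accountManagerPrivilege", "type": "privilege"},
    {"displayName": "Administrator", "name": "Administrator", "repositoryId": "ora.adminPrivilege",
     "description": "Administrator Privilege", "id": "ora.adminPrivilege", "type": "privilege"}]})

def build_create_request(name, display_name, description):
    """Method, path and JSON body for createAdminAccessRight (repositoryId follows name)."""
    body = {"displayName": display_name, "name": name,
            "repositoryId": name, "description": description}
    return "POST", ADMIN_ACCESS_RIGHTS_PATH, json.dumps(body)

def build_list_request(include_privileges=False):
    """Method and path for listAdminAccessRights, optionally with includePrivileges=true."""
    path = ADMIN_ACCESS_RIGHTS_PATH
    if include_privileges:
        path += "?" + urlencode({"includePrivileges": "true"})
    return "GET", path

def check_create_response(response_text, expected_id):
    """Sanity check after creation: the new right carries the expected id and is 'generic'."""
    data = json.loads(response_text)
    return data.get("id") == expected_id and data.get("type") == "generic"

def split_access_rights(response_text):
    """Sort listing items into generic access rights and predefined privileges, keyed by id."""
    items = json.loads(response_text).get("items", [])
    generic = {i["id"] for i in items if i.get("type") == "generic"}
    privileges = {i["id"] for i in items if i.get("type") == "privilege"}
    return generic, privileges

def can_read_property(user_access_rights, read_access_right):
    """Rule from this page: a property whose readAccessRight is set is visible only to a user
    whose roles carry that right. user_access_rights is assumed to be the union of the ids
    granted by the user's roles; treating an unset readAccessRight as unrestricted is an assumption."""
    if not read_access_right:
        return True
    return read_access_right in set(user_access_rights)
```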