Create security criteria
Security criteria can be assigned to roles to restrict access to specific catalogs or price groups.
A security criterion restricts the specific data a user can access. For example, a user might be assigned the Catalog role and also a custom role containing a security criterion that limits the user to modifying only one specific catalog. Another role might have a security criterion that denies update access to two specific price groups but permits update access to all others.
Currently, security criteria affect users who have roles with the Catalog privilege or Administrator privilege, and restrict update access only, not read access. Any user with one of these privileges can view any catalog or price group. Also, if a user has one of these privileges but no security criteria, the user can update any catalog or price group.
This chapter describes how to create and view security criteria. The use of security criteria to control update access to catalogs and price groups is described in detail in Understand Role-based Access Control.
Create security criteria for catalogs
An individual security criterion applies either to catalogs or to price groups, and includes one of these constraint types:
grant
– Grants update access to specific catalogs or price groups.deny
– Denies update access to specific catalogs or price groups.grantNone
– Denies create and update access to all catalogs or price groups.
The following example illustrates using the
createAdminSecurityCriterion
endpoint in the Admin API to
create a security criterion for catalogs. This criterion grants update access to a
single catalog. Note the following properties in the payload:
id
– The ID to give the security criterion you are creating.securityCriteriaResource.id
– The ID of the type of resource the security criterion applies to. Specifyora.catalogAssetResource
for catalogs orora.pLGAssetResource
for price groups.actions
– An array specifying the actions the criterion affects. Currently this must be["create", "update", "delete"]
, as shown in the example below. You can specify this explicitly, or you can omit the property and it will default to this value.constraintType
– The type of constraint the security criterion includes. See the list above.constraints.constraintConfig.id
– The ID of the asset type the security criterion applies to. Specifyora.catalogConstraintConfiguration
for catalogs orora.pLGConstraintConfiguration
for price groups.constraints.values
– An array of the IDs of the specific catalogs or price groups the security criterion applies to.
POST /ccadmin/v1/adminSecurityCriteria HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
{
"id": "securityCriterionHomeGoodsCatalog",
"name": "Security Criterion for HomeGoodsCatalog",
"description": "Grants access to catalog assets of the HomeGoodsCatalog",
"securityCriteriaResource": {
"id": "ora.catalogAssetResource"
},
"actions": [
"create",
"update",
"delete"
],
"constraintType": "grant",
"constraints": [
{
"constraintConfig": {
"id": "ora.catalogConstraintConfiguration"
},
"values": [
"HomeGoodsCatalog"
]
}
]
}
The response is similar to the following:
{
"constraintType": "grant",
"roles": [],
"name": "Security Criterion for HomeGoodsCatalog",
"description": "Grants access to catalog assets of the HomeGoodsCatalog",
"links": [
{
"rel": "self",
"href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteria"
}
],
"securityCriteriaResource": {
"name": "Catalog Assets",
"id": "ora.catalogAssetResource"
},
"lastModified": "2021-03-08T19:52:43.752Z",
"id": "securityCriterionHomeGoodsCatalog",
"constraints": [
{
"values": [
"HomeGoodsCatalog"
],
"constraintConfig": {
"id": "ora.catalogConstraintConfiguration"
},
"id": "scc-100001"
}
],
"actions": [
"update",
"delete",
"create"
]
}
Create security criteria for price groups
The following example illustrates using the
createAdminSecurityCriterion
endpoint to create a security
criterion for a price group. This criterion grants update access to a single price
group.
POST /ccadmin/v1/adminSecurityCriteria HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
{
"id": "securityCriterionHomeGoodsPriceGroup",
"name": "Security Criterion for HomeGoodsPriceGroup",
"description": "Grants access to HomeGoodsPriceGroup",
"securityCriteriaResource": {
"id": "ora.pLGAssetResource"
},
"actions": [
"create",
"update",
"delete"
],
"constraintType": "grant",
"constraints": [
{
"constraintConfig": {
"id": "ora.pLGConstraintConfiguration"
},
"values": [
"HomeGoodsPriceGroup"
]
}
]
}
The response is similar to the following:
{
"constraintType": "grant",
"roles": [],
"name": "Security Criterion for HomeGoodsPriceGroup",
"description": "Grants access to HomeGoodsPriceGroup",
"links": [
{
"rel": "self",
"href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteria"
}
],
"securityCriteriaResource": {
"name": "Price Groups",
"id": "ora.pLGAssetResource"
},
"lastModified": "2021-03-08T20:12:19.302Z",
"id": "securityCriterionHomeGoodsPriceGroup",
"constraints": [
{
"values": [
"HomeGoodsPriceGroup"
],
"constraintConfig": {
"id": "ora.pLGConstraintConfiguration"
},
"id": "scc-100002"
}
],
"actions": [
"create",
"update",
"delete"
]
}
List available security criteria
You can use the listAdminSecurityCriteria
endpoint to see a
list of your available security criteria. The following example returns the two
security criteria created in the examples above:
GET /ccadmin/v1/adminSecurityCriteriaResources HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
The response is similar to the following:
{
"total": 2,
"totalResults": 2,
"offset": 0,
"limit": 250,
"links": [
{
"rel": "self",
"href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteriaResources"
}
],
"sort": [
{
"property": "id",
"order": "asc"
}
],
"items": [
{
"constraintConfigurations": [
{
"constrainingAssetType": "catalog",
"displayName": "Catalogs",
"constrainingAssetDisplayNameProperty": "displayName",
"id": "ora.catalogConstraintConfiguration",
"constrainingAssetGroup": "/atg/commerce/catalog/ProductCatalog/"
}
],
"name": "Catalog Assets",
"id": "ora.catalogAssetResource"
},
{
"constraintConfigurations": [
{
"constrainingAssetType": "priceListGroup",
"displayName": "Price Groups",
"constrainingAssetDisplayNameProperty": "displayName",
"id": "ora.pLGConstraintConfiguration",
"constrainingAssetGroup": "/atg/commerce/pricing/priceLists/PriceLists/"
}
],
"name": "Price Groups",
"id": "ora.pLGAssetResource"
}
]
}