1. Extending Oracle Commerce
  2. Implement Access Control for Internal Users
  3. Create security criteria

Create security criteria

Security criteria can be assigned to roles to restrict access to specific catalogs or price groups.

A security criterion restricts the specific data a user can access. For example, a user might be assigned the Catalog role and also a custom role containing a security criterion that limits the user to modifying only one specific catalog. Another role might have a security criterion that denies update access to two specific price groups but permits update access to all others.

Currently, security criteria affect users who have roles with the Catalog privilege or Administrator privilege, and restrict update access only, not read access. Any user with one of these privileges can view any catalog or price group. Also, if a user has one of these privileges but no security criteria, the user can update any catalog or price group.

This chapter describes how to create and view security criteria. The use of security criteria to control update access to catalogs and price groups is described in detail in Understand Role-based Access Control.

Create security criteria for catalogs

An individual security criterion applies either to catalogs or to price groups, and includes one of these constraint types:

  • grant – Grants update access to specific catalogs or price groups.
  • deny – Denies update access to specific catalogs or price groups.
  • grantNone – Denies create and update access to all catalogs or price groups.

The following example illustrates using the createAdminSecurityCriterion endpoint in the Admin API to create a security criterion for catalogs. This criterion grants update access to a single catalog. Note the following properties in the payload:

  • id – The ID to give the security criterion you are creating.
  • securityCriteriaResource.id – The ID of the type of resource the security criterion applies to. Specify ora.catalogAssetResource for catalogs or ora.pLGAssetResource for price groups.
  • actions – An array specifying the actions the criterion affects. Currently this must be ["create", "update", "delete"], as shown in the example below. You can specify this explicitly, or you can omit the property and it will default to this value.
  • constraintType – The type of constraint the security criterion includes. See the list above.
  • constraints.constraintConfig.id – The ID of the asset type the security criterion applies to. Specify ora.catalogConstraintConfiguration for catalogs or ora.pLGConstraintConfiguration for price groups.
  • constraints.values – An array of the IDs of the specific catalogs or price groups the security criterion applies to. 
POST /ccadmin/v1/adminSecurityCriteria  HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json
 
{
  "id": "securityCriterionHomeGoodsCatalog",
  "name": "Security Criterion for HomeGoodsCatalog",
  "description": "Grants access to catalog assets of the HomeGoodsCatalog",
  "securityCriteriaResource": {
    "id": "ora.catalogAssetResource"
  },
  "actions": [
    "create",
    "update",
    "delete"
  ],
  "constraintType": "grant",
  "constraints": [
    {
      "constraintConfig": {
        "id": "ora.catalogConstraintConfiguration"
      },
      "values": [
        "HomeGoodsCatalog"
      ]
    }
  ]
}

The response is similar to the following:

{
    "constraintType": "grant",
    "roles": [],
    "name": "Security Criterion for HomeGoodsCatalog",
    "description": "Grants access to catalog assets of the HomeGoodsCatalog",
    "links": [
        {
            "rel": "self",
            "href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteria"
        }
    ],
    "securityCriteriaResource": {
        "name": "Catalog Assets",
        "id": "ora.catalogAssetResource"
    },
    "lastModified": "2021-03-08T19:52:43.752Z",
    "id": "securityCriterionHomeGoodsCatalog",
    "constraints": [
        {
            "values": [
                "HomeGoodsCatalog"
            ],
            "constraintConfig": {
                "id": "ora.catalogConstraintConfiguration"
            },
            "id": "scc-100001"
        }
    ],
    "actions": [
        "update",
        "delete",
        "create"
    ]
}

Create security criteria for price groups

The following example illustrates using the createAdminSecurityCriterion endpoint to create a security criterion for a price group. This criterion grants update access to a single price group. 

POST /ccadmin/v1/adminSecurityCriteria  HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

 {
  "id": "securityCriterionHomeGoodsPriceGroup",
  "name": "Security Criterion for HomeGoodsPriceGroup",
  "description": "Grants access to HomeGoodsPriceGroup",
  "securityCriteriaResource": {
    "id": "ora.pLGAssetResource"
  },
  "actions": [
    "create",
    "update",
    "delete"
  ],
  "constraintType": "grant",
  "constraints": [
    {
      "constraintConfig": {
        "id": "ora.pLGConstraintConfiguration"
      },
      "values": [
        "HomeGoodsPriceGroup"
      ]
    }
  ]
}

The response is similar to the following:

{
    "constraintType": "grant",
    "roles": [],
    "name": "Security Criterion for HomeGoodsPriceGroup",
    "description": "Grants access to HomeGoodsPriceGroup",
    "links": [
        {
            "rel": "self",
            "href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteria"
        }
    ],
    "securityCriteriaResource": {
        "name": "Price Groups",
        "id": "ora.pLGAssetResource"
    },
    "lastModified": "2021-03-08T20:12:19.302Z",
    "id": "securityCriterionHomeGoodsPriceGroup",
    "constraints": [
        {
            "values": [
                "HomeGoodsPriceGroup"
            ],
            "constraintConfig": {
                "id": "ora.pLGConstraintConfiguration"
            },
            "id": "scc-100002"
        }
    ],
    "actions": [
        "create",
        "update",
        "delete"
    ]
}

List available security criteria

You can use the listAdminSecurityCriteria endpoint to see a list of your available security criteria. The following example returns the two security criteria created in the examples above: 

GET /ccadmin/v1/adminSecurityCriteriaResources  HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json

The response is similar to the following:

{
    "total": 2,
    "totalResults": 2,
    "offset": 0,
    "limit": 250,
    "links": [
        {
            "rel": "self",
            "href": "http://www.example.com:7002/ccadmin/v1/adminSecurityCriteriaResources"
        }
    ],
    "sort": [
        {
            "property": "id",
            "order": "asc"
        }
    ],
    "items": [
        {
            "constraintConfigurations": [
                {
                    "constrainingAssetType": "catalog",
                    "displayName": "Catalogs",
                    "constrainingAssetDisplayNameProperty": "displayName",
                    "id": "ora.catalogConstraintConfiguration",
                    "constrainingAssetGroup": "/atg/commerce/catalog/ProductCatalog/"
                }
            ],
            "name": "Catalog Assets",
            "id": "ora.catalogAssetResource"
        },
        {
            "constraintConfigurations": [
                {
                    "constrainingAssetType": "priceListGroup",
                    "displayName": "Price Groups",
                    "constrainingAssetDisplayNameProperty": "displayName",
                    "id": "ora.pLGConstraintConfiguration",
                    "constrainingAssetGroup": "/atg/commerce/pricing/priceLists/PriceLists/"
                }
            ],
            "name": "Price Groups",
            "id": "ora.pLGAssetResource"
        }
    ]
}