1. Extending Oracle Commerce
  2. Implement Access Control for Internal Users

33 Implement Access Control for Internal Users

Oracle Commerce includes a role-based access control system that is applied to all internal users such as merchandisers and administrators.

Each internal user can be assigned one or more roles. Depending on the roles assigned, the user may have access to a number of areas of Commerce. These include:

  • Specific pages of the administration interface and the Agent Console, and the functionality available on those pages.
  • Catalogs and price groups.
  • Properties of shopper profiles.

Commerce includes several predefined roles, and you can create additional custom roles. Roles primarily function as containers for various entities that are used to control access. These entities are:

  • privileges – Predefined rights that grant access to specific functionality. Each predefined role has a single privilege assigned to it. Merchants can assign privileges to custom roles, but cannot create new privileges, or edit or delete existing privileges.
  • security criteria – Merchant-defined restrictions on the data access granted by privileges. For example, if a role has the Catalog privilege, a merchant might create a security criterion that restricts access to specific catalogs and assign the security criterion to that role, or create a separate role and assign the security criterion to it.
  • generic access rights – Merchant-defined rights that can be used to control read and write access to the properties of shopper profiles. Generic access rights are particularly useful for ensuring compliance with consumer privacy laws such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Note that although privileges and access rights are used for different purposes, privileges are treated internally as a special type of access right. So, for example, the same endpoint property is used to add privileges and access rights to a custom role. To reduce the possibility of confusion, access rights for controlling property access are referred to as generic access rights.

This chapter describes how to create and modify these elements of access control and assign them to roles. For information about assigning roles to internal users and implementing an overall access control strategy, see Understand Role-based Access Control.