1. Implementing Buying Experience
  2. Manage Data Security Using Roles

Manage Data Security Using Roles

You can use the security mechanisms such as role-based user access controls and anonymity to help protect data. The data can come from internal users and your customers, such as user credentials or account information.

You use predefined roles and REST APIs to access your data. Buying REST APIs are of these categories:

  • Generic entities. These entities include ProductOfferings and ProductSpecifications. Any user can access these entities.

  • Anonymous entities. These entities include ShoppingCart for anonymous users. Only anonymous users can access these entities. However, once this entity is associated with a subscriber account, only that subscriber can access this entity as an authenticated user.

  • User-specific entities. These entities are subscriber-specific and include Party, Customer, PartyAccount, ShoppingCart, ProductOrder, and Assets. Only authenticated users with appropriate job roles can access these entities. For example, Subscriber 1 can't access the entities of Subscriber 2.

Here's the list of REST API entities with the corresponding data privileges for predefined roles.

REST Entity

Job Role

 Privilege Description
  • ProductOffering

  • Anonymous

  • Subscriber

  • Support Specialist
  • GET

Can retrieve or view product offers.

  • Anonymous ShoppingCart
  • Anonymous

  • GET

  • POST

  • PATCH

 Can view, create, or update anonymous shopping carts.

  • Individual

  • Customer

  • PartyAccount

  • Subscriber ShoppingCart

  • ProductOrder

  • Product(Asset)

  • Agreement

  • Quote

  • Promotion

  • Document

  • Anonymous (applicable only for the individual entity)

  • Subscriber

  • Support Specialist

  • GET

  • POST

  • PATCH

 Can view, create, or update different type of accounts, subscriber's shopping carts, orders, assets, and agreements.
  • Bulk Job
 Bulk Job Administrator

  • GET

  • POST

  • PATCH

 Can view, create, or update bulk jobs for performing bulk operations on product orders.
  • Configuration
 Back Office Specialist

  • GET

  • PATCH

 Can view or update the configurations.
  • TmfSpecs
  • ReferenceFields
  • Mappings
  • Template

Contract Administrator

  • GET

  • POST

  • PATCH

Can view, create or update placeholder mappings and templates.
  • Channel
  • Store
  • Inventory

Inventory Management Specialist
  • GET
  • POST
  • PATCH
  • PUT

Can view, create, or update channels, stores, and inventory.

Here are a few things to know while working with REST entities:

  • A subscriber can't view other subscribers' offers.

  • A support specialist can view or manage all the subscribers REST entities.

  • A subscriber can access the following REST entities that are created by a support specialist:

    • Party

    • Customer

    • Party Account

    • Shopping Cart

    • Product Order

  • In an account hierarchy, a parent can place an order for a child. A parent can also view or manage child's REST entities. But the child can't view or manage parent's REST entities.

  • A subscriber can't view or update another subscriber's REST entities.

Related Topics