17 Configure Internal User Accounts

Each person who works with the Retail Digital Commerce tools must have a valid user account to access the system. One default Administrator account is included with your Retail Digital Commerce instance. Only administrators can create and work with user accounts.

The Administrator account allows a designated person at your organization to log in and create accounts for other users. The administrator must create an account for each internal user who needs access to the system. The materials you receive from Oracle after you subscribe to the Commerce service include instructions for creating accounts. If you need an account or need changes made to an existing account, consult the administrator at your site.

Note:

You do not have to publish new user accounts or changes you make to existing ones. Changes to details such as a user's name are available as soon as you save them. For information on when to change a user's access control, refer to Edit user profiles.

Understand Role-Based Access Control

You can control your internal user's access to specific catalogs and price groups.

You have a great deal of flexibility in setting up access control to align with the way that your business users work within your organization. You can configure access for situations where your business runs multiple country or brand sites that use different catalogs and price groups and are managed by separate teams. Or in situations where your business sells to multiple accounts, you can configure access for the teams that manage their catalogs and price groups.

You can enhance access control in these situations by creating security criteria that grant or deny the ability to update specific catalogs or price groups. By adding security criteria to roles, and then assigning the roles to your users, you can allow your users to make changes only to the catalog assets and prices for which they are authorized.

By using multiple roles, privileges and security criteria, you can provide multiple levels of access. For example, a graphic designer needs different access to the administration interface than a merchandiser who sets up catalogs. Creating specific access controls ensures that internal users have the correct access and abilities to perform their jobs effectively.

Consider Access Control Settings

When configuring access control, it's important to take the following into consideration:

1. Make sure that your access control strategy is easy to understand and easy to implement. Overly complex access control strategies will be hard to maintain as your environment grows.
2. Identify functions that the internal users perform, and what access is required. You can set up restrictions to various data or areas to the administration interface depending on the user's tasks.
3. Identify roles that the internal users can be given. For example, is the user a designer, a merchandiser or an administrator? These can all be roles that indicate the user performs a specific task. A designer does not need access to all administrative functions, but does need access to Design, Preview and Publishing areas of the administrative interface.
4. Determine if there are security criteria necessary for controlling access. For example, to limit the catalogs that a merchandiser has access to, you could create a security criterion that identifies the specific catalog. This allows the merchandiser to access only the specific catalog.
5. Create custom roles that contain security criteria created using the API, as well as privileges. For information on working with the API, refer to Implement Access Control for Internal Users.

Understand Roles

Everyone who works with the administration interface or Console must have a valid user profile to access the system. There is a single default Administrator profile included with your instance. Only administrators can create and work with user profiles. Note that you do not need to publish user profiles when you create or update them.

Each internal user is assigned a role, or multiple roles, which in turn, contains privileges. Roles can also contain security criteria and access rights. Entities within a role grant or deny access.

You must assign each user one or more roles. A role can contain privileges, security criteria and/or generic access right entities. You cannot assign one of these entities directly to a user, instead you assign a role that contains these entities. Commerce includes a set of predefined roles, each containing a single privilege. You cannot add privileges to, remove privileges from, or delete a predefined role.

Roles can determine whether to display a particular layout or content slot variant to a user. This functionality is primarily used in the Console. For additional information, refer to Work with role-based layouts. Roles can also be used to grant read or write access to a property.

The User Management area of the administration interface, which is available only to users that have the Administrator privilege, allows you to assign roles to users. Note that you cannot create or edit the contents of a role using the administration interface. To do this, you must use the Admin API, which is described in Implement Access Control for Internal Users.

Understand Privileges

Privileges grant access to areas of the administration interface or Console. For example, the Catalog privilege provides access to the Catalog area of the administration interface. A user needs at least one privilege to gain access to the administration interface. Note that privileges cannot be edited or deleted. All privileges are predefine; you cannot create a privilege.

Users can have multiple privileges across different roles. The user has all of the privileges conferred by all of their assigned roles. For example, you could assign a user a Dashboard privilege that allows access to the administration interface, as well as the Agent privilege that enables access to the Console. These privileges could be assigned to a user by means of a single role, or two roles.

The following table describes the access provided by the Retail Digital Commerce privileges. Note that these privileges, and the roles that contain them, are separate from the roles that are available for account-based storefront contacts.

Privilege	Access
Administrator	Full access to the administration interface.
CS Agent	Full access to the Console, with the exception of Manual Adjustments. Note: This privilege is available only if the Console is available in your environment.
CS Agent Supervisor	Full access to the Console. Note: This privilege is available only if the Console is available in your environment.
Account Manager	Full access to the Accounts page. Note: This feature may not be enabled in your environment, refer to Configure Business Accounts for information.
Catalog	Full access to the Catalog page (you must also assign the Media role if the user will upload images for products, SKUs, and collections).
Dashboard	Read access to the summary reports on the dashboard. The dashboard is the landing page for the administration interface that users see when they log in to Retail Digital Commerce. All of the privileges that control access to the administration interface allow the user to see the dashboard. However only Dashboard or Administrator privilege allows a user to see the summary reports. A user who can see the summary reports on the dashboard requires the Reporting or Administrator role to view the full reports.
Design	Full access to the Design page.
Marketing	Full access to the Marketing page.
Media	Full access to the Media page.
Operations	Full access to the Operations page.
Preview	Access to the Preview button.
Publishing	Full access to the Publishing page.
Reporting	Full access to the Reporting page.
Search	Full access to the Search page.
Settings	Full access to all Settings pages except Access Control, Extensions, Extension Settings, Email Settings and Web APIs (access to those settings is granted by the Administrator privilege).

Refer to Configure Business Accounts for additional information on roles for storefront contacts.

Validate of privileges and roles

The following are validations that the system performs for all privileges and roles based upon the action you perform:

• Create/Update Profile - The system validates that the profile has at least one role that contains at least one privilege
• Update Profile - The system verifies that you are not removing the Administrator privilege from yourself
• Delete Role - The system verifies that the user will still have the Administrator privilege when the role is deleted. Note that predefined roles cannot be deleted.

Understand Security Criteria

Security criteria restricts a user's ability to update specific catalogs or price groups. For example, a user with the Catalog privilege might also have a security criterion that narrows catalog access allowing the ability to update only CatalogA and no other catalogs. A user's security criteria acts as a filter that narrows the specific data accessible with their assigned privilege. Security criteria restricts update access but does not restrict read-only access.

Using security criteria is optional. You can use them to prevent certain users from updating specific catalogs or price groups. Note that to create, update or delete security criteria, add them to roles or remove them from roles, you must use the API. Refer to Implement Access Control for Internal Users for additional information on working with the APIs.

A given security criterion applies either to catalogs or to price groups. There are three types of security criteria that narrow user access:

• Grant: This grants update access to one or more specific catalogs or price groups. For example a user who has a single Grant security criteria for Catalogs A and B can update Catalogs A and B but cannot update any other catalogs.
• Deny: This denies access to one or more specific catalogs or price groups. For example, a user who has a single Deny security criteria for Catalogs C and D can update all catalogs except catalogs C and D.
• Grant None: This denies update access to all catalogs or price groups. A user with a Grant None security criteria for catalogs cannot update any catalogs.

Price group security criteria applies not only to updating the properties of a price group, but also updating all of the prices within the price group. For example, a security criterion that grants update access to PriceGroup1 allows a user to update the properties of PriceGroup1, as well as all the prices within PriceGroup1. Note that update access to each price group is independent of access to any other price group, even if you are using price group hierarchies. Anyone who has update access to the Catalog privilege, and has update access to at least one price group, can create a price group.

Catalog security criteria applies not only to updating the properties of the catalog, but also updating all of the collections, products and SKUs within the catalog. For example, a security criterion that grants update access to Catalog A also grants access to the collections, products and SKUs within Catalog A. Any user that has the Catalog privilege can create or update a product type. Similarly, any user who has the Catalog privilege, and has update access to at least one catalog, can create a catalog.

When working with catalog hierarchy and shared items, the following rules apply:

1. If you have access to at least one parent of an item, then you have access to the item. If a product is shared by two catalogs, and you have update access to one parent of the product, then you can update the product.
2. To link an item to a parent, you need access to both the item and to its destination parent.
3. To unlink an item from a parent, you need access to that parent.
4. To delete an item, you need access to all of its parents. If it has no parent, you require access to the item itself.

Note that in this case, parent indicates an immediate parent, which can be a catalog, a collection or a product.

You can create, update or delete an unassigned product or collection if you have the Catalog privilege and access to at least one catalog. You can also link unassigned collections to the catalog.

A product or collection that belongs to both an unassigned collection and an assigned collection of a catalog is subject to the rules stated earlier but without counting the unassigned collection as a parent. For example, if product P belongs to both the unassigned collection C1 and the assigned collection C2, the user must have access to C2 to update product P, even though they have access to unassigned collections.

Access to a legacy secondary catalog and access to its primary catalog are independent of one another. The primary and secondary catalogs are treated the same as any other catalogs, with respect to access control.

Access to an independent catalog automatically gives a user access to all of the filtered catalogs on which the independent catalog is based. It is also possible to give a user access to a filtered catalog, but not to its base independent catalog. The following table shows the access control rules regarding filtered catalogs and their base independent catalogs:

Capability	Available to user with access to base independent catalog?	Available to user with access to filtered catalog but not based independent catalog?
Control if a product in the base independent catalog appears by default in all filtered catalogs.	Yes	No
Determine to which catalogs a product in the base independent catalog is directly linked.	Yes	No
Determine if a product in the base independent catalog appears in the filtered catalog.	Yes	Yes
Determine if a product in the base independent catalog appears in a different filtered catalog.	Yes	No
Update any other product property for any product in the base independent catalog. This does not include the properties listed earlier.	Yes	Yes
Update a property of the filtered catalog.	Yes	Yes
Delete the filtered catalog.	Yes	Yes
Delete a product that is in the base independent catalog.	Yes, if the user has access to all of the immediate parents of the product.	No
Link or unlink a product in the base independent catalog to or from a parent collection.	Yes	No
Create a product in the base independent catalog.	Yes	No
Create any catalog, including creating a filtered catalog in any base independent catalog.	Yes	Yes
Create, update, link, unlink or delete a collection in the base independent catalog.	Yes, although link and delete actions may require access to other parent catalogs of the collection.	No
Create, update or delete SKUs under a product in the base independent catalog.	Yes	No

When working with products and media, the user needs access to a product to perform the following media-related operations:

• Add a media item to the product from the Media Library. To upload new media items to the product, the user also needs the Media privilege
• Update the product-specific override values of the properties of a media item assigned to the product. For example, Alt Text or Title
• Remove the product-specific override values of the properties of a media item assigned to the product. For example, resetting the properties to their default values
• Reorder the media items assigned to the product
• Specify which media item is the primary one for the product
• Remove a media item from the product

Access to a product's prices is controlled separately from access to the product itself. A user with the Catalog privilege can update a product's prices without having access to the product itself, as long as the user has access to the price group in which the prices reside. Access to a product does not provide access to its prices. Only access to a price group allows a user to update prices. The same applies to SKUs and their prices. Note the following:

• To create a product, or update a product that was imported without prices, a user must have access to every price group for which the includeAllProducts flag is set.
• To delete a product, a user needs access to all price groups containing prices for the product.

Security criteria apply when catalog assets and prices are imported, either using the Import function in the UI, or when a logged-in user performs a bulk import. Bulk imports performed by registered applications are not subject to security criteria. If you use catalog security criteria, it is recommended that you use APIs rather than the UI for any catalog imports. This allows you to receive information about any records that fail to import due to access restrictions.

Combine security criteria

A user can have multiple security criteria within one role, or across different roles. The following examples show the effects of having multiple security criteria:

• A user with Grant access to PriceGroup1 and PriceGroup2 can update both PriceGroup1 and PriceGroup2
• A user with Grant access to Catalog 1 and Catalog2 can update Catalog2, Catalog2, and catalog assets whose immediate parents belong to Catalog1 or Catalog2
• A user with Deny access to PriceGroup1 and PriceGroup2 cannot update PriceGroup1 or PriceGroup2
• A user with Deny access to Catalog1 and Catalog2 cannot update Catalog1, Catalog2 or any catalog assets whose immediate parents belong only to Catalog1 or Catalog2

For example, consider the following rules. Note that in each of the following rules, the assets are either catalogs or price groups:

• Grant Asset1 + Deny Asset2 = Grant Asset1
• Grant Asset1 + Deny Asset1 = Grant None
• Grant Asset1 + Deny Asset1 + Grant Asset2 + Deny Asset3 = Grant Asset2 (Grant and Deny Asset1 cancel themselves out.)
• Grant None + any other security criteria = Grant None

Understand system-generated roles

If a user with security criteria creates a catalog or price group, the system may generate a role for that user to ensure that he or she has access to the asset just created. The system-generated role contains a security criterion that grants access to the catalog or price group. If the user subsequently creates another catalog or price group, the system adds a security criterion to the role, granting access to the new asset.

System-generated roles are visible in the Advanced section of the user's details in the User Management area of the administration console. System-generated roles function the same as other roles, except that the system may keep adding security criteria.

Generic Access Rights

The access control described here does not modify existing functionality related to access rights and the property-level access control that you use to meet the requirements of the General Data Protection Regulation (GDPR). However, if you use APIs it is important to note that privileges are a type of access right. Therefore non-privilege access rights are referred to as generic access rights. If a role contains generic access rights, they are visible in the Advanced section of the role's details in the User Management area of the administration console. Refer to Refer to Implement Access Control for Internal Users for more information on using generic access rights to control access to the properties of data items.

Understand when Access Control takes Effect

Changes to the contents of a user's access takes effect as follows:

1. Changes to a user's security criteria take effect the next time the user logs in. The user's access to specific catalogs or price groups does not change during their current session
2. Changes to a user's privileges take effect immediately, whenever any aspect of the UI or functionality checks for privileges
3. Changes to a user's generic access rights take effect immediately, when the user tries to access a property that is subject to access rights

View Role Contents

All internal users must have at least one privilege, and therefore at least one role, to gain access to the administration interface.

When creating new or editing existing users, you must assign them roles. Roles can contain privileges that grants the user access to various functions. To view the available roles, use the User Management area of the administration console.

Note that roles and roles and security criteria cannot be created in the administration console, to create roles and security criteria, you must use the Admin API. For information on using the API, refer to Implement Access Control for Internal Users. In the User Management area of the administration console, you can assign roles to users and view the contents of roles.

To view a user's roles:

1. Select User Management from the administration console. This displays the User Management screen.
2. You can select a user based upon specific roles by using the All Roles dropdown and selecting or entering the roles. This will display all users that have this role. Or you can select a user alphabetically, or by whether or not they are internally or externally managed.
3. When the user's page has opened, in addition to their email and name information, you will see all of the roles associated with the user listed under the Roles section. You can add or remove roles by clicking Edit List.
4. Select the roles to add or remove.
5. Click Done to save the changes.

You can review or edit any system-generated roles using the Advanced section of the User Management page. System-generated roles are roles that the system creates for a user to ensure that they have access to any catalog or price group they may have created. The system-generated role also contains a security criterion that grants access to the catalog or price group the user created.

You can review the roles themselves by selecting the role listed next to a user's name in the User Management screen. This displays the name of the role, a description and the privileges and security criteria contained in the role. Use the Advanced button to see the any generic access rights contained in the role. Roles and security criteria can only be created using the API. Refer to Implement Access Control for Internal Users for information on working with the API for access control.

Create New User Profiles

One default Administrator profile is included with your Retail Digital Commerce instance, but you can add as many internal user profiles (including administrators) as you need.

Only administrators can create and work with user accounts.

In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), Retail Digital Commerce secures all logins to the administration interface with multi-factor strong authentication. This means that each user must enter their username and password, plus a one-time passcode, each time they log into the administration interface. See Access the Commerce administration interface to learn about setup tasks new users must perform before they can log into the administration interface for the first time.

Administrators do not assign login passwords to user profiles. Once you create a new profile, Retail Digital Commerce sends an email to the address you added to the profile. The email includes a link that the user clicks to set their password. If the link has expired when the user clicks it, Commerce displays a page where the user can request a new link.

The password must be at least eight characters long and contain at least one number, one uppercase letter, and one lowercase letter. It cannot contain the email address and cannot match any of the last four passwords.

In addition, the password is checked against a dictionary of weak passwords that Commerce maintains. If a user attempts to set a password that matches one of the entries in this dictionary, the password is rejected. The dictionary is the same one used for shopper passwords, as described in the Create a shopper profile. Note, however, that additional entries created using the updateRestrictedWords endpoint in the Admin API are applied only to shopper passwords, and not to passwords for internal users.

To create a new user profile, follow these steps:

1. Click the User Management icon.
2. Click New User.
3. Enter the information that identifies the new user and select an appropriate role. See the table that follows this procedure for information about each field.
4. Click Save.

The following table describes the properties that identify a Commerce user profile. All properties are required.

Property	Description
Email	The user’s email address. This usually functions as the username during login, and is the address where the password link is sent.
Roles	Assign one or more roles to the profile. See Understand Role-based Access Control for more information.
First Name	The user’s first name.
Last Name	The user’s last name.

Note that a user's page contains a read-only Externally Managed checkbox. This checkbox is selected by default if the user's details are managed in an external system. If a user is managed externally, the only change that can be made in User Management is the ability to identify which roles are assigned to the user.

Edit User Profiles

You can edit a profile’s first name, last name, email address, and assigned roles.

You can also reset the password for the profile and the secret key that links the profile to Oracle Mobile Authenticator.

To edit a user profile, follow these steps:

1. Click the User Management icon.
2. Click the name of the user whose profile you want to change.
3. Once you have made your changes, click Save.

To edit roles to the user profile, click Edit List under Roles. The list of assigned roles appears in the Selections pane. Search for a name or ID of a role to see it displayed in the search results. Double click on the role to add it to the selection. To delete a selection, select the X next to its name. Note that you can only create roles using the API. For information on using the API to create roles, refer to Implement Access Control for Internal Users.

The user can change the password at any time by clicking the Forgot Password? link on the administration interface login page and entering the email address associated with their profile, as described in the previous section. You can also force them to reset it.

To force a user to reset their password, follow these steps:

1. Click the User Management icon.
2. Click the name of the user.
3. Click Reset Password.
4. At the prompt, click Reset to confirm.

   Commerce sends a link to the email address associated with the user’s profile that the user can click to reset their password.

You can reset the secret key that links a user’s profile with Oracle Mobile Authenticator (OMA). You will need to reset the key if the original link in the user’s email has expired. When you reset a user’s secret key, they cannot log into the administration interface again until they reconfigure OMA as described in Add your Commerce profile to Oracle Mobile Authenticator.

To reset a user’s secret key, follow these steps:

1. Click the User Management icon.
2. Click the name of the user.
3. Click Reset Key.
4. At the prompt, click Reset to confirm.

   Commerce sends a message to the email address associated with the profile. The message includes several ways that the user can associate the new key with OMA. See Access the Commerce administration interface for more information.

Understand access control changes

Whenever you change a user's security criteria, the change occurs the next time that the user logs in. While the user is logged in, access to specific catalogs or price groups does not change.

When you change a user's privileges, the change occurs immediately, meaning any time system checks for privileges, it will retrieve the new privileges.

Deactivate and Reactivate User Profiles

You cannot delete internal user profiles but you can deactivate them.

Deactivated profiles cannot be used to access the service. Keep the following in mind before you deactivate user profiles:

• Only users with the Administrator role can deactivate and reactivate profiles.
• You cannot deactivate the last user with the Administrator privilege.
• You cannot deactivate the profile you are currently logged in with.
• You can reactivate any deactivated profile.
• Commerce does not notify users when their profiles are deactivated or reactivated.
• Deactivating a profile does not automatically expire its password or secret key.

To deactivate a user profile, follow these steps:

1. Click the User Management icon.
2. Click the name of the user whose profile you want to deactivate.
3. Click the Deactivate button.
4. Confirm that you want to deactivate the profile.

To reactivate a user profile, follow these steps:

1. Click the User Management icon.
2. Click the name of the user whose profile you want to reactivate.
3. Click the Reactivate button.
4. Confirm that you want to reactivate the profile.

Access the Retail Digital Commerce Administration Interface

All users who work in the administration interface must have an internal user profile and must understand how to log into the administration interface.

This section describes the tasks required to prepare your profile and access the administration interface:

• Understand multi-factor authentication

• Prepare to use multi-factor authentication

• Download Oracle Mobile Authenticator

• Add your Commerce profile to Oracle Mobile Authenticator

• Create your password

• Log into the Commerce administration interface

Understand Multi-Factor Authentication

Multi-factor authentication is an authentication mechanism that requires a user to present at least two of the following three types of credentials when logging into an account:

• Something you know, such as a password.
• Something you have, such as a smart card or a one-time passcode.
• Something you are, such as your fingerprint.

The Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for any user who accesses an administrative environment that handles card data. Multi-factor authentication helps keep intruders out by providing an extra layer of security when users require access to environments that contain sensitive information.

Retail Digital Commerce implements this requirement by ensuring that each internal user enters their username and password, plus a one-time passcode (generated by Oracle Mobile Authenticator) every time they log into the administration interface.

Prepare to use Multi-Factor Authentication

You will receive an automatically-generated email that contains the information you need to perform the steps to set up multi-factor authentication.

• If you are a new Retail Digital Commerce user, you will receive an automatically-generated email whose subject line is Set Up Your Retail Digital Commerce Login once a Retail Digital Commerce administrator has created your profile.
• If you are an existing Retail Digital Commerce user, you will receive an automatically-generated email with the subject line Your Retail Digital Commerce Secret Key Reset once your site has been updated to a release of Retail Digital Commerce that requires multi-factor authentication.

Your email contains the information you need to perform the following steps:

1. Download Oracle Mobile Authenticator to your iOS, Android, or Windows device.
2. Add your Retail Digital Commerce profile to Oracle Mobile Authenticator using the secret key in the email.
3. Create your password for your Retail Digital Commerce profile.
4. Log into the Commerce administration interface with your username, password, and a one-time passcode generated by Mobile Authenticator.

Keep the following information about the email in mind:

• You will receive a separate email for each of your environments and must follow this procedure for each one. For example, if you have three environments, you will need to follow the procedure three times – once for each environment – in order to access the administration interface in each environment.
• If you did not receive the automated email, check your spam or junk mail folder.

Download Oracle Mobile Authenticator

Oracle Mobile Authenticator (OMA) is a free app that generates the one-time passcodes (unique, random numbers) you enter each time you log into the Retail Digital Commerce administration interface. OMA does not require cell service or an internet connection to generate one-time passcodes.

OMA is available for Android, iOS, and Windows devices, including PCs running Windows 8.1+. The iOS app is available at the Apple app store, the Android app is available at the Google Play store, and the Windows app is available at the Microsoft store, all under the name Oracle Mobile Authenticator. Visit the appropriate app store for your device to learn about system requirements and download the app.

Download OMA to your device, launch it, and accept the end user license agreement. Then follow the instructions in Add your Commerce profile to Oracle Mobile Authenticator to link your Commerce profile to OMA.

Add your Retail Digital Commerce profile to Oracle Mobile Authenticator

After you install the Oracle Mobile Authenticator (OMA), you need to link it to your Retail Digital Commerce profile. You do this by adding your profile’s secret key to OMA. Make sure you have the email you received when your profile was created; it contains everything you need to access the Authenticator Details page, where you add your profile to OMA in one of the following ways:

Scan the QR code

Click the Create an OMA Entry link

Enter the key manually

Scan the QR code

If you are viewing the email on a device where OMA is not installed, such as your computer, you can open OMA on your mobile device and scan the QR code that you access from the email. If you are unable to successfully scan the code, see Click the Create an OMA Entry link or Enter the key manually for alternate ways to add your profile to OMA.

1. Open the OMA app on your mobile device, then tap Add Account.
2. Open the Set Up Your Retail Digital Commerce Login email and click the Oracle Mobile Authenticator Setup link to open the Authenticator Details page.
3. Scan the QR code that appears on the page using your device’s camera.

   Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

   After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

If you scan an expired QR code, Retail Digital Commerce displays an error page. Contact your Retail Digital Commerce administrator, who can reset the secret key. Once the key is reset, you will receive another email.

Now you can continue to the steps in the next section, Create your password.

Click the Create an OMA Entry link

If you are viewing the Retail Digital Commerce email on the same device where OMA is installed, you can simply click an enrollment link that opens the OMA app on your device and starts the configuration process.

1. Open the Set Up Your Retail Digital Commerce Login email on the device where OMA is installed and tap the Oracle Mobile Authenticator Setup link to open the Authenticator Details page.

2. Tap the Retail Digital Commerce link.

   Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

   After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

If you click an expired link, Retail Digital Commerce displays an error page. Contact your Retail Digital Commerce administrator, who can reset the secret key. Once the key is reset, you will receive another email.

Now you can continue to the steps in the next section, Create your password.

Enter the key manually

You can manually type or cut and paste the secret key into OMA.

To see the secret key, open the Set Up Your Retail Digital Commerce Login email and click the Oracle Mobile Authenticator Setup link to open the Authenticator Details page. The secret key is displayed at the bottom of the page.

To enter the secret key into OMA:

1. Open the OMA app on your device, then tap Add Account.

   Depending on your mobile device’s security settings, you may be prompted to enter your user name and password.

2. Tap Enter key manually.
3. Under Select Account Type, tap Oracle.
4. In the Account field, enter Commerce.
5. In the Key field, enter the secret key.
6. Tap Save.

   After configuration is complete, the passcode generator screen begins displaying one-time passcodes.

Create your Password

Administrators do not assign login passwords to new user profiles. To create a password for your new profile, open the Set Up Your Retail Digital Commerce Login email and click the Create Password link. (If the link has expired when you click it, Retail Digital Commerce displays a page where you can request a new link. You will need to supply a one-time passcode when you reset your password. See Log into the Retail Digital Commerce administration interface for more information.)

Your password must be at least eight characters long and contain at least one number, one uppercase letter, and one lowercase letter. It cannot contain your email address. The password is also checked against a list of weak passwords that Commerce maintains. If you try to create a password that matches one of the entries in this dictionary, the password is rejected.

Now you can log into Retail Digital Commerce. See Log into the Commerce administration interface for details.

Log into the Retail Digital Commerce Administration Interface

Once you have linked your Retail Digital Commerce profile to Oracle Mobile Authenticator (OMA) and created your password, you are ready to log into the administration interface.

Important:

You must generate a new one-time passcode each time you log into the administration interface. This includes logging back in if you have been automatically logged out. Retail Digital Commerce does not currently mark a device as safe or save passcodes across sessions.

To log into the administration interface, follow these steps:

1. Navigate to the Retail Digital Commerce sign in page with the URL provided to you by your administrator.
2. Enter your username and password.
3. Launch the OMA app on the device where you installed it.

   A one-time passcode appears and the countdown begins until a new passcode is automatically generated.

4. On the Retail Digital Commerce sign in page, enter the code into the One-Time Passcode box and click Log In.