Today I am going to explain the security profiles and access rights available within Sitecore OrderCloud.
Sitecore OrderCloud is a cloud-based e-commerce platform that enables businesses to create and manage the online marketplace, manage customer data, and processes online transactions. Security profiles and access rights are crucial components of Sitecore OrderCloud as they help to ensure the security and integrity of the platform.
Security profiles in Sitecore OrderCloud are used to define the permissions and access rights for users or groups of users called user groups. Each security profile contains a set of permissions that determine what actions the users can perform within the system. These permissions can include reading, writing, creating, updating, deleting, and managing access to specific resources, such as products, orders, customers, and suppliers.
In Sitecore OrderCloud security profiles are groups of roles that define a user's permissions and the specific endpoints the user can access. Businesses protect the data of their marketplaces by assigning certain security roles to users and user groups.
Access rights in Sitecore OrderCloud are controlled through a combination of security profiles and roles. Roles are used to group users with similar responsibilities and interests, while security profiles define the permissions and access rights for those roles. For example, a user in a supplier's role might have a security profile that allows them to create and edit products, while a user in a buyer's role might have a security profile that allows them to view and edit orders and personal details.
Monitoring and updating security profiles and access rights on a regular basis is crucial to maintaining Sitecore OrderCloud's security. This entails continuously examining and revising user roles and permissions and making sure access is only given to those who need it.
Sitecore OrderCloud adds additional security capabilities, such as two-factor authentication, SSL encryption, and IP limitations, in addition to security profiles and access, to further safeguard the platform and its users.
Some key points provided by Sitecore on security roles and access are:
1. Reader and Admin roles are the most common categories in Sitecore OrderCloud.
2. The Shopper role provides users with minimum access to the shop.
3. Buyers will need to write access to certain /me endpoints to manage their personal data. For example, a marketplace administrator should assign /MeAddressAdmin to buyers so they can create, edit, and delete any of their address information.
4. Certain users might need to be assigned to the override roles to update an order's information. A specific instance is when a user with the /OverrideTax role can update the tax cost on orders.
5. Custom roles do not grant access to any API functionality. However, you can use them to control access to app-specific features.
References
Security Profiles - https://ordercloud.io/knowledge-base/security-profiles
Security in Sitecore OrderCloud and Access Tokens - https://ivanbrygar.com/2022/01/06/security-in-sitecore-order-cloud-and-access-token