Member subsystem roles
WebSphere Commerce defines a default set of roles that govern what a user is allowed to access in the system. In the access control system, policies are typically set up so that each role has access to a specified set of actions, such as executing commands and views or displaying data beans. Roles can be assigned to users and organizational entities.
- A user that has a role in a particular organization would be allowed to perform certain actions on assets that are owned by that organization.
- Roles in WebSphere Commerce are always assigned in the context of an organizational entity.
- Role assignment is hierarchical in nature, so that a user that has a role for an organization can also perform actions on assets that are owned by that organization's descendant organizations.
- Users can have roles in their own parent organization or in other organizations as well.
- Roles are assigned to an organization to indicate which roles users can have for that organization. Note that an organization can only have roles that its parent organization supports.
- For example, user X that belongs to organization Y can have a role in another organization, Z. Specifically, user X can have any role in organization Z that organization Z supports.
Role assignment data is stored in the MBRROLE table.
The WebSphere Commerce system provides a default set of roles for the following groups:
- Customer service roles
- Marketing roles
- Operational roles
- Product management and merchandising roles
- Technical operations roles
- Supplemental roles
The Registered Customer role is a special role that customers receive in the store's organization when they register. Use MemberRegistrationAttributes.xml to configure what other roles are assigned to users during registration and what roles are assigned to new organizations.
By default, only users with specific roles are authorized to perform role assignment, as follows:
- Site Administrator is the only role that has the authority to create roles, and to assign or unassign roles to and from all users or organizational entities. Roles can be added, but to maintain the access control that roles define, they cannot be removed or renamed.
- A Seller Administrator or Buyer Administrator has the authority to do the following:
  - Assign or unassign roles to the organizational entity for which they are the Seller Administrator or Buyer Administrator, and to organizational entities below that organizational entity. However, the organizational entity for which the administrator performs the assignment or unassignment must not be the administrator's parent or ancestor in the membership hierarchy.
  - Assign or unassign roles to users who belong to the organizational entity for which they are the Seller Administrator or Buyer Administrator, or who belong to the organizational entities below this organizational entity.
  - Assign roles to themselves.
- An organizational entity can only be assigned roles which its parent organizational entity has been assigned.
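The rules above (a role held for an organization also applies to its descendants, and an organization or user can only hold roles the relevant organization supports) can be checked when auditing role assignments. The following is an added example, not WebSphere Commerce code: the organization names, users and rows are constructed, and the data structures are a simplified model rather than the real MBRROLE or ROLE schema.

```python
# Simplified model of the role rules on this page. All names and rows are
# constructed for illustration; this is not the real MBRROLE/ROLE schema.
PARENT = {"Root": None, "Seller": "Root", "StoreA": "Seller", "Buyer": "Root"}

# Roles each organizational entity has been assigned (the roles it supports).
ORG_ROLES = {
    "Root": {"Site Administrator", "Seller Administrator", "Buyer Administrator",
             "Customer Service Representative", "Registered Customer"},
    "Seller": {"Seller Administrator", "Customer Service Representative"},
    "StoreA": {"Customer Service Representative", "Registered Customer"},
    "Buyer": {"Buyer Administrator"},
}

# One (user, role, organization) row per user role assignment.
USER_ROLES = [
    ("alice", "Seller Administrator", "Seller"),
    ("bob", "Customer Service Representative", "StoreA"),
    ("carol", "Seller Administrator", "Buyer"),
]

def ancestors(org):
    """Return org followed by its ancestors, up to the root organization."""
    chain = []
    while org is not None:
        chain.append(org)
        org = PARENT[org]
    return chain

def has_role(user, role, org):
    """True if the user holds the role for org or for any ancestor of org."""
    scope = set(ancestors(org))
    return any(u == user and r == role and o in scope for u, r, o in USER_ROLES)

def unsupported_org_roles():
    """Audit: roles assigned to an organization that its parent does not have."""
    return sorted((org, role) for org, roles in ORG_ROLES.items()
                  if PARENT[org] is not None
                  for role in roles - ORG_ROLES[PARENT[org]])

def unsupported_user_roles():
    """Audit: user role rows whose organization does not support that role."""
    return [row for row in USER_ROLES if row[1] not in ORG_ROLES[row[2]]]
```

Both audit functions return an empty list when the assignments are consistent with the rules; any row they return is an assignment to review.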
Every user in the Member subsystem has an attribute called RegisterType, which can have one of the following values:
| RegisterType | Description |
| --- | --- |
| S | User has been assigned the Site Administrator role. |
| A | User has been assigned certain roles within the Seller organization, such as Operations Manager, Customer Service Representative, or Seller Administrator. A default implicit member group called Administrators is shipped with WebSphere Commerce with the preceding list of roles defined as criteria. |
| R | Registered customer. A customer who has registered and provided WebSphere Commerce with some profile data. |
| G | Guest customer. A customer who has not registered. |

During role assignment and unassignment, if the role being assigned or unassigned is an administrative role, the value of RegisterType will be set accordingly to maintain consistency.
The values of 'S' and 'A' are role-related while the values of 'R' and 'G' are related to whether or not the user has registered. Although 'S' and 'A' are supported as valid values for RegisterType, they are deprecated and separated from RegisterType and are values of a different attribute. Consequently, code should not be written to depend on 'S' or 'A' being the value of the RegisterType attribute. If code needs to be written to examine the role or registration type of a user, such code should be replaced by access control policies or written to use appropriate APIs instead.
All roles are defined in the ROLE table, and are automatically assigned to the Root Organization. The MBRROLE table contains role assignment information for users and organizational entities. In addition, the MBRGRP and MBRGRPCOND database tables store other role-related information.