Sitecore contains a number of security tools to configure authorization for roles and users on content items.
Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 distills authorization down to these simple rules:
- Business Users should only be able to view data they’re granted access to view (down to the field level)
- Business Users should only be able to edit data they’re granted access to edit (down to the field level)
- Business Users should only be able to create entities that they’re granted access to create
- Business Users should only be able to delete entities that they’ve been granted access to delete
- Business Users should only be able to perform operations that they’ve been granted access to execute
Note: Access to Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 data and operations is secure by default: unless a Business User is explicitly granted access to data or an operation, they will not be allowed to manipulate that data or perform the operation.
Note: Security administrators should assign access rights by role, not at the individual user level. While user-level authorization is supported, it makes management of access rights more difficult.
Important: Administrators need to manage and coordinate authorization within Sitecore and AzMan. These authorization rights are managed independently and are not synchronized between the two systems in any way.
Inheritance in Sitecore
Sitecore supports inheritance as part of its security model. This allows an administrator to apply access rights to an item in the content tree and have those access rights applied to all of its child items. This is predicated on the assumption that every item in Sitecore has exactly ONE parent item. Since a category or product may be contained by many categories, a Commerce item can have MULTIPLE parents.
When evaluating whether a user has an access right on an item, Sitecore recurses backward up the tree, checking whether a parent item has an access right that should be inherited by the child item. Since a Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 item can have multiple parents, it is possible that the item has been granted an access right in one category and not in another. This can cause a user to lose rights to a content item even though they should have them.
The rules to evaluate parent items with Sitecore Commerce 7.5, powered by Commerce Server and Commerce Server 11.1 data are:
- If the category has a primary parent category assigned, Sitecore authorization checks recurse parents starting from the primary parent category.
- If the category does not have a primary parent category, the first parent category assigned to the category is used.
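The following is an added, constructed model of the two rules above together with the default-deny rule from the start of the page; it is not Sitecore or Commerce Server code. Item names (Catalog, Shoes, Clearance, Sneaker), the role name "merchandiser" and the right name "field:Price:write" are invented for illustration. It shows how a product contained by two categories can lose a right that was granted on one of them when no primary parent is assigned, and how assigning the primary parent restores it.

```python
# Constructed model of the authorization rules described on this page (added example,
# not Sitecore code). Item, role and right names are invented for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALLOW, DENY, INHERIT = "allow", "deny", "inherit"


@dataclass
class Item:
    name: str
    parents: List[str] = field(default_factory=list)      # containing categories, in assignment order
    primary_parent: Optional[str] = None                  # the one parent that inheritance follows
    # rights[role][right] is ALLOW or DENY; a missing entry means "inherit from the parent"
    rights: Dict[str, Dict[str, str]] = field(default_factory=dict)


def effective_parent(item: Item) -> Optional[str]:
    """Parent-selection rule from the text: the primary parent category if one is
    assigned, otherwise the first parent category that was assigned to the item."""
    if item.primary_parent is not None:
        return item.primary_parent
    return item.parents[0] if item.parents else None


def has_right(tree: Dict[str, Item], item_name: str, role: str, right: str) -> bool:
    """Recurse up the effective-parent chain. The nearest explicit ALLOW/DENY wins;
    if nothing explicit is found anywhere on the chain, the answer is deny
    (secure by default)."""
    seen: Set[str] = set()
    current: Optional[str] = item_name
    while current is not None and current not in seen:
        seen.add(current)              # guard against a cycle in a many-to-many catalog
        item = tree[current]
        setting = item.rights.get(role, {}).get(right, INHERIT)
        if setting != INHERIT:
            return setting == ALLOW
        current = effective_parent(item)
    return False


def build_sample_catalog(primary_parent: Optional[str]) -> Dict[str, Item]:
    """Constructed catalog: one product contained by two categories. Only 'Shoes'
    grants the merchandiser role field-level write access to the Price field."""
    return {
        "Catalog": Item("Catalog"),
        "Shoes": Item("Shoes", parents=["Catalog"],
                      rights={"merchandiser": {"field:Price:write": ALLOW}}),
        "Clearance": Item("Clearance", parents=["Catalog"]),
        "Sneaker": Item("Sneaker", parents=["Clearance", "Shoes"],
                        primary_parent=primary_parent),
    }


def merchandiser_can_edit_price(primary_parent: Optional[str]) -> bool:
    tree = build_sample_catalog(primary_parent)
    return has_right(tree, "Sneaker", "merchandiser", "field:Price:write")


if __name__ == "__main__":
    # No primary parent: the first assigned parent (Clearance) is followed, so the
    # grant on Shoes is never seen and the merchandiser loses the right.
    print(merchandiser_can_edit_price(None))        # False
    # Primary parent set to Shoes: the grant is found on the way up.
    print(merchandiser_can_edit_price("Shoes"))     # True
    # A role with no grant anywhere on the chain is denied by default.
    print(has_right(build_sample_catalog("Shoes"), "Sneaker", "reviewer", "field:Price:write"))  # False
```

The walk stops at the first explicit setting it meets, which is what makes the choice of parent matter: a grant that exists only on a parent the walk never visits has no effect, and the user is denied as if no grant existed.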
Note: The Sitecore Access Viewer is a useful tool to determine whether access rights are assigned at the right location in the content tree.
Note: Business Tools checks access to the Sitecore Media Library when attempting to assign or update media assets on categories, products and variants.
Assigning Security Rights for Content Items
Content items inherit Standard Values from their data templates. If a field in a content item breaks inheritance, it can be reset through the Content Editor. You will need to do this if you:
- Change the security rights on a content item in the Content Editor (and thereby break inheritance).
- Subsequently change the access rights on the standard values of the data template for that content item.