With the introduction of Experience Commerce (XC) 9.0.2 we’ve extended the Security roles available to restrict the actions that your merchandisers & marketers can complete in the Commerce Business Tools.
Once you install XC 9.0.2, if you take a look into one of the engine instances you’ll see a new configuration JSON file called PlugIn.AccessByRoles.PolicySet-1.0.0.json, which is where the new roles and the functions they restrict are configured. All in all we now have 8 commerce-specific roles in the system:
These are each used to restrict different features and functions within the Commerce Business Tools. You can see what functionality each of these roles enables in the following table:
View Pricing Dashboard, Add Price Book, Request Snapshot Approval.
Reject Snapshot, Retract Snapshot, Approve Snapshot.
View Promotions Dashboard, Add Coupon, Add Promotion Book, Request Promotion Approval.
Reject Promotion, Approve Promotion, Retract Promotion, Disable Promotion.
View Composer Dashboard, Edit View, Remove View, Make Template, Add Property, Remove Property, Add Min Max Property Constraint, Add Selection Option Property Constraint, Add Child View, Add Child View From Template, Clear Templates, Remove Template, Manage Template Tags, Link Template To Entities
View Merchandising Dashboard, View Inventory Dashboard, Add Catalog, Add Inventory Set, Associate Entity, Disassociate Entity, Add Entity Version, Promote To Next State
sitecore\Customer Service Representative: View Customers Dashboard, View Orders Dashboard, View Orders List, Add Customer
View Relationships Dashboard, View Relationship Definitions, Add Relationship Definition
As you can see, the list is fairly comprehensive, but these roles don’t have to be assigned to different users if your business doesn’t require it; you can tailor the assignments to match your specific needs. In your instance it might be the same user who both creates and approves Promotions, for example, so you would assign them both the sitecore\Promotioner and the sitecore\Promotioner Manager roles. Or maybe you have two different people responsible for pricing, with one user creating the data and another approving the changes. In this case you would assign the sitecore\Pricer role to the user creating the pricing data and the sitecore\Pricer Manager role to the user responsible for approving it.
The final, very important thing to remember with these security settings is that, as with the security settings, if you are logged in as a user that is set up as an Administrator then you will bypass all of this security and have complete access to the system. We do not recommend using any Administrator-level accounts in production for day-to-day activities. You should instead control access using the roles defined above.
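One way to review the assignments described above, as an added example (not Sitecore code and not from the original post): a Python audit that lists Administrator accounts, users who can both create and approve, and creator roles that have no approver. The export shape, the `is_admin` flag and the user names are assumptions, and the sample data is constructed.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject detail")

# Creator/approver role pairs named in the article.
MAKER_CHECKER = [
    ("sitecore\\Pricer", "sitecore\\Pricer Manager"),
    ("sitecore\\Promotioner", "sitecore\\Promotioner Manager"),
]

# Constructed sample export (assumed shape): user -> (is_admin, assigned roles).
SAMPLE_USERS = {
    "sitecore\\alice": (False, ["sitecore\\Pricer"]),
    "sitecore\\bob": (False, ["sitecore\\Pricer Manager"]),
    "sitecore\\carol": (False, ["sitecore\\Promotioner",
                                "sitecore\\Promotioner Manager"]),
    "sitecore\\dave": (True, []),
    "sitecore\\erin": (False, ["sitecore\\Customer Service Representative"]),
}


def audit(users):
    """Return findings for admin accounts and creator/approver overlaps."""
    findings = []
    held = {}  # case-folded role name -> set of non-admin users holding it
    for name, (is_admin, roles) in sorted(users.items()):
        if is_admin:
            # Administrators bypass the role checks, so their roles are moot.
            findings.append(Finding("admin-bypass", name,
                                    "bypasses all commerce role restrictions"))
            continue
        for role in roles:
            held.setdefault(role.casefold(), set()).add(name)
    for maker, checker in MAKER_CHECKER:
        makers = held.get(maker.casefold(), set())
        checkers = held.get(checker.casefold(), set())
        # Same user creates and approves: fine if intended, but worth listing.
        for name in sorted(makers & checkers):
            findings.append(Finding("creates-and-approves", name,
                                    f"{maker} + {checker}"))
        # Creators exist but nobody below Administrator can approve their work.
        if makers and not checkers:
            findings.append(Finding("no-approver", maker,
                                    f"no user holds {checker}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f"{f.kind:22} {f.subject:28} {f.detail}")
```

A `creates-and-approves` finding is not necessarily a problem, since the article allows one user to hold both roles; the report only makes that choice visible for review.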