Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more
Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more
This topic describes the authentication and authorization model in Episerver Commerce. The authentication and authorization system uses the default membership and role system in ASP.NET. Configuration of membership and role providers is done in web.config file for the website. The Episerver Commerce sample site has a number of predefined users, groups and roles, both for managing editorial content and for administering the e-commerce tasks.
Authentication and authorization is used by the system to identify users and user groups, and determining what they are allowed to do. These are some common terms used in this context:
When you administer access rights, use the following distinct components that are tied loosely together.
An ACL is simply a list of SecurityEntity classes and an access level. The security entity is a name and information stating if the name represents a role or a user. When you have a security entity in an ACL, it is not affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role is still displayed in the ACL. Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider lets you modify the user database, but the Windows membership provider does not.
In addition to the default EPiServer groups (WebAdmins, WebEditors etc.), Commerce has a set of specific virtual roles that can be used for controlling access to parts of the user interface.
These virtual roles are configured in EPiServerFramework.config, for example:
<add name="CommerceAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
Last updated: Oct 12, 2015