You would have to create a new group, and assign these permissions to it 

Except any permission with ":admin:" part (which corresponding to Administration part in Commerce Manager) 

Then create virtual roles and assign it to your new group 

For catalog - CatalogManagers

For Marketing - MarketingManagers

Thank you for your quick response Quan!

I have created a group calls "CommerceSales" and edit in the Permission for Functions.

I am not sure if I created virtual role correctly. Would you like to check in the screenshots?

• created a VirtualRoleInitializer class
• created a virtual role "CommerceSalesRole

How do I assgin CommerceSalesRole to the new group CommerceSales?

Add these to <episerver.framework>/<virtualRoles>/<providers>

<add name="CatalogManagers" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CommerceSales" mode="Any" />
<add name="MarketingManagers" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CommerceSales" mode="Any" />

Do you know why the GetDefault is incorrect? 

Do I need to add any logic to IsInVirtualRole method?

public override bool IsInVirtualRole(IPrincipal principal, object context)
{
throw new NotImplementedException();
}

Hi

I just want to to add that there is a section in the user documentation that describes how to set up access rights to different views in Commerce. You can find it here, http://webhelp.episerver.com/latest/commerce/access-rights.htm.

Edit: There should be no need for you to create your own virtual role type. The only thing that matters is that the user is part of a role with the names that you can see in documentation above. If that is a role provided by our virtual role type mapped role, or just a role from the AD, or anywhere else, doesn't matter. The system only does an is in role check for any role by that name.

Regards

Per Gunsarfs

No, you don't have to, just add the virtual roles as I suggested.

If you want to create the virtual roles progammatically, you are doing it wrong. You would have to use context.Locate.Advanced.GetInstance<IVirtualRoleRepository>() to get an instance of the virtual role repository, and continue from there. 

Yes. I have added the virtual  roles to the web.config.

<add name="CatalogManagers" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CommerceSales" mode="Any" />
<add name="MarketingManagers" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CommerceSales" mode="Any" />

Unfortunately I still couldn't log in with the user account that I created.

Do I miss anything else? 

BR, 

ChiChing

Did you mean you can't login to CM? Did you assign core:mng:login permission to that account? 

I mean I couldn't log in to ../Util/login.aspx

Yes, I assigned core:mng:login permission to CommerceSales.

By default that path is only allowed to specific roles WebEditors, WebAdmins, Administrators. Your account was logged in successfully, but was denied access so the framework asks for login a gain.

You would have to add the roles here

<location path="episerver">
<system.web>
<httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
<pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
<controls>
<add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer.Cms.AspNet" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
</controls>
</pages>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<authorization>
<allow roles="WebEditors, WebAdmins, Administrators" />
<deny users="*" />
</authorization>

Thank you so much Quan! It works :)