As long as you are running the latest version of Episerver Commerce then you can set permissions to catalog nodes up using normal roles you set up in admin mode. Catalog permissons were first introduced in Episerver Commerce v11.6.0.

See here for more information: http://webhelp.episerver.com/latest/commerce/access-rights.htm and search for "Controlling access to catalogs and categories". The important part is setting the Visible to property on the catalog node:

David

Ps this post also explains the feature https://world.episerver.com/blogs/Quan-Mai/Dates/2017/12/catalog-content-permission-handling 

Thanks for the information. Is the same applicable of products under it or just for catalog nodes.

It’s just for catalog nodes.

The entries (products, variants...) will inherit the permission settings of their true parent category (non linked ones). We might add specific settings for entries in the future if there are enough requests for it

Old thread, but hopefully someone is still here :)

I'm not getting inheritance to work. Products, bundles and variants are still visible to everyone when I change the settings on the catalog they have as primary, which I'm guessing is the "true parent". Is this not what "true parent" is or is there some other setting that I'm missing? Or is it not working like this anymore? (Commerce 13)

It's category, not catalog. Note that it depends on the code you are using to filter the content. If you want to hide those entries, you have to use FilterForVisitor() 

Sorry, I ment Category not Catalog. On my Category I have Visible to Restricted:

On my bundle/product/variant it still says Visible to Everyone:

Or is it just the UI that is not correct? 

It is actually just the UI that is confusing. The access rights are correct!

I see. Actually that is a "missing feature" that we did not implement (went with MVP approach). It might be fixed in the future, but I won't bet on it. The filtering at API level should still work, though