AI OnAI Off

Commerce edit access not working for CommerceAdmins Role

iliyas shaikh
iliyas shaikh
Vote:
 

Hi,

We have recently migrated our CMS 11 and Commerce 13 application to CMS 12 & Commerce 14.

We are authenticating user with Auth0 and CommerceAdmins role has been added through claims. However user with CommerceAdmins roles not getting any access to  Commerce edit mode as mentioned in below article

https://support.optimizely.com/hc/en-us/articles/4413192098573-Access-rights-for-Commerce-Connect

Also previously in ASP.net MVC in webconfig we have option to provide access to certain groups/roles to location for example 

<location path="episerver/Commerce">
    <system.web>
        <authorization>
            <allow roles="Administrators, CommerceAdmins, SomeCustomeRole" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

How to achieve the same in current .net core version?

Any help with solution on CommerceAdmins Roles access and the location tag in new .net core version would be helpful!

#326305
Jul 31, 2024 12:04
Binh Nguyen Thi
Binh Nguyen Thi
Vote:
 

As same as CMS, you can set up access roles for Commerce via code in startup or in appSettings. json. The option setting name for commerce access is CommercePolicy". I do not find the document about Commerce Policy settings. Here is the detail:

#326477
Edited, Aug 03, 2024 2:38
Stefan Holm Olsen
Stefan Holm Olsen
Vote:
 

Hi Iliyas

By default, any user with CommerceAdmins claim have access to all parts of the Commerce UI. I your user do not have any access, it might not have the role claim.

Can you confirm that you user does in fact have CommerceAdmins as a claim? Hit a breakpoint in any given controller action and check that User has a claim with CommerceAdmins.

#326481
Aug 03, 2024 17:12
iliyas shaikh
iliyas shaikh
Vote:
 

Thanks Binh Nguyen Thi. Where did you find this custompolicy list? can you share the link? will check with support how to override default value.

Hi Stefan, I checked User has CommerceAdmins role. Also checkUserInRole("CommerceAdmins") and its returnoing true. As CommerceAdmins is virtual Role not default role. It needs to be i guess added as Virtual Role. Found this https://docs.developers.optimizely.com/customized-commerce/docs/authorization-and-authentication

But There is example given on how to add virtual roles and its in complete. 

#326557
Aug 05, 2024 7:35
Binh Nguyen Thi
Binh Nguyen Thi
Vote:
 

Hi,

I do not find document for Commerce Policy section. I noted by myself when looking in code core. You can override default value by setting in Startup file as following:

services.Configure<CommercePolicyOptions>(options => options.CommerceAdminRoles = new string[] { "Administrators", "CommerceAdmins", "SomeCustomeRole" });

Or in AppSettings.json as following:

"EPiServer": {
   "Commerce": {
          "CommercePolicy": {
               "CommerceAdminRoles": ["Administrators", "CommerceAdmins", "SomeCustomerRole"]
          }
    }
}
#326559
Aug 05, 2024 7:52
iliyas shaikh - Aug 05, 2024 9:14
Thanks, I'll try this with adding some custom roles
Stefan Holm Olsen
Stefan Holm Olsen
Vote:
 

If the user gets the CommerceAdmins role from Auth0, then no virtual role is needed.

Do you have claims synchronization running upon returning from Auth0 authentication? The code that is shown in "options.Events.OnSignedIn" event in the code samples.

#326561
Aug 05, 2024 8:26
iliyas shaikh - Aug 05, 2024 9:22
From Auth0 we get some client defined roles and based on that we are adding Roles in claims like WebAdmins, Administratorsand CommerceAdmins through code on OnSecurityTokenValidated event for example
((ClaimsIdentity)context.Principal.Identity).AddClaims(new Claim(ClaimTypes.Role, "CommerceAdmins));

This works for other roles like WebAdmins, Administrators but not for CommerceAdmins
Stefan Holm Olsen - Aug 05, 2024 10:02
Oh, you don’t apply the roles in Auth0? Anyway, end result will be the same.

Is there any difference between the lines that add CommerceAdmins and the other roles?
iliyas shaikh
iliyas shaikh
Vote:
 

Hi,

I am able to fix this by adding CommerceAdmins Role in EditRoles of CMSPolicy settings.

Thanks Stefan and Binh Nguyen Thi for taking out time looking into this issue. Binh Nguyen Thi thanks for details about CommercePolicy as this will help further assigning different access. Unfortunately I am not able to find more details about this policy setting on Optimizely site. I am even not able to find the link for the list of policy on website which u have shared.

#326611
Aug 06, 2024 10:17
Binh Nguyen Thi
Binh Nguyen Thi
Vote:
 

Hi,

Nice to hear that. Yeah, I cannot find any document relates to CommercePolicy. I thought that you could access to cms edit but could not access to commerce edit. If you even cannot access to cms edit then yes, we need to set access to CMS first via CmsPolicy. By default, only CmsAdmins, Administrators, CmsEditors could access to cms edit mode as this link for cms policy guide https://docs.developers.optimizely.com/content-management-system/docs/configuring-cms

#326612
Aug 06, 2024 11:09
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.