Hi,
Unfortunately, all APIs with base path "/csr/api" require the roles "CommerceAdmins, CustomerServiceRepresentatives" except "/csr/api/ColumnSettings/". This "/csr/api/ColumnSettings/" requires the Customers policy. It means a user needs to belong to CustomerManagers as well by default to get full access to Order Management, or you can update CustomersRoles like this:
services.Configure<CommercePolicyOptions>(options => options.CustomersRoles = new string[] { "Administrators", "CommerceAdmins", "CustomerManagers", "YourSomeCustomeRole" });
That works, Binh Nguyen Thi, but the user also got access to the Customers tab, which ideally a user with the CatalogManagers & CustomerServiceRepresentatives roles should not get. Any idea how to fix it without giving access to the Customers tab?
Hi,
I am afraid that there is no other way. The column settings API requires Customers access, which means that if we change it to allow access to column settings, then the users could access the Customers tab as well. They are using the same Customers authorization policy.
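The trade-off described in the two replies above, as an added example that is not part of the original posts and not Optimizely's code: a small Python model of the two role checks, showing what a change to CustomersRoles unlocks for a given user. The default Customers role list (taken from the snippet minus the custom role) and the `customers-tab` label are assumptions.

```python
# Added illustration: a model of the role checks described in this thread,
# not Optimizely's implementation.
CSR_ROLES = {"CommerceAdmins", "CustomerServiceRepresentatives"}  # from the thread
# Assumed default: the roles in the thread's snippet minus the custom one.
DEFAULT_CUSTOMERS_ROLES = {"Administrators", "CommerceAdmins", "CustomerManagers"}

# Surface -> policy guarding it. "customers-tab" is a label used here for the
# Customers tab; the paths are the ones quoted in the thread.
SURFACES = {
    "/csr/api/ColumnSettings/ExtendedColumns": "customers",
    "/csr/api/countries": "csr",
    "/csr/api/markets": "csr",
    "/csr/api/orderstatuses": "csr",
    "customers-tab": "customers",
}


def allowed(user_roles, customers_roles=DEFAULT_CUSTOMERS_ROLES):
    """Return the surfaces a user holding user_roles can reach."""
    policies = {"csr": CSR_ROLES, "customers": set(customers_roles)}
    return {s for s, p in SURFACES.items() if set(user_roles) & policies[p]}


def newly_granted(user_roles, new_customers_roles):
    """Surfaces unlocked for this user by changing CustomersRoles."""
    return allowed(user_roles, new_customers_roles) - allowed(user_roles)


if __name__ == "__main__":
    user = {"CatalogManagers", "CustomerServiceRepresentatives"}
    print("before the change:", sorted(allowed(user)))
    widened = DEFAULT_CUSTOMERS_ROLES | {"CustomerServiceRepresentatives"}
    # Both the column settings API and the Customers tab appear here,
    # because one policy guards both.
    print("unlocked by the change:", sorted(newly_granted(user, widened)))
```

Running `newly_granted` against a proposed role list before deploying it shows every surface the shared policy opens, not only the one the change was meant to fix.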
I am facing this issue on Commerce version 14.24. I am logged in with Auth0 authentication, with the CatalogManagers & CustomerServiceRepresentatives roles assigned to the user in claims. According to the roles, the user is getting access to the Catalog & Order Management tabs. The issue is with Order Management, where I can see blank data.
However, when checking the network tab, I found that one of the API calls is giving an Access Denied error.
API calls which are returning the access denied error for the CustomerServiceRepresentatives role:
Cart Tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=ShoppingCart
Orders tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=PurchaseOrder
Subscription tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=PaymentPlan
Also, I noticed that the other “csr/api” APIs work fine for the CustomerServiceRepresentatives role, for example:
https://localhost:44323/csr/api/countries
https://localhost:44323/csr/api/markets
https://localhost:44323/csr/api/shippingMethods
https://localhost:44323/csr/api/orderstatuses
https://localhost:44323/csr/api/shipmentstatuses/
https://localhost:44323/csr/api/extensions
https://localhost:44323/csr/api/customers/iscustomerexisted
https://localhost:44323/csr/api/sites
Note: It works for a user with the Admins role, which means there is some issue with the CustomerServiceRepresentatives role.
Are there any settings required in appsettings, or any code to add in startup.cs, to allow access to all csr/api calls for CustomerServiceRepresentatives or other custom roles?
I guess this csr/api belongs to the Episerver.Commerce.UI.CustomerService package, and we are using version 14.24.0.