CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
cuikenjian
Product and Topic Expert

SAP Commerce Cloud's Backoffice accessibility control differs from the conventional access management implemented in the platform module. In this blog post, I'll delve into how to restrict access to a widget in Backoffice using a custom Backoffice role, offering a simple and effective example.

To start, let’s look at the fundamentals of a Backoffice Role:

  1. It is implemented as a subtype of UserGroup.
  2. It carries an 'authorities' attribute, a list of Strings, each representing a unique authority right. This is why it is also called the “Authority Group”.

To limit access to any widget instance in Backoffice, the following steps can be taken:

  1. In any widget instance, select the 'access' attribute to specify a predefined or custom authority right.
  2. Create a Backoffice Role using a list of authorities that includes the one specified above.
  3. Assign the Backoffice Role to an existing or custom user so that they can gain access to the assigned authority right.
  4. When the user logs into Backoffice, they will be able to access the specified widget.

Let's unpack these steps further using a simple example, illustrating the method of restricting access to a custom-made Backoffice cockpit with an individual Backoffice role.

1. Restrict a Custom Cockpit with 'access'

For starters, I need to prepare a custom Backoffice cockpit. I can log into Backoffice as admin and enter the Application Orchestrator (AO) mode by pressing F4. In the Backoffice Perspective Container widget, I can add a new cockpit using the BorderLayout Widget.


After the new cockpit is created, I'll edit it and name it “demoCockpit”.


Upon exiting AO mode, I'll find the newly created cockpit visible on the interface.


Now I'll impose access restrictions on "demoCockpit". I simply return to AO mode and edit its settings. There I can find an 'access' tab, into which I can enter the term "viewDemoCockpit" as the authority right. This grants Backoffice users with the "viewDemoCockpit" authority right the ability to view "demoCockpit".


Please note that if multiple authority rights are specified in the field, it indicates an "any" situation. This means that a user with any one of the listed authority rights can access this cockpit.

Now I exit AO mode again and notice that the demoCockpit is no longer visible, even to the admin user.

As a better practice, instead of doing all the steps described above, I can create a new Backoffice extension with the yBackoffice template and simply add a few lines of code to <mybackoffice>-backoffice-widgets.xml:

<widget-extension widgetId="backofficeMainSlot">
	<widget id="demoCockpit"
		widgetDefinitionId="com.hybris.cockpitng.borderlayout"
		slotId="perspectives" title="demo Cockpit" template="false"
		access="viewDemoCockpit">
	</widget>
</widget-extension>

 

Then I'll rebuild my Commerce Cloud system including the newly created extension, and reset widgets.xml in AO mode so that the setting above is loaded.

2. Create a Backoffice Role

The next step involves creating a new Backoffice role with the specified authority right. I can easily navigate to User | user groups to create a new Backoffice Role:


I'll name it "demoBackofficeRole" and hit "Finish" to create it:


I'll find the newly created Backoffice role and edit it, then switch to the administration tab to find the "Authorities" attribute:


I'll add a new authority right with the value "viewDemoCockpit", which was specified before in the custom demoCockpit widget:


I can certainly add more authority rights; users with the Backoffice Role then have access to all the authority rights mentioned in the "Authorities" list.

3. Assign a User to the Backoffice Role and Verify the Backoffice Access Restriction

Now, I can create a new user, e.g. under User | Employees:


I'll type “testUser” as the ID/name, and assign the user to the "demoBackofficeRole".


With the Backoffice Role assignment, the user is granted the right "viewDemoCockpit" specified before. Don't forget to set a password for the user and enable Backoffice login (in the administration tab of the user).

Let's verify everything together. I'll log out of Backoffice as admin and log back in as testUser. There you go: I can see the demoCockpit now, even though admin can't see it.
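
The access model walked through above, as an added example (not code from the original post or from SAP Commerce Cloud): a Python model that parses a widgets.xml-style file, resolves a user's authorities through Backoffice roles, and reports which widgets each user can see and which carry no 'access' restriction at all. The comma separator for multiple authorities, the rule that a hidden parent also hides its children, and the names otherCockpit, demoChild, adminRole and adminAuthority are assumptions; the sample XML and role data are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's demoCockpit plus hypothetical child and unrestricted widgets.
WIDGETS_XML = """<widgets>
  <widget-extension widgetId="backofficeMainSlot">
    <widget id="demoCockpit" widgetDefinitionId="com.hybris.cockpitng.borderlayout"
            slotId="perspectives" title="demo Cockpit" template="false"
            access="viewDemoCockpit">
      <widget id="demoChild" widgetDefinitionId="example.child" slotId="center"/>
    </widget>
    <widget id="otherCockpit" widgetDefinitionId="com.hybris.cockpitng.borderlayout"
            slotId="perspectives" title="other Cockpit" template="false"/>
  </widget-extension>
</widgets>"""

# Constructed role/user data mirroring the walkthrough; adminRole is hypothetical.
ROLE_AUTHORITIES = {"demoBackofficeRole": ["viewDemoCockpit"], "adminRole": ["adminAuthority"]}
USER_ROLES = {"testUser": ["demoBackofficeRole"], "admin": ["adminRole"]}

def authorities_of(user):
    """Union of the 'authorities' lists of every Backoffice role the user holds."""
    return {a for r in USER_ROLES.get(user, []) for a in ROLE_AUTHORITIES.get(r, [])}

def parse_access(value):
    """Split an 'access' value into authority names (comma separator is an assumption)."""
    return {a.strip() for a in (value or "").split(",") if a.strip()}

def walk(node, inherited=()):
    """Yield (widget id, own access set, ancestors' access sets) for every widget."""
    for child in node:
        own = parse_access(child.get("access"))  # empty set means no restriction
        if child.tag == "widget":
            yield child.get("id"), own, list(inherited)
        yield from walk(child, list(inherited) + [own])

def visible_widgets(user, xml_text=WIDGETS_XML):
    """Visible = user holds ANY authority of each restricted widget on the path."""
    held = authorities_of(user)
    return [wid for wid, own, chain in walk(ET.fromstring(xml_text))
            if all(not req or req & held for req in chain + [own])]

def unrestricted_widgets(xml_text=WIDGETS_XML):
    """Widgets with no 'access' on themselves or any ancestor: open to all users."""
    return [wid for wid, own, chain in walk(ET.fromstring(xml_text))
            if not own and not any(chain)]

if __name__ == "__main__":
    print({u: visible_widgets(u) for u in USER_ROLES}, unrestricted_widgets())
```

Running the same functions over a project's own widgets file gives a quick list of widgets that have no 'access' attribute and are therefore not limited by any Backoffice role.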


Perhaps you have also noticed that the testUser can see other cockpits in the Backoffice. What if you want to restrict the view for the testUser? No problem! You can control the context of the "perspective-chooser" component in order to limit the visibility of cockpits for all users with the authority of "viewDemoCockpit":

<context component="perspective-chooser">
	<y:perspective-chooser xmlns:y="http://www.hybris.com/cockpitng/config/perspectiveChooser">
		<y:authority name="viewDemoCockpit">
			<y:perspective id="demoCockpit"/>
		</y:authority>
	</y:perspective-chooser>
</context>

I can open the <mybackoffice>-backoffice-config.xml file and insert the above code. Then I'll log into Backoffice as admin again, enter AO mode and perform a reset on the "cockpit-config.xml" file, so that the changes take effect and the testUser with the "viewDemoCockpit" authority will only be able to see the "demoCockpit" in Backoffice.

By following these straightforward steps, I can restrict access to any widget in Backoffice using custom Backoffice roles. While I've demonstrated only the basics of this process, you can delve deeper into advanced features with the help portal documentation: Business Roles in Backoffice.

As an important alternative, you could also consider enlisting in our expert deep dive live session on "Introducing Backoffice Access Management in SAP Commerce Cloud" to get live demos and comprehensive explanations from our team.

Here's looking forward to our next live sessions on optimal usage of the SAP Commerce Cloud platform. Remember, there are other Expert Deep Dive Live Sessions to help you unlock the full potential of SAP Commerce Cloud! (e.g., Integration API module, Dynatrace, Composable Storefront, Scripting Support, Hot Folders, Interceptors, etc.) See you soon!