Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.Visit new site

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Role-Based Security in the Commerce Manager

Role-Based Security in the Commerce Manager


Each plugin must extend the "authorizations" extension point defined in the RCP Core plugin, to define the list of permissions that the plugin will use for filtering or modifying the UI based upon the current user's assigned permissions.

Extending the authorizations extension point

Every plugin must maintain a list of all the permissions that it knows about, so that the User Administration and Role Administration screens can assign permissions to roles, and assign those roles to users.

In your plugin's plugin.xml file, you need a new element defined like so:

<!-- Permissions -->
<extension point="com.elasticpath.cmclient.core.authorizations">


These permission keys should also be kept in a Class file (e.g. as constants, similar to the way that is used to keep constant string names for Spring beans. The name attribute references a property in The activityId attribute is used to group permissions in a set of permissions. It should reference an activity defined with the <activity> tag like in the example above.

Filtering the UI based on a user's authorization

There are any number of ways to filter the UI based on a user's permissions, but here's a code snippet with one example:

if (AuthorizationService.getInstance().isAuthorized(CatalogPermissions.productEdit) {
     //display an edit button

Assigning permissions to users

The only way for a user to actually have authorization for "CATALOG_PRODUCT_EDIT" is for an Admin user to use the Admin perspective's "Roles" manager to assign the permission to a Role, and use the "Users" manager to assign that Role to a user.