Role-Based Security in the Commerce Manager
Each plugin must extend the authorizations extension point defined in the Eclipse RCP (Rich Client Platform) Core plugin to define the list of permissions. The plugin uses these permissions for filtering or modifying the UI based upon the current user’s assigned permissions.
Extending the authorizations extension point
Every plugin must maintain a list of all the permissions that it knows about, so that the User Administration and Role Administration screens can assign permissions to roles, and assign those roles to users.
In your plugin’s plugin.xml file, you need a new element defined like so:
<!-- Permissions -->
<extension point="com.elasticpath.cmclient.core.authorizations">
    <permissions>
        <permission
            activityId="com.elasticpath.cmclient.fulfillment.authorizations.activity.catalogManagement"
            key="MANAGE_PRODUCT_PRICING"
            name="%manageProductPricingPermission.name">
        </permission>
        <permission
            activityId="com.elasticpath.cmclient.fulfillment.authorizations.activity.catalogManagement"
            key="MANAGE_PRODUCT_SKU"
            name="%manageProductsAndSKUsPermission.name">
        </permission>
        ...
    </permissions>
    <activity
        id="com.elasticpath.cmclient.fulfillment.authorizations.activity.catalogManagement"
        name="%activityPermission.name">
    </activity>
</extension>
These permission keys should also be kept in a class file (e.g. CatalogPermissions.java) as constants, similar to the way that ContextIdNames.java is used to keep constant string names for Spring beans. The name attribute references a property in plugin.properties.
The activityId attribute is used to group permissions into a set of permissions. It should reference an activity defined with the <activity> tag, as in the example above.
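The two cross-references described above (each activityId must match an <activity> id, and each %name must resolve in plugin.properties) can be checked mechanically before a plugin ships. The following is an added example, not Elastic Path code: the sample plugin.xml and properties text, the example.activity.* ids, the function names, and the assumption that properties are written as "key = value" lines are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

POINT = "com.elasticpath.cmclient.core.authorizations"

# Constructed sample input, not a real plugin: the second permission has a
# misspelled activityId and a name with no plugin.properties entry.
SAMPLE_PLUGIN_XML = """<plugin>
  <extension point="com.elasticpath.cmclient.core.authorizations">
    <permissions>
      <permission activityId="example.activity.catalogManagement"
                  key="MANAGE_PRODUCT_PRICING"
                  name="%manageProductPricingPermission.name"/>
      <permission activityId="example.activity.catalogManagment"
                  key="MANAGE_PRODUCT_SKU"
                  name="%manageProductsAndSKUsPermission.name"/>
    </permissions>
    <activity id="example.activity.catalogManagement" name="%activityPermission.name"/>
  </extension>
</plugin>"""

SAMPLE_PROPERTIES = """# constructed sample
manageProductPricingPermission.name = Manage product pricing
activityPermission.name = Catalog Management
"""

def property_keys(text):
    """Keys defined in plugin.properties text (assumes 'key = value' lines)."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln.split("=", 1)[0].strip() for ln in lines
            if "=" in ln and not ln.startswith(("#", "!"))}

def check_authorizations(plugin_xml, properties_text):
    """Return a list of problems found in the authorizations extension."""
    props, problems = property_keys(properties_text), []
    for ext in ET.fromstring(plugin_xml).iter("extension"):
        if ext.get("point") != POINT:
            continue  # only the authorizations extension point is checked
        activities = {a.get("id") for a in ext.iter("activity")}
        for el in list(ext.iter("permission")) + list(ext.iter("activity")):
            name = el.get("name") or ""
            # A leading % marks a name that is looked up in plugin.properties.
            if name.startswith("%") and name[1:] not in props:
                problems.append("missing property: " + name[1:])
            if el.tag == "permission" and el.get("activityId") not in activities:
                problems.append("unknown activityId: " + str(el.get("activityId")))
    return problems

if __name__ == "__main__":
    print("\n".join(check_authorizations(SAMPLE_PLUGIN_XML, SAMPLE_PROPERTIES)))
```

A permission that fails either check may be grouped incorrectly or show an unresolved name in the Role Administration screen, which makes it easy to assign the wrong permission to a role.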
Filtering the UI based on a user’s authorization
There are any number of ways to filter the UI based on a user’s permissions, but here’s a code snippet with one example:
if (AuthorizationService.getInstance().isAuthorizedWithPermission(CatalogPermissions.productEdit)) {
    // display an edit button
}
Assigning permissions to users
For an admin user, to add authorization for CATALOG_PRODUCT_EDIT, do the following:
- Use the Admin perspective’s Roles manager to assign the permission to a role.
- Use the Users manager to assign the role to a user.