Access Controls

Group scopes into access controls and assign them to user groups for employee and customer access.

The Access Controls view lets tenant administrators combine scopes into reusable access sets for user groups.


Each access control consists of a set of scopes that define what a user group is permitted to do. The predefined access controls align with the default navigation tree setup, where each domain corresponds to a specific navigation node.

Instead of setting permissions one by one, you assign a prepared access control to the right group. When a custom access control is assigned to a group, users in that group receive:

  • Platform default scopes (baseline access expected for the product), and

  • Tenant-specific custom scopes included in that access control (including scopes generated for custom entities when you add them to the access control).

Access controls are used for people in your tenant:

  • Employee access - internal users (for example by team or region).

  • Customer access - external users such as B2B buyers or partners.

For integrations, the same scope names are used in API credentials and tokens, but they are managed outside user groups.

Example:

You can create an access control such as Order Fulfillment Manager that includes order-related manage scopes and read access to supporting entities. Assign it to employee groups by region (for example DE Fulfillment Managers and FR Fulfillment Managers) so each group gets the same access model and only their group membership differs.

Managing access controls

From the Access Controls view you can do the following:

  • Create and edit access controls.

  • Filter or search access controls by name.

  • Open an access control to review or adjust the list of scopes.

  • Remove access controls that are obsolete or no longer used.

Creating an access control

To define a new access control:

1. Choose to create access control

In the Administration module, go to Access Controls and select the Create Access Control action.

2. Provide the access control details

Provide a Name and optional description that clearly state the purpose of the access control, for example order_manager or catalog_viewer.

3. Select the scopes for the access control

Scopes are listed under Scopes. They may include platform scopes, tenant-defined scopes, and scopes generated for custom entities.

For example, if a group is supposed to manage products but only view categories, include the corresponding product manage scope and category read scope within the same access control.

4. Save your changes

When you're done, choose Save. The access control is added to the list.

Custom entities and access controls

If an access control is assigned to a user group, users can see the corresponding node in the Management Dashboard navigation.

However, if a custom entity is created and the access control does not include the required scopes for that area, users can open the node but the view is empty. The content becomes visible only after the required scopes are included in the assigned access control.

For custom entities:

  • Global scopes for the entity, such as <entity>.<entity>_read and <entity>.<entity>_manage, provide access to all instances in that custom entity, regardless of who created them.

  • Ownership-limited scopes, such as <entity>.<entity>_readOwn and <entity>.<entity>_manageOwn, provide access only to instances created by the user.

If a user has global scopes for a custom entity, they can see all records in that entity. If they only have the ownership-limited (Own) scopes, they see only records assigned to them or created by them.
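The scope rules above, as an added example that is not product code: a local Python model that resolves which custom-entity records a user sees and reviews an access control before it is assigned. The entity names, the `platform.baseline_read` placeholder and the sample records are constructed, and the model assumes visibility is decided by the read scopes only.

```python
# Added example: a local model of the scope rules described above.
# Entity names, scope strings and records are constructed sample data.

PLATFORM_DEFAULT_SCOPES = {"platform.baseline_read"}  # hypothetical placeholder


def effective_scopes(access_control_scopes):
    """Platform default scopes plus the custom scopes in the access control."""
    return PLATFORM_DEFAULT_SCOPES | set(access_control_scopes)


def visible_records(scopes, entity, user, records):
    """Return the records of a custom entity that `user` can see.

    Assumption: visibility is decided by the read scopes only; the page does
    not say whether a manage scope implies read.
    """
    if f"{entity}.{entity}_read" in scopes:       # global: every instance
        return list(records)
    if f"{entity}.{entity}_readOwn" in scopes:    # ownership-limited
        return [r for r in records
                if user in (r["created_by"], r.get("assigned_to"))]
    return []                                     # node opens, view is empty


def review(access_control_scopes, custom_entities):
    """Pre-assignment check: entities that would show an empty view, and
    global scopes that give access to all instances of an entity."""
    scopes = effective_scopes(access_control_scopes)
    empty, global_grants = [], []
    for e in custom_entities:
        if not {f"{e}.{e}_read", f"{e}.{e}_readOwn"} & scopes:
            empty.append(e)
        candidates = (f"{e}.{e}_read", f"{e}.{e}_manage")
        global_grants += sorted(s for s in candidates if s in scopes)
    return {"empty_view": empty, "global_scopes": global_grants}


RECORDS = [  # constructed sample records for a "warranty" custom entity
    {"id": 1, "created_by": "anna", "assigned_to": None},
    {"id": 2, "created_by": "ben", "assigned_to": "anna"},
    {"id": 3, "created_by": "ben", "assigned_to": None},
]
```

Running `review` against the list of custom entities before assigning an access control to a customer group shows both which nodes would open empty and which global scopes expose every instance.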
