Users and Groups
Manage access rights for users and groups.
The Users and Groups module allows you to manage the data of all the users and groups that belong to your tenant. To authorize the users in the system, add them to the tenant and create relevant user groups with sets of access rights. Then, link the users with the user groups to make the access rights work.
The Management Dashboard views depend on the user's permissions. If you don't see a particular node or section described in the Emporix documentation, or are not able to modify an entity, you might not have sufficient permissions. Contact the administrator if you need additional access.
Definitions
User - an employee using the Emporix Management Dashboard.
User Group - a group of users that share some common characteristics, like performing a similar job. A user group defines access controls for its users. It can define site permissions or custom restrictions to limit visibility for members to only the entities assigned to particular sites or restriction values. See more in Restrictions.
Role - a combination of predefined permissions that allow users to perform some actions on resources within the system. You can apply a role to a user group.
Permission - a mechanism for limiting what actions a user belonging to a role can perform on specific resources.
Access controls - a combination of roles and resources. For example, a user with a manage access control on product resources can view, create, delete, and edit product entities.
Resource or Entity - the object type within the Emporix Management Dashboard.
Action - the ability to perform an action on entities of a specific type.
Restriction - the condition applied on entities and employee groups to manage access or roles separation. Most commonly, restrictions are identical to sites, but can also apply to custom keys.
Users
You can filter or sort the users list by first name, last name, email address, department or status.

There are two status types:
The Green dot shows the user is active
The Grey dot shows that the user was added and provisioned, but has not registered their account yet
Create a user
The user receives an email invitation to join the tenant. Note that the email address has to be a company email address.
If at any point you decide to stop adding the new user, you can use the Discard option. It clears all the fields and removes the data you’ve entered for the user.

Groups
You can filter and sort groups by the group name.

Set the relevant user permissions at the group level. Users can belong to several groups with different access rights. By assigning users to relevant groups, you control what they are able to see and/or edit in the Management Dashboard. Bear in mind that if you assign a user to two groups that have different permissions set for a specific resource, the manage permission overrides the read permission, and the user is able to manage the resource, not only view it.
Create a user group
Provide the group's details
In the General section, provide the group's ID, name and description.
Only the Group Name is mandatory for a user group creation. You can decide to edit other details later. You can also set up a custom user group ID in the Id field. Otherwise, a unique ID is automatically generated when the group is created.
Optional: Define the group site/custom restrictions
This step applies if you'd like to restrict access control to the entities that are site-aware, such as companies (legal entities), customers, carts, orders, or quotes. Choose one or multiple sites or custom restrictions from the list.


The sites and restrictions list depends on the configuration settings in the System Preferences. If the site sync is enabled, you are able to assign site-related permissions to a group; if the sync is off and you have defined custom restrictions, the groups can be assigned with the relevant restrictions values.
The restrictions regulate access to entities associated with particular sites in your tenant, or to other custom-defined restrictions.
Learn more in the Restrictions section.
Optional: Choose the group role
Choose the Role for the group. You can select from:
Standard role for Management Dashboard users: Viewer, Manager, or Admin.
One of the Templates for Manager roles with specific access rights.
Vendors role for a created vendor with orders or products read/manage access rights.
If you have both Commerce Engine and Orchestration Engine set up in your tenant, first choose which product you want to define the group for. The available options for roles and permissions depend on this choice.



For more information, see Predefined roles.
Based on your choice of Role, the access controls in the Management Dashboard Settings section get selected automatically.
Set access rights
Set up the group access rights in the Management Dashboard Settings section:
read access selected - a user is able to see entities of a specific type
manage access selected - a user is able to see, edit, create, and delete entities of a specific type
none selected - a user is not able to see entities of a specific type
Use the checkboxes to define the access rights only for the particular types the group is supposed to have access to. If a group is not supposed to manage or even see a particular entity in the Management Dashboard, don't select any permission.
The site-aware (or restriction-aware for custom setup) entities are marked with the checkmark ✓ next to the entity so that you know which entities are affected when you apply any site permissions or other restrictions to the employee group.



Selecting manage automatically deselects view access and the other way round. To disable existing access rights for an entity, uncheck the checkbox.
Setting permissions
There are some resource types within CE that you access through other resources only and that don't have a separate view in the Management Dashboard, for example media, or payment gateway. Access to such resources depends on the permissions defined for the parent entity. For example, if you have read access to products, you get read access to media.
There are also resources that do have a separate view in the Management Dashboard but that you also access through other entities, for example categories in products. Access to such resources depends on the permissions you define at a group level for the particular resource. For example, if a group has manage access for products and read access for categories, the users are able to edit products, but not the categories within products. Or, if a group has manage access to products but no access to categories, the users don't have permission to see categories assigned to products. In that case, the users see a No permissions message on the particular field.
For more information, see Permissions.

Assign users to a group
To allow a user to work within the tenant, assign the user to a user group with a set of specific access rights. You can do it in two ways: from the user perspective and from the user group perspective.
From the user perspective
From the user group perspective
From the user group edit mode

Predefined roles
You can choose from the predefined roles for a user group or manually define the relevant access controls. Note that the manage access control contains the read, create, edit, and delete actions.
Viewer
Viewer Access Matrix
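| Module | Entity | Access |
|---|---|---|
| Customer Management | | ✓ |
| | Companies | ✓ |
| | Customer | ✓ |
| | Coupons | ✓ |
| Quotes | | ✓ |
| | Quotes | ✓ |
| | Status Quotes | ✓ |
| Orders | | ✓ |
| | Orders | ✓ |
| | SEPA | ✓ |
| | Returns | ✓ |
| Catalogs | | ✓ |
| | Catalogs | ✓ |
| | Categories | ✓ |
| Products | | ✓ |
| | Products | ✓ |
| | Product Templates | ✓ |
| | Labels | ✓ |
| | Suppliers | ✓ |
| | Brands | ✓ |
| Pricing | | ✓ |
| | Price Models | ✓ |
| | Price Lists | ✓ |
| Settings | | ✓ |
| | Sites | ✓ |
| | Delivery Methods | ✓ |
| | Delivery Times | ✓ |
| | Units | ✓ |
| | Tax | ✓ |
| | Countries | ✓ |
| | Currencies | ✓ |
| | Languages | ✓ |
| | System Preferences | ✓ |
| | Mixin Schemas | ✓ |
| Extensions | | ✓ |
| | e.g. site settings | ✓ |
| Administration | | ✓ |
| | Users and Groups | ✓ |
| | Webhooks | ✓ |
| | Extensions | ✓ |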
Manager
Manager Access Matrix
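| Module | Entity | Access |
|---|---|---|
| Customer Management | | ✓ |
| | Companies | ✓ |
| | Customer | ✓ |
| | Coupons | ✓ |
| Quotes | | ✓ |
| | Quotes | ✓ |
| | Status Quotes | ✓ |
| Orders | | ✓ |
| | Orders | ✓ |
| | SEPA | ✓ |
| | Returns | ✓ |
| Catalogs | | ✓ |
| | Catalogs | ✓ |
| | Categories | ✓ |
| Products | | ✓ |
| | Products | ✓ |
| | Product Templates | ✓ |
| | Labels | ✓ |
| | Suppliers | ✓ |
| | Brands | ✓ |
| Pricing | | ✓ |
| | Price Models | ✓ |
| | Price Lists | ✓ |
| Settings | | ✓ |
| | Sites | ✓ |
| | Delivery Methods | ✓ |
| | Delivery Times | ✓ |
| | Units | ✓ |
| | Tax | ✓ |
| | Countries | ✓ |
| | Currencies | ✓ |
| | Languages | ✓ |
| | System Preferences | ✓ |
| | Mixin Schemas | ✓ |
| Extensions | | ✓ |
| | e.g. site settings | ✓ |
| Administration | | |
| | Users and Groups | ✓ |
| | Webhooks | ✓ |
| | Extensions | ✓ |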
Administrator
Administrator Access Matrix
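| Module | Entity | Access |
|---|---|---|
| Customer Management | | ✓ |
| | Companies | ✓ |
| | Customer | ✓ |
| | Coupons | ✓ |
| Quotes | | ✓ |
| | Quotes | ✓ |
| | Status Quotes | ✓ |
| Orders | | ✓ |
| | Orders | ✓ |
| | SEPA | ✓ |
| | Returns | ✓ |
| Catalogs | | ✓ |
| | Catalogs | ✓ |
| | Categories | ✓ |
| Products | | ✓ |
| | Products | ✓ |
| | Product Templates | ✓ |
| | Labels | ✓ |
| | Suppliers | ✓ |
| | Brands | ✓ |
| Pricing | | ✓ |
| | Price Models | ✓ |
| | Price Lists | ✓ |
| Settings | | ✓ |
| | Sites | ✓ |
| | Delivery Methods | ✓ |
| | Delivery Times | ✓ |
| | Units | ✓ |
| | Tax | ✓ |
| | Countries | ✓ |
| | Currencies | ✓ |
| | Languages | ✓ |
| | System Preferences | ✓ |
| | Mixin Schemas | ✓ |
| Extensions | | ✓ |
| | e.g. site settings | ✓ |
| Administration | | ✓ |
| | Users and Groups | ✓ |
| | Webhooks | ✓ |
| | Extensions | ✓ |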
Catalog Manager
Catalog Manager Access Matrix
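| Module | Entity | Access |
|---|---|---|
| Catalogs | | ✓ |
| | Catalogs | ✓ |
| | Categories | ✓ |
| Products | | ✓ |
| | Products | ✓ |
| | Product Templates | ✓ |
| | Labels | ✓ |
| | Suppliers | ✓ |
| | Brands | ✓ |
| Administration | | |
| | Webhooks | ✓ |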
Pricing Manager
Pricing Manager Access Matrix
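| Module | Entity | Access |
|---|---|---|
| Pricing | | |
| | Price Models | ✓ |
| | Price Lists | ✓ |
| Settings | | |
| | Tax | ✓ |
| | Units | ✓ |
| | Countries | ✓ |
| | Currencies | ✓ |
| Products | | |
| | Products | ✓ |
| | Product templates | ✓ |
| Catalogs | | |
| | Catalogs | ✓ |
| | Categories | ✓ |
| Administration | | |
| | Users and Groups | ✓ |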
Order Fulfillment Manager
Order Fulfillment Manager Access Matrix
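| Module | Entity | Access |
|---|---|---|
| Customer Management | | |
| | Customer | ✓ |
| Orders | | ✓ |
| | Orders | ✓ |
| | SEPA | ✓ |
| | Returns | ✓ |
| Settings | | |
| | Sites | ✓ |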
Compare role templates
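| Module | Entity | Viewer | Manager | Administrator | Catalog Manager | Pricing Manager | Order Fulfillment Manager |
|---|---|---|---|---|---|---|---|
| Customer Management | Companies | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | Customer | Read | Manage | Manage | ✗ | ✗ | Read |
| | Coupons | Read | Manage | Manage | ✗ | ✗ | ✗ |
| Quotes | Quotes | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | Status Quotes | Read | Manage | Manage | ✗ | ✗ | ✗ |
| Orders | Orders | Read | Manage | Manage | ✗ | ✗ | Manage |
| | SEPA | Read | Manage | Manage | ✗ | ✗ | Manage |
| | Returns | Read | Manage | Manage | ✗ | ✗ | Manage |
| Catalogs | Catalogs | Read | Manage | Manage | Manage | Read | ✗ |
| | Categories | Read | Manage | Manage | Manage | Read | ✗ |
| Products | Products | Read | Manage | Manage | Manage | Manage | ✗ |
| | Product Templates | Read | Manage | Manage | Manage | Read | ✗ |
| | Labels | Read | Manage | Manage | Manage | ✗ | ✗ |
| | Suppliers | Read | Manage | Manage | Manage | ✗ | ✗ |
| | Brands | Read | Manage | Manage | Manage | ✗ | ✗ |
| Pricing | Price Models | Read | Manage | Manage | ✗ | Manage | ✗ |
| | Price Lists | Read | Manage | Manage | ✗ | Manage | ✗ |
| Settings | Sites | Read | Manage | Manage | ✗ | ✗ | Read |
| | Delivery Methods | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | Delivery Times | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | Units | Read | Manage | Manage | ✗ | Manage | ✗ |
| | Tax | Read | Manage | Manage | ✗ | Manage | ✗ |
| | Countries | Read | Manage | Manage | ✗ | Manage | ✗ |
| | Currencies | Read | Manage | Manage | ✗ | Manage | ✗ |
| | Languages | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | System Preferences | Read | Manage | Manage | ✗ | ✗ | ✗ |
| | Mixin Schemas | Read | Manage | Manage | ✗ | ✗ | ✗ |
| Extensions | e.g. site settings | Read | Manage | Manage | ✗ | ✗ | ✗ |
| Administration | Users and Groups | Read | Read | Manage | ✗ | Read | ✗ |
| | Webhooks | Read | Manage | Manage | Manage | ✗ | ✗ |
| | Extensions | Read | Read | Manage | ✗ | ✗ | ✗ |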
Permissions
As particular resources have references to other resources, you need to take that into account when setting the relevant access controls for the groups you create. We've prepared a matrix of possible functions in a company and expected permissions in Management Dashboard. You might use it as a baseline for managing permissions for particular groups.
Example
You want to create a user group responsible for managing quotes in the system. You therefore select the manage access control for quotes resources; however, that might not be enough. Most probably, you also have to select at least the read access control for companies resources, and you also need manage access for products so that the group members are able to manage price resources (which they access through products). Without this additional read and manage access, the users are not able to view the resources that are related in one way or another to quotes, and are not able to process quotes accordingly.
The manage permission for a particular entity also gives a possibility for a user to configure the table columns for the list view by using the orchestration icon. They can adjust which columns are visible and which are hidden for the particular resource view in Management Dashboard that they have manage right to.
Take a look at the matrix to see what to take into account.
Role/Permission Matrix
| Function | Read access | Manage access |
|---|---|---|
| Manage customer management | customers (user and groups) | customers, companies, coupons |
| Manage companies | customers (assigning customers to a company only) | companies, customers (including creating contacts, customers functionality) |
| Manage coupon | categories | coupons |
| Manage quotes | companies | quotes, products |
| Manage orders | | orders |
| Manage SEPA | | SEPA |
| Manage returns | customers, orders, products | returns |
| Manage catalogs | categories | catalogs |
| Manage categories | media | categories |
| Manage products | product templates, suppliers, categories, price models, price lists, taxes | products |
| Manage product templates | | product templates |
| Manage labels | | labels |
| Manage suppliers | | suppliers |
| Manage brands | | brands |
| Manage price models | | price models, products |
| Manage price lists | catalogs, categories, customers (user and groups) | price lists, price models, products, tax, units, countries, currencies |
| Manage sites | currencies, payment methods, countries, languages | sites |
| Manage delivery methods | sites | delivery methods |
| Manage delivery times | sites | delivery time |
| Manage units | | units |
| Manage tax | | tax |
| Manage countries | | countries |
| Manage currencies | | currencies |
| Manage system preferences | | system preferences |
| Manage mixin schemas | categories, companies, coupons, customers, customer.addresses, orders, products, quotes, returns | mixin schemas |
For more information about the access controls, see the Identity and Access Management tutorial related to the Emporix API IAM Service.
Restrictions
An employee group can limit visibility of site-aware entities based on specific restriction values they are assigned with. This separates responsibility of your employees to certain sites or markets. For example, you want to have separate employee groups of Order Fulfillment Managers for each site (DE, FR, NL, US). Typically, restrictions are associated with sites, or storefronts you run your business at, but you can also create your custom restrictions, for example, regional groupings like West-EU, APAC or other.
The custom restrictions functionality (when the sites sync is disabled) requires implementing automatic restriction assignment to the relevant entities at the Backend for Frontend (BFF) level. This step is essential because, for example, the end customers that make purchases in your store do not have the scopes or permissions needed to apply restrictions during registration or cart creation.
Since the exact implementation depends on your setup, ensure you have an appropriate solution in place to use this feature effectively.
On the other hand, when the sites sync is enabled, no further implementation is required as new data inherit the site codes from the customer or cart entities.
To learn more about site permissions and restrictions management, see the Site Permissions.
Assigning site permissions to groups
If you want to use sites as group restrictions, make sure you have the enableSyncBetweenRestrictionsAndSiteCodes setting enabled in the System Preferences.

This takes care of making site-aware entities bear relevant site codes as restrictions. Also, it automatically populates site codes as possible restriction values on user groups.
To create a group with a particular site or multiple sites permissions, add the site code value in the Restriction field. The employees belonging to such a group are only able to see and/or manage (depending on access control permissions) the site-aware entities that have the same restriction.
For example, the DE Order Fulfillment Manager employee group is assigned the DE site permission, while the US Order Fulfillment Manager employee group is assigned the US site permission. The groups have the same access permissions for cart, order, and quote entities defined for their members.


The visibility of the site-aware entities is different for the employees from these groups. DE group members see only entities with the DE restriction, while US group employees view only US entities. They are not able to view or manage any entity that has a different restriction or no restriction assigned. However, employees that have no restrictions assigned to their groups see all the entities.

Employees who belong to user groups that have no site permissions or restrictions assigned can view and/or manage all entities, regardless of the site or restriction values associated with those entities. For example, in addition to site-specific groups, you can grant unrestricted access to all entities to admin or global manager groups. Ensure your group configuration applies restrictions at the appropriate level to achieve the degree of control you intend.
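The rules above (manage overrides read across groups, restricted groups see only matching entities, unrestricted groups see everything) can be checked against a planned group setup before you roll it out. The following Python sketch is an added example, not Emporix code: the group names, users, and data layout are constructed, and it assumes each entity carries at most one restriction value.

```python
# Added example: models the access rules described on this page.
# The data layout is constructed for illustration; it is not an Emporix export format.
RANK = {"none": 0, "read": 1, "manage": 2}

GROUPS = {  # constructed sample groups
    "de-fulfillment": {"access": {"orders": "manage", "customers": "read"}, "restrictions": {"DE"}},
    "us-fulfillment": {"access": {"orders": "manage", "customers": "read"}, "restrictions": {"US"}},
    "order-viewers": {"access": {"orders": "read"}, "restrictions": set()},
}
MEMBERSHIPS = {  # constructed sample users and their groups
    "anna@example.com": ["de-fulfillment", "order-viewers"],
    "ben@example.com": ["us-fulfillment"],
}
# Site-aware entity types named on this page.
SITE_AWARE = {"companies", "customers", "carts", "orders", "quotes"}


def effective_access(user):
    """Highest level per resource across the user's groups (manage overrides read)."""
    result = {}
    for name in MEMBERSHIPS.get(user, []):
        for resource, level in GROUPS[name]["access"].items():
            if RANK[level] > RANK[result.get(resource, "none")]:
                result[resource] = level
    return result


def group_can_see(group_name, resource, entity_restriction):
    """Visibility of one entity for members of one group."""
    group = GROUPS[group_name]
    if group["access"].get(resource, "none") == "none":
        return False
    if resource not in SITE_AWARE or not group["restrictions"]:
        return True  # groups without restrictions see every entity
    # Restricted groups see only matching entities; entities with no
    # restriction (None) are hidden from them as well.
    return entity_restriction in group["restrictions"]


def unrestricted_grants(user):
    """Site-aware resources the user reaches through a group with no restrictions."""
    findings = []
    for name in MEMBERSHIPS.get(user, []):
        group = GROUPS[name]
        if not group["restrictions"]:
            for resource, level in group["access"].items():
                if resource in SITE_AWARE and level != "none":
                    findings.append((name, resource, level))
    return sorted(findings)


if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, effective_access(user), unrestricted_grants(user))
```

The page does not describe how restrictions combine when a user belongs to both a restricted and an unrestricted group, so the example reports such memberships for review instead of resolving them.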
Assigning custom restrictions to groups
When you want to use restrictions in another context outside the sites scope, you can use custom-defined restriction values. To make it work, first make sure you have the right configuration in the System Preferences:
disable the sync between sites and restrictions, that is, set the enableSyncBetweenRestrictionsAndSiteCodes setting to false
define the list of possible values in the restrictions setting
Then, you can use these restrictions on the user groups level. Select one or more restriction values in the Restrictions field.

When the proper implementation is in place, the employees from the restricted employee group view and/or manage restriction-aware entities with the same set of restrictions only. They don't have access to the restricted entities with different values and get relevant notification in the Management Dashboard.
Vendor groups
Vendor groups are specifically related to Vendor Management. When a vendor is created, it automatically creates four new user groups for your tenant - vendor.order.manager, vendor.order.viewer, vendor.product.manager, vendor.product.viewer.
In the example based on ABC Company, the groups are as listed below, and they can already be seen in the Users and Groups view.
ABC Company Vendor Product Manager
ABC Company Vendor Product Viewer
ABC Company Vendor Order Manager
ABC Company Vendor Order Viewer

Each group has its role and access rights already configured during creation: the role is Vendor, and the access rights depend on the type of group. For example, for ABC Company Vendor Order Manager the access rights are Orders - Manage.

The specific vendor group access rights are:
| Group | Orders | Products | Notes |
|---|---|---|---|
| Vendor order manager | Manage orders | ✗ | – |
| Vendor order viewer | Read orders | ✗ | – |
| Vendor product manager | ✗ | Manage products, including prices, availability, and media | Can also be granted permissions to publish/unpublish products. |
| Vendor product viewer | ✗ | Read products, including prices, availability, and media | Cannot be granted publishing rights. |
As in the standard user group management, in the group's Members tab you can view and manage the group members.

For more details about vendors, see the following guides:


