# Users and Groups

The **Users and Groups** module allows you to manage the data of all the users and groups that belong to your tenant.\
To authorize the users in the system, add them to the tenant and create relevant user groups with sets of access rights. Then, link the users with the user groups to make the access rights work.

{% hint style="danger" %}
The Management Dashboard views depend on the user's permissions. If you don't see a particular node or section described in the Emporix documentation, or are not able to modify an entity, it might mean you don't have sufficient permissions set. Contact the administrator if you need additional access.
{% endhint %}

## Definitions

**User** - an employee using the Emporix Management Dashboard.

**User Group** - a group of users that share some common characteristics, such as performing a similar job. A user group defines access controls for its users. It can define site permissions or custom restrictions that limit members' visibility to only the entities assigned to particular sites or restriction values. See more in [Restrictions](#restrictions).

**Role** - a combination of predefined permissions that allow users to perform some actions on resources within the system. You can apply a role to a user group.

**Permission** - a mechanism for limiting what actions a user belonging to a role can perform on specific resources.

**Access controls** - a combination of roles and resources. For example, a user with a `manage` access control on product resources can view, create, delete, and edit product entities.

**Resource** or **Entity** - the object type within the Emporix Management Dashboard.

**Action** - the ability to perform an action on entities of a specific type.

**Restriction** - a condition applied to entities and employee groups to manage access or role separation. Most commonly, restrictions are identical to sites, but they can also apply to custom keys.

## Users

You can filter or sort the users list by first name, last name, email address, department or status.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-c1a8062af9a1766c9006bd5e9d3482ba7eed4d8d%2Fadmin.png?alt=media" alt="Users view"><figcaption><p>Users view</p></figcaption></figure>

There are two status types:

* The **Green** dot shows the user is active
* The **Grey** dot shows that the user was added and provisioned, but has not registered their account yet

### Create a user

{% stepper %}
{% step %}

#### Go to the users view

In the **Administration** module, go to **Users and Groups**.
{% endstep %}

{% step %}

#### Choose to create a user

In the **Users** tab, choose **Create New User**.
{% endstep %}

{% step %}

#### Provide the user details

Provide all the requested information. All fields are mandatory.
{% endstep %}

{% step %}

#### Save your configuration

Saving your changes adds the new user to the users list straight away.
{% endstep %}
{% endstepper %}

{% hint style="info" %}
The user receives an email invitation to join the tenant. Note that the email address has to be a company email address.
{% endhint %}

If at any point you decide to stop adding the new user, you can use the **Discard** option. It clears all the fields and removes the data you’ve entered for the user.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-31c05c8042834fb5b818bdd2559cfb4e2babef6a%2Fadd_user.png?alt=media" alt="Add user"><figcaption><p>Add user</p></figcaption></figure>

## Groups

You can filter and sort groups by the group name.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-757774ac30ac1b2f574557a5f3d95e31a0bf43bf%2Fgroups.png?alt=media" alt="Groups view"><figcaption><p>Groups view</p></figcaption></figure>

{% hint style="info" %}
Set the relevant user permissions at the group level. Users can belong to several groups with different access rights. By assigning users to relevant groups, you control what they are able to see and/or edit in the Management Dashboard. Bear in mind that if you assign a user to two groups that have different permissions set for a specific resource, the `manage` permission overrides the `read` permission and the user is able to manage the resource, not only view it.
{% endhint %}

### Create a user group

{% stepper %}
{% step %}

#### Go to Users and Groups

In the **Administration** module, go to the **Users and Groups** dashboard.
{% endstep %}

{% step %}

#### Choose to create a new group

Go to the **Groups** tab and click **Create New Group**.
{% endstep %}

{% step %}

#### Provide the group's details

In the **General** section, provide the group's ID, name and description.

{% hint style="warning" %}
Only the **Group Name** is mandatory for creating a user group. You can decide to edit other details later.\
You can also set up a custom user group ID in the **Id** field. Otherwise, a unique ID is automatically generated when the group is created.
{% endhint %}
{% endstep %}

{% step %}

#### Optional: Define the group site/custom restrictions

This step applies if you'd like to restrict access control to the entities that are site-aware, such as companies (legal entities), customers, carts, orders, or quotes. Choose one or multiple sites or custom restrictions from the list.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-83131a153e8a6ab03c61a694b60d3e40282a98c0%2Fgroups_site_permissions.png?alt=media" alt="Group site permissions" width="200"><figcaption><p>Group site permissions</p></figcaption></figure>

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-506c938fe585b5cfeeaeb8f49c582afa5519c339%2Fgroups_restrictions.png?alt=media" alt="Group restrictions" width="200"><figcaption><p>Group restrictions</p></figcaption></figure>

{% hint style="warning" %}
The sites and restrictions list depends on the configuration settings in the [**System Preferences**](https://developer.emporix.io/ce/management-dashboard/settings/system-preferences). If the site sync is enabled, you are able to assign site-related permissions to a group; if the sync is off and you have defined custom restrictions, you can assign the relevant restriction values to the groups.

The restrictions regulate access to entities associated with particular sites in your tenant, or to other custom-defined restrictions.

Learn more in the [Restrictions](#restrictions) section.
{% endhint %}
{% endstep %}

{% step %}

#### Optional: Choose the group role

Choose the **Role** for the group. You can select between:

* **Standard** role for Management Dashboard users: **Viewer**, **Manager**, or **Admin**.
* One of the **Templates** for Manager roles with specific access rights.
* **Vendors** role for a created vendor with orders or products read/manage access rights.

{% hint style="warning" %}
If you have both Commerce Engine and Orchestration Engine set up in your tenant, first choose which product you want to define the group for. The available options for roles and permissions depend on this choice.
{% endhint %}

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-657d6617d71030cb96c4f1071afbbf6ad63e2aa2%2Fproduct_switcher.png?alt=media" alt="Product switcher" width="600"><figcaption><p>Product switcher</p></figcaption></figure>

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-0ee85545ffff16a741ccc626a53638201624d56c%2Ftemplate_roles.png?alt=media" alt="Role templates" width="600"><figcaption><p>Role templates</p></figcaption></figure>

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-c27a7e1529f61eae28a804c92ae8002e0a067c3b%2Fvendor_roles.png?alt=media" alt="Vendor roles" width="600"><figcaption><p>Vendor roles</p></figcaption></figure>

{% hint style="info" %}
For more information, see [Predefined roles](#predefined-roles).
{% endhint %}

Based on your choice of Role, the access controls in the **Management Dashboard Settings** section get selected automatically.
{% endstep %}

{% step %}

#### Set access rights

Set up the group access rights in the **Management Dashboard Settings** section:

* **read** access selected - a user is able to see entities of a specific type
* **manage** access selected - a user is able to see, edit, create, and delete entities of a specific type
* none selected - a user is not able to see entities of a specific type

Use the checkboxes to define the access rights only for the particular types the group is supposed to have access to. If a group is not supposed to manage or even see a particular entity in the Management Dashboard, don't select any permission.

{% hint style="success" %}
The site-aware (or restriction-aware for custom setup) entities are marked with the checkmark ✓ next to the entity so that you know which entities are affected when you apply any site permissions or other restrictions to the employee group.

<img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-4aa1b7ec0129aade2281b6bec46dce08b86cbd23%2Fsite_aware.png?alt=media" alt="Site-aware entities" data-size="original">

<img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-6919bf45263efd35ab1ed4cfee591493346cd6f6%2Frestriction_aware.png?alt=media" alt="Restriction-aware entities" data-size="original">
{% endhint %}

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-8a0733abdbae219ec558f2fc2b97fe66f06ea2b7%2Fcreating_group.png?alt=media" alt="Creating group"><figcaption><p>Creating a group</p></figcaption></figure>

{% hint style="warning" %}
Selecting **manage** automatically deselects **view** access and the other way round.\
To disable existing access rights for an entity, uncheck the checkbox.
{% endhint %}
{% endstep %}

{% step %}

#### Confirm with **Save**

{% endstep %}
{% endstepper %}

{% hint style="danger" %}
Setting permissions

There are some resource types within CE that you access only through other resources and that don't have a separate view in the Management Dashboard, for example, media or payment gateway. Access to such resources depends on the permissions defined for the parent entity. For example, if you have read access to products, you get read access to media.

There are also resources that have a separate view in the Management Dashboard but that you also access through other entities, for example, categories in products. Access to such resources depends on the permissions you define at the group level for the particular resource. For example, if a group has `manage` access for products and `read` access for categories, the users are able to edit products, but not the categories within products. Or, if a group has `manage` access to products but no access to categories, the users don't have permission to see categories assigned to products. In that case, the users see a `No permissions` message on the particular field.

For more information, see [Permissions](#permissions).

<img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-09ba409b31b4b668983f577d54ab87cc21d4c91e%2Fnopermission.png?alt=media" alt="Not sufficient permissions" data-size="original">
{% endhint %}
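The group-merge rule (`manage` overrides `read`) and the parent/embedded resource rules described in the hints above can be modeled to review what a user effectively gets. This is an added Python example, not Emporix code or its API; the group names, users and the `INHERITS_FROM` mapping are constructed, and capping an embedded field at the parent's access level is an assumption.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    MANAGE = 2


# Actions each level allows: manage covers read, create, edit and delete.
ACTIONS = {
    Access.NONE: frozenset(),
    Access.READ: frozenset({"read"}),
    Access.MANAGE: frozenset({"read", "create", "edit", "delete"}),
}

# Resources without their own view take the parent's access.
# Only the media -> products pairing is taken from the page's example.
INHERITS_FROM = {"media": "products"}

# Constructed sample groups (hypothetical names): resource -> access level.
GROUPS = {
    "catalog-editors": {"products": Access.MANAGE, "categories": Access.READ},
    "product-only": {"products": Access.MANAGE},
    "support-readers": {"products": Access.READ, "orders": Access.READ},
    "order-desk": {"orders": Access.MANAGE},
}

# Constructed sample memberships: user -> groups.
MEMBERSHIPS = {
    "alice@example.com": ["catalog-editors"],
    "bob@example.com": ["product-only"],
    "carol@example.com": ["support-readers", "order-desk"],
}


def effective_access(group_names, groups=GROUPS):
    """Merge group settings: the highest level per resource wins."""
    merged = {}
    for name in group_names:
        for resource, level in groups[name].items():
            merged[resource] = max(merged.get(resource, Access.NONE), level)
    return merged


def access_to(merged, resource):
    """Resolve one resource, following parent inheritance where it applies."""
    parent = INHERITS_FROM.get(resource)
    return merged.get(parent if parent is not None else resource, Access.NONE)


def can(merged, action, resource):
    """True if the merged access allows the action on the resource."""
    return action in ACTIONS[access_to(merged, resource)]


def embedded_field(merged, parent, embedded):
    """State of an embedded resource's field on the parent's page,
    for example the categories field on a product."""
    parent_level = access_to(merged, parent)
    if parent_level == Access.NONE:
        return "parent hidden"
    # Assumption: the field is never more permissive than the parent view.
    level = min(parent_level, access_to(merged, embedded))
    if level == Access.MANAGE:
        return "editable"
    if level == Access.READ:
        return "read-only"
    return "No permissions"


def upgraded_by_overlap(memberships=MEMBERSHIPS, groups=GROUPS):
    """List (user, resource, read-only groups) where one group grants only
    read but another group lifts the same user to manage."""
    findings = []
    for user, names in sorted(memberships.items()):
        merged = effective_access(names, groups)
        for resource, level in sorted(merged.items()):
            read_only = [n for n in names
                         if groups[n].get(resource) == Access.READ]
            if level == Access.MANAGE and read_only:
                findings.append((user, resource, read_only))
    return findings


if __name__ == "__main__":
    for user, names in MEMBERSHIPS.items():
        merged = effective_access(names)
        print(user, {r: lvl.name for r, lvl in merged.items()},
              "| categories field:",
              embedded_field(merged, "products", "categories"))
    print("upgraded by overlap:", upgraded_by_overlap())
```

Running `upgraded_by_overlap` over an export of real group settings shows where a read-only group is silently outranked by another membership.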

## Assign users to a group

To allow a user to work within the tenant, assign the user to a user group with a set of specific access rights. You can do it in two ways: from the user perspective and from the user group perspective.

### From the user perspective

{% stepper %}
{% step %}

#### Go to users view

In the **Administration** module, go to **Users and Groups** -> **Users**.
{% endstep %}

{% step %}

#### Choose the user

To open the edit mode, select the relevant user row.
{% endstep %}

{% step %}

#### Assign the user group

Go to the **Access** tab and select the relevant user group.
{% endstep %}

{% step %}

#### Save your changes

Choose **Save** to persist your edits.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-e7d9cf7e6612bc461a8ac3517d0718bfdc2ce7e6%2Fuser_access.png?alt=media" alt="User access groups"><figcaption><p>User access groups</p></figcaption></figure>
{% endstep %}
{% endstepper %}

### From the user group perspective

{% stepper %}
{% step %}

#### Go to the groups view

In the **Administration** module, go to **Users and Groups** -> **Groups**.
{% endstep %}

{% step %}

#### Go to the members management

Open the group you want to add members to and go to the **Members** tab. Choose **Add members**.
{% endstep %}

{% step %}

#### Add the members

Select the users to add. You can search by first name, last name, email or department. Confirm with **Add members**.
{% endstep %}
{% endstepper %}

### From the user group edit mode

{% stepper %}
{% step %}

#### Go to the groups view

In the **Administration** module, go to **Users and Groups** -> **Groups**.
{% endstep %}

{% step %}

#### Choose the group

To open the edit mode, select the relevant group.
{% endstep %}

{% step %}

#### Assign the members

Go to the **Members** tab and choose **Add Members**. Select the users that you want to add to the group. You can search by first name, last name, email or department.
{% endstep %}

{% step %}

#### Save your changes

Choose **Save** to persist your edits.
{% endstep %}
{% endstepper %}

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-b1d07edeeb8533718be1a179a2ed15762dfb3e41%2Fmembers.png?alt=media" alt="Group members"><figcaption><p>Group members</p></figcaption></figure>

### Predefined roles

You can choose from the predefined roles for a user group or manually define the relevant access controls. Note that the `manage` access control includes read, create, edit, and delete actions.

**Viewer**

<details>

<summary>Viewer Access Matrix</summary>

|                             Service                             |      Resource      | Read | Manage |
| :-------------------------------------------------------------: | :----------------: | :--: | :----: |
| <p><strong>Customer</strong><br><strong>Management</strong></p> |                    |   ✓  |        |
|                                                                 |      Companies     |   ✓  |        |
|                                                                 |      Customer      |   ✓  |        |
|                                                                 |       Coupons      |   ✓  |        |
|                            **Quotes**                           |                    |   ✓  |        |
|                                                                 |       Quotes       |   ✓  |        |
|                                                                 |    Status Quotes   |   ✓  |        |
|                            **Orders**                           |                    |   ✓  |        |
|                                                                 |       Orders       |   ✓  |        |
|                                                                 |        SEPA        |   ✓  |        |
|                                                                 |       Returns      |   ✓  |        |
|                           **Catalogs**                          |                    |   ✓  |        |
|                                                                 |      Catalogs      |   ✓  |        |
|                                                                 |     Categories     |   ✓  |        |
|                           **Products**                          |                    |   ✓  |        |
|                                                                 |      Products      |   ✓  |        |
|                                                                 |  Product Templates |   ✓  |        |
|                                                                 |       Labels       |   ✓  |        |
|                                                                 |      Suppliers     |   ✓  |        |
|                                                                 |       Brands       |   ✓  |        |
|                           **Pricing**                           |                    |   ✓  |        |
|                                                                 |    Price Models    |   ✓  |        |
|                                                                 |     Price Lists    |   ✓  |        |
|                           **Settings**                          |                    |   ✓  |        |
|                                                                 |        Sites       |   ✓  |        |
|                                                                 |  Delivery Methods  |   ✓  |        |
|                                                                 |   Delivery Times   |   ✓  |        |
|                                                                 |        Units       |   ✓  |        |
|                                                                 |         Tax        |   ✓  |        |
|                                                                 |      Countries     |   ✓  |        |
|                                                                 |     Currencies     |   ✓  |        |
|                                                                 |      Languages     |   ✓  |        |
|                                                                 | System Preferences |   ✓  |        |
|                                                                 |    Mixin Schemas   |   ✓  |        |
|                          **Extensions**                         |                    |   ✓  |        |
|                                                                 | e.g. site settings |   ✓  |        |
|                        **Administration**                       |                    |   ✓  |        |
|                                                                 |  Users and Groups  |   ✓  |        |
|                                                                 |      Webhooks      |   ✓  |        |
|                                                                 |     Extensions     |   ✓  |        |

</details>

**Manager**

<details>

<summary>Manager Access Matrix</summary>

|                             Service                             |      Resource      | Read | Manage |
| :-------------------------------------------------------------: | :----------------: | :--: | :----: |
| <p><strong>Customer</strong><br><strong>Management</strong></p> |                    |      |    ✓   |
|                                                                 |      Companies     |      |    ✓   |
|                                                                 |      Customer      |      |    ✓   |
|                                                                 |       Coupons      |      |    ✓   |
|                            **Quotes**                           |                    |      |    ✓   |
|                                                                 |       Quotes       |      |    ✓   |
|                                                                 |    Status Quotes   |      |    ✓   |
|                            **Orders**                           |                    |      |    ✓   |
|                                                                 |       Orders       |      |    ✓   |
|                                                                 |        SEPA        |      |    ✓   |
|                                                                 |       Returns      |      |    ✓   |
|                           **Catalogs**                          |                    |      |    ✓   |
|                                                                 |      Catalogs      |      |    ✓   |
|                                                                 |     Categories     |      |    ✓   |
|                           **Products**                          |                    |      |    ✓   |
|                                                                 |      Products      |      |    ✓   |
|                                                                 |  Product Templates |      |    ✓   |
|                                                                 |       Labels       |      |    ✓   |
|                                                                 |      Suppliers     |      |    ✓   |
|                                                                 |       Brands       |      |    ✓   |
|                           **Pricing**                           |                    |      |    ✓   |
|                                                                 |    Price Models    |      |    ✓   |
|                                                                 |     Price Lists    |      |    ✓   |
|                           **Settings**                          |                    |      |    ✓   |
|                                                                 |        Sites       |      |    ✓   |
|                                                                 |  Delivery Methods  |      |    ✓   |
|                                                                 |   Delivery Times   |      |    ✓   |
|                                                                 |        Units       |      |    ✓   |
|                                                                 |         Tax        |      |    ✓   |
|                                                                 |      Countries     |      |    ✓   |
|                                                                 |     Currencies     |      |    ✓   |
|                                                                 |      Languages     |      |    ✓   |
|                                                                 | System Preferences |      |    ✓   |
|                                                                 |    Mixin Schemas   |      |    ✓   |
|                          **Extensions**                         |                    |      |    ✓   |
|                                                                 | e.g. site settings |      |    ✓   |
|                        **Administration**                       |                    |      |        |
|                                                                 |  Users and Groups  |   ✓  |        |
|                                                                 |      Webhooks      |      |    ✓   |
|                                                                 |     Extensions     |   ✓  |        |

</details>

**Administrator**

<details>

<summary>Administrator Access Matrix</summary>

|                             Service                             |      Resource      | Read | Manage |
| :-------------------------------------------------------------: | :----------------: | :--: | :----: |
| <p><strong>Customer</strong><br><strong>Management</strong></p> |                    |      |    ✓   |
|                                                                 |      Companies     |      |    ✓   |
|                                                                 |      Customer      |      |    ✓   |
|                                                                 |       Coupons      |      |    ✓   |
|                            **Quotes**                           |                    |      |    ✓   |
|                                                                 |       Quotes       |      |    ✓   |
|                                                                 |    Status Quotes   |      |    ✓   |
|                            **Orders**                           |                    |      |    ✓   |
|                                                                 |       Orders       |      |    ✓   |
|                                                                 |        SEPA        |      |    ✓   |
|                                                                 |       Returns      |      |    ✓   |
|                           **Catalogs**                          |                    |      |    ✓   |
|                                                                 |      Catalogs      |      |    ✓   |
|                                                                 |     Categories     |      |    ✓   |
|                           **Products**                          |                    |      |    ✓   |
|                                                                 |      Products      |      |    ✓   |
|                                                                 |  Product Templates |      |    ✓   |
|                                                                 |       Labels       |      |    ✓   |
|                                                                 |      Suppliers     |      |    ✓   |
|                                                                 |       Brands       |      |    ✓   |
|                           **Pricing**                           |                    |      |    ✓   |
|                                                                 |    Price Models    |      |    ✓   |
|                                                                 |     Price Lists    |      |    ✓   |
|                           **Settings**                          |                    |      |    ✓   |
|                                                                 |        Sites       |      |    ✓   |
|                                                                 |  Delivery Methods  |      |    ✓   |
|                                                                 |   Delivery Times   |      |    ✓   |
|                                                                 |        Units       |      |    ✓   |
|                                                                 |         Tax        |      |    ✓   |
|                                                                 |      Countries     |      |    ✓   |
|                                                                 |     Currencies     |      |    ✓   |
|                                                                 |      Languages     |      |    ✓   |
|                                                                 | System Preferences |      |    ✓   |
|                                                                 |    Mixin Schemas   |      |    ✓   |
|                          **Extensions**                         |                    |      |    ✓   |
|                                                                 | e.g. site settings |      |    ✓   |
|                        **Administration**                       |                    |      |    ✓   |
|                                                                 |  Users and Groups  |      |    ✓   |
|                                                                 |      Webhooks      |      |    ✓   |
|                                                                 |     Extensions     |      |    ✓   |

</details>

**Catalog Manager**

<details>

<summary>Catalog Manager Access Matrix</summary>

|       Service      |      Resource     | Read | Manage |
| :----------------: | :---------------: | :--: | :----: |
|    **Catalogs**    |                   |      |    ✓   |
|                    |      Catalogs     |      |    ✓   |
|                    |     Categories    |      |    ✓   |
|    **Products**    |                   |      |    ✓   |
|                    |      Products     |      |    ✓   |
|                    | Product Templates |      |    ✓   |
|                    |       Labels      |      |    ✓   |
|                    |     Suppliers     |      |    ✓   |
|                    |       Brands      |      |    ✓   |
| **Administration** |                   |      |        |
|                    |      Webhooks     |      |    ✓   |

</details>

**Pricing Manager**

<details>

<summary>Pricing Manager Access Matrix</summary>

|       Service      |      Resource     | Read | Manage |
| :----------------: | :---------------: | :--: | :----: |
|     **Pricing**    |                   |      |        |
|                    |    Price Models   |      |    ✓   |
|                    |    Price Lists    |      |    ✓   |
|    **Settings**    |                   |      |        |
|                    |        Tax        |      |    ✓   |
|                    |       Units       |      |    ✓   |
|                    |     Countries     |      |    ✓   |
|                    |     Currencies    |      |    ✓   |
|    **Products**    |                   |      |        |
|                    |      Products     |      |    ✓   |
|                    | Product Templates |   ✓  |        |
|    **Catalogs**    |                   |      |        |
|                    |      Catalogs     |   ✓  |        |
|                    |     Categories    |   ✓  |        |
| **Administration** |                   |      |        |
|                    |  Users and Groups |   ✓  |        |

</details>

**Order Fulfillment Manager**

<details>

<summary>Order Fulfillment Manager Access Matrix</summary>

|                             Service                             | Resource | Read | Manage |
| :-------------------------------------------------------------: | :------: | :--: | :----: |
| <p><strong>Customer</strong><br><strong>Management</strong></p> |          |      |        |
|                                                                 | Customer |   ✓  |        |
|                            **Orders**                           |          |      |    ✓   |
|                                                                 |  Orders  |      |    ✓   |
|                                                                 |   SEPA   |      |    ✓   |
|                                                                 |  Returns |      |    ✓   |
|                           **Settings**                          |          |      |        |
|                                                                 |   Sites  |   ✓  |        |

</details>

**Compare role templates**

|         Service         |      Resource      | Viewer | Manager | Administrator | Catalog Manager | Pricing Manager | Order Fulfillment Manager |
| :---------------------: | :----------------: | :----: | :-----: | :-----------: | :-------------: | :-------------: | :-----------------------: |
| **Customer Management** |                    |        |         |               |                 |                 |                           |
|                         |      Companies     |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         |      Customer      |  Read  |  Manage |     Manage    |        ✗        |        ✗        |            Read           |
|                         |       Coupons      |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|        **Quotes**       |                    |        |         |               |                 |                 |                           |
|                         |       Quotes       |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         |    Status Quotes   |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|        **Orders**       |                    |        |         |               |                 |                 |                           |
|                         |       Orders       |  Read  |  Manage |     Manage    |        ✗        |        ✗        |           Manage          |
|                         |        SEPA        |  Read  |  Manage |     Manage    |        ✗        |        ✗        |           Manage          |
|                         |       Returns      |  Read  |  Manage |     Manage    |        ✗        |        ✗        |           Manage          |
|       **Catalogs**      |                    |        |         |               |                 |                 |                           |
|                         |      Catalogs      |  Read  |  Manage |     Manage    |      Manage     |       Read      |             ✗             |
|                         |     Categories     |  Read  |  Manage |     Manage    |      Manage     |       Read      |             ✗             |
|       **Products**      |                    |        |         |               |                 |                 |                           |
|                         |      Products      |  Read  |  Manage |     Manage    |      Manage     |      Manage     |             ✗             |
|                         |  Product Templates |  Read  |  Manage |     Manage    |      Manage     |       Read      |             ✗             |
|                         |       Labels       |  Read  |  Manage |     Manage    |      Manage     |        ✗        |             ✗             |
|                         |      Suppliers     |  Read  |  Manage |     Manage    |      Manage     |        ✗        |             ✗             |
|                         |       Brands       |  Read  |  Manage |     Manage    |      Manage     |        ✗        |             ✗             |
|       **Pricing**       |                    |        |         |               |                 |                 |                           |
|                         |    Price Models    |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|                         |     Price Lists    |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|       **Settings**      |                    |        |         |               |                 |                 |                           |
|                         |        Sites       |  Read  |  Manage |     Manage    |        ✗        |        ✗        |            Read           |
|                         |  Delivery Methods  |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         |   Delivery Times   |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         |        Units       |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|                         |         Tax        |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|                         |      Countries     |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|                         |     Currencies     |  Read  |  Manage |     Manage    |        ✗        |      Manage     |             ✗             |
|                         |      Languages     |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         | System Preferences |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|                         |    Mixin Schemas   |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|      **Extensions**     |                    |        |         |               |                 |                 |                           |
|                         | e.g. site settings |  Read  |  Manage |     Manage    |        ✗        |        ✗        |             ✗             |
|    **Administration**   |                    |        |         |               |                 |                 |                           |
|                         |  Users and Groups  |  Read  |   Read  |     Manage    |        ✗        |       Read      |             ✗             |
|                         |      Webhooks      |  Read  |  Manage |     Manage    |      Manage     |        ✗        |             ✗             |
|                         |     Extensions     |  Read  |   Read  |     Manage    |        ✗        |        ✗        |             ✗             |

### Permissions

Because some resources reference other resources, take those references into account when setting the access controls for the groups you create. We've prepared a matrix of possible functions in a company and the expected permissions in the Management Dashboard. You can use it as a baseline for managing permissions for particular groups.

{% hint style="success" %}
Example

You want to create a user group responsible for managing quotes in the system. You select the `manage` access control for quotes resources, but that might not be enough. Most probably, you also have to select at least the `read` access control for companies resources, and you also need `manage` access for products so that the group members are able to manage price resources (which they access through products). Without this additional `read` and `manage` access, the users are not able to view the resources that are related in one way or another to quotes, and are not able to process quotes accordingly.

The `manage` permission for a particular entity also lets a user configure the table columns for the list view by using the orchestration icon. They can adjust which columns are visible and which are hidden in each resource view in the Management Dashboard for which they have the `manage` right.

<img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-7cfcfdf2cec4c375b7575ad6c176c07374395af1%2Forchestration.png?alt=media" alt="" data-size="original">
{% endhint %}

Take a look at the matrix to see what to take into account.

<details>

<summary>Role/Permission Matrix</summary>

| Function/role              | Read                                                                                                                    | Manage                                                                                     |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| Manage customer management | customers (user and groups)                                                                                             | <p>customers<br>companies<br>coupons</p>                                                   |
| Manage companies           | customers (assigning customers to a company only)                                                                       | <p>companies<br>customers (including creating contacts, customers functionality)</p>       |
| Manage coupon              | categories                                                                                                              | coupons                                                                                    |
| Manage quotes              | companies                                                                                                               | <p>quotes<br>products</p>                                                                  |
| Manage orders              |                                                                                                                         | orders                                                                                     |
| Manage SEPA                |                                                                                                                         | SEPA                                                                                       |
| Manage returns             | <p>customers<br>orders<br>products</p>                                                                                  | returns                                                                                    |
| Manage catalogs            | categories                                                                                                              | catalogs                                                                                   |
| Manage categories          | media                                                                                                                   | categories                                                                                 |
| Manage products            | <p>product templates<br>suppliers<br>categories<br>price models<br>price lists<br>taxes<br></p>                         | products                                                                                   |
| Manage product templates   |                                                                                                                         | product templates                                                                          |
| Manage labels              |                                                                                                                         | labels                                                                                     |
| Manage suppliers           |                                                                                                                         | suppliers                                                                                  |
| Manage brands              |                                                                                                                         | brands                                                                                     |
| Manage price models        |                                                                                                                         | <p>price models<br>products</p>                                                            |
| Manage price lists         | <p>catalogs<br>categories<br>customers (user and groups)</p>                                                            | <p>price lists<br>price models<br>products<br>tax<br>units<br>countries<br>currencies</p>  |
| Manage sites               | <p>currencies<br>payment methods<br>countries<br>languages</p>                                                          | sites                                                                                      |
| Manage delivery methods    | sites                                                                                                                   | delivery methods                                                                           |
| Manage delivery times      | sites                                                                                                                   | delivery times                                                                             |
| Manage units               |                                                                                                                         | units                                                                                      |
| Manage tax                 |                                                                                                                         | tax                                                                                        |
| Manage countries           |                                                                                                                         | countries                                                                                  |
| Manage currencies          |                                                                                                                         | currencies                                                                                 |
| Manage system preferences  |                                                                                                                         | system preferences                                                                         |
| Manage mixin schemas       | <p>categories<br>companies<br>coupons<br>customers<br>customer.addresses<br>orders<br>products<br>quotes<br>returns</p> | mixin schemas                                                                              |

</details>
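The dependency rows of the matrix can be checked mechanically before a group is created. The following is an added example, not Emporix code and not part of the original page: it transcribes a few matrix rows and reports both missing prerequisite access and grants beyond what the group's functions need. The grants layout and the sample groups are hypothetical.

```python
# Added example (not Emporix code): audit a planned user group against rows of
# the Role/Permission Matrix. The grants layout and group data are hypothetical.

READ, MANAGE = 1, 2  # `manage` covers view, create, delete and edit, so it satisfies `read`
LEVEL_NAME = {READ: "read", MANAGE: "manage"}

# Rows transcribed from the matrix above: function -> {resource: minimum access}.
MATRIX = {
    "Manage quotes": {"quotes": MANAGE, "products": MANAGE, "companies": READ},
    "Manage returns": {"returns": MANAGE, "customers": READ, "orders": READ,
                       "products": READ},
    "Manage coupon": {"coupons": MANAGE, "categories": READ},
    "Manage catalogs": {"catalogs": MANAGE, "categories": READ},
    "Manage delivery methods": {"delivery methods": MANAGE, "sites": READ},
}


def required_access(functions):
    """Merge the matrix rows for several functions, keeping the highest level per resource."""
    merged = {}
    for function in functions:
        for resource, level in MATRIX[function].items():
            merged[resource] = max(merged.get(resource, 0), level)
    return merged


def audit_group(functions, grants):
    """Compare a group's grants with what its functions need.

    Returns (missing, excess): `missing` lists access the matrix requires but the
    group lacks; `excess` lists grants above what any listed function requires.
    """
    needed = required_access(functions)
    missing = {r: LEVEL_NAME[lvl] for r, lvl in needed.items()
               if grants.get(r, 0) < lvl}
    excess = {r: LEVEL_NAME[lvl] for r, lvl in grants.items()
              if lvl > needed.get(r, 0)}
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: first draft of the quotes group from the example above.
    print(audit_group(["Manage quotes"], {"quotes": MANAGE}))
    # Constructed sample: a later draft that over-grants companies and adds orders.
    print(audit_group(["Manage quotes"],
                      {"quotes": MANAGE, "products": MANAGE,
                       "companies": MANAGE, "orders": READ}))
```

The `excess` result is the least-privilege half of the check: it surfaces grants that no listed function justifies, which the matrix alone does not flag.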

{% hint style="info" %}
For more information about the access controls, see the [Identity and Access Management](https://developer.emporix.io/ce/system-management/authentication-and-authorization/authorization/iam) tutorial related to the Emporix API IAM Service.
{% endhint %}

## Restrictions

An employee group can limit the visibility of site-aware entities based on the restriction values assigned to it. This separates the responsibility of your employees by site or market. For example, you might want separate employee groups of Order Fulfillment Managers for each site (`DE`, `FR`, `NL`, `US`). Typically, restrictions are associated with sites, or the storefronts where you run your business, but you can also create custom restrictions, for example, regional groupings like `West-EU`, `APAC`, or others.

{% hint style="danger" %}
The custom restrictions functionality (when the sites sync is **disabled**) requires implementing automatic restriction assignment to the relevant entities at the Backend for Frontend (BFF) level. This step is essential because, for example, the end customers that make purchases in your store do not have the scopes or permissions needed to apply restrictions during registration or cart creation.

Since the exact implementation depends on your setup, ensure you have an appropriate solution in place to use this feature effectively.

On the other hand, when the sites sync is **enabled**, **no further** implementation is required as new data inherit the site codes from the customer or cart entities.

To learn more about site permissions and restrictions management, see [Site Permissions](https://developer.emporix.io/ce/system-management/authentication-and-authorization/authorization/site-permissions).
{% endhint %}

### Assigning site permissions to groups

If you want to use **sites** as group restrictions, make sure you have the `enableSyncBetweenRestrictionsAndSiteCodes` setting enabled in the **System Preferences**.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-0f0446d23e254a88b9b3efba2a156363dd5f1037%2FenableSiteSync_setting.png?alt=media" alt="Sites and restrictions sync on setting"><figcaption><p>Enable sites and restrictions sync setting</p></figcaption></figure>

This takes care of making site-aware entities bear relevant site codes as restrictions. Also, it automatically populates site codes as possible restriction values on user groups.

To create a group with permissions for one or more sites, add the site code value in the **Restriction** field. The employees belonging to such a group are only able to see and/or manage (depending on access control permissions) the site-aware entities that have the same restriction.

For example, the `DE Order Fulfillment Manager` employee group is assigned the `DE` site permission, while the `US Order Fulfillment Manager` employee group is assigned the `US` site permission. Both groups define the same access permissions for cart, order, and quote entities for their members.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-2ec4d747fdd244847f8b6c5d083e9d239030feb5%2Fgroups_site_permissions_de.png?alt=media" alt="Group with DE site permissions"><figcaption><p>Group with DE site permissions</p></figcaption></figure>

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-c251b2fc7108cf7f5fc1fbfa4e893e9aefad6ddd%2Fgroups_site_permissions_us.png?alt=media" alt="Group with US site permissions"><figcaption><p>Group with US site permissions</p></figcaption></figure>

The visibility of the site-aware entities is different for the employees from these groups. `DE` group members see only entities with the `DE` restriction, while `US` group employees view only `US` entities. They are not able to view or manage any entity that has a different restriction or no restriction assigned. However, employees that have no restrictions assigned to their groups see all the entities.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-3cbaf4cfa8cb0fdcf00cde5787c487da776d9888%2Fgroups_restricted_access.png?alt=media" alt="User&#x27;s view with restricted order access"><figcaption><p>User's view with restricted order access</p></figcaption></figure>

{% hint style="warning" %}
Employees who belong to user groups that have no site permissions or restrictions assigned can view and/or manage all entities, regardless of the site or restriction values associated with those entities. For example, in addition to site-specific groups, you can grant unrestricted access to all entities to admin or global manager groups. Ensure your group configuration applies restrictions at the appropriate level to achieve the degree of control you intend.
{% endhint %}
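The visibility rule described above, modelled as an added example (not Emporix code and not part of the original page). It assumes each entity carries at most one restriction value and that a group with several restrictions sees entities matching any of them; the class names, field names, and sample orders are constructed.

```python
# Added example (not Emporix code): a model of the visibility rule for
# restricted groups, plus an audit of configurations worth reviewing.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    access: dict                                     # resource type -> "read" or "manage"
    restrictions: set = field(default_factory=set)   # empty set = no restrictions


@dataclass
class Entity:
    id: str
    resource: str                # e.g. "orders"
    restriction: Optional[str]   # assumption: one value per entity; None = none assigned


def can_see(group, entity):
    """Access control is checked first, then the restriction match."""
    if entity.resource not in group.access:
        return False
    if not group.restrictions:   # groups without restrictions see every entity
        return True
    # A restricted group never sees entities with a different or missing restriction.
    return entity.restriction in group.restrictions


def visible_ids(group, entities):
    return [e.id for e in entities if can_see(group, e)]


def audit(groups, entities):
    """Return the groups and entities that fall outside the per-site separation."""
    assigned = set().union(*(g.restrictions for g in groups))
    return {
        # These groups see all entities regardless of site or restriction value.
        "unrestricted_groups": [g.name for g in groups
                                if g.access and not g.restrictions],
        # Invisible to every restricted group, e.g. when no restriction was set at creation.
        "entities_without_restriction": [e.id for e in entities
                                         if e.restriction is None],
        # Carry a value that no group is assigned, so only unrestricted groups see them.
        "entities_no_group_matches": [e.id for e in entities
                                      if e.restriction is not None
                                      and e.restriction not in assigned],
    }


# Constructed sample data, following the DE/US example in the text.
DE_GROUP = Group("DE Order Fulfillment Manager", {"orders": "manage"}, {"DE"})
US_GROUP = Group("US Order Fulfillment Manager", {"orders": "manage"}, {"US"})
GLOBAL_GROUP = Group("Global Manager", {"orders": "manage"})
GROUPS = [DE_GROUP, US_GROUP, GLOBAL_GROUP]
ORDERS = [
    Entity("order-1", "orders", "DE"),
    Entity("order-2", "orders", "US"),
    Entity("order-3", "orders", None),
    Entity("order-4", "orders", "FR"),
]

if __name__ == "__main__":
    for g in GROUPS:
        print(g.name, visible_ids(g, ORDERS))
    print(audit(GROUPS, ORDERS))
```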

### Assigning custom restrictions to groups

When you want to use restrictions in a context outside the sites scope, you can use **custom-defined restriction** values. To make it work, first make sure you have the right configuration in the **System Preferences**:

* disable the sync between sites and restrictions, that is, set the `enableSyncBetweenRestrictionsAndSiteCodes` setting to `false`

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-12690bc6ba14dd7f014da217e86c51bdfd12c7d4%2FsiteSyncOff_setting.png?alt=media" alt="Sites and restrictions sync off setting"><figcaption><p>Sites and restrictions sync off setting</p></figcaption></figure>

* define the possible values list in the `restrictions` setting

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-79500b7edec6e3771007baa615703968d5ba6e4c%2Fsetting_restrictionslist.png?alt=media" alt="List of custom restrictions list setting"><figcaption><p>List of custom restrictions list setting</p></figcaption></figure>

Then, you can use these restrictions on the user groups level. Select one or more restriction values in the **Restrictions** field.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-c4a4480ac3186c053c9d1b88bb81a6f35aff0a36%2Fgroups_custom_restrictions.png?alt=media" alt="Group with custom restrictions"><figcaption><p>Group with custom restrictions</p></figcaption></figure>

When the proper implementation is in place, the employees from the restricted employee group view and/or manage only restriction-aware entities with the same set of restrictions. They don't have access to the restricted entities with different values and get a relevant notification in the Management Dashboard.

## Vendor groups

Vendor groups are specifically related to [Vendor Management](https://developer.emporix.io/ce/management-dashboard/vendors). Creating a vendor automatically creates four new user groups for your tenant: `vendor.order.manager`, `vendor.order.viewer`, `vendor.product.manager`, `vendor.product.viewer`.

In the example based on ABC Company, the groups are as listed below, and they are already visible in the users and groups view.

* ABC Company Vendor Product Manager
* ABC Company Vendor Product Viewer
* ABC Company Vendor Order Manager
* ABC Company Vendor Order Viewer

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-e96807868264bc6768825ea2fed3641a6c55b2b7%2Fvendor_users.png?alt=media" alt="Vendor users"><figcaption><p>Vendor users</p></figcaption></figure>

Each group has its role and access rights already configured during creation. The role is **Vendor** and the access rights depend on the type of group. For example, for ABC Company Vendor Order Manager the access rights are Orders - Manage.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-714058f36a8c91ec55735b794e428f1fef4f486e%2Fvendor_users3.png?alt=media" alt="Vendor users"><figcaption><p>Vendor users</p></figcaption></figure>

The specific vendor group access rights are:

| Group                  | Order Access  | Product Access                                             | Notes                                                          |
| ---------------------- | ------------- | ---------------------------------------------------------- | -------------------------------------------------------------- |
| Vendor order manager   | Manage orders | ✗                                                          | –                                                              |
| Vendor order viewer    | Read orders   | ✗                                                          | –                                                              |
| Vendor product manager | ✗             | Manage products, including prices, availability, and media | Can also be granted permissions to publish/unpublish products. |
| Vendor product viewer  | ✗             | Read products, including prices, availability, and media   | Cannot be granted publishing rights.                           |

As in the standard user group management, in the group's **Members** tab you can view and manage the group members.

<figure><img src="https://3057647601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbTY7EwZtYYQYC6GOcdTj%2Fuploads%2Fgit-blob-dab7d3e9a4ed426ee83a9ebf875d37839596d308%2Fvendor_users2.png?alt=media" alt="Vendor users"><figcaption><p>Vendor users</p></figcaption></figure>

{% hint style="info" %}
For more details about vendors, see the following guides:

* [Vendor Management](https://developer.emporix.io/ce/management-dashboard/vendors)
* [Vendor Products](https://developer.emporix.io/ce/products-module/products#vendor-related-products)
* [Vendor Order Split](https://developer.emporix.io/ce/orders-module/orders#vendors-order-splitting)
* [Vendor Service](https://app.gitbook.com/s/d4POTWomuSS7d3dnh4Dg/api-guides/companies-and-customers/vendor-service)
{% endhint %}
