Users and Groups

Manage access rights for users and groups.

The Users and Groups module allows you to manage the data of all the users and groups that belong to your tenant. To give users access to the system, add them to the tenant, create the relevant groups, and assign users to those groups. A user’s effective access is determined by the access controls assigned to their groups and the scopes included in those access controls. Groups can also include site-based or custom restrictions to limit visibility to specific data sets where supported.

How authorization works

User access in the platform follows a consistent model:

Users belong to one or more groups
Groups are assigned one or more access controls
Access controls contain lists of scopes
Scopes determine what users can view or manage

This means Users and Groups is the place where you connect people to the access model. For more information about the underlying authorization objects, see Access Controls and Scopes.

The Management Dashboard views are dependent on the user's permissions. If you don't see a particular node, or section described in the Emporix documentation, or are not able to modify an entity, it might mean you don't have sufficient permissions set. Contact the administrator if you need additional access.

Definitions

User - an employee using the Emporix Management Dashboard.

User Group - a group of users that share some common characteristics, like performing similar job. User group defines access controls for the users. It can define site permissions or custom restrictions to limit visibility for members to only entities assigned to particular sites/restriction values. See more in Restrictions.

Role - a combination of predefined access controls that allow users to perform some actions on resources within the system. You can apply a role to a user group.

Access control - a combination of scopes that allows performing specific actions on specific resources.

Scope - a single permission for a specific action on a resource, for example, viewing orders. Available scopes in your tenant include platform scopes, tenant-defined scopes, and scopes generated for custom entities.

Restriction - the condition applied on entities and employee groups to manage access or roles separation. Most commonly, restrictions are identical to sites, but can also apply to custom keys.

Users

You can filter or sort the users list by first name, last name, email address, department or status.

There are two status types:

The Green dot shows the user is active
The Grey dot shows that the user was added and provisioned, but has not registered their account yet

Create a user

Go to the users view

In the Administration module, go to Users and Groups.

Choose to create a user

In the Users tab, choose Create New User.

Provide the user details

Provide all the requested information. All fields are mandatory.

Save your configuration

Saving your changes adds the new user to the users list straight away.

The user receives an email invitation to join the tenant. Note the email has to be a company email address.

If at any point you decide to stop adding the new user, you can use the Discard option. It clears all the fields and removes the data you’ve entered for the user.

Groups

You can filter and sort groups by the group name.

Set the relevant users permissions at the group level. Users can belong to several groups with different access rights. By assigning users to relevant groups, you control what they are able to see and/or edit in the Management Dashboard. Bear in mind that if you assign a user to two groups that have different permissions set for a specific resource, the manage overwrites read permission and the user is able to manage the resource, not only view it.

Create a user group

Go to Users and Groups

In the Administration module, go to Users and Groups dashboard.

Choose to create a new group

Go to the Groups tab and click the Create New Group.

Provide the group's details

In General section, provide the group's ID, name and description.

Only the Group Name is mandatory for a user group creation. You can decide to edit other details later. You can also set up a custom user group ID in the Id field. Otherwise, a unique ID is automatically generated when the group is created.

Optional: Define the group restrictions

This step applies if you'd like to restrict access control to the entities that are site-aware, such as companies (legal entities), customers, carts, orders, or quotes. Choose one or multiple sites or custom restrictions from the list.

The sites and restrictions list depends on the configuration settings in the System Preferences. If the site sync is enabled, you are able to assign site-related permissions to a group; if the sync is off and you have defined custom restrictions, the groups can be assigned with the relevant restrictions values.

The restrictions regulate access to entities associated with particular sites in your tenant, or to other custom-defined restrictions.

Learn more in the Restrictions section.

Optional: Choose the group role

Choose the Role for the group, you can select between:

Standard role for Management Dashboard users: Viewer, Manager, or Admin.
One of the Templates for Manager roles with specific access rights.
Vendors role for a created vendor with orders or products read/manage access rights.

In the case when you have both Commerce Engine and Orchestration Engine setup in your tenant, firstly choose which product you want to define the group for. The available options for roles and permissions depend on this choice.

For more information, see Predefined roles.

Based on your choice of Role, you can see that the pre-defined access controls in Management Dashboard Settings section get selected automatically.

Set access rights

Set up the group access rights in the Access Controls Assignment section:

Choose +Assign Access Controls to select access controls from the list of available options. Access controls are created in the Access Controls view and include the scopes selected for each control.

The site-aware (or restriction-aware for custom setup) entities are marked with the checkmark ✓ if you expand the access control, so that you know which entities are affected when you apply any site or other restrictions to the employee group.

Confirm with Save

Setting permissions

There are some resource types within CE that you access through other resources only and that don't have a separate view in the Management Dashboard, for example media, or payment gateway. For Category Manager, Category Viewer, Product Manager, and Product Viewer access controls, the system automatically assigns the matching Media Manager or Media Viewer access control—you do not need to add media permissions separately. For other resources (for example payment gateway), access may still depend on permissions defined for the parent entity.

There are also resources that do have a separate view in the Management Dashboard but you also access them through other entities, for example categories in products. Access to such resources depends on the permissions you define at a group level for the particular resource. For example, if a group has manage access for products and read access for categories, the users are able to edit products, but not the categories within products. Or, if a group has manage access to products but no access to categories, the users don't have permission to see categories assigned to products. In that case, the users see No permissions message on a particular field.

For more information, see Permissions.

Assign users to a group

To allow a user to work within the tenant, assign the user to a user group with a set of specific access rights. You can do it in two ways: from the user perspective and from the user group perspective.

From the user perspective

Go to users view

In the Administration module, go to Users and Groups -> Users.

Choose the user

To open the edit mode, select the relevant user row.

Assign the user group

Go to the Access tab and select the relevant user group.

Save your changes

Choose Save to keep your configuration.

From the user group perspective

Go to the groups view

In the Administration module, go to Users and Groups -> Groups.

Go to the members management

Open the group you want to add members to and go to Members tab. Choose Add members.

Add the members

Select the users to add, you can search by first name, last name, email or department. Confirm with Add members.

From the user group edit mode

Go to the groups view

In the Administration module, go to Users and Groups -> Groups.

Choose the group

To open the edit mode, select the relevant group.

Assign the members

Go to the Members tab and choose Add Members. Select the users that you want to add to the group, you can search by first name, last name, email or department.

Save your changes

Choose Save to keep your configuration.

Select user roles

User roles can be configured either with the predefined roles that are automatically available to choose from, or by creating custom roles which you can use for more complex and specific system access requirements.

Predefined roles

You can choose from the predefined roles for a user group or define manually the relevant access controls. Note that manage access control contains read, create, edit, and delete actions.

Viewer

Viewer Access Matrix

Service

Resource

Read

Manage

Agentic

✓

Agents

✓

Customer Management

✓

Companies

✓

Customer

✓

Groups

✓

Segments

✓

Coupons

✓

Quotes

✓

Quotes

✓

Status Quotes

✓

Orders

✓

Orders

✓

SEPA

✓

Returns

✓

Carts

✓

Carts

✓

Catalogs

✓

Catalogs

✓

Categories

✓

Classifications

✓

Products

✓

Products

✓

Product Templates

✓

Labels

✓

Suppliers

✓

Brands

✓

Pricing

✓

Price Models

✓

Price Lists

✓

Settings

✓

Sites

✓

Delivery Methods

✓

Delivery Times

✓

Units

✓

Tax

✓

Countries

✓

Currencies

✓

Languages

✓

System Preferences

✓

Mixin Schemas

✓

Extensions

✓

e.g. site settings

✓

Administration

✓

Users and Groups

✓

Webhooks

✓

Extensions

✓

Modules

✓

Perspectives

✓

Hosting

✓

Statistics

✓

Manager

Manager Access Matrix

Service

Resource

Read

Manage

Agentic

✓

Agents

✓

Customer Management

✓

Companies

✓

Customer

✓

Groups

✓

Segments

✓

Coupons

✓

Quotes

✓

Quotes

✓

Status Quotes

✓

Orders

✓

Orders

✓

SEPA

✓

Returns

✓

Carts

✓

Carts

✓

Catalogs

✓

Catalogs

✓

Categories

✓

Classifications

✓

Products

✓

Products

✓

Product Templates

✓

Labels

✓

Suppliers

✓

Brands

✓

Pricing

✓

Price Models

✓

Price Lists

✓

Settings

✓

Sites

✓

Delivery Methods

✓

Delivery Times

✓

Units

✓

Tax

✓

Countries

✓

Currencies

✓

Languages

✓

System Preferences

✓

Mixin Schemas

✓

Extensions

✓

e.g. site settings

✓

Administration

Users and Groups

✓

Webhooks

✓

Extensions

✓

Modules

✓

Perspectives

✓

Hosting

✓

Statistics

✓

Administrator

Administrator Access Matrix

Service

Resource

Read

Manage

Agentic

✓

Agents

✓

Customer Management

✓

Companies

✓

Customer

✓

Groups

✓

Segments

✓

Coupons

✓

Quotes

✓

Quotes

✓

Status Quotes

✓

Orders

✓

Orders

✓

SEPA

✓

Returns

✓

Carts

✓

Carts

✓

Catalogs

✓

Catalogs

✓

Categories

✓

Classifications

✓

Products

✓

Products

✓

Product Templates

✓

Labels

✓

Suppliers

✓

Brands

✓

Pricing

✓

Price Models

✓

Price Lists

✓

Settings

✓

Sites

✓

Delivery Methods

✓

Delivery Times

✓

Units

✓

Tax

✓

Countries

✓

Currencies

✓

Languages

✓

System Preferences

✓

Mixin Schemas

✓

Extensions

✓

e.g. site settings

✓

Administration

✓

Users and Groups

✓

Webhooks

✓

Extensions

✓

Modules

✓

Perspectives

✓

Hosting

✓

Statistics

✓

Catalog and Product Manager

Catalog and Product Manager Access Matrix

Service

Resource

Read

Manage

Catalogs

✓

Catalogs

✓

Categories

✓

Classification

✓

Products

✓

Products

✓

Product Templates

✓

Labels

✓

Suppliers

✓

Brands

✓

Administration

Webhooks

✓

Pricing Manager

Pricing Manager Access Matrix

Service

Resource

Read

Manage

Pricing

Price Models

✓

Price Lists

✓

Settings

Tax

✓

Units

✓

Countries

✓

Currencies

✓

Products

Products

✓

Product templates

✓

Catalogs

Catalogs

✓

Categories

✓

Administration

Users and Groups

✓

Order Fulfillment Manager

Order Fulfillment Manager Access Matrix

Service

Resource

Read

Manage

Customer Management

Customer

✓

Orders

✓

Orders

✓

SEPA

✓

Returns

✓

Settings

Sites

✓

Compare role templates

Role Templates Comparison Matrix

Service

Resource

Viewer

Manager

Administrator

Catalog Manager

Pricing Manager

Order Fulfillment Manager

Customer Management

Companies

Read

Manage

✗

Customer

Read

Manage

✗

Read

Coupons

Read

Manage

✗

Quotes

Quotes

Read

Manage

✗

Status Quotes

Read

Manage

✗

Orders

Orders

Read

Manage

✗

Manage

SEPA

Read

Manage

✗

Manage

Returns

Read

Manage

✗

Manage

Carts

Carts

Read

Manage

✗

Catalogs

Catalogs

Read

Manage

Read

✗

Categories

Read

Manage

Read

✗

Products

Products

Read

Manage

✗

Product Templates

Read

Manage

Read

✗

Labels

Read

Manage

✗

Suppliers

Read

Manage

✗

Brands

Read

Manage

✗

Pricing

Price Models

Read

Manage

✗

Manage

✗

Price Lists

Read

Manage

✗

Manage

✗

Settings

Sites

Read

Manage

✗

Read

Delivery Methods

Read

Manage

✗

Delivery Times

Read

Manage

✗

Units

Read

Manage

✗

Manage

✗

Tax

Read

Manage

✗

Manage

✗

Countries

Read

Manage

✗

Manage

✗

Currencies

Read

Manage

✗

Manage

✗

Languages

Read

Manage

✗

System Preferences

Read

Manage

✗

Mixin Schemas

Read

Manage

✗

Extensions

e.g. site settings

Read

Manage

✗

Administration

Users and Groups

Read

Manage

✗

Read

✗

Scopes

Read

Manage

✗

Access Controls

Read

Manage

✗

Webhooks

Read

Manage

✗

Extensions

Read

Manage

✗

Modules

Read

Manage

✗

Perspectives

Read

Manage

✗

Hosting

Read

Manage

✗

Statistics

Read

Manage

✗

Permissions

As particular resources have references to other resources, you need to take that into account when setting the relevant access controls for the groups you create. We've prepared a matrix of possible functions in a company and expected permissions in Management Dashboard. You might use it as a baseline for managing permissions for particular groups.

Example

You want to create a user group responsible for managing quotes in the system. Therefore, you select manager access control for quotes resources, however that might not be enough. Most probably, you also have to select at least viewer access control for companies resources, and you'd also need manager access for products so that the group members are able to manage price resources (which they access through products). Without these additional viewer and manager access, the users are not able to view the relevant resources that are related in one way or another to quotes, and are not able to process quotes accordingly.

The manager permission for a particular entity also gives a possibility for a user to configure the table columns for the list view by using the orchestration icon. They can adjust which columns are visible and which are hidden for the particular resource view in Management Dashboard that they have manager right to.

For more information about the access controls, see the Identity and Access Management tutorial related to the Emporix API IAM Service.

User-specific roles configuration

In addition to using the predefined set of roles and permissions, you can build your own user roles and assign them to relevant users or groups. This is done by defining scopes and grouping them in the access controls you can assign to users and user groups.

First define the permissions you need as scopes, then combine scopes into access controls and assign those access controls to user groups.

Check the examples matrix below to see how scopes, access controls, and roles can fit together.

User-specific Examples Matrix

Role

Access controls

Resource

Read

Manage

Agentic Manager

Agent Manager

Agents

✓

Customer and Company Manager

Customer Manager

Customer

✓

Company Manager

Companies

✓

—

Coupons

✗

Segment Manager

Segments Manager

Segments

✓

Customers Viewer

Customer

✓

✗

Coupon Manager

Coupons

✓

Categories Viewer

Categories

✓

✗

Products Viewer

Products

✓

✗

Product Templates Viewer

Product Templates

✓

✗

Vendor Manager

Vendors Manager

Vendors

✓

Customers Viewer

Customer

✓

✗

Users and Groups Viewer

Users and Groups

✓

✗

Vendor Viewer

Vendors Viewer

Vendors

✓

✗

Customers Viewer

Customer

✓

✗

Users and Groups Viewer

Users and Groups

✓

✗

Order Manager

Order Manager

Orders

✓

—

Returns

✗

Country Manager

Country Manager

Countries

✓

—

Currencies

✗

Statistic Manager

Statistic Manager

Statistics

✓

✗

Customer User Group Manager

Users and Groups Manager

Users and Groups

✓

Access Controls Manager

Access Controls

✓

Companies Viewer

Companies

✓

✗

Coupon Manager

Coupon Manager

Coupons

✓

Category Manager

Categories

✓

Customers Viewer

Customer

✓

✗

Segments Viewer

Segments

✓

✗

Quote Manager

Quotes Manager

Quotes

✓

Status Codes Manager

Status Quotes

✓

Companies Viewer

Companies

✓

✗

Customers Viewer

Customer

✓

✗

Categories Viewer

Categories

✓

✗

Cart Manager

Carts Manager

Carts

✓

Companies Viewer

Companies

✓

✗

Customers Viewer

Customer

✓

✗

Price Lists Viewer

Price Lists

✓

✗

Price Models Viewer

Price Models

✓

✗

Return Manager

Returns Manager

Returns

✓

Customers Viewer

Customer

✓

✗

Orders Viewer

Orders

✓

✗

Products Viewer

Products

✓

✗

Product Templates Viewer

Product Templates

✓

✗

Catalog Manager

Catalog Manager

Catalog

✓

Category Manager

Categories

✓

Category Manager

Classifications

✓

Media Manager (auto-assigned)

Media

✓

Mixin Schema Manager

Mixin Schemas

✓

Product Manager

Products Manager

Products

✓

Product Template Manager

Product Templates

✓

Media Manager (auto-assigned)

Media

✓

Categories Viewer

Categories

✓

✗

Price Lists Viewer

Price Lists

✓

✗

Price Models Viewer

Price Models

✓

✗

Taxes Viewer

Tax

✓

✗

Price Manager

Price Lists Manager

Price Lists

✓

Price Models Manager

Price Models

✓

Catalogs Viewer

Catalogs

✓

✗

Categories Viewer

Categories

✓

✗

Companies Viewer

Companies

✓

✗

Countries Viewer

Countries

✓

✗

Currencies Viewer

Currencies

✓

✗

Products Viewer

Products

✓

✗

Product Templates Viewer

Product Templates

✓

✗

Users and Groups Viewer

Users and Groups

✓

✗

Site Manager

Site Manager

Sites

✓

Shipping Zones & Delivery Times Manager

Delivery Methods Manager

Delivery Methods

✓

Delivery Times Manager

Delivery Times

✓

Countries Viewer

Countries

✓

✗

Taxes Viewer

Tax

✓

✗

Settings Manager

Units Manager

Units

✓

Taxes Manager

Tax

✓

Countries Manager

Countries

✓

Languages Manager

Languages

✓

System Preferences Manager

System Preferences

✓

Custom Entity & Mixin Manager

Custom Entities Manager

Custom Entities

✓

Mixin Manager

Mixin Schemas

✓

Media Manager

Media

✓

Admin Manager

Access Control Manager

Access Controls

✓

Scopes Manager

Scopes

✓

Users and Groups Manager

Users and Groups

✓

Webhook Manager

Webhooks

✓

Extensions Manager

Extensions

✓

Hosting Manager

Hosting

✓

Modules Manager

Modules

✓

Perspective Manager

Perspectives

✓

Statistics Manager

Statistics

✓

Currencies Viewer

Currencies

✓

✗

Languages Viewer

Languages

✓

✗

Depending on the assigned access controls, users see only related modules in the Management Dashboard.

Restrictions

An employee group can limit visibility of site-aware entities based on specific restriction values they are assigned with. This separates responsibility of your employees to certain sites or markets. For example, you want to have separate employee groups of Order Fulfillment Managers for each site (DE, FR, NL, UK). Typically, restrictions are associated with sites, or storefronts you run your business at, but you can also create your custom restrictions, for example, regional groupings like West-EU, APAC or other.

The custom restrictions functionality (when the sites sync is disabled) requires implementing automatic restriction assignment to the relevant entities at the Backend for Frontend (BFF) level. This step is essential because, for example, the end customers that make purchases in your store do not have the scopes or permissions needed to apply restrictions during registration or cart creation.

Since the exact implementation depends on your setup, ensure you have an appropriate solution in place to use this feature effectively.

On the other hand, when the sites sync is enabled, no further implementation is required as new data inherit the site codes from the customer or cart entities.

To learn more about site permissions and restrictions management, see the Site Permissions.

Assigning site restrictions to groups

If you want to use sites as group restrictions, make sure you have the enableSyncBetweenRestrictionsAndSiteCodes setting enabled in the System Preferences.

This takes care of making site-aware entities bear relevant site codes as restrictions. Also, it automatically populates site codes as possible restriction values on user groups.

To create a group with a particular site or multiple sites permissions, add the site code value in the Restriction field. The employees belonging to such a group are only able to see and/or manage (depending on access control permissions) the site-aware entities that have the same restriction.

For example, the DE Order Fulfillment Manager employee group has assigned DE site permission, while the UK Order Fulfillment Manager employee group has assigned UK site permission. The groups have the same access permissions for cart, order, and quote entities defined for its members.

The visibility of the site-aware entities is different for the employees from these groups. DE group members see only entities with DE restriction, while UK group employees view only UK entities. They are not able to view nor manage any entity that has a different restriction or no restriction assigned. However, employees that have no restrictions assigned to their groups see all the entities.

User's view with restricted order access

Employees who belong to user groups that have no site permissions or restrictions assigned can view and/or manage all entities, regardless of the site or restriction values associated with those entities. For example, in addition to site-specific groups, you can grant unrestricted access to all entities to admin or global manager groups. Ensure your group configuration applies restrictions at the appropriate level to achieve the degree of control you intend.

Assigning custom restrictions to groups

For the cases when you want to use restrictions in another context outside the sites scope, you have an option to use custom-defined restriction values. To make it work, firstly make sure you have the right configuration in the System Preferences:

disable the sync between sites and restrictions, that is set the enableSyncBetweenRestrictionsAndSiteCodes setting to false

define the possible values list in the restrictions setting

List of custom restrictions list setting

Then, you can use these restrictions on the user groups level. Select one or more restriction values in the Restrictions field.

When the proper implementation is in place, the employees from the restricted employee group view and/or manage restriction-aware entities with the same set of restrictions only. They don't have access to the restricted entities with different values and get relevant notification in the Management Dashboard.

Vendor groups

Vendor groups are specifically related to Vendor Management. When a vendor is created, it automatically creates four new user groups for your tenant - vendor.order.manager, vendor.order.viewer, vendor.product.manager, vendor.product.viewer.

In the example based on ABC Company the groups are as below and they can be already visible in the users and groups view.

ABC Company Vendor Product Manager
ABC Company Vendor Product Viewer
ABC Company Vendor Order Manager
ABC Company Vendor Order Viewer

Each group has the role and access rights already configured during creation, the role is Vendor and the access rights depend on the type of group. For example, for ABC Company Vendor Order Manager the access rights are Manage orders and Read products.

The specific vendor group access rights are:

Group

Order Access

Product Access

Notes

Vendor order manager

Manage orders

✗

–

Vendor order viewer

Read orders

✗

–

Vendor product manager

✗

Manage products, including prices, availability, and media

Can also be granted permissions to publish/unpublish products.

Vendor product viewer

✗

Read products, including prices, availability, and media

Cannot be granted publishing rights.

As in the standard user group management, in the group's Members tab you can view and manage the group members.

For more details about vendors, see the following guides:

PreviousAdministration NextScopes

Last updated 3 days ago

Was this helpful?