This content is archived. See latest version here


This section provides an introduction to the authentication and authorization model in EPiServer Commerce. The authentication and authorization system uses the default membership and role system in ASP.NET. Configuration of membership and role providers is done in web.config file for the website. The EPiServer Commerce sample site has a number of predefined users, groups and roles, both for managing editorial content as well as for administering the e-commerce tasks.


Authentication and authorization is used by the system to identify users and user groups, and determining what they are allowed to do. These are some common terms used in this context:

  • Authentication. The process of identifying a user. The usual way of doing this is with a username and a password.
  • Authorization. The process of determining the specific actions a user is allowed to perform.
  • Provider. A module that is called by ASP.NET to provide an underlying service.
  • Membership provider. The module that handles authentication in the security model in ASP.NET.
  • Role provider. The module that gives the base data for authorization in the new security model in ASP.NET.
  • Profile provider. The module that stores and retrieves personalized data in ASP.NET.

Administering security and access rights

When you administer access rights you will use some distinct components that are tied very loosely together. The components are as follows:

  • Users (delivered by the current membership provider).
  • Roles (delivered by the current role provider and the virtual roles).
  • Access control lists (ACLs).

An ACL is simply a list of SecurityEntities and an access level. The security entity is a name and information stating if the name represents a role or a user. Once you have a security entity in an ACL, it will not be affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role will still be displayed in the ACL. Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider allows you to modify the user database, but the Windows membership provider does not.

Commerce-specific virtual roles

In addition to the default EPiServer groups (WebAdmins, WebEditors etc.), Commerce has a set of specific virtual roles that can be used for controlling access to parts of the user interface.

  • CommerceAdmins - provides access to the Commerce Manager back-end system (but not the administration view in EPiServer).
  • CommerceSettingsAdmins - provides access to Settings menu for administering for instance dictionary values. [Added in 7.7]
  • CatalogManagers - provides access to the Catalogs user interface. [Added in 7.7]

These virtual roles are configured in EPiServerFramework.config, for example:

<add name="CommerceAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />

See also

Last updated: Oct 21, 2014