This topic describes the authentication and authorization model in Episerver Commerce. The authentication and authorization system uses the default membership and role system in ASP.NET. Configuration of membership and role providers is done in web.config file for the website. The Episerver Commerce sample site has a number of predefined users, groups and roles, both for managing editorial content and for administering the e-commerce tasks.
Authentication and authorization is used by the system to identify users and user groups, and determining what they are allowed to do. These are some common terms used in this context:
- Authentication. The process of identifying a user. The usual way of doing this is with a username and a password.
- Authorization. The process of determining the specific actions a user is allowed to perform.
- Provider. A module that is called by ASP.NET to provide an underlying service.
- Membership provider. The module that handles authentication in the security model in ASP.NET.
- Role provider. The module that gives the base data for authorization in the new security model in ASP.NET.
- Profile provider. The module that stores and retrieves personalized data in ASP.NET.
Administering security and access rights
When you administer access rights, use the following distinct components that are tied loosely together.
- Users. Delivered by the current membership provider).
- Roles. Delivered by the current role provider and the virtual roles).
- Access control lists (ACLs).
An ACL is simply a list of SecurityEntity classes and an access level. The security entity is a name and information stating if the name represents a role or a user. When you have a security entity in an ACL, it is not affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role is still displayed in the ACL. Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider lets you modify the user database, but the Windows membership provider does not.
Commerce-specific virtual roles
In addition to the default EPiServer groups (WebAdmins, WebEditors etc.), Commerce has a set of specific virtual roles that can be used for controlling access to parts of the user interface.
- CommerceAdmins. Provides access to the Commerce Manager back-end system (but not the administration view in Episerver).
- CommerceSettingsAdmins. Provides access to Settings menu for administering for instance dictionary values. [Added in 7.7]
- CatalogManagers. Provides access to the Catalogs user interface. [Added in 7.7]
These virtual roles are configured in EPiServerFramework.config, for example:
<add name="CommerceAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />