Entities in the catalog needs to have proper permission handling.

Fixed in

EPiServer.Commerce 11.6.0

Created

Oct 12, 2015

Updated

Dec 22, 2017

State

Closed, Acceptance tests pass


Description

Members of user groups have default access rights to catalog content. You can override these settings, and grant groups and users access to individual catalogs and categories.
For example, a Site_Editors group has change permission for the entire catalog, while members of the Fashion_Editors group only have change permission for the Fashion catalog, and Automotive_Editors group members only have change permission for the Automotive catalog.
Note that you cannot set access rights for individual products. Products inherit permissions from their direct parents (but not "linked" parents).
Access rights set in the Catalog do not carry over to Commerce Manager (CM). So, users with CM access can still edit entries there despite the catalog settings. You can restrict access to CM through Customizing group access to functions. However, most users who edit catalogs cannot access CM.

To assign access rights for a catalog or category to a user or group:

  1. Navigate to the catalog or category for which you want to grant access to groups or users.
  2. Go to All properties view.
  3. Next to Visible to, click Manage. The Set Access Rights screen appears.
  4. Uncheck Inherit settings from parent item.
  5. Assign groups and users to appropriate actions.

Note: This feature is only supported when using the IContent model (IContentLoader/IContentRepository). If you use the older, Dto-based APIs, the access right settings are ignored.