User group question

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
krittleb
Commander (CMDR)
Posts: 111
Joined: Tue Jan 06, 2009 11:27 pm

User group question

Post by krittleb » Sat Oct 02, 2010 8:59 pm

Our business has continued to grow and we have more and more employees accessing our admin for shipping/customer service/etc.

The problem we are having is that I have not found a way to set them up so that they can view orders, catalog AND the user database without viewing sales reports. We REALLY need them to have access to our customer database but I have not found that this is possible unless an admin, jr admin, or superuser. All of those also give access to all our sales records, which we have noticed they have begun to discuss openly amongst themselves and also to friends/family outside of the business!! We would prefer to be the only ones who know what our sales levels are at!

Am I missing something or will this take customization?

I also was disturbed to find that the "superusers" have full access to all of our sales records, customer information, and their payment information!!

Any programmer that has worked on our site has requested to be set-up as a super-user. I assumed this just gave them access to the files and information necessary to do the custom programming we needed and was shocked to find out we have handed them the keys to our store!!

Am I wrong in that I am thinking they should not be set-up as super-users? What access do we need to give them to be able to do their thing??

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: User group question

Post by AbleMods » Sun Oct 03, 2010 7:40 pm

Kristi,

As a veteran programmer and career IT consultant, perhaps I can offer some understanding to ease your concerns.

The short answer is 'yes' - you should give your developer super-user access. There's no way around it. A developer works at some of the lowest levels of your system, and web servers secure these areas pretty tight.

But without the proper permissions to access these areas, the developer's hands are tied. It'd be like asking the local flooring company to guarantee an installation price without ever having a chance to see the interior of your home. It's simply not feasible.

That was the good news. Now, for the bad news :P

As an expert AbleCommerce 7 developer, I'm often asked to make modifications to a store both on the front-end and the back-end. Sometimes these changes even involve going into the database.

So if you want me to make those changes for you, you are going to have to trust me. There's just no way for me to get to what you want me to change without the security privileges to do it. Don't get upset, but once I get access to the store database, I have access to everything about your store. I don't need the reports or the menu options any more - I can just browse and total all of your store data with a few simple commands if I chose to. I never do unless I am testing a requested change.

There are many changes that do not require super-user access. Unfortunately, AC7 is huge and there is no master list of what does and what does not require it. So to keep things simple (and thus less expensive) for you as the client, we ask for the keys...

Once you hand me the keys, yes, I have full and unrestricted access to your entire store database. That includes your entire customer list. That includes every credit card number if card number storage is enabled. That includes your sales history, store catalog and product sales performance.

The solution? There are several things you can do to protect yourself and your business:

1. Wear cautious glasses when looking for someone to work on your site. Your neighbor's cousin fresh out of college? Not a good choice. Someone you found for $13/hour on odoor.com? Again, not a good choice.

2. Use an established AbleCommerce partner with a lengthy service record in the industry you found listed on the AbleCommerce Partners page - excellent choice. Not excellent because I'm listed there, but excellent because getting on that list isn't a small task. Those companies are recognized as legitimate businesses with established principles.

3. A reasonable and well-written confidentiality or non-disclosure agreement can go a long way towards ensuring business security. Just be fair and reasonable. I sign them all the time but I read every single one because it's my butt that's on the line too here. I have actually declined work because the agreement provided by the client was too strongly worded. I've also had employees walk out on the job because my employee agreement requires them to take responsibility for their actions on client systems. I expect nothing short of professional, mature and responsible behavior at all times. I don't think that's too much to ask in my line of work.

4. Referrals, referrals and more referrals. Get 3. Get 5. Get 20 if you'll feel better. But at least get some, and actually call them. We developers live and die by referrals. If your developer can't give you 15 solid referrals on-the-spot, that's a concern. Why? They're supposed to be 'experts' and they can't feel comfortable letting you speak with a mere 15 other "successful" projects? Hmmmmmmm.

In the end, we as developers are not in the business of stealing data or information. Please don't take this personally, but the vast majority of us really don't care if you made 1,000 or 100,000 last month. That's none of our business. I've worked on clients making bazillions more than I do and still charge the measly $85/hour knowing full good and well they could afford more. Why? Because it's what I quoted them and it's the right thing to do. It's professional, mature and responsible.

What we do care about is providing you as the client the best possible experience with custom programming. We can only do that if you let us in your house.

Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

krittleb
Commander (CMDR)
Posts: 111
Joined: Tue Jan 06, 2009 11:27 pm

Re: User group question

Post by krittleb » Mon Oct 04, 2010 1:35 pm

Thanks for the affirmation!

Do you have any ideas on how to allow our employees access to customer information (user accounts) without also allowing them access to store sales data?

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: User group question

Post by AbleMods » Mon Oct 04, 2010 3:26 pm

krittleb wrote: Do you have any ideas on how to allow our employees access to customer information (user accounts) without also allowing them access to store sales data?

Out of the box, this isn't possible. The same user security groups that have access to Store Users also have access to the reports. These are the System, Admin, Jr Admin and View Reports groups.

However I did write an article a while back that fully explains how to customize admin-side permissions in AC7. It includes a walkthrough example that should give you enough knowledge to make changes yourself.

You can find the article in the Good Reference Posts section here: viewtopic.php?f=47&t=10045

Just remember, backups are your friend :D

Joe Payne
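The bundling described in this reply (every group that can reach Store Users also carries the sales reports) is the classic coarse-role problem. The Python model below is an added illustration, not AbleCommerce code or anything from the linked article: the permission names, the per-group permission sets and the "Customer Service" group are assumptions chosen to be consistent with the reply, and the functions show how a deny-by-default check and a small audit expose the gap, then confirm that one added fine-grained group closes it.

```python
"""Illustrative RBAC model: coarse admin groups vs. one fine-grained group.

All names and group contents here are assumptions for the example; they are
not AbleCommerce's real permission set.
"""
from enum import Enum, auto
from typing import Dict, Iterable, Set


class Permission(Enum):
    VIEW_ORDERS = auto()
    VIEW_CATALOG = auto()
    VIEW_USERS = auto()         # the "Store Users" customer database
    VIEW_REPORTS = auto()       # sales reports
    VIEW_PAYMENT_DATA = auto()


GroupTable = Dict[str, Set[Permission]]

# Assumed mapping, consistent with the reply: the four groups that can reach
# Store Users (System, Admin, Jr Admin, View Reports) all carry VIEW_REPORTS.
COARSE_GROUPS: GroupTable = {
    "System": set(Permission),
    "Admin": set(Permission),
    "Jr Admin": {Permission.VIEW_ORDERS, Permission.VIEW_CATALOG,
                 Permission.VIEW_USERS, Permission.VIEW_REPORTS},
    "View Reports": {Permission.VIEW_USERS, Permission.VIEW_REPORTS},
    "Order Manager": {Permission.VIEW_ORDERS},        # hypothetical group
    "Catalog Manager": {Permission.VIEW_CATALOG},     # hypothetical group
}

# Same table plus one hypothetical group that splits customer access from reports.
FINE_GROUPS: GroupTable = dict(COARSE_GROUPS)
FINE_GROUPS["Customer Service"] = {
    Permission.VIEW_ORDERS, Permission.VIEW_CATALOG, Permission.VIEW_USERS,
}


def effective_permissions(groups: GroupTable, memberships: Iterable[str]) -> Set[Permission]:
    """Union of the permissions of every group the user is in; unknown groups grant nothing."""
    perms: Set[Permission] = set()
    for name in memberships:
        perms |= groups.get(name, set())
    return perms


def is_authorized(groups: GroupTable, memberships: Iterable[str], perm: Permission) -> bool:
    """Deny by default: true only if some group explicitly grants `perm`."""
    return perm in effective_permissions(groups, memberships)


def groups_for_task(groups: GroupTable, needed: Set[Permission],
                    forbidden: Set[Permission]) -> Set[str]:
    """Groups that grant everything in `needed` and nothing in `forbidden`.

    An empty result is exactly the situation in the thread: no assignable group
    gives staff the customer list without also handing them the sales reports.
    """
    return {name for name, perms in groups.items()
            if needed <= perms and not (perms & forbidden)}


def overprivileged_groups(groups: GroupTable, needed: Set[Permission],
                          forbidden: Set[Permission]) -> Set[str]:
    """Groups that would cover the task but also leak something in `forbidden`."""
    return {name for name, perms in groups.items()
            if needed <= perms and (perms & forbidden)}


if __name__ == "__main__":
    staff_needs = {Permission.VIEW_ORDERS, Permission.VIEW_CATALOG, Permission.VIEW_USERS}
    keep_private = {Permission.VIEW_REPORTS, Permission.VIEW_PAYMENT_DATA}
    print("coarse, exact fit :", groups_for_task(COARSE_GROUPS, staff_needs, keep_private))
    print("coarse, leaky     :", overprivileged_groups(COARSE_GROUPS, staff_needs, keep_private))
    print("fine, exact fit   :", groups_for_task(FINE_GROUPS, staff_needs, keep_private))
    print("CS sees reports?  :", is_authorized(FINE_GROUPS, ["Customer Service"], Permission.VIEW_REPORTS))
```

Run against the coarse table, `groups_for_task` comes back empty and `overprivileged_groups` names System, Admin and Jr Admin, which is the audit result the original poster found by hand; with the added group, the same query returns only "Customer Service", and the deny-by-default check confirms that group cannot see reports. The real work in AC7 is wiring a new group into the admin pages' permission checks, which the linked article covers; the model only shows what the target state looks like.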
