customized user roles ... Administrator site
customized user roles ... Administrator site
We've set up a store manager with these capabilities:
Manage Orders, Manage Catalog, View Reports
This is NOT a person who should have website and other admin, jr. admin capabilities but a store manager SHOULD be able to identify featured items, coupons, and other items listed in the Marketing drop down list. How can we add marketing to the store manager's roles?
Manage Orders, Manage Catalog, View Reports
This is NOT a person who should have website and other admin, jr. admin capabilities but a store manager SHOULD be able to identify featured items, coupons, and other items listed in the Marketing drop down list. How can we add marketing to the store manager's roles?
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Bob,
The ~/Admin/menu.sitemap file defines what menu options are available to what security roles. Edit that file and you should see how it's being done well enough to make changes.
Be sure to back it up before you change it, and remember it could be overwritten with a future upgrade.
EDIT file is menu.sitemap, not admin.sitemap. My bad.
The ~/Admin/menu.sitemap file defines what menu options are available to what security roles. Edit that file and you should see how it's being done well enough to make changes.
Be sure to back it up before you change it, and remember it could be overwritten with a future upgrade.
EDIT file is menu.sitemap, not admin.sitemap. My bad.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Thanks Joe ... that worked -- although your suggestion almost scared me to death.The ~/Admin/menu.sitemap file defines what menu options are available to what security roles. Edit that file and you should see how it's being done well enough to make changes.
I know a little bit about a lotta things and now that list includes xml and sitemaps.
It's in and WORKING!!
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Good to hear you got it.
Just remember to back that file up somewhere. When an AC7 update is installed, it might get overwritten and you'll need your backup copy to re-apply the changes.
Just remember to back that file up somewhere. When an AC7 update is installed, it might get overwritten and you'll need your backup copy to re-apply the changes.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
I *thought* I had it but made a bit of an assumption without testingSolunarServices wrote:Good to hear you got it.
I got the menus to show what I wanted, for example: allow catalog manager to manage gift certificates but when Gift Certificates is selected she's pushed to Merchant Login which tells me she doesn't have enough *power* to manage gift certificates. Here's my before and after for the sitemenu.
before:
after:siteMapNode title="Gift Certificates" url="~/Admin/Payment/GiftCertificates.aspx" roles="System,Admin,Jr. Admin"
Can anyone suggest what might be going wrong or is there another step I need to take to implement this capability?siteMapNode title="Gift Certificates" url="~/Admin/Payment/GiftCertificates.aspx" roles="System,Admin,Jr. Admin,Manage Catalog"
Thanks,
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Each primary menu section in AC7 Admin has an associated sub-folder in the ~/Admin/ directory. In each of those sub-folders is a web.config file that coordinates with the security settings in the menu file.
In other words, if you change a permissions structure in the menu file, you must also change it in the appropriate sub-folder web.config file. That's how .Net manages folder security permissions.
In other words, if you change a permissions structure in the menu file, you must also change it in the appropriate sub-folder web.config file. That's how .Net manages folder security permissions.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
so I added this role to the web config in payments folder now gift certificates can be added or edited.
however, I need to review the site admin menu to assure I don't give catalog managers rights to gateways and other functions in the payment folder. correct?allow roles="System,Admin,Jr. Admin,Manage Catalog"
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Correct.
Keep in mind that you're only going to be able to go "so deep" with your permission restrictions. You can control the menu options down to the menu option level, but the sub-folders and the pages in those folders can only be restricted on a folder-by-folder basis.
Keep in mind that you're only going to be able to go "so deep" with your permission restrictions. You can control the menu options down to the menu option level, but the sub-folders and the pages in those folders can only be restricted on a folder-by-folder basis.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Any time, glad to help
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: customized user roles ... Administrator site
We need to extend this discussion. We have a Store Manager role which combines Catalog Manager, Order Manager, and Reports. We've modified the menu.sitemap to limit the menu items this store manager sees. We need to allow the store manager to reset user passwords etc. but without visibility to user groups, vendors, and manufacturers so adding Jr. Admin doesn't fit. We don't want a store manager to shoot himself or herself in the foot by extending the ability to modify store configs, conlibs, etc. We don't want to allow the Catalog Manager to have all the authority the Store Manager has. We need a Store Manager role which we can then add to various functions in the menu.sitemap. Is it possible to add a new role to the basic list of role/permissions?
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Re: customized user roles ... Administrator site
Yes. Create a new user group under Users, User Groups. That new user group will automatically be defined as a "Role" in the customized security provider that AC7 implements.
Once you have created the new group, you will need to "define" what options are available to that group. Just add that group to the "Roles=" for the respective menu options in the ~/Admin/menu.sitemap file. That will dictate what overall menu options are possible for the new group you've created.
Finally, you'll want to add that same group name to the Web.config file located in the respective sub-folders beneath ~/Admin/. For example, if you want the new group to have access to the Catalog, you'll need to modify the ~/Admin/Catalog/web.config file to allow the new group to access the pages located in the ~/Admin/Catalog/ folder. If you wanted the new group to add/edit users, modify the ~/Admin/People/web.config file AND ~/Admin/People/Users/web.config. Remember: there are two sets of permissions control, one at the menu level and another at the file level. This prevents someone without the appropriate permissions hitting the URL directly and gaining unauthorized access.
To summarize:
IIS security works in two ways and thus requires two seperate changes...
1. The first way involves just the ability to see the menu option via the menu.sitemap file.
2. The second is the respective web.config file in the folder that contains the pages you want that group to access. Each folder in an IIS app can/does have a respective web.config file that dictates what security "roles" have access.
Once you have created the new group, you will need to "define" what options are available to that group. Just add that group to the "Roles=" for the respective menu options in the ~/Admin/menu.sitemap file. That will dictate what overall menu options are possible for the new group you've created.
Finally, you'll want to add that same group name to the Web.config file located in the respective sub-folders beneath ~/Admin/. For example, if you want the new group to have access to the Catalog, you'll need to modify the ~/Admin/Catalog/web.config file to allow the new group to access the pages located in the ~/Admin/Catalog/ folder. If you wanted the new group to add/edit users, modify the ~/Admin/People/web.config file AND ~/Admin/People/Users/web.config. Remember: there are two sets of permissions control, one at the menu level and another at the file level. This prevents someone without the appropriate permissions hitting the URL directly and gaining unauthorized access.
To summarize:
IIS security works in two ways and thus requires two seperate changes...
1. The first way involves just the ability to see the menu option via the menu.sitemap file.
2. The second is the respective web.config file in the folder that contains the pages you want that group to access. Each folder in an IIS app can/does have a respective web.config file that dictates what security "roles" have access.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: customized user roles ... Administrator site
Just noted this in my new Admin\web.config
===> <pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin" />
===> <allow roles="System,Admin,Jr. Admin,Manage Orders,Manage Catalog,Manage Website,View Reports,Store Manager"/>
Do I understand this correctly? If we're using a different admin theme this change will not apply?
If so, is it possible to change the pages line to be:
<pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin,OurAdmin" />
will this apply it to either theme?
===> <pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin" />
===> <allow roles="System,Admin,Jr. Admin,Manage Orders,Manage Catalog,Manage Website,View Reports,Store Manager"/>
Do I understand this correctly? If we're using a different admin theme this change will not apply?
If so, is it possible to change the pages line to be:
<pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin,OurAdmin" />
will this apply it to either theme?
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Re: customized user roles ... Administrator site
No, the themes do not have anything to do with security.
Themes are what decide the appearance of the site. Colors, fonts etc.
roles are what you are looking for.....
Themes are what decide the appearance of the site. Colors, fonts etc.
roles are what you are looking for.....
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: customized user roles ... Administrator site
Joe, this creates a new Group ... what I really need is a new permission. I've gone thru all the logic in web.config files admin folders and subfolders.Create a new user group under Users, User Groups. That new user group will automatically be defined as a "Role" in the customized security provider that AC7 implements.
If we take this example: Catalog Admins ... Manage Catalog from the user groups page,
The xml files refer to <allow roles="System,Admin,Jr. Admin,Manage Catalog" />
but when you refer to the group page Manage Catalog is a "permission" ... how can I add a permission called "Manage Store"?
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
Re: customized user roles ... Administrator site
Bob, permissions are defined by the groups created in the system.
There's is no "Manage Store" permission, so you have to create one yourself. You do that by first creating a group called "Manage Store", and then you add that "Manage Store" group to the respective menu options you want the members of that group to be able to access.
Which menu options you decide to allow the "Manage Store" group access will decide what features are available to a member of the "Manage Store" group.
In ASP.Net permissions, these groups are known as "roles".
There's is no "Manage Store" permission, so you have to create one yourself. You do that by first creating a group called "Manage Store", and then you add that "Manage Store" group to the respective menu options you want the members of that group to be able to access.
Which menu options you decide to allow the "Manage Store" group access will decide what features are available to a member of the "Manage Store" group.
In ASP.Net permissions, these groups are known as "roles".
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: customized user roles ... Administrator site
I've done that long ago ... that's what creates the Group column on the Administration > People > User Groups page. That's not what is used in the web config files ... those use the "Permissions" column as we see them displayed on the User Groups page. I found EditGroupDialog.ascx initialize rolelist ... I think a direct add to the database is what creates this permissions column. Wish I'd known that before ... would have saved a lot of time. (I guess I learned a little more though)no "Manage Store" permission, so you have to create one yourself. You do that by first creating a group called "Manage Store", and then you add that "Manage Store" group to the respective menu options you want the members of that group to be able to access.
Thanks for all your help Joe.
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
- mfreeze
- Commodore (COMO)
- Posts: 421
- Joined: Mon Jan 24, 2005 2:07 pm
- Location: Washington, NJ
- Contact:
Re: customized user roles ... Administrator site
So how do I add a group with no admin permissions?
In 5.5, you could use groups to set pricing for selected user by group membership. These groups had no access to any administration functions.
We need the ability to create groups in order to set up discount pricing but giving the user no admin rights. I am not finding this capability in 7.0. When I add a group, it only gives a list of rights associated with administration access.
In 5.5, you could use groups to set pricing for selected user by group membership. These groups had no access to any administration functions.
We need the ability to create groups in order to set up discount pricing but giving the user no admin rights. I am not finding this capability in 7.0. When I add a group, it only gives a list of rights associated with administration access.
Mary E Freeze
Freeze Frame Graphics
Web Hosting and Design, ASP and CFMX Development
http://www.ffgraphics.com
Freeze Frame Graphics
Web Hosting and Design, ASP and CFMX Development
http://www.ffgraphics.com
Re: customized user roles ... Administrator site
Have you tried Add Group on the Administration > People > User Groups page without selecting any of the "Permissions"? I believe you could use this new group (or groups) for setting up your discounts.So how do I add a group with no admin permissions?
Administration > Marketing > Volume Discounts > New Discount then select the group(s) that apply.
Bob R.
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
"Bills travel through the mail at twice the speed of checks." -- Steven Wright
- mfreeze
- Commodore (COMO)
- Posts: 421
- Joined: Mon Jan 24, 2005 2:07 pm
- Location: Washington, NJ
- Contact:
Re: customized user roles ... Administrator site
Never Mind. I found it. I just had to unhighlight the selected right and I added it with no rights.
Mary E Freeze
Freeze Frame Graphics
Web Hosting and Design, ASP and CFMX Development
http://www.ffgraphics.com
Freeze Frame Graphics
Web Hosting and Design, ASP and CFMX Development
http://www.ffgraphics.com