customized user roles ... Administrator site

[bobr2k]

We've set up a store manager with these capabilities:
Manage Orders, Manage Catalog, View Reports

This is NOT a person who should have website and other admin, jr. admin capabilities but a store manager SHOULD be able to identify featured items, coupons, and other items listed in the Marketing drop down list. How can we add marketing to the store manager's roles?

[AbleMods]

Bob,

The ~/Admin/menu.sitemap file defines what menu options are available to what security roles. Edit that file and you should see how it's being done well enough to make changes.

Be sure to back it up before you change it, and remember it could be overwritten with a future upgrade.

EDIT file is menu.sitemap, not admin.sitemap. My bad.

[bobr2k]

The ~/Admin/menu.sitemap file defines what menu options are available to what security roles. Edit that file and you should see how it's being done well enough to make changes.

Thanks Joe ... that worked -- although your suggestion almost scared me to death.
I know a little bit about a lotta things and now that list includes xml and sitemaps.

It's in and WORKING!!

[AbleMods]

Good to hear you got it.

Just remember to back that file up somewhere. When an AC7 update is installed, it might get overwritten and you'll need your backup copy to re-apply the changes.

[bobr2k]

Good to hear you got it.

I *thought* I had it but made a bit of an assumption without testing
I got the menus to show what I wanted, for example: allow catalog manager to manage gift certificates but when Gift Certificates is selected she's pushed to Merchant Login which tells me she doesn't have enough *power* to manage gift certificates. Here's my before and after for the sitemenu.
before:

siteMapNode title="Gift Certificates" url="~/Admin/Payment/GiftCertificates.aspx" roles="System,Admin,Jr. Admin"

after:

siteMapNode title="Gift Certificates" url="~/Admin/Payment/GiftCertificates.aspx" roles="System,Admin,Jr. Admin,Manage Catalog"

Can anyone suggest what might be going wrong or is there another step I need to take to implement this capability?
Thanks,

[AbleMods]

Each primary menu section in AC7 Admin has an associated sub-folder in the ~/Admin/ directory. In each of those sub-folders is a web.config file that coordinates with the security settings in the menu file.

In other words, if you change a permissions structure in the menu file, you must also change it in the appropriate sub-folder web.config file. That's how .Net manages folder security permissions.

[bobr2k]

so I added this role to the web config in payments folder now gift certificates can be added or edited.

allow roles="System,Admin,Jr. Admin,Manage Catalog"

however, I need to review the site admin menu to assure I don't give catalog managers rights to gateways and other functions in the payment folder. correct?

[AbleMods]

Correct.

Keep in mind that you're only going to be able to go "so deep" with your permission restrictions. You can control the menu options down to the menu option level, but the sub-folders and the pages in those folders can only be restricted on a folder-by-folder basis.

[bobr2k]

thx for all your help on this Joe.

[AbleMods]

Any time, glad to help

[bobr2k]

We need to extend this discussion. We have a Store Manager role which combines Catalog Manager, Order Manager, and Reports. We've modified the menu.sitemap to limit the menu items this store manager sees. We need to allow the store manager to reset user passwords etc. but without visibility to user groups, vendors, and manufacturers so adding Jr. Admin doesn't fit. We don't want a store manager to shoot himself or herself in the foot by extending the ability to modify store configs, conlibs, etc. We don't want to allow the Catalog Manager to have all the authority the Store Manager has. We need a Store Manager role which we can then add to various functions in the menu.sitemap. Is it possible to add a new role to the basic list of role/permissions?

[AbleMods]

Yes. Create a new user group under Users, User Groups. That new user group will automatically be defined as a "Role" in the customized security provider that AC7 implements.

Once you have created the new group, you will need to "define" what options are available to that group. Just add that group to the "Roles=" for the respective menu options in the ~/Admin/menu.sitemap file. That will dictate what overall menu options are possible for the new group you've created.

Finally, you'll want to add that same group name to the Web.config file located in the respective sub-folders beneath ~/Admin/. For example, if you want the new group to have access to the Catalog, you'll need to modify the ~/Admin/Catalog/web.config file to allow the new group to access the pages located in the ~/Admin/Catalog/ folder. If you wanted the new group to add/edit users, modify the ~/Admin/People/web.config file AND ~/Admin/People/Users/web.config. Remember: there are two sets of permissions control, one at the menu level and another at the file level. This prevents someone without the appropriate permissions hitting the URL directly and gaining unauthorized access.

To summarize:

IIS security works in two ways and thus requires two seperate changes...
1. The first way involves just the ability to see the menu option via the menu.sitemap file.
2. The second is the respective web.config file in the folder that contains the pages you want that group to access. Each folder in an IIS app can/does have a respective web.config file that dictates what security "roles" have access.

[bobr2k]

Just noted this in my new Admin\web.config

===> <pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin" />
===> <allow roles="System,Admin,Jr. Admin,Manage Orders,Manage Catalog,Manage Website,View Reports,Store Manager"/>

Do I understand this correctly? If we're using a different admin theme this change will not apply?

If so, is it possible to change the pages line to be:
<pages masterPageFile="~/Admin/Admin.Master" theme="AbleCommerceAdmin,OurAdmin" />

will this apply it to either theme?

[AbleMods]

No, the themes do not have anything to do with security.

Themes are what decide the appearance of the site. Colors, fonts etc.

roles are what you are looking for.....

[bobr2k]

Create a new user group under Users, User Groups. That new user group will automatically be defined as a "Role" in the customized security provider that AC7 implements.

Joe, this creates a new Group ... what I really need is a new permission. I've gone thru all the logic in web.config files admin folders and subfolders.
If we take this example: Catalog Admins ... Manage Catalog from the user groups page,
The xml files refer to <allow roles="System,Admin,Jr. Admin,Manage Catalog" />

but when you refer to the group page Manage Catalog is a "permission" ... how can I add a permission called "Manage Store"?

[AbleMods]

Bob, permissions are defined by the groups created in the system.

There's is no "Manage Store" permission, so you have to create one yourself. You do that by first creating a group called "Manage Store", and then you add that "Manage Store" group to the respective menu options you want the members of that group to be able to access.

Which menu options you decide to allow the "Manage Store" group access will decide what features are available to a member of the "Manage Store" group.

In ASP.Net permissions, these groups are known as "roles".

[bobr2k]

no "Manage Store" permission, so you have to create one yourself. You do that by first creating a group called "Manage Store", and then you add that "Manage Store" group to the respective menu options you want the members of that group to be able to access.

I've done that long ago ... that's what creates the Group column on the Administration > People > User Groups page. That's not what is used in the web config files ... those use the "Permissions" column as we see them displayed on the User Groups page. I found EditGroupDialog.ascx initialize rolelist ... I think a direct add to the database is what creates this permissions column. Wish I'd known that before ... would have saved a lot of time. (I guess I learned a little more though)
Thanks for all your help Joe.

[mfreeze]

So how do I add a group with no admin permissions?

In 5.5, you could use groups to set pricing for selected user by group membership. These groups had no access to any administration functions.

We need the ability to create groups in order to set up discount pricing but giving the user no admin rights. I am not finding this capability in 7.0. When I add a group, it only gives a list of rights associated with administration access.

[bobr2k]

So how do I add a group with no admin permissions?

Have you tried Add Group on the Administration > People > User Groups page without selecting any of the "Permissions"? I believe you could use this new group (or groups) for setting up your discounts.

Administration > Marketing > Volume Discounts > New Discount then select the group(s) that apply.

[mfreeze]

Never Mind. I found it. I just had to unhighlight the selected right and I added it with no rights.