User Roles and Permissions
In CloudBlue Commerce, different categories of users can perform different operations on system objects. The system of roles and privileges is a mechanism for managing user permissions.
Each operation involves certain objects. The users must have specific permissions to perform certain operations on the objects involved. For example, to create a new domain, a user must be granted the necessary permissions, including the permission to create domains.
There are basic security notions that you must be familiar with when dealing with permissions and operations:
- Privilege is a named permission to execute certain operations on certain objects. For example, the All Domains privilege enables you to create and manage domains. Privileges are defined system-wide during the initial installation or upgrade of CloudBlue Commerce and cannot be modified. CloudBlue Commerce provides different sets of privileges: Operations privileges and Billing privileges.
- Role is a set of privileges. It is used for grouping privileges and assigning them to different users. One role can be assigned to several users, and several roles can be assigned to the same user simultaneously. If a role is modified, all users with this role are affected at the same time.
Note: After a user role is modified, changes take effect only after the user's next login to CloudBlue Commerce.
An Operations privilege can be included in different Service Management roles in different modes:
- Disabled (no operations are available)
- View (provides read-only access to managed objects)
- Manage (enables you to manage the existing objects)
- Admin (enables you to manage the existing objects and create the new ones)
The resulting set of privileges the staff member gets is a combination of all privileges assigned to all roles that are assigned to the staff member.
A Billing privilege can be included in different Billing roles. Billing privileges have no modes like those of Operations privileges.
The following built-in Service Management roles are created by the system:
- Account Administrator: this role provides the full list of administrative privileges to the first staff member of any account. This role exists in each group of roles.
- Staff member defaults: all privileges are disabled by default for this role. If you create an additional provider staff member via CloudBlue Commerce, this role is automatically assigned to the staff member. We recommend that you create a provider staff member via the Billing control panel.
The following built-in Billing roles are created by the system:
- Full Access: grants full control over Billing.
- Reseller Full Access: this role is almost identical to the above Full Access role, but a user with this role assigned does not have the privilege to configure Billing service gates. A newly created reseller inherits this role.
- Customer Full Access: this role has limited privileges compared to Full Access or Reseller Full Access; users with this role assigned have access only to their own data in CCP. A newly created customer inherits this role.
The scheme below shows relations among users, roles and privileges.
For more detailed information about roles and privileges, please refer to the Privileges Reference.
Note: When you switch between the Billing part and the Operations part of Provider, Reseller, or Customer Panel, the system uses the credentials, settings, and privileges of an account's staff member for the redirection. By default, the first staff member account (with the lowest ID) that was created under a user account is used. The system picks that user automatically. If that staff member is not granted the Account Administrator privilege, the redirection between Control Panels and their parts might not be fully functional: some operations might not be available to users after redirection. Please keep this in mind when creating staff member accounts for users.
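The following sketch is an added example, not CloudBlue code or a CloudBlue API. It works on a constructed in-memory export of roles and staff members to show how privileges combine across roles and how to find accounts whose lowest-ID staff member lacks the Account Administrator role. It assumes that when two roles carry the same privilege in different modes, the more permissive mode wins; the custom role names and the data layout are hypothetical.

```python
from enum import IntEnum

class Mode(IntEnum):
    # The four Operations privilege modes from this page, least to most permissive.
    DISABLED = 0
    VIEW = 1
    MANAGE = 2
    ADMIN = 3

ADMIN_ROLE = "Account Administrator"

def effective_privileges(role_names, roles):
    """Merge the privileges of every role a staff member holds.

    Assumption: if the same privilege appears in several roles,
    the most permissive mode is the resulting one.
    """
    merged = {}
    for name in role_names:
        for privilege, mode in roles[name].items():
            merged[privilege] = max(merged.get(privilege, Mode.DISABLED), mode)
    return merged

def redirect_risks(staff):
    """Return accounts whose lowest-ID staff member lacks Account Administrator."""
    first = {}
    for member in staff:
        current = first.get(member["account"])
        if current is None or member["id"] < current["id"]:
            first[member["account"]] = member
    return sorted(a for a, m in first.items() if ADMIN_ROLE not in m["roles"])

# Constructed sample data; the two "Domain ..." roles are hypothetical custom roles.
ROLES = {
    "Account Administrator": {"All Domains": Mode.ADMIN},
    "Staff member defaults": {"All Domains": Mode.DISABLED},
    "Domain Viewer": {"All Domains": Mode.VIEW},
    "Domain Operator": {"All Domains": Mode.MANAGE},
}
STAFF = [
    {"id": 101, "account": "A-1", "roles": ["Account Administrator"]},
    {"id": 102, "account": "A-1", "roles": ["Domain Viewer", "Domain Operator"]},
    {"id": 201, "account": "A-2", "roles": ["Staff member defaults", "Domain Viewer"]},
    {"id": 202, "account": "A-2", "roles": ["Account Administrator"]},
]

if __name__ == "__main__":
    for member in STAFF:
        print(member["id"], effective_privileges(member["roles"], ROLES))
    print("Accounts at risk on panel redirection:", redirect_risks(STAFF))
```

Running the same two checks after every role change helps catch staff members who accumulate broader access than any single role suggests.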