Permissions

The purpose of this document is to describe the available individual permissions that can be enabled for each role and how you manage these roles in Admin.

Admin menu

Managing permissions

In System > Permissions you can access both the Users, where you create a new user, and Roles, where you set permissions for a user, sections. Both roles and users are fully configurable to meet your unique permissions needs.

Roles

A role defines which actions a user is able to execute within the system. Create roles first, then users assigned to those roles.

Hierarchy

An administrator should be granted a role with a value of 1 in the Hierarchy field, which gives them the permissions to create additional roles for others as needed. With this permission they can define role names and check permissions to be granted to users per role (via the tickbox in the Resources section).

The following rules apply to hierarchy levels:

  • Roles with a hierarchy of 1 have the ability to view other roles with a hierarchy of 1, as well as all roles with a hierarchy greater than 1.
  • Roles with a hierarchy of 2 are not able to view roles with a hierarchy of 1 or other roles with a hierarchy of 2. They can only see roles with a hierarchy of 3.
  • Roles with a hierarchy of 3 are not able to view any roles in the Roles view.

Once roles have been defined (see the Add a role section below) a new user can be created and assigned to the role.

Add a role

  1. Click System > Roles.
  2. Click Add Role.

    Add Role

  3. Add a name for this role and set the hierarchy.
  4. Tick the applicable Resources options for this role.
  5. Tick None, All Sales Channels, or Specific Sales Channels to select which, if any, sales channels this role should have access to.

If Specific Sales Channels is selected, search for and select, or tick, the desired channel options and click Done.

If All Sales Channels is selected for a role and a new sales channel is created on the system, all users with this role will have access to it automatically without having to update the list of sales channel for that role

  1. Click Create.

    When you navigate back to the Roles page a list of all the Roles that have been created will be displayed.

    Roles

Delete a role

To delete a role:

  1. Click System > Roles.
  2. Click Delete for the role you want to remove.

    Delete Button

Modify a role

To modify an existing role:

  1. Click the name of the role in the left-hand column of the Roles page.
  2. Edit the Name, Hierarchy, Resources, or Stores options as desired.
  3. Click Update.

    Update button

You cannot filter information by source and store, so you must define one of them. If a user has one or more sources selected as part of their defined role, all active pages as defined for the role will only show details for the selected sources.

Typically, omnichannel users are interested in source filters and single channels in store-level filters.

Users

A user is an individual that has a particular role within an specific environment. A user can perform specific actions based on their configured role, and they can see relevant information based on the permissions assigned to them (via their role).

Once a new role is created you can create a new user and assign a role to the user.

When creating a user, it is important to specify which sources the user has access to: None, All Sources or Specific Sources.

If Specific Sources is selected, search for and select, or tick, the desired channel options and click Done.

If All Sources is selected for a user and a new source is created on the system, the user will have access to it automatically without having to update the list of sources for that user

For instance, a store associate role will most likely be interested in only seeing orders that have been sourced to their applicable source (the one designated for their store), so will only need access to that source.

You can add a user via:

  • The Admin panel.
  • An uploaded template.

Add user through Admin panel

To add a user in the Admin panel:

  1. Click System > Users.
  2. Click Add User.

    Add User

  3. Fill in the following information per the user’s specifics:

    • Copy from (optional) - Copy user information from an existing user
    • User name - Create a user name
    • E-mail - Add user email
    • Timezone - Configure the appropriate timezone
    • Role - Choose their role, such as Super Admin, admin, Store assistant, Customer service agent, etc.
    • Allow access Sources - Select the applicable sources for the user: None, All Sources, or Specific Sources. By default, None will be selected.

      If you selected None, the user will not have access to any source and pages with source filtering capabilities will display an error message.

      If you selected All Sources, there is no source restriction for the user. When a new source is created, the user will automatically have permissions to see related data for the pages they have access to.

    a. If you selected Specific Sources, search for and select, or tick, the desired options and click Done.

    When assigning sources to a user (or updating a current user), you will only see sources available for the User role you selected.

    The new user will receive an email from Backoffice User Service containing a password reset link. In order to access the admin interface new users are required to reset their password.

When you navigate back to the Users page you will see a searchable list of all configured users, showing user name, e-mail, User role, and whether or not they are active roles.

Add/update user by uploading template

This option is ideal if you want to create many users at one time.

To add a user by uploading a template:

  1. Click System > Users.
  2. Click Upload users.

    Upload Users

  3. Click Download template and populate it with multiple user’s information to do a bulk upload and configuration of a set of users, or to update existing users.

    CSV template file fields

    Columns Description Example Important
    Username Name the user will use to access the UI storeAssistant21 Do not use spaces
    E-mail Email that will be use to manage the user’s account, reset the password, and send any email storeAssistant21@site.com -
    Enabled Defines whether user is active; for use in deactivating multiple users at the same time 1/0 Available values are 0 (not active) or 1 (active)
    Access all sources Define user access to all sources for this client to avoid having to select from many sources 1/0 Available values are 0 (source restriction) or 1; access to all sources requires ALL_SOURCES, access
    Timezone Timezone in which the user is located UTC -
    Role Defines the actions the user can perform and available access to the UI Corporate Super Admin roles are for use by internal Magento users
    Sources Comma separated list of sources the user will have access to (external ID) WAREHOUSE, test-store Column must list external ID of sources
    Action Indicates whether you are updating or creating a new user Create/Update -

    Upload Users View

  4. Click Choose File, select your edited template, and click Upload.

    The new users will receive an email from Backoffice User Service containing a password reset link. In order to access the admin interface new users are required to reset their password.

You can also edit existing users by clicking Download CSV and editing the information as explained.

When you navigate back to the Users page you will see a searchable list of all configured users, showing user name, e-mail, User role, and whether or not they are active roles.

Configuration

Currently, there are two different permissions models: User Restriction Filter and Restriction based on both, Sources and Sales Channels settings.

User restriction filter

The UserRestrictionFilter configuration, for which the value can be source or store, will define which of the values will be used to filter the information in Backoffice. You cannot filter information by source and store, so you must define one of them. If a user has one or more sources selected as part of their defined role, all active pages as defined for the role will only show details for the selected sources.

Typically, omnichannel users are interested in source filters and single channels in store-level filters.

Restrict Access Considering both, Sources, and Sales Channels settings

This new configuration allows for the flexible assignment of sources and channels. Backoffice pages are filtered based on User - source permissions and Role - sales channel permission when the new RestrictionBySourceAndSalesChannel configuration is enabled.

This is the filter applied to each page:

By Source By Sales Channel By Source OR Sales Channel
Dashboard—(in-store pickup (ISPU), ship from store (SFS), Sales Operations, and Pending Arrival)
- Sales Reports—Pick declined
System Fulfillment—Sources
Product Inventory—Manual Stock Update
Sales—Operations (Pre-order, Backorder, Exception & Sourcing Queue, and Refund intervention) Dashboard—Operations dashboard
Order details view
Sales—Orders
Customer Service—Orders

It is easy to see when a page is filtered only by Source (column one) and only by Sales Channel (column two) but, what does it mean when a page is filtered by Source or Sales Channel (column 3)?

  • We validate if the user has access to the Sales Channel of the order. If this validation fails, then we check the user access to any of the sources of the order by using the shipment requests.
  • If a user has a role with access to the Sales Channel of the order, they will see the details of the entire order (regardless of their access to the source).
  • If an order has at least one line that is ISPU with collection in the source, then the user will have access to the full order.
  • If an order has at least one line that is/was sourced to the source (and not pick declined) then the user will see the details of the entire order (regardless of their access to the source). If the shipment request was fully pick declined, it shouldn’t be considered.

    Example: The Store A store associate, who only has access to source A and no Sales Channel can see orders that were allocated to source A. If the order is fully pick declined from source A, this store associate will not see it.

  • If a user has a role with no access to any Sales Channel and the order is in the “Pending First Shipment Request” status, the user will see a 403 error.

These definitions are configured, and can be enabled, in your System Integrator (SI) Portal, which is not accessible externally yet. Contact your Customer Success Manager (CSM) or Technical Account Manager (TAM) for assistance.

Examples of typical configurations for different personas

Role Sources Sales Channel Filters
Omnichannel Manager All All Sees everything
Sales Channel Manager or Customer Service Representative No 1 - Sees only orders affected to his Sales Channel.
- Will not use the store fulfilment screens.
- The CSR has more restrictions on pages than the SCM.
Store Associate (Internal) 1 All - Uses store fulfilment screens for their own store.
- Will be able to see all the orders.
- Sees the source inventory of all sources (if given access to the Source Stock page).
Store Associate (Franchise) 1 1 - Uses store fulfilment screens for theikr own store.
- Sees only orders that are affect their store or were shipped/collected from their store (partially or fully).
- Sees the source inventory of all sources (if given access to the Source Stock page).

Available individual permissions

There are eight different areas of permission: Sales Management, Customer Service, Order Modification, Stock Management, Omnichannel Management, Reports, Configuration, Internal Tools.

See the permissions their descriptions below.

Sales Management

Manage orders Access to the Sales > Orders page
Manage pre-orders Access to see the pre-order dashboard
Export order data Capability to export information XML/CSV on the Sales section (/admin/sales/orders/)
Manage payment authorizations  
Manage backorder Access to see the backorder dashboard

Customer Service

Manage Orders Access to the Customer service > Orders pages
Export order data Capability to export information XML/CSV on the Customer service section (/admin/customer-service/orders/)
Cancel line Display cancel button and allow to cancel order lines
Request returns Access and permission to manually initiate a return from OMS Admin
Approve returns Access and permission to manually initiate approve a return if the flow is configured to require an approval
Request appeasement Access and permission to manually request an appeasement of a specified amount
Request reshipment Access and permission to request an order re-shipment
Request exchange Access and permission to request an order exchange
Release refunds Permission to request a release of a refund
Exchanges  
Resend emails Access and permission to resend any selected email

Order Modification

Update Shipping Address Capability to manually update shipping address
Update Custom Attributes Capability to manually update custom attributes

Stock Management

Source Engine Provides visibility into:
- the queue of orders pending sourcing
- display exception of the orders pending sourcing as overdue
Manage inventory Display the stock information for each SKU and source. The user can see also historical information for any stock change (i.e.: past updates to the stock quantities)
Manage stock aggregates Allows the user to display, create and update the configured sales channels and stock aggregates.
From the stock aggregates page the user can update which sources are associated to the aggregate (meaning will provide the stock to be aggregated for the final available to sell stock for the frontend provider).
Here the safeties stock at aggregate level can be configured for each item status (default, outlet, end of life).
Manage sources Access to create new source, update existing source information, upload from a csv a list of sources, define the allocation waves per each source
Manual stock update Allows a user to manually change the stock of any given SKU for a specific source from Admin. This feature should be used for very specific updates, given the stock snapshot processes will override the manual changes

Omnichannel Management

Manage ship from store orders Access to:
Home page > Ship From Store Dashboard
Dashboard > Ship From Store Dashboard
Sales > Ship From Store
Manage ISPU orders Access to:
Home page > In-store Pickup Dashboard
Sales > In Store Pick Up
Sales > Orders: from this page on the pick list “view” page users will be redirected to the ISPU pick list
Sales > Orders > Order overview: access to the pick list(s) from several links
Pending arrival Access to:
Sales > Pending arrival page that is required for Ship to Store (STS)
ISPU dashboard Access to:
Dashboard > In-Store Pickup (ISPU) Dashboard
ISPU Configuration Access to:
System > I configurations to define pick and customer decline reasons

Reports

Reports Access to download csv reports within a defined date range. Available reports are:
- master order
- shipments
- returns
- refunds

Configuration

Manage catalogue Provides visibility into all items and options created in the OMS catalog and allows to manually create new items/options.
From the item page the user can see the stock available for the specific SKU for each one of the sources
Manage users Access to:
System > Users page
Manage roles Access to:
System > Roles page, users with permissions to this page will be able to update roles with the limitation of the hierarchy as a user will never be able to make a role with a higher hierarchy as his own.

Internal Tools

Developer Tools -
Events -
Message Log -
Force Shipment -
Force Soft Allocation -
Extensions -

Visibility to AccessToAllSalesChannelsAndSources user view

In the past, if a role needed to have visibility to orders that have not yet been sourced (such as orders pending sourcing, backorders, and pre-orders) the role was required to have access to all Sales Channels/Sources. To achieve this, there was a Allow access to all Sales Channels/Sources configuration in the user view, which allowed visibility to those orders without applying filters.

New clients will not have access to this configuration. They will have access to the new way of configuring User Roles and Permissions instead:

  • Existing clients will have the configuration enabled but hidden in Backoffice. The AccessToAllSources option will be enabled (not the AccessToAllSalesChannels, because it could give additional permissions to other users that the merchant does not want because the Sales Channels are configured at the role level insteasd of the user level).
  • If an existing user with this enabled configuration changes from All to None or Specific User, the AccessToAllSalesChannelsAndSources option will be disabled and this user will need to use the new configuration.
  • If an existing role with this enabled configuration changes from All to None or Specific Role, the AccessToAllSalesChannelsAndSources option will be disabled and this user will need to use the new configuration.