Salesforce Commerce Cloud (SFCC) B2C Commerce uses a role-based access control system managed through Business Manager (BM) and the Account Manager portal. Permissions are scoped to organizations and sites, with roles controlling access to specific Business Manager modules. The system is deeply integrated with Salesforce's broader identity infrastructure, including Account Manager for SSO across Salesforce products.
Permission model
SFCC access control has three layers:
- Account Manager (organization-level) -- manages user identity, SSO, and organization membership. Users are created here and assigned to organizations. This is the Salesforce-wide identity layer.
- Business Manager roles -- within an organization, users are assigned roles that control access to BM modules. Roles are scoped per site or across all sites in the organization.
- OCAPI / SCAPI permissions -- API access is controlled through client credentials and permission documents that define which resources and methods each API client can access, independent of BM roles.
A user must exist in Account Manager AND have BM roles assigned to access the storefront admin. The two systems are connected but managed separately.
Built-in Business Manager roles
| Role | Access level | Key modules |
|---|---|---|
| Administrator | Full access to all BM modules across all sites | All modules, user management, code deployment |
| Business Manager User | Base role required for any BM access | Grants login capability; no module access alone |
| Merchant | Catalog, pricing, promotions, content | Products, Catalogs, Price Books, Promotions, Content |
| Marketer | Campaigns, SEO, analytics, A/B tests | Campaigns, SEO, Analytics, Active Data |
| Merchandiser | Product assortment and search configuration | Search, Sorting Rules, Recommendations |
| Customer Service | Customer lookup and order management | Customer Service Center, Order Management |
Roles are additive -- assign multiple roles to combine permissions. Custom functional roles can be created by Salesforce support or via metadata deployment.
Admin UI paths
| Task | Location |
|---|---|
| Create/manage users | Account Manager (account.demandware.com) > Users |
| Assign organization roles | Account Manager > [User] > Roles > Organization Roles |
| Assign BM roles | Business Manager > Administration > Organization > Roles |
| Site-specific role assignment | BM > Administration > Organization > Roles > [Role] > Site Assignment |
| Manage API clients | Account Manager > API Client |
| BM module permissions | BM > Administration > Organization > Roles > [Role] > Module Permissions |
| User session management | BM > Administration > Organization > Users > Active Sessions |
| Two-factor authentication | Account Manager > Security Policies |
API access management
OCAPI (Open Commerce API):
- REST API with two surfaces: Shop API (storefront) and Data API (back-office)
- Client ID + client secret created in Account Manager under API Client
- Permissions defined in ocapi_settings.json or BM > Administration > Site Development > Open Commerce API Settings
- Granular resource-level permissions: specify allowed resources, HTTP methods, and read/write access per client ID
- Separate permission documents for Shop API and Data API
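An added example, not Salesforce's own code: a small audit of an OCAPI permission document that flags wildcard resource paths, unrestricted write attributes, and write methods granted to clients that are meant to be read-only. It assumes the settings layout of clients, resources, resource_id, methods, read_attributes and write_attributes; the sample document, its client IDs and the read_only_clients parameter are constructed for illustration.

```python
import json

# Constructed Data API permission document in the OCAPI settings layout.
# Client IDs, resource paths and the "_v" value are placeholders.
SAMPLE_SETTINGS = """
{"_v": "23.2", "clients": [
  {"client_id": "example-reporting-client", "resources": [
    {"resource_id": "/sites/*/orders/*", "methods": ["get"],
     "read_attributes": "(order_no,status)", "write_attributes": "(**)"},
    {"resource_id": "/products/*", "methods": ["get", "patch"],
     "read_attributes": "(**)", "write_attributes": "(name)"}]},
  {"client_id": "example-integration-client", "resources": [
    {"resource_id": "/**", "methods": ["get", "put", "delete"],
     "read_attributes": "(**)", "write_attributes": "(**)"}]}
]}
"""

WRITE_METHODS = {"post", "put", "patch", "delete"}

def audit_ocapi_settings(raw, read_only_clients=frozenset()):
    """Return (client_id, resource_id, finding) tuples for over-broad grants."""
    findings = []
    for client in json.loads(raw).get("clients", []):
        cid = client.get("client_id", "<missing client_id>")
        for res in client.get("resources", []):
            rid = res.get("resource_id", "")
            methods = {m.lower() for m in res.get("methods", [])}
            writes = sorted(methods & WRITE_METHODS)
            if "**" in rid:
                findings.append((cid, rid, "wildcard resource path"))
            # write_attributes only matters once a write method is allowed
            if writes and res.get("write_attributes") == "(**)":
                findings.append((cid, rid, "unrestricted write_attributes"))
            if writes and cid in read_only_clients:
                findings.append((cid, rid, "write method on read-only client: " + ",".join(writes)))
    return findings

if __name__ == "__main__":
    for finding in audit_ocapi_settings(SAMPLE_SETTINGS, {"example-reporting-client"}):
        print(" | ".join(finding))
```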
SCAPI (Salesforce Commerce API):
- Newer headless API replacing OCAPI for storefront use
- Uses SLAS (Shopper Login and API Access Service) for authentication
- Client credentials managed in Account Manager
- Scopes define access boundaries (e.g., sfcc.products.rw, sfcc.orders.ro)
WebDAV/Code deployment:
- Code versions deployed via WebDAV or UX Studio
- Access requires the WebDAV_Client role or equivalent in BM
- Certificates or client credentials authenticate deployment tools
Analytics-specific permissions
SFCC has built-in analytics capabilities with specific permission controls:
- Analytics module -- BM > Merchant Tools > Analytics. Access controlled by the "Analytics" module permission on the user's role. The Marketer role includes this by default.
- Active Data -- SFCC's real-time analytics feature tracking active sessions, baskets, and conversion. Access at BM > Merchant Tools > Analytics > Reports. Requires Analytics module permission.
- Einstein Analytics -- AI-driven product recommendations and predictive insights. Configuration at BM > Merchant Tools > Einstein. Requires Merchandiser or Administrator role.
- A/B Testing -- at BM > Merchant Tools > Analytics > A/B Tests. Creating and managing tests requires Marketer role or explicit A/B Test module permission.
- Google Analytics integration -- configured in storefront cartridge code (e.g., int_google_analytics). Modifying the cartridge requires developer access (code deployment permissions). Configuration values may be stored in BM Site Preferences, editable by anyone with Custom Preferences access.
- Tag Manager -- SFCC sites commonly use GTM via a custom cartridge. The container ID is typically a site preference. Grant Custom Preferences view/edit to marketing users who need to update the GTM container ID.
To create a reporting-only user:
- Create the user in Account Manager
- Assign the Business Manager User base role
- Add module permission for Analytics only
- Scope to specific sites if needed
- Do not assign Merchant, Administrator, or any other role