SAP Commerce Cloud User Management | OpsBlu Docs

SAP Commerce Cloud User Management

SAP Commerce Cloud (Hybris) user management covering employee types, user groups, access rights, and analytics backoffice permissions.

SAP Commerce Cloud (formerly Hybris) uses a type-system-driven user model where users, user groups, and access rights are defined as platform types with full inheritance hierarchies. The permission system combines user groups, access rights on types and attributes, and restrictions (search/read/write constraints based on conditions). This is one of the most granular permission systems in enterprise commerce, but also one of the most complex to configure correctly.

Permission model

SAP Commerce operates at four permission layers:

  • Users and User Groups -- users (of type Employee, Customer, or custom subtypes) belong to one or more user groups. User groups can be nested, and permissions are inherited from parent groups.
  • Access Rights -- granted per type (e.g., Product, Order, CatalogVersion) and per attribute. Four right types: read, change, create, remove. Applied to user groups, resolved by checking the user's full group membership chain.
  • Restrictions -- conditional access rules using FlexibleSearch queries. A restriction can say "users in group X can only read Products where catalogVersion = Online." Restrictions enable row-level security.
  • Cockpit/Backoffice permissions -- the Backoffice UI has its own permission layer controlled through backoffice-config.xml and widget visibility rules.

Common user types and groups

| Type / Group | Purpose | Typical access |
|---|---|---|
| Employee | Back-office users (admin, content managers) | Backoffice access; scope depends on group membership |
| Customer | Storefront shoppers | Account, orders, wishlist; no Backoffice access |
| admingroup | Platform administrators | All access rights on all types, full Backoffice |
| employeegroup | Base employee group | Basic Backoffice access, no type-level rights by default |
| cmsmanagergroup | Content management | Read/write on CMS types (ContentPage, CMSComponent, ContentSlot) |
| productmanagergroup | Catalog management | CRUD on Product, Category, CatalogVersion (Staged) |
| csagentgroup | Customer service | Assisted Service Module access, read customer/order data |
| marketingmanagergroup | Promotions and campaigns | CRUD on Promotion, Campaign, PromotionGroup types |
| backofficeadmingroup | Backoffice configuration | Manage Backoffice layouts, saved queries, roles |

Custom groups are created as instances of UserGroup type, typically via ImpEx:

INSERT_UPDATE UserGroup;uid[unique=true];groups(uid);locname[lang=en]
;analyticsviewergroup;employeegroup;Analytics Viewer

Admin UI paths

| Task | Location |
|---|---|
| User management | Backoffice > System > Users > Employees |
| User Group management | Backoffice > System > User Groups |
| Access Rights configuration | Backoffice > System > Types > [Type] > Access Rights tab |
| Restrictions | Backoffice > System > Restrictions (or HAC > Console > FlexibleSearch) |
| Backoffice role configuration | backoffice-config.xml in extension or Backoffice > Administration |
| Password policy | project.properties > user.password.* settings |
| SSO/SAML configuration | ccv2.portal > Environments > [Env] > SSO or samlsinglesignon extension |
| HAC (admin console) | https://<host>/hac -- requires admingroup membership |

API access management

OCC (Omni Commerce Connect) API:

  • RESTful storefront API at /occ/v2/
  • OAuth2 client credentials for server-to-server calls
  • Customer authentication via password or OTP grant types
  • Client IDs registered as OAuthClientDetails in the platform
  • Scopes control resource access (e.g., basic, extended)
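The client registration and scope separation described above, as an added ImpEx example that is not part of the original page. It assumes the standard OAuthClientDetails type; the client IDs and secrets are placeholders.

```impex
# Added example (not from the page): two OCC OAuth2 clients registered as
# OAuthClientDetails, each limited to the grant types and scope it actually needs.
# <placeholder-secret> must be replaced before import.

INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope;authorizedGrantTypes;authorities;clientSecret;registeredRedirectUri

# Server-to-server client: client_credentials only, extended scope, trusted-client
# authority. It has no password grant, so it can never log in as a customer.
;reporting_service_client;hybris;extended;client_credentials;ROLE_TRUSTED_CLIENT;<placeholder-secret>;

# Storefront client: customer password and refresh_token grants, basic scope only,
# plain client authority. It has no client_credentials grant and no trusted-client rights.
;storefront_client;hybris;basic;password,refresh_token;ROLE_CLIENT;<placeholder-secret>;
```

A client that carried both client_credentials and ROLE_TRUSTED_CLIENT alongside the password grant would let a leaked storefront secret act as a server-to-server caller; keeping the two registrations separate limits what either credential can reach.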

Integration APIs:

  • Inbound integrations use Integration Objects defined in the integrationbackoffice
  • Each Integration Object exposes specific type attributes
  • Authentication via OAuth2 with client credentials
  • Scoped to specific Integration Objects -- a client cannot access types outside its assigned objects

ImpEx:

  • Bulk data import/export via ImpEx scripts
  • Executed in HAC or via hotfolder directory
  • No per-user scoping -- anyone with HAC access can run ImpEx
  • Sensitive operations: restrict HAC access to admingroup only

Analytics-specific permissions

SAP Commerce has built-in analytics and integrates with SAP Analytics Cloud:

  • Backoffice Reports -- built-in reports accessible via Backoffice > Reports. Access controlled by user group membership and Backoffice widget visibility in backoffice-config.xml.
  • CMS tracking -- page and component impression tracking when configured. CMS content managers (cmsmanagergroup) can modify tracking attributes on CMS components.
  • Promotion analytics -- promotion performance data accessible to marketingmanagergroup. Read access to PromotionResult and AbstractOrder types needed.
  • SAP Analytics Cloud integration -- the sapanalyticscloud extension pushes commerce data to SAC. Configuration requires admingroup access. Dashboard viewing is managed in SAC's own permission system.
  • Google Analytics / GTM -- typically integrated via SmartEdit or CMS components. The GA tracking ID is stored as a site property or CMS component attribute. Users in cmsmanagergroup can modify these values in SmartEdit.

To create an analytics-only role:

  1. Create analyticsviewergroup as a child of employeegroup
  2. Grant read access rights on reporting-related types (Order, Product, PromotionResult)
  3. Add a Restriction to limit reads to Online CatalogVersion only
  4. Configure Backoffice visibility in backoffice-config.xml to show only report widgets
  5. Deny change, create, remove on all types
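The five steps above, together with the FlexibleSearch-based restriction described in the permission model section, as a single added ImpEx script (example code, not from the original page). It assumes the standard UserGroup and SearchRestriction types, applies the Online-only restriction to Product (the reporting type that carries catalogVersion), and narrows step 5 to explicit denies on the granted types, relying on employeegroup having no type-level rights by default; step 4 lives in backoffice-config.xml and is not ImpEx.

```impex
# Added example (not from the page): analytics-only role in one ImpEx script.

# Step 1: analyticsviewergroup as a child of employeegroup
INSERT_UPDATE UserGroup;uid[unique=true];groups(uid);locname[lang=en]
;analyticsviewergroup;employeegroup;Analytics Viewer

# Steps 2 and 5: type-level access rights for the group.
# Columns after Target: read, change, create, remove, change_perm
# ("+" grants, "-" denies). Rows with an empty Type/UID continue the
# principal declared on the row above.
$START_USERRIGHTS
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
UserGroup;analyticsviewergroup;;;;;;;;
;;;;Order;+;-;-;-;-
;;;;Product;+;-;-;-;-
;;;;PromotionResult;+;-;-;-;-
$END_USERRIGHTS

# Step 3: row-level restriction. For members of analyticsviewergroup the platform
# appends this clause to every FlexibleSearch query on Product (generate=true),
# so only items in an Online catalog version are ever returned.
INSERT_UPDATE SearchRestriction;code[unique=true];name[lang=en];query;principal(uid);restrictedType(code);active;generate
;analyticsProductOnlineOnly;Analytics viewers see Online catalog only;{catalogVersion} IN ({{ SELECT {pk} FROM {CatalogVersion} WHERE {version} = 'Online' }});analyticsviewergroup;Product;true;true
```

After import, log in as a member of the group and run a FlexibleSearch on Product from the Backoffice search to confirm that Staged items no longer appear; admingroup members are not subject to the restriction, so verify with a non-admin account.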