Access Control Using Portal Teams
Published by Rob Watt on November 24, 2020
What is access control
Access control in the OrderCloud Portal is the concept of managing a relationship between a Marketplace you administer and a Portal user or team of users. Each relationship has a set of permissions related to features in the Portal and a list of OrderCloud API roles for controlling data access.
Upon choosing to invite a new Portal user or team to contribute to your Marketplace, you will be asked to define these relationships. Once the invitee accepts your request, they will be able to view and/or manage your Marketplace and the data within it, depending on their level of access.
Marketplace access controls
A typical Marketplace access form in the OrderCloud Portal.
This permission will allow managing everything in the Marketplace: team and user access (including their own), permissions, and the name of the Marketplace.
Marketplace administrators do NOT have access to transfer or delete the Marketplace. These actions are limited to the Marketplace Owner.
These permissions are directly related to features in the API Console. Marketplace Administrators can control the types of OrderCloud Users that a contributing party can impersonate (act on behalf of). Without any of these turned on, the contributing party can only access the console as themselves.
Impersonate Seller Users
Impersonate Supplier Users
Impersonate Buyer Users
OrderCloud data access
These are the API Roles that a contributing party has access to when using the API Console as themselves. They also restrict data access when impersonating users who have more roles available in their assigned security profiles. In other words, when impersonating a user in the API Console, the available roles are the intersection of the impersonated user's roles and the roles of the Portal user impersonating them.
The OrderCloud Portal provides the ability to create teams. A Portal team is a group of users that share a common relationship with one or more Marketplaces. Individual Portal users can also have their own relationship with a Marketplace. This means that a single contributing user might inherit access from multiple sources. So how does a Marketplace administrator know where this access is provisioned when changes need to be made?
The contributors list is a flattened view of each Portal user that has accepted access to a Marketplace, whether that be through a direct user assignment, teams, or both. When viewing an individual contributor, you will see exactly which relationships that user has with your Marketplace, followed by the "inherited" permissions and data access. This "inherited" access is an inclusive merging of settings from all of the relationships listed at the top.
Individual contributor view for Example Marketplace. User B inherits access from a single team (Example Team) and direct user assignment.
Each inheritance listed provides a link to where you can view and manage (if you have permission) the Marketplace access controls for that specific relationship.
Direct user assignments will bring you to user access. Here you create or cancel pending user invitations and manage the users who have accepted individual access to your Marketplace.
User B's direct user access view for Example Marketplace.
Team assignments will bring you to team access. Here you create or cancel pending team invitations and manage the teams that have accepted access to your Marketplace.
Example Team's access view for Example Marketplace.
In general, it is best to give teams more limited access, because the members of each team are managed separately by the team administrators and there is no guarantee that the members of a contributing team won't change. After you've established team access, invite the contributors who require additional permissions or data access through the user access view.
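The inheritance rules described above (the inclusive merge across relationships, and the role intersection applied during impersonation), modeled as an added example that is not code from the OrderCloud Portal or its API. The `Relationship` class, the function names, and the role names are assumptions constructed for illustration; the sample data mirrors the User B scenario of one team plus a direct assignment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Relationship:
    source: str                       # "direct" or "team:<name>" (hypothetical labels)
    permissions: frozenset = frozenset()
    roles: frozenset = frozenset()

def inherited_access(relationships):
    """Inclusive merge: every permission/role maps to the sources that grant it."""
    perms, roles = {}, {}
    for rel in relationships:
        for p in rel.permissions:
            perms.setdefault(p, []).append(rel.source)
        for r in rel.roles:
            roles.setdefault(r, []).append(rel.source)
    return perms, roles

def impersonation_roles(relationships, user_type, target_roles):
    """Roles usable while impersonating: contributor roles INTERSECT target roles."""
    perms, roles = inherited_access(relationships)
    if f"Impersonate {user_type} Users" not in perms:
        return frozenset()            # this user type cannot be impersonated at all
    return frozenset(roles) & frozenset(target_roles)

def remaining_sources(relationships, role, revoked_source):
    """Sources that still grant `role` after it is removed from one relationship."""
    _, roles = inherited_access(relationships)
    return [s for s in roles.get(role, []) if s != revoked_source]

# Constructed sample data: User B's two relationships with Example Marketplace.
USER_B = [
    Relationship("team:Example Team",
                 frozenset({"Impersonate Buyer Users"}),
                 frozenset({"ProductReader", "OrderReader"})),
    Relationship("direct",
                 frozenset({"Impersonate Seller Users"}),
                 frozenset({"OrderReader", "OrderAdmin"})),
]

if __name__ == "__main__":
    perms, roles = inherited_access(USER_B)
    for name, sources in sorted(roles.items()):
        print(f"{name}: granted by {', '.join(sources)}")
    buyer = {"OrderReader", "OrderAdmin", "MeAdmin"}   # constructed buyer-user roles
    print(sorted(impersonation_roles(USER_B, "Buyer", buyer)))
    print(remaining_sources(USER_B, "OrderReader", "direct"))
```

The last call shows why the per-relationship links matter when reducing access: removing a role from the direct assignment leaves it in effect while the team relationship still grants it.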