Access Control Using Portal Teams

Published by Robert Watt

November 24th, 2020

What is access control

Access control in the OrderCloud Portal is the concept of managing a relationship between a Marketplace you administer and a Portal user or team of users. Each relationship has a set of permissions related to features in the Portal and a list of OrderCloud API roles for controlling data access.

Upon choosing to invite a new Portal user or team to contribute to your Marketplace, you will be asked to define these relationships. Once the invitee accepts your request, they will be able to view and/or manage your Marketplace and the data within it, depending on their level of access.

Marketplace access controls

A typical Marketplace access form in the OrderCloud Portal.

Marketplace admin

This permission will allow managing everything in the Marketplace: team and user access (including their own), permissions, and the name of the Marketplace.

Marketplace administrators do NOT have access to transfer or delete the Marketplace. These actions are limited to the Marketplace Owner.

Impersonation access

These permissions are directly related to features in the API Console. Marketplace Administrators can control the types of OrderCloud Users that a contributing party can impersonate (act on behalf of). Without any of these turned on, the contributing party can only access the console as themselves.

  • Impersonate Seller Users
  • Impersonate Supplier Users
  • Impersonate Buyer Users

OrderCloud data access

These are the API roles that a contributing party has access to when using the API Console as themselves. They also restrict data access during impersonation: when the impersonated user has more roles in their assigned security profiles than the Portal user has, the extra roles are not available. In other words, when impersonating users in the API Console, the available roles are the intersection of the impersonated user's roles and the roles of the Portal user impersonating them.

Access inheritance

The OrderCloud Portal provides the ability to create teams. A Portal team is a group of users that share a common relationship with one or more Marketplaces. Individual Portal users can also have their own relationship with a Marketplace. This means that a single contributing user might inherit access from multiple sources, so how does a Marketplace administrator know where this access is provisioned when changes need to be made?

Marketplace contributors

The contributors list is a flattened view of each Portal user that has accepted access to a Marketplace, whether that be through a direct user assignment, teams, or both. When viewing an individual contributor, you will see exactly which relationships that user has with your Marketplace, followed by the "inherited" permissions and data access. This "inherited" access is an inclusive merging of settings from all of the relationships listed at the top.

Marketplace contributor detail view
Individual contributor view for Example Marketplace. User B inherits access from a single team (Example Team) and direct user assignment.

Each inheritance listed provides a link to where you can view and manage (if you have permission) the Marketplace access controls for that specific relationship.
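How the inclusive merge and the impersonation intersection described above combine, as an added example that is not OrderCloud code. The `Relationship` class, its field names and the role names are assumptions constructed for illustration; the sample reuses User B and Example Team from the caption above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Relationship:
    """One Marketplace access relationship (hypothetical model, not an OrderCloud type)."""
    source: str                            # "direct" or "team:<name>"
    admin: bool = False                    # Marketplace admin permission
    impersonate: frozenset = frozenset()   # user types: "Seller", "Supplier", "Buyer"
    roles: frozenset = frozenset()         # OrderCloud API roles (data access)

def inherited_access(relationships):
    """Inclusive merge of all relationships; maps each grant to the sources providing it."""
    provenance = {}
    for rel in relationships:
        grants = [f"role:{r}" for r in sorted(rel.roles)]
        grants += [f"impersonate:{t}" for t in sorted(rel.impersonate)]
        if rel.admin:
            grants.append("admin")
        for grant in grants:
            provenance.setdefault(grant, []).append(rel.source)
    return provenance

def console_roles(relationships, target_type=None, target_roles=frozenset()):
    """Roles usable in the API Console, as self or while impersonating target_type."""
    access = inherited_access(relationships)
    own = {g[len("role:"):] for g in access if g.startswith("role:")}
    if target_type is None:
        return own                          # console used as themselves
    if f"impersonate:{target_type}" not in access:
        return None                         # impersonating this user type is not granted
    return own & set(target_roles)          # intersection with the impersonated user's roles

# Constructed sample: User B has a direct assignment plus membership in Example Team.
USER_B = [
    Relationship("direct", impersonate=frozenset({"Buyer"}),
                 roles=frozenset({"OrderReader"})),
    Relationship("team:Example Team",
                 roles=frozenset({"ProductReader", "OrderReader"})),
]

if __name__ == "__main__":
    for grant, sources in sorted(inherited_access(USER_B).items()):
        print(f"{grant:20} <- {', '.join(sources)}")
    print(console_roles(USER_B, "Buyer", {"OrderReader", "OrderAdmin"}))
```

A grant listed with more than one source stays in effect until it is removed from every relationship that provides it.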

User Access

Direct user assignments will bring you to user access. Here you create or cancel pending user invitations and manage the users who have accepted individual access to your Marketplace.

Marketplace user access controls
User B's direct user access view for Example Marketplace.

Team Access

Team assignments will bring you to team access. Here you create or cancel pending team invitations and manage the teams that have accepted access to your Marketplace.

Marketplace team access controls
Example Team's access view for Example Marketplace.

Best practices

In general, it is best to provide more limited access for teams, as the members of each team are managed separately by the team administrators. There is no guarantee that the members of a contributing team won't change. After you've established team access, invite individual contributors in the user access view as they require additional permissions or data access.