SAP hybris, User Account Management, User Group, Role, Permission, Restriction

1. SAP hybris Knowledge
Transfer Sessions
User Account Management
Joe Huang
joe@1solution.com

3. Single Sign On - Overview
• SP – Service Provider
• IDP – Identity Provider
• TAI – Trust Assertion Interceptor
SP
SP
IDP
TAI
TAI

4. SSO Integration
• User accesses a front end application.
• The application redirects user to IdP and user authenticates to IdP.
• IdP redirects user to Assertion Consumer Service (ACS) in SP by sending
Security Assertion(SA) response over HTTP POST inside a hidden form.
• SP processes SA response and creates security context.
• ACS adds security cookie to HTTP response and redirects request to web
resource or business application.
• SP intercepts request in TAI, and maps security cookie to security context
and authorizes user access to the requested web resource.
• Application sends HTTP response back to user

5. Single Sign-On (SSO) Consideration
• SSO between Web Application
• SSO between Cockpits
• The SSO cookie is only used for processing the authentication. The
related authorization should be realized by implementing a proper
role concept.

6. Using Single Sign-On in Cockpits
• Update spring-security-config.xml to include rememberMeServices.
• New SSO cookie will be created when user logs in.
• SSO cookie will be used to authenticate user when redirect to any
other cockpits.
• When a user explicitly logs out of the SSO aware cockpit, the SSO
cookie is removed.
• See
https://wiki.hybris.com/display/release5/How+To+Use+SSO+in+hybri
s+Cockpits for detail information.

7. Enable Single Sign-On for hybirs
• Single Sign-On can be implemented in several different ways.
• Single Sign-On can be implemented at different layers.
• SAML Single Sign-On is one supported with samlsignsignon extension.
Follow the this training trail to setup SAML Single Sign-On:
https://wiki.hybris.com/display/R5T/hybris+5+Developer+Training+Tr
ails+-+SAML+Single+Sign+On

8. Create User / User Group
• In hMC or BackOffice

9. User Group & Role
• In hybris, user roles are best represented in the form of user groups
• Roles are represented by userGroup entries in the database
• Usergroup types are similar to the User types. Both are extended
from the Principal type. – What that means?
• User groups are containers that hold users and user groups
• It is not possible to remove the system user group.

10. User Group Hierarchy

11. User Group Purpose
• Roles
• Permission Management
• Marketing Targeting
• Different Access
• Cockpit Customization
• Catalog Visibility

12. User, User Group, Permission
• User and User group = Principal
• Permission = Access Right
• System Accounts can NOT be modified nor deleted.
employee: admin
customer: anonymous
usergroup: admingroup
Recommend to review all factory default Employee Default Accounts
and disable which is not needed on QA and PROD Environment.

13. Permission – What is it? What it does?
• Permission is an abstract concept.
• Permission define access right, however –
• Permission do NOT automatically restrict access – why?
• Can specify detailed level of access to type, item and attributes.
• Permission can be granted/assigned to user or user group.

14. Permission Scope
• Global Permissions
- Assigned to principal, not related to any type, item or attribute
• Type Permissions
• Item Permissions
• Attribute Permissions

15. Type-Based Access Rights - Overview
• Access rights for hybris types and their attributes
• Access is granted to individual users and/or user groups
• Affect the entire type, not individual items
• Also can affect individual type attribute

16. Custom Access Rights - Overview
• Allows defining very fine-grained access control.
• You may define your own permission types.
• You can grant or deny permissions to the item instances.
• However.. don’t overuse
managing and checking permissions on item level can be expensive -
huge number of items is involved.
If possible use type-based permissions together with restrictions.
• Exposed API allows checking of both Item and Type permissions.

17. Access Right Importing
• Type access configuration can be imported by impex:
https://wiki.hybris.com/display/release5/ImpEx+API#ImpExAPI-
UserRights
$START_USERRIGHTS
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
UserGroup;productManagerGroup;;;;;;;;
#Access Rights for Products & Catalog;;;;;;;;;
;;;;Product;+;+;+;+;+;
;;;;Product.ean;+;-‐;-‐;-‐;-‐;
;;;;Catalog;+;;;
;;;;Media;+;+;+;+;+;
$END_USERRIGHTS

18. API CRUD example
• Permissions are create though Impex or Permission services API
PermissionManagementService –
void createPermission(String permissionName);
i.e.:
permissionManagementService.createPermission(“MY_PERMISSION");
• For typical CRUD permission checking use:
PermissionCRUDService – a wrapper over PermissionCheckingService

19. Assign / Revoke Permission
• In hMC or BackOffice

20. Group Hierarchy User Account Access
UserGroup
UG_AZ
UserGroup
UG_FED
User
U1
UserGroup
UG_PHX
User
U2

21. Member of Multiple Group
User
U1
UserGroup
UG1
UserGroup
UG2

22. Permission Effective Priority
• The closest permission in the group hierarchy take effective.
• Most general priority has the lowest priority while the most specific
priority has the highest priority
• Permission assigned to user override the permission assigned to the
user group the user belongs to.

23. Permission Best Practices & Tips
• Grant permission at group level as possible.
• Avoid to use denial as possible – why?
• Avoid to grant/deny permission at user as possible.
• Design your permissions schema and keep it simple.
• Define custom permission for custom functionalities.
• Document all custom defined permission and where it is used.
• Permission are not automatically enforced. Your code does the job.

24. User Group Best Practices
• Design your group hierarchy clean and keep it simple.
• Separate functionalities to different group base on role or can be
reusable.
• Matches the groups closer to the real world functional role as
possible.
• Add user/group to different groups for different roles instead of
create a new group if possible.

25. HMC Access Levels
• There are list of OOTB employee accounts and user groups with
deferent level of the hMC access.
• Review those accounts and user groups and manage them per your
business needs.
• https://help.hybris.com/6.1.0/hcd/8c24121386691014b925a250976f
2851.html

26. Group Based Marketing
• Segment Customers into different groups
• Use segmentation for personalizing the content
• Target group based marketing
- BTG (Behavioral Targeting Groups)
-BTGCockpit
-SAP hybris Marketing
-C4C

27. URL Access Control
• Defines who have access to certain URL or URL pattern
• Defined in spring-security-config.xml, for example
<security:intercept-url pattern="/my-account*"
access="hasRole('ROLE_CUSTOMERGROUP')" />
• A role name in a Spring Security file is a concatenation of ROLE_ +
UserGroup.uid of a given usergroup stored in the database.

28. Restrictions
Restrictions are rules obeyed by FlexibleSearch which allow to
limit search results depending on which type is searched and
which user is currently logged in.
Where it apply:
In FlexibleSearch only. (Not effect to user in admingroup).
Not effect to external search engines like Lucene.
https://help.hybris.com/6.1.0/hcd/8c428f8286691014970cee
e87aa01605.html

29. Restrictions in Cockpits
• In cockpits restrictions are disabled by default
• To enable restrictions in cockpits search box:
cockpit.disableRestrictions=false

30. Create Restriction
• Restriction can be created through following ways:
• Hybris Commerce API
• Hybris Management Console
• Impex

31. Question & Answer
Further Question or need a private session?
Ask joe@1solution.com