Restrictions are another approach to controlling what data a given user has access to on the site. Where type-based access rights are mainly used with internal users, restrictions are used for both internal and external users. In the latter case, restrictions affect what they are shown on the website.
While both type-based access rights and restrictions are used to control what data a user has access to, their mechanics differ. Type-based access rights are checked by the system every time a user tries to access an item, but restrictions focus on restricting the data returned from database queries.
You may be familiar with SQL, the most common language used to get data from a database. SQL queries are formatted as follows:
SELECT something FROM a table WHERE some condition is true
For instance, to select only products whose active property has the value TRUE, you might use:
SELECT product FROM product_table WHERE product.active = true
Restrictions in SAP Commerce Cloud are a WHERE clause added to any search of a given item type, when performed by a user belonging to a specific user group. Like type-based access rights, restrictions can also be applied to individual users, but it is more common (and efficient) to do so via user groups.
Defining Restrictions in Backoffice
Navigate to the System > Personalization page to see existing restrictions or create your own. Each restriction specifies the item type being restricted, the principal (user or user group) it affects, and a filter.
The restriction shown in the screenshot below adds the content of the filter to the WHERE clause of SQL searches performed by a member of employeegroup on the type CatalogVersion. That WHERE clause says to only return CatalogVersion items whose primary key (pk) is found in the catalogversions property of the employee’s session object.
The session object is created by SAP Commerce Cloud whenever a user logs in and contains information relevant to that user’s current session on your site, such as a list of catalog versions that user is allowed to view.
As you can see, creating restrictions requires knowledge of SQL, the query language that underlays direct database access in SAP Commerce Cloud. This is likely a job for your developers, but if you’re familiar with how SAP Commerce queries its database, you can create your own restrictions. Just be sure to test them thoroughly before deploying them!
However, even if you never create a restriction, it is still important you understand they’re there and affect search results for both internal and external users.
Disabling Restrictions
Any restriction can be disabled by toggling its Active property to false. You may also avoid all restrictions by logging into SAP Commerce Cloud as the admin user, or as a user that belongs to admingroup. Restrictions never affect these users.
Let’s look at an existing restriction and witness its effect in the system.