Incorporating Additional Security Features

Objective

After completing this lesson, you will be able to use additional security features such as predefined access rights, password policies, and OAuth2.

Additional Security Features

In addition to the basic security functions introduced in the previous lessons, there are some additional security features provided out-of-the-box in SAP Commerce Cloud, such as:

  • Predefined access rights and restrictions
  • Predefined access rights regarding catalog versions and languages
  • Password policies
  • Password change auditing
  • OAuth Management

Let us examine each one individually next.

Predefined Type-Based Access Rights and Restrictions

SAP Commerce Cloud provides predefined, type-based access rights and search restrictions to manage users' system privileges. For more details, please refer to the following video:

These predefined, type-based access rights and search restrictions are vital as they address common use cases. They should act as a basis for creating custom configurations that meet your specific requirements.

Predefined Access Rights Regarding Catalog Versions and Languages

This feature enhances security and customization by restricting user access to certain catalog versions and languages. Watch the following video for detailed instructions:

As demonstrated, administrators have the ability to define specific user roles with rights to view, edit, or delete data within designated catalog versions and languages. This capability significantly improves the overall data management process.

Password Policies

SAP Commerce Cloud provides robust password policies designed to enhance security. These policies accommodate customizable settings, including minimum password length, complexity requirements, history restrictions, and expiration limits.

Specifically, two key components govern the password policies in SAP Commerce Cloud: the PasswordPolicyService and the PasswordPolicy.

This image highlights the two core components of password policy management and their interplay in establishing effective password policies.

As illustrated:

  • Each 'PasswordPolicy' instance represents a specific password rule, such as minimum length and required character types.
  • 'PasswordPolicyService', in turn, is a service-level component that uses 'PasswordPolicy' instances to enforce the rules during user actions, such as creating a new password or changing an existing one. The service checks the password for compliance and throws an exception if the chosen password does not meet the 'PasswordPolicy' criteria.

The following demo highlights the predefined password policy implementation.
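The interplay described above, as an added example that is not part of the original lesson: a small Python model in which each PasswordPolicy instance is one rule (minimum length, complexity, history restriction) and a PasswordPolicyService runs all of them and raises an exception listing every violated rule. The class and method names mirror the lesson's terminology but are assumptions for illustration, not SAP Commerce Cloud's own Java classes or signatures.

```python
# Illustrative Python model of the interplay described above; these are not
# SAP Commerce Cloud's own classes or method signatures.
import hashlib
import re

class PasswordPolicyViolation(Exception):
    def __init__(self, violations):
        super().__init__("; ".join(violations))
        self.violations = violations  # every rule that failed, not just the first

class User:
    def __init__(self, uid):
        self.uid, self.password_history = uid, []  # password digests, newest last

def _digest(password):
    # Stand-in for the platform's password encoder; only equality matters here.
    return hashlib.sha256(password.encode()).hexdigest()

class PasswordPolicy:
    """One instance represents one rule; evaluate() returns a violation or None."""
    def __init__(self, description, check):
        self.description, self.check = description, check

    def evaluate(self, user, password):
        return None if self.check(user, password) else self.description

def min_length(n):
    return PasswordPolicy(f"shorter than {n} characters", lambda u, p: len(p) >= n)

def complexity():
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return PasswordPolicy("missing lower, upper, digit or special character",
                          lambda u, p: all(re.search(c, p) for c in classes))

def history(n):
    return PasswordPolicy(f"reuses one of the last {n} passwords",
                          lambda u, p: _digest(p) not in u.password_history[-n:])

class PasswordPolicyService:
    """Service-level component: runs every policy and rejects on any violation."""
    def __init__(self, policies):
        self.policies = policies

    def change_password(self, user, new_password):
        violations = [v for p in self.policies if (v := p.evaluate(user, new_password))]
        if violations:
            raise PasswordPolicyViolation(violations)
        user.password_history.append(_digest(new_password))
        return True
```

Collecting all violations before raising lets the user interface report every failed rule at once instead of one per attempt.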

Password Change Auditing

Password change auditing is a vital security feature that monitors and logs any user password changes. This functionality is underpinned by two primary components shown below:

This image depicts the two fundamental elements of password change auditing and illustrates their interrelationship. The elements are explained in the following text.

  • UserPasswordChangeAudit is a standard item type used to record user password modifications. It includes details like user ID, change time, and the success status of the change.
  • UserPasswordChangeAuditPrepareInterceptor is a Prepare Interceptor implementation for the User type. It creates a UserPasswordChangeAudit instance to log each time a user's password is changed.

Refer to the following video to understand how this feature allows administrators to track suspicious activities related to password changes.

OAuth Management

OAuth2 support is a crucial security feature that is readily available in SAP Commerce Cloud. Here are the main features:

  • The oauth2 extension is responsible for the support and implementation of OAuth2. To enable this feature, ensure that the extension is included in your localextensions.xml file.
  • By default, the system provides the endpoints '/authorizationserver/authorize' and '/authorizationserver/token' to manage access tokens.
  • You can directly manage OAuth client details and tokens within Backoffice.

The following video provides a comprehensive guide:

Finally, if you need to customize OAuth2 support to fit your unique business requirements, refer to the OAuth2 help portal page for detailed instructions.
