Performing an Asset Check from a Connected Website

​When an Organization Member logs into a website (such as a B2B Customer Portal) that uses SAP Customer Data Cloud B2B, Policy-Based Access Control (PBAC) is assessed to ensure this user has the correct access rights. We refer to the member’s login as authentication, and the PBAC assessment as authorization.

​PBAC works in real time. When the Organization Member requests access to a resource, an authorization request is sent to SAP SAP Customer Data Cloud using the accounts.b2b.auth.getAssets API. The API returns a list of assets that the user has access to for a given B2B Organization (bpid) and Application (appid).

​Note that once the user is authenticated, you can retrieve the authorization decision directly from the client-side using the equivalent WebSDK JavaScript method (gigya.accounts.b2b.getAssets). If member is linked to multiple organizations, then either set the B2B context (using JS function gigya.accounts.b2b.setOrganizationContext) or pass the bpid of the organization in the authorization request API call. ​

Links to the SAP Customer Data Cloud Help Portal:

• accounts.b2b.auth.getAssets REST
• accounts.b2b.auth.getAssets JS
• accounts.b2b.getOrganizationContext JS

​A typical user flow for an Organization Member on a website is illustrated in the following diagram:

The diagram above flows like this:

• Step 1: Organization Member selects the corporate authentication option on the SAP Customer Data Cloud screen to log in. Note that the option to log in via corporate IdP assumes that Bring Your Own Identity (BYOI) is configured.
• Step 2: SAP Customer Data Cloud redirects the organization member to the organization member’s corporate Identity Service. The organization member logs in and their information is returned to SAP Customer Data Cloud – including Role(s), Job Function, and Department.
• Step 3: SAP Customer Data Cloud creates a session and logs the user into the B2B Customer Portal. The B2B Customer Portal checks which B2B Organization(s) (bpid) the organization member has a relationship with. In this example, the organization member has a relationship with bpid ‘bpid-001’. Note: To return assigned B2B Organizations, the accounts.getAccountInfo API call needs the ‘include: groups’ parameter to be set in the request payload.
• Step 4: The B2B Customer Portal calls the SAP Customer Data Cloud Authorization endpoint (gigya.accounts.b2b.getAssets) to make sure the organization member has the correct access rights. The access rights returned in this example are:
  • Asset: Sales, Action: Access
  • Asset: IT Systems, Action: Access
  • Asset: Commerce, Action: Access
  • Asset: Organization Management, Action: Manage
• Step 5: The B2B Customer Portal is displayed to the organization member in line with their access rights. Note: It is up to the application to interpret the access rights from SAP Customer Data Cloud B2B and display the correct content to the organization member.

The integration of SAP Commerce Cloud B2B with SAP Customer Data Cloud B2B provides the capability to enable customized registration and login options, and allows profile updates and consent management from SAP Commerce Cloud. SAP Customer Data Cloud B2B-specific extensions can be enabled as part of the SAP Commerce Cloud set-up to enable SAP Customer Data Cloud B2B to master PBAC and Delegated Administration functions.

The integration requires a specific PBAC configuration to be made in SAP Customer Data Cloud, as shown in the table below. With this configuration, upon login to the SAP Commerce Cloud Storefront, the organization member will be mapped to a User Group in SAP Commerce Cloud corresponding to the Asset in SAP Customer Data Cloud B2B. In addition, the B2B Organization relationship will be mapped to B2B Unit relationship in SAP Commerce Cloud.

Organization Member’s with access to the ‘b2badmingroup’ in SAP Customer Data Cloud B2B will be able to launch the SAP Customer Data Cloud Delegated Admin Console from SAP Commerce Cloud.

Link to the SAP Customer Data Cloud Help Portal: •SAP Commerce Cloud - Integration Extension Pack - Configuring CIAM for B2B

The example above shows how the data configured in SAP Customer Data Cloud B2B maps to SAP Commerce Cloud B2B. Here, the organization member is assigned to the policy ‘SAP Commerce Manager’ for the given B2B organization in SAP Customer Data Cloud B2B. This translated to the B2B Manager role when accessing SAP Commerce Cloud B2B.

The following data is synchronized from SAP Customer Data Cloud B2B to SAP Commerce Cloud B2B upon login:

• Organization member SAP Customer Data Cloud Profile
• Organization member to B2B Organization relationship
• Organization member role within that B2B Organization

B2B Organization is not included in the out-of-the-box integration and, if required, would need to be synchronized via a custom solution.

The following video explains the integration between CDC B2B and SAP Commerce Cloud.