Transfer Sessions
User Account Management
Joe Huang
joe@1solution.com
Single Sign On - Overview
[Diagram: SSO overview showing the SP, with its TAI, and the IDP]
• SP – Service Provider
• IDP – Identity Provider
• TAI – Trust Assertion Interceptor
SSO Integration
• The user accesses a front-end application.
• The application redirects the user to the IdP, and the user authenticates to the IdP.
• The IdP redirects the user to the Assertion Consumer Service (ACS) of the SP by sending
the Security Assertion (SA) response over HTTP POST inside a hidden form.
• The SP processes the SA response and creates a security context.
• The ACS adds the security cookie to the HTTP response and redirects the request to the web
resource or business application.
• The SP intercepts the request in the TAI, maps the security cookie to the security context
and authorizes the user's access to the requested web resource.
• The application sends the HTTP response back to the user.
Single Sign-On (SSO) Considerations
• SSO between web applications
• SSO between cockpits
• The SSO cookie is only used for authentication. The related authorization
must be realized by implementing a proper role concept.
Using Single Sign-On in Cockpits
• Update spring-security-config.xml to include rememberMeServices.
• A new SSO cookie is created when the user logs in.
• The SSO cookie is used to authenticate the user when they are redirected to any
other cockpit.
• When a user explicitly logs out of an SSO-aware cockpit, the SSO cookie is removed.
• See https://wiki.hybris.com/display/release5/How+To+Use+SSO+in+hybris+Cockpits for details.
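The ACS and TAI steps of the integration flow, together with the cookie lifecycle described for cockpits (created at login, looked up on the next request, removed at logout), as an added Python model. This is not hybris, Spring Security or samlsinglesignon code. The cookie name SSOCOOKIE, the SP entity ID and ACS URL, the session TTL, the user name and the unsigned SAML response are all constructed for the example; XML signature verification, which a real ACS must perform before any of the checks below, is outside the model.

```python
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Assumed SP identity (in practice taken from the SP metadata).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
COOKIE = "SSOCOOKIE"  # assumed cookie name
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return dt.datetime.strptime(s, TS).replace(tzinfo=dt.timezone.utc)


def validate_assertion(root, now, expected_request_id):
    """Step 4: the SP checks the assertion before trusting it. Only the
    Conditions / SubjectConfirmation checks are modelled; the XML signature
    must be verified first in a real ACS (xmlsec/OpenSAML), not modelled here."""
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match our AuthnRequest")
    return a.find("saml:Subject/saml:NameID", NS).text


class SecurityContextStore:
    """Server-side map from cookie value to security context. The cookie itself
    is an opaque random token and carries no user data."""

    def __init__(self, ttl_seconds):
        self.ttl = dt.timedelta(seconds=ttl_seconds)
        self._ctx = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._ctx[token] = {"user": user, "expires": now + self.ttl}
        return token

    def resolve(self, token, now):
        ctx = self._ctx.get(token)
        if ctx is None or now >= ctx["expires"]:
            self._ctx.pop(token, None)
            return None
        return ctx

    def logout(self, token):
        """Explicit logout drops the context, so a replayed cookie is dead too."""
        self._ctx.pop(token, None)


def acs_handler(post_body, store, now, expected_request_id):
    """Steps 3-5: take SAMLResponse from the hidden POST form, validate it,
    create the context, set the security cookie and redirect to the resource."""
    root = ET.fromstring(base64.b64decode(post_body["SAMLResponse"]))
    user = validate_assertion(root, now, expected_request_id)
    token = store.create(user, now)
    headers = {"Set-Cookie": f"{COOKIE}={token}; Path=/; Secure; HttpOnly",
               "Location": post_body.get("RelayState", "/")}
    return 302, headers


def tai_filter(cookie_header, store, now):
    """Step 6: the interceptor maps the cookie back to a context. It only answers
    'who is this?'; what they may do is a separate role check."""
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    ctx = store.resolve(cookies.get(COOKIE), now)
    return ctx["user"] if ctx else None


def constructed_saml_response(request_id, now):
    """Constructed, unsigned sample standing in for what the IdP would POST."""
    later = (now + dt.timedelta(minutes=5)).strftime(TS)
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" InResponseTo="{request_id}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>joe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"
          InResponseTo="{request_id}" NotOnOrAfter="{later}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{(now - dt.timedelta(minutes=1)).strftime(TS)}"
      NotOnOrAfter="{later}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode(), "RelayState": "/my-account"}
```

The InResponseTo check is what stops a captured response from being replayed against a different login attempt; the TTL and the explicit logout are what bound the lifetime of the cookie the TAI accepts.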
Enable Single Sign-On for hybris
• Single Sign-On can be implemented in several different ways.
• Single Sign-On can be implemented at different layers.
• SAML Single Sign-On is supported via the samlsinglesignon extension.
• See https://wiki.hybris.com/display/release5/ImpEx+API#ImpExAPI-UserRights for the ImpEx UserRights syntax.
API CRUD example
• Permissions are created through ImpEx or the permission services API:
PermissionManagementService
void createPermission(String permissionName);
e.g.:
permissionManagementService.createPermission("MY_PERMISSION");
[Diagram: group hierarchy]
UserGroup UG_FED
  UserGroup UG_AZ
    User U1
    UserGroup UG_PHX
      User U2
Member of Multiple Groups
[Diagram: User U1 is a member of both UserGroup UG1 and UserGroup UG2]
Permission Effective Priority
• The closest permission in the group hierarchy takes effect.
• The most general level has the lowest priority; the most specific level has the highest.
• A permission assigned to a user overrides the permission assigned to the user group the
user belongs to.
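The priority rules above, applied to the UG_FED / UG_AZ / UG_PHX tree and the multiple-group case from the diagrams, as an added Python model. This is not hybris code: the permission names (READ_ORDER, EXPORT_ORDER, DELETE_ORDER), which level grants or denies what, and the handling of two groups at the same distance that contradict each other (resolved as deny here, a conservative choice for the example rather than a rule the slides state) are all constructed.

```python
class Principal:
    """A User or UserGroup. `groups` are the principals it is a direct member of;
    `permissions` maps a permission name to True (grant) or False (deny)."""

    def __init__(self, uid, groups=(), permissions=None):
        self.uid = uid
        self.groups = list(groups)
        self.permissions = dict(permissions or {})


def effective_permission(principal, name):
    """Breadth-first walk outward from the principal: itself (distance 0), its
    direct groups (1), their groups (2) and so on. The first distance at which
    anyone has a decision wins, which is exactly 'closest in the hierarchy takes
    effect' and 'user-level overrides group-level'. Returns True, False, or None
    when nobody in the hierarchy mentions the permission."""
    seen = {principal.uid}
    frontier = [principal]
    while frontier:
        decisions = {p.permissions[name] for p in frontier if name in p.permissions}
        if decisions:
            # Two groups at the same distance may contradict each other (grant in
            # one, deny in the other). This model resolves that as deny; that is a
            # conservative choice for the example, not a rule stated by the slides.
            return False not in decisions
        nxt = []
        for p in frontier:
            for g in p.groups:
                if g.uid not in seen:
                    seen.add(g.uid)
                    nxt.append(g)
        frontier = nxt
    return None


def require(principal, name):
    """Permissions are not enforced by the platform; the calling code has to ask."""
    if effective_permission(principal, name) is not True:
        raise PermissionError(f"{principal.uid} lacks {name}")


def hierarchy_demo():
    """The UG_FED > UG_AZ > (U1, UG_PHX > U2) tree from the slides, with constructed
    permissions: UG_FED grants both, UG_AZ denies EXPORT_ORDER, U1 is granted it
    directly at user level."""
    ug_fed = Principal("UG_FED", permissions={"READ_ORDER": True, "EXPORT_ORDER": True})
    ug_az = Principal("UG_AZ", [ug_fed], {"EXPORT_ORDER": False})
    ug_phx = Principal("UG_PHX", [ug_az])
    u1 = Principal("U1", [ug_az], {"EXPORT_ORDER": True})
    u2 = Principal("U2", [ug_phx])
    return {"U1": u1, "U2": u2}


def multi_group_demo():
    """U1 in both UG1 and UG2 (constructed: UG1 grants, UG2 denies the same permission)."""
    ug1 = Principal("UG1", permissions={"DELETE_ORDER": True})
    ug2 = Principal("UG2", permissions={"DELETE_ORDER": False})
    return Principal("U1", [ug1, ug2])
```

Walking the model shows why the best-practice slides warn against denials and user-level assignments: a deny placed at UG_AZ silently overrides a grant two levels up for every member below it, and a grant placed directly on U1 overrides that deny again, so the effective set is only readable by tracing every level.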
Permission Best Practices & Tips
• Grant permissions at group level where possible.
• Avoid denials where possible – why?
• Avoid granting or denying permissions at user level where possible.
• Design your permission schema and keep it simple.
• Define custom permissions for custom functionality.
• Document every custom permission and where it is used.
• Permissions are not enforced automatically. Your code does the job.
User Group Best Practices
• Design your group hierarchy cleanly and keep it simple.
• Separate functionality into different groups based on role, so that groups can be
reused.
• Match groups as closely as possible to real-world functional roles.
• Add a user or group to different groups for different roles instead of creating a
new group, where possible.
HMC Access Levels
• There is a list of OOTB employee accounts and user groups with different levels of
hMC access.
• Review those accounts and user groups and manage them per your business needs.
• https://help.hybris.com/6.1.0/hcd/8c24121386691014b925a250976f2851.html
Group Based Marketing
• Segment customers into different groups
• Use segmentation for personalizing the content
• Target group based marketing:
  - BTG (Behavioral Targeting Groups)
  - BTGCockpit
  - SAP hybris Marketing
  - C4C
URL Access Control
• Defines who has access to a certain URL or URL pattern.
• Defined in spring-security-config.xml, for example:
<security:intercept-url pattern="/my-account*" access="hasRole('ROLE_CUSTOMERGROUP')" />
• A role name in a Spring Security file is the concatenation of ROLE_ and the
UserGroup.uid of the given user group stored in the database.
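How the intercept-url rule above is evaluated, as an added Python model rather than Spring Security code: the role name is derived from the group uid, rules are tried top to bottom and the first matching Ant-style pattern decides. The rule sets, the extra /login* and /** rules, and the upper-casing of the uid (the slide's example role is ROLE_CUSTOMERGROUP, so this model assumes the uid is upper-cased) are constructed. The matcher is a simplified reading of Ant patterns, enough to show the one point that matters for the slide's example: a single * does not cross a /, so /my-account* and /my-account/** protect different URL sets.

```python
import re
from dataclasses import dataclass


def role_for_group(group_uid):
    """ROLE_ + UserGroup.uid. Upper-casing the uid is an assumption of this model,
    taken from the slide's example role ROLE_CUSTOMERGROUP."""
    return "ROLE_" + group_uid.upper()


def ant_to_regex(pattern):
    """Simplified Ant-style matcher as Spring Security's default request matcher
    understands it: '**' spans path segments, '*' and '?' stay inside one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out += "(/.*)?"          # '/foo/**' also matches '/foo' itself
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


@dataclass
class InterceptUrl:
    pattern: str
    access: str  # "permitAll", "denyAll" or "hasRole('ROLE_X')"


ROLE_EXPR = re.compile(r"hasRole\('([^']+)'\)")


def is_allowed(rules, path, roles):
    """Rules are evaluated top to bottom and the first matching pattern decides,
    as intercept-url entries are. A path no rule matches is denied in this model
    (a catch-all '/**' rule makes the intended default explicit)."""
    for rule in rules:
        if ant_to_regex(rule.pattern).match(path):
            if rule.access == "permitAll":
                return True
            if rule.access == "denyAll":
                return False
            return ROLE_EXPR.fullmatch(rule.access).group(1) in roles
    return False


# Constructed rule sets. The first copies the slide's pattern; the second uses
# the '/my-account/**' form that also covers everything under the path.
PAGE_RULES = [InterceptUrl("/login*", "permitAll"),
              InterceptUrl("/my-account*", "hasRole('ROLE_CUSTOMERGROUP')"),
              InterceptUrl("/**", "permitAll")]
TIGHT_RULES = [InterceptUrl("/login*", "permitAll"),
               InterceptUrl("/my-account/**", "hasRole('ROLE_CUSTOMERGROUP')"),
               InterceptUrl("/**", "permitAll")]
```

With PAGE_RULES an anonymous request to /my-account/orders is not matched by /my-account* and falls through to the permitAll catch-all; with TIGHT_RULES it is matched and rejected. Whichever form is used, the order of the intercept-url entries is part of the access decision.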
Restrictions
Restrictions are rules obeyed by FlexibleSearch which limit search results depending on
which type is searched and which user is currently logged in.
Where they apply:
In FlexibleSearch only (they have no effect on users in admingroup).
They have no effect on external search engines such as Lucene.
https://help.hybris.com/6.1.0/hcd/8c428f8286691014970ceee87aa01605.html
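What a restriction does and where it stops applying, as an added Python model backed by an in-memory SQLite table; this is not hybris FlexibleSearch code. The Product table, the approvalStatus column, the customergroup restriction and the "external index" stand-in are all constructed for the example. The point it shows is the one the slide makes: a restriction is a WHERE fragment appended to FlexibleSearch queries for non-admin users, so any read path that is not FlexibleSearch (here, the index) returns unrestricted rows.

```python
import sqlite3

ADMIN_GROUP = "admingroup"

# Constructed restriction table: (type name, group the rule applies to, extra
# WHERE fragment). A real hybris restriction is an item holding a query fragment
# of the same kind, maintained via the API, hMC or ImpEx.
RESTRICTIONS = [
    ("Product", "customergroup", "approvalStatus = 'approved'"),
]


def apply_restrictions(type_name, base_where, user_groups):
    """Model of what FlexibleSearch does: AND every restriction that applies to the
    searched type and to one of the current user's groups onto the query. Users
    in admingroup are never restricted."""
    if ADMIN_GROUP in user_groups:
        return base_where
    clauses = [base_where] if base_where else []
    clauses += [f"({cond})" for t, grp, cond in RESTRICTIONS
                if t == type_name and grp in user_groups]
    return " AND ".join(clauses)


def flexible_search(conn, type_name, base_where, user_groups):
    """type_name comes from the type system, never from user input, so it is safe
    to place in the statement text here."""
    where = apply_restrictions(type_name, base_where, user_groups)
    sql = f"SELECT code FROM {type_name}" + (f" WHERE {where}" if where else "")
    return sorted(row[0] for row in conn.execute(sql))


def external_index_search(conn, type_name):
    """Stand-in for a Lucene/Solr index built from the same data: it is not
    FlexibleSearch, so the restriction never reaches it."""
    return sorted(row[0] for row in conn.execute(f"SELECT code FROM {type_name}"))


def constructed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (code TEXT, approvalStatus TEXT)")
    conn.executemany("INSERT INTO Product VALUES (?, ?)",
                     [("P1", "approved"), ("P2", "unapproved"), ("P3", "approved")])
    return conn
```

If a storefront or cockpit feeds an external search engine from the same data, the visibility rule has to be applied again at index or query time; the restriction on the type gives no protection there.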
Restrictions in Cockpits
• In cockpits, restrictions are disabled by default.
• To enable restrictions in the cockpit search box, set:
cockpit.disableRestrictions=false
Create Restriction
• Restrictions can be created in the following ways:
• hybris Commerce API
• hybris Management Console (hMC)
• ImpEx
Question & Answer