IBM Support

Data security practices to be followed when integrating OMS with an eCommerce system

Technical Blog Post


Abstract

Data security practices to be followed when integrating OMS with an eCommerce system

Body

Preventive Service Planning

This blog entry provides details of data security practices that are to be followed when establishing integration between OMS and an e-Commerce system.

It focuses only on application-level data access security. Other standard security aspects, including user authentication, DIME (SSL for data in motion) and DARE (standard encryption for data at rest), need to be handled separately.

If you are a developer setting up integration between OMS and an e-Commerce system, it is your responsibility to ensure the following considerations on user setup and API input security.

Set up an Integration user with the right level of API access:

- Set up an Integration user in the Sterling Order Management application and provide the right level of access -- no more, no less.

- Leverage Sterling API security configurations to restrict the API access.

- Ensure that API access is confined to the OMS APIs relevant for your integration. Your test cases will likely catch access that is too strict, because they will fail. You must think carefully about whether access is too broad, because in that case your test cases will still pass.

Example: If you need to display only the order summary in your e-Commerce system, make sure that the integration user has access only to order-summary related APIs (i.e. getOrderDetails, getCompleteOrderDetails).

- Ensure that the actual e-Commerce user is correctly associated with the calls made by the Sterling Integration User (see below).


Follow one of the data security practices below, depending on whether you are on Sterling Order Management 9.2 or higher, or on Sterling Order Management 9.1 or lower:


For OMS 9.2 and higher versions:

Ensure that the following configuration is made on the user group with which the integration user is associated. The flag below is enabled by default for the integration user group; however, it may have been disabled by later configuration changes. Administrators should verify it by taking the following action:

Enable the Override Access Policy Permissions flag. In the Applications Manager, navigate to Applications > Application Platform > Load Rules For Organization > Security > Groups > Group Details (WCIntegrationGroup) > Permissions > Cross Application > Applications > Application Console > Override Default Functionality Resources > Override Access Policy Permissions.


When calling Sterling OMS APIs through the integration user, it is important to pass the required access specifier attributes so that data access is contextual and confined to the logged-in e-Commerce user.


Relevant access specifier attributes, including BuyerUserId and EnterpriseCode, should be retrieved from the already authenticated e-Commerce user and used as UserOverrides when calling the OMS API through the Integration user.

As an example, a call to the getCompleteOrderDetails API through the configured integration user should be made with the following UserOverride input. The UserOverride input is in addition to the other API attributes propagated from the e-Commerce site.

<Order OrderHeaderKey="">
<UserOverride>
<Order_Header BuyerUserId="<user-Id of eCommerce system>" EnterpriseCode="<EnterpriseCode to which the eCommerce user is associated>"/>
</UserOverride>
</Order>

Assume that the logged in e-Commerce user is “shopper-1” and corresponds to Enterprise “E1”. Also, assume that the integration user that is configured for this integration is “Integration_User_1” and this integration user corresponds to Enterprise “E2”.

You must check for the following:

BuyerUserId is passed as input: Not passing a valid BuyerUserId (derived from the WCS user, shopper-1) in the UserOverride element or in the API input can result in unauthorized access. That is, any valid shopper registered for Enterprise E1 could access the orders of other shoppers (e.g. shopper-1) within the bounds of Enterprise E1.


EnterpriseCode is passed as input: Along the same lines, if EnterpriseCode="E1" is not passed in the UserOverride element, the system will grant unauthorized access to orders that belong to Enterprise E2. This also has a functional impact: rules, workflow and other configurations applicable to E2 will be wrongly applied to shopper-1's entities (orders). With this parameter passed correctly, shopper-1's access is confined to E1 and the right rules and configurations (those configured for E1) are used when creating, modifying or fulfilling the orders.

Note: These security aspects are covered in the out-of-the-box integration between IBM WebSphere Commerce and the Order Management application. If you customize the out-of-the-box integration, it is your responsibility to ensure that you have not disabled, compromised or removed this data security logic.
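The following is an added example, not code from this blog post or from the Sterling or WebSphere Commerce products, showing how the integration layer can build the getCompleteOrderDetails input above from the authenticated session rather than from anything the shopper sends. It reuses the scenario from the text (shopper-1 in Enterprise E1, integration user Integration_User_1 in Enterprise E2); the session dictionary, the function names and the OrderHeaderKey value are assumptions made for the example, and the Sterling API invocation itself is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample data following the scenario in the text: the e-Commerce session
# layer has already authenticated shopper-1, who belongs to Enterprise E1, while the
# integration user used to call Sterling belongs to Enterprise E2.
AUTHENTICATED_SESSION = {"authenticated": True, "user_id": "shopper-1", "enterprise_code": "E1"}
FAILED_SESSION = {"authenticated": False}
INTEGRATION_USER = {"user_id": "Integration_User_1", "enterprise_code": "E2"}


def build_order_details_input(session, order_header_key):
    """Build the getCompleteOrderDetails input XML with UserOverride taken from the
    authenticated e-Commerce session.  BuyerUserId and EnterpriseCode come only from
    the server-side session, never from request parameters the shopper controls."""
    if not session.get("authenticated"):
        # No Sterling call is made when e-Commerce authentication failed.
        raise PermissionError("e-Commerce user is not authenticated")
    buyer_user_id = session.get("user_id")
    enterprise_code = session.get("enterprise_code")
    if not buyer_user_id or not enterprise_code:
        # A missing value would let the integration user's own context (E2) apply.
        raise ValueError("authenticated session must carry user_id and enterprise_code")

    order = ET.Element("Order", {"OrderHeaderKey": order_header_key})
    override = ET.SubElement(order, "UserOverride")
    ET.SubElement(override, "Order_Header",
                  {"BuyerUserId": buyer_user_id, "EnterpriseCode": enterprise_code})
    return ET.tostring(order, encoding="unicode")


def override_context(api_input_xml):
    """Return (BuyerUserId, EnterpriseCode) carried in UserOverride, or None if absent.
    Used as a last check before the input leaves the integration layer."""
    header = ET.fromstring(api_input_xml).find("UserOverride/Order_Header")
    if header is None:
        return None
    return header.get("BuyerUserId"), header.get("EnterpriseCode")


def prepare_call(session, order_header_key):
    """Assemble the call the integration user will make, and refuse to send it unless
    the override context is the authenticated shopper's, not the integration user's."""
    api_input = build_order_details_input(session, order_header_key)
    expected = (session["user_id"], session["enterprise_code"])
    if override_context(api_input) != expected:
        raise PermissionError("UserOverride does not match the authenticated shopper")
    # Hypothetical call descriptor; the real invocation goes through the Sterling API.
    return {"api": "getCompleteOrderDetails",
            "as_user": INTEGRATION_USER["user_id"],
            "input": api_input}


if __name__ == "__main__":
    call = prepare_call(AUTHENTICATED_SESSION, "OHK-CONSTRUCTED-1")
    print(call["as_user"], "->", call["api"])
    print(call["input"])
```

The point of the two-step structure is that the override values are read back out of the XML that will actually be sent, so a later customization that drops or renames the UserOverride element fails closed instead of silently falling back to the integration user's E2 context.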

For OMS 9.1 and lower versions:

If a public-facing system such as e-Commerce directly accesses business objects such as orders from the Sterling Order Management system, access validation should be enforced in your e-Commerce system. Validate that the user/shopper has access to the business object (e.g. the order) with a check like the pseudo-code below.

Order anOrder = Sterling.getOrderDetails(orderNumber);
// Compare with equals(): on String values, != only tests object identity and could let a
// foreign order through even when the IDs are textually identical.
if (!shopperIDFromEcommerceSystem.equals(anOrder.getShopperID())) {
    throw new SecurityException("Attempted access breach"); // This is a case of attempted access breach
}
return anOrder;

Testing Considerations:

- Ensure that the e-Commerce user or shopper is not able to view and/or modify orders (and any other specific information) of other shoppers or e-Commerce users.

- Ensure that the Integration user is not able to call any APIs that are not required for the integration scenarios.

- Ensure that no calls to Sterling APIs are made through the integration user when there is a failure in authenticating the e-Commerce user.
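As an added example that is not part of the blog post or the Sterling product, the 9.1-style check from the pseudo-code above and the three testing considerations just listed can be exercised together against a constructed order store. The order numbers, the in-memory store, the API allowlist and the function names are assumptions made for the example; the stand-in for getOrderDetails returns only the BuyerUserId and EnterpriseCode attributes the check needs.

```python
# Constructed stand-in for the orders that Sterling getOrderDetails would return on
# OMS 9.1.  Only the attributes the check needs are present; the order numbers are made up.
ORDERS = {
    "Y1001": {"OrderNo": "Y1001", "BuyerUserId": "shopper-1", "EnterpriseCode": "E1"},
    "Y1002": {"OrderNo": "Y1002", "BuyerUserId": "shopper-2", "EnterpriseCode": "E1"},
    "Y2001": {"OrderNo": "Y2001", "BuyerUserId": "shopper-1", "EnterpriseCode": "E2"},
}

# APIs the integration user needs for an order-summary integration; anything else is refused.
ALLOWED_APIS = frozenset({"getOrderDetails", "getCompleteOrderDetails"})

# Record of every call that reached "Sterling", so a test can prove that no call is made
# when e-Commerce authentication failed.
calls_made = []


class AccessDenied(Exception):
    """Raised for every refused access; callers get one uniform error."""


def sterling_call(api_name, order_no):
    """Stand-in for invoking a Sterling API through the integration user."""
    if api_name not in ALLOWED_APIS:
        raise AccessDenied(f"integration user is not permitted to call {api_name}")
    calls_made.append((api_name, order_no))
    return ORDERS.get(order_no)


def get_order_for_shopper(session, order_no, api_name="getOrderDetails"):
    """9.1-style validation: fetch the order through the integration user, then verify that
    it belongs to the authenticated shopper and to that shopper's enterprise."""
    if not session.get("authenticated"):
        raise AccessDenied("e-Commerce user not authenticated; Sterling is not called")
    order = sterling_call(api_name, order_no)
    # "Not found" and "not yours" are reported identically so the response does not
    # reveal whether an order number exists.
    if (order is None
            or order["BuyerUserId"] != session["user_id"]
            or order["EnterpriseCode"] != session["enterprise_code"]):
        raise AccessDenied("order is not accessible to this shopper")
    return order


def _denied(action):
    """True if the action raises AccessDenied, False if it completes."""
    try:
        action()
    except AccessDenied:
        return True
    return False


def run_testing_considerations():
    """Exercise the testing considerations from the text; every value should be True."""
    session = {"authenticated": True, "user_id": "shopper-1", "enterprise_code": "E1"}
    results = {}
    results["own_order"] = get_order_for_shopper(session, "Y1001")["OrderNo"] == "Y1001"
    results["other_shopper_denied"] = _denied(lambda: get_order_for_shopper(session, "Y1002"))
    results["other_enterprise_denied"] = _denied(lambda: get_order_for_shopper(session, "Y2001"))
    results["unneeded_api_denied"] = _denied(
        lambda: get_order_for_shopper(session, "Y1001", api_name="createOrder"))
    before = len(calls_made)
    results["no_call_when_unauthenticated"] = (
        _denied(lambda: get_order_for_shopper({"authenticated": False}, "Y1001"))
        and len(calls_made) == before)
    return results


if __name__ == "__main__":
    for name, ok in run_testing_considerations().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The enterprise comparison mirrors the EnterpriseCode discussion for 9.2 and higher: on 9.1 the integration user's own enterprise context is not overridden, so the e-Commerce side has to reject an order that matches the shopper's ID but belongs to another enterprise.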

Useful knowledge center links:

How to pass data access policy or user overrides when calling OMS APIs?

https://www-304.ibm.com/support/knowledgecenter/SS6PEW_9.4.0/com.ibm.help.integ.94wcsc.doc/c_DataAccessPoliciesOverride_wesb.html

How to Configure API security for Integration user?

https://www-304.ibm.com/support/knowledgecenter/SS6PEW_9.4.0/com.ibm.help.config.security.doc/c_ConfiguringAPISecurity.html?lang=en

How to Configure data security policies for Sterling users or user groups?

https://www-304.ibm.com/support/knowledgecenter/SS6PEW_9.4.0/com.ibm.help.config.security.doc/t_CreatingATeam.html?cp=SS6PEW_9.4.0&lang=en



UID

ibm11124733