Defining roles
A role is a set of permissions that are shared amongst one or more users.
- Identifying roles
- You can identify roles such as admin, basic, and temp in the Product Master Server system. First identify the users' tasks and requirements, and then define the roles.
- Best practices
- If you are using LDAP, ensure that the role name in the Product Master Server system matches the group name in the LDAP server.
- Limit the number of roles in the Product Master Server system. Define only those roles that are required.
- Roles creation and authentication
- If you want to integrate the Product Master Server system with LDAP, then you can move the roles creation and authentication tasks completely to LDAP.
- Roles management
- You can map the roles to the appropriate access control groups (ACGs).
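An added example, not part of the Product Master documentation: one way to check the LDAP naming best practice above by comparing role names with LDAP group names. The two lists are constructed sample data, and exact string equality is an assumption about how the names are compared, so anything that matches only after normalization is reported as a problem.

```python
import re
import unicodedata

# Dash-like characters that are easy to confuse with the ASCII hyphen-minus.
_DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")

def normalize(name):
    """Fold differences a reader would not notice: Unicode form, dash
    variants, letter case, and runs of whitespace."""
    folded = unicodedata.normalize("NFKC", name).translate(_DASHES)
    return re.sub(r"\s+", " ", folded).strip().casefold()

def compare_roles_to_groups(role_names, ldap_group_names):
    """Classify each role as an exact match, a near miss, or missing.

    Assumption: only an exact string match counts as a match, so a near
    miss is listed together with the group names it was confused with."""
    groups = set(ldap_group_names)
    by_normalized = {}
    for group in ldap_group_names:
        by_normalized.setdefault(normalize(group), []).append(group)
    report = {"exact": [], "near_miss": [], "missing": []}
    for role in role_names:
        if role in groups:
            report["exact"].append(role)
        elif normalize(role) in by_normalized:
            report["near_miss"].append((role, by_normalized[normalize(role)]))
        else:
            report["missing"].append(role)
    # LDAP groups that no role corresponds to, even after normalization.
    matched = {normalize(role) for role in role_names}
    report["unmapped_groups"] = sorted(
        g for g in groups if normalize(g) not in matched)
    return report

# Constructed sample data; the names follow the style used on this page.
ROLES = ["admin", "Creator - Group A",
         "Content Approver Base \u2013 Group A", "temp"]
LDAP_GROUPS = ["admin", "creator - group a",
               "Content Approver Base - Group A", "basic"]

if __name__ == "__main__":
    for key, value in compare_roles_to_groups(ROLES, LDAP_GROUPS).items():
        print(key, value)
```

The third sample role differs from its LDAP group only by an en dash in place of a hyphen, a difference that is invisible in most fonts.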
Determining the roles that you need
To set up roles for the Product Master Server system, first determine the roles that are needed. Then map those roles to users and define the security for the roles. A single user might have the expertise to perform the tasks in only one or two departments. For each department, you can create a separate category and define roles for managing items in these categories. For example, Apparel and Electronics categories differ in the expertise needed to create and maintain the items that belong to these categories. You must define two groups of roles for creating and maintaining items belonging to these two categories.
The following roles might be involved in the NPI process. The roles on the left side are identical to the roles on the right side, except for the categories that they have authorization for.
Creator - Group A | Creator - Group B |
---|---|
Content Specialist Base – Group A | Content Specialist Base – Group B |
Content Specialist Specialty – Group A | Content Specialist Specialty – Group B |
Content Specialist Imaging – Group A | Content Specialist Imaging – Group B |
Content Approver Base – Group A | Content Approver Base – Group B |
Content Approver Specialty – Group A | Content Approver Specialty – Group B |
Content Approver Imaging – Group A | Content Approver Imaging – Group B |
If items are partitioned, you will have fewer groups to define roles for.
In addition to the roles that are in charge of only a subset of items, some roles in the Product Master Server system deal with all the items regardless of their categorizations. HazMat admin, tax and license admin, and SKU blocking admin are some examples of these roles.
Defining privileges for roles
Privileges are not set on the user, but on the roles that the user is assigned to. If you assign a user to multiple roles, the user inherits the privileges from each role. Based on the requirements of different users, you can define access privileges at different levels, such as:
- System-wide access privilege
- This privilege is applicable for the complete Product Master Server system. For example, you can grant the screen view privilege, which is a system-wide access privilege, to a role so that users assigned to that role can view screens in the Product Master Server system. You can restrict access to various features. You cannot change the ACG for the system-wide access. You can restrict the user to certain functions that are not object based, such as the ability to modify specs or spec maps, the ability to work with scripts, scheduled jobs, or security, or even access to certain menu options.
- Page or screen access privilege
- This privilege is applicable for a page or screen. For example, you can define access for a page when you need to provide access to only certain users.
- Catalog access privilege
- This privilege is applicable for single and multiple catalogs.
- Hierarchy access privilege
- This privilege is applicable for single and multiple hierarchies.
- Locale access privilege
- You can restrict access to one or more available locales. For example, members of a North American managers role might have access to English-US, English-Canada, French-Canada and Spanish-Mexico, but not English-UK, French-France or Spanish-Spain locales.
- Custom tools access privilege
- You can restrict the access to certain custom tools for certain roles. For example, you can provide access to the admin role for some custom tools.