Roles and permissions
How to set specific permitted actions for each resource
Commerce Layer supports a granular access control system on a resource level. Each access token gets a specific set of permissions. The client and the authorization flow determine your permitted actions for each resource.
Sales channels support
client_credentials
, password
and refresh_token
grant types. Given their limited permissions, they can be safely used in client-side applications.Sales channels that authenticate through
client_credentials
get the following permissions.For security reasons sales channels can read resource lists only for
skus
, sku_options
, prices
, promotions
and bundles
. Getting a list is not allowed for all the other resources. For example, a sales channel is authorized to get /api/orders/xYZkjABcde
but not /api/orders
endpoint.Resource | Create | Read | Update | Delete | Restrictions |
---|---|---|---|---|---|
Addresses | Single resource only. | ||||
Application | |||||
Bundles | Bundles associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. | ||||
Customers | | ||||
Customer subscriptions | Single resource only. | ||||
Delivery lead times | Delivery lead times associated with the shipping methods accessible by scope. | ||||
Geocoders | Single resource only. | ||||
Gift cards | If "draft" (single resource only). | ||||
Gift card recipients | Single resource only. | ||||
In-stock subscriptions | In-stock subscriptions associated with the market in scope. | ||||
Line items | Can be read if belonging to draft, pending or placed orders and updated/deleted if belonging to draft or pending orders (single resource only). | ||||
Line item options | Can be read if belonging line items associated with draft, pending or placed orders and updated/deleted if belonging to line items associated with draft or pending orders (single resource only). | ||||
Orders | Can be read if draft, pending or placed and updated if draft or pending (single resource only). | ||||
Organization | Your current organization. | ||||
Payment methods | Enabled payment methods associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. | ||||
Payment sources | Can be read if belonging to draft, pending or placed orders and updated/deleted if belonging to draft or pending orders (single resource only). | ||||
Prices | Prices associated with the market price list. | ||||
Price tiers | Price tiers associated with the prices accessible by scope. | ||||
Promotions | Active promotions associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. | ||||
Promotion rules | Promotion rules associated with the promotions accessible by scope. | ||||
Shipments | Can be read if belonging to draft, pending or placed orders and updated if belonging to draft or pending orders (single resource only). | ||||
Shipment line items | Can be read if belonging to shipments associated with draft, pending or placed orders (single resource only). | ||||
Shipping methods | Enabled shipping methods associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. If stock location is specified, it's matched with the one in scope. | ||||
Shipping method tiers | Shipping method tiers associated with the shipping methods accessible by scope. | ||||
SKUs | SKUs with stock items in the market inventory model (unless not tracked), a price in the market price list (unless external prices allowed). | ||||
SKU options | SKU options associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. | ||||
SKU lists | Single resource only. | ||||
SKU list items | Single resource only. | ||||
Stock items | SKU items belonging to the stock locations associated with the market in scope. | ||||
Stock transfers | Can be read if belonging to shipments associated with "draft", "pending" or "placed" orders (single resource only). | ||||
Subscription models | Subscription models associated with the market in scope. |
Sales channels can authenticate a customer through the
password
flow. The access tokens that they get include the sum of the client permissions plus the ones below.Resource | Create | Read | Update | Delete | Restrictions |
---|---|---|---|---|---|
Customers | The customer must be the authenticated resource owner. | ||||
Customer addresses | The customer must be the authenticated resource owner. | ||||
Customer payment sources | The customer must be the authenticated resource owner. | ||||
Customer subscriptions | The customer must be the authenticated resource owner. | ||||
Line items | The line items must belong to one of the customer's orders. | ||||
Line item options | The line item options must belong to one of the line items associated with one of the customer's orders. | ||||
Orders | Can be deleted only if in editing status. The customer must be the authenticated resource owner. | ||||
Order subscriptions | The subscriptions must be associated with one of the customer's orders. | ||||
Order subscription items | The subscriptions items must be associated with one of the customer's subscriptions. | ||||
Parcels | The parcels must belong to one of the customer's orders. | ||||
Parcel line items | The parcel line items must belong to one of the parcels associated with one of the customer's orders. | ||||
Returns | Can be created for one of the customer's order and updated if in draft status. | ||||
Return line items | The return line items must belong to one of the returns associated with one of customer's order. | ||||
Shipments | The shipments must belong to one of the customer's orders. | ||||
SKU lists | The customer must be the authenticated resource owner. | ||||
SKU list items | The customer must be the authenticated owner of the associated SKU list. |
An access token obtained through a
refresh_token
inherit the same set of permissions as the one that expired.Integrations support the
client_credentials
grant type. The access tokens that they get include the set of permissions of their role.Webapps support
authorization_code
and refresh_token
grant types. They don't bring any grants to the access tokens and get the set of permissions of the authenticated user's role. Access tokens obtained through a refresh_token
inherit the same set of permissions as the one that expired.Last modified 2mo ago