Hybris OCC: How to restrict user groups to access only particular site's occ?

abotorabi
Explorer

Given a headless implementation of SAP CC (Hybris) with two different user groups, say A and B, and two different base sites with own catalogs, say Site1 and Site2, how can the access of A and B be restricted to use either Site1's occ or Site2's occ?

I have tried to use a filter, which checks the request URL (for Site1 or Site2) and also checks the user groups and validates the access. But it seems not to be an easy task to introduce this filter into 'commerceWebServicesFilterChainListV2'. It seems that it would need an OOTB customization, which I would like to avoid.

Does someone have any ideas about how to do this?

Accepted Solutions (1)

adiputera
Active Participant

What you need is search restriction.

# One SearchRestriction per user group: the query is appended to every FlexibleSearch on BaseSite
# run for that principal. FlexibleSearch string literals use single quotes, not double quotes.
INSERT_UPDATE SearchRestriction; code[unique = true]; query; principal(UID); restrictedType(code); active; generate
;restrictionSiteA; {uid} = 'siteA'; userGroupA; BaseSite; true; true
;restrictionSiteB; {uid} = 'siteB'; userGroupB; BaseSite; true; true

This will restrict user group A only to base site A and user group B to base site B.

Edit:

To make it clear if someone finds this in the future: search restriction does work with OCC. If you use grant_type client_credentials in OAuth, the user in the OCC session will be set to anonymous. If you use grant type password in OAuth and give the username & password of User A, the user in the OCC session will be set to user A, and search restriction will be applied if there are any restrictions for user A.

abotorabi
Explorer

In principle, search restrictions are a good idea, and they work great for storefront-based shop implementations as it was earlier. However, they do not work for headless commerce (OCC based) implementations. It seems that the restrictions do not have any effect on accessing a site's products using the OCC endpoints. Having those restrictions in place does not prevent user groups from accessing all available sites' products. See my example below (tested with SAP CC 2205).

- userGroupA should see only the catalogs of SiteA by using following OCC endpoint:

https://<myshop.com>/occ/v2/site-a/products/search

- However, even with the restrictions you have mentioned, it is possible that userGroupA can access SiteB without any restrictions, thus seeing the products of SiteB.

https://<myshop.com>/occ/v2/site-b/products/search

adiputera
Active Participant

abotorabi

Search restriction does work with OCC. It will fetch the user from OAuth if you use the password grant type and set it in the session (if you use client_credentials, the user will be set as anonymous).

Just validated it for product detail (/products/{productCode}):

I restrict user A from accessing product B, and the API will not return anything if I use the password grant type and give the username & password of user A. But if I use client_credentials (user will be anonymous), it will return the product data.

For product search, the case was a bit different since it's coming from Solr, and search restriction didn't work with Solr. What I can think of is adding a category parameter, so the search only covers those categories. Or you can add the category parameter from the backend in the controller to search only for categories that are in site A/site B.

abotorabi
Explorer

Yusuf, thanks for the hints. The product search is indeed more complex, because one would need to customize the existing OCC endpoints to consider your suggested category restriction.

I will try to set up my own filter chain for /occ/v2 and introduce a kind of user/site validation filter, and see how far I can go with this approach.

I think this aspect is something which should be supported by Hybris for headless commerce: a kind of "customFilter" as one of the last filters in the current v2 filter chain would do the trick. That "customFilter" could be easily overridden by the shop implementation and do that kind of validation.

Thank you for your thoughts, Yusuf.

adiputera
Active Participant

abotorabi

I'm wondering, did you use the same product indexer for both site A & site B?

abotorabi
Explorer

No, every site has its own product indexing.

One additional note: the OCC access issue is not only related to search functionality. A lot of OCC endpoints are currently available also to anonymous users, because the support for B2B is not 100% in place in Hybris. With the mentioned filter, it is also possible to restrict all OCC endpoints to authenticated users.
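The user/site validation filter discussed in this thread, written out as an added example (not code from either poster or from SAP): it rejects anonymous session users (the client_credentials case described above) and then checks that the OAuth user belongs to the group mapped to the base site resolved from the URL. It assumes the filter is registered in the OCC chain after BaseSiteMatchingFilter and UserMatchingFilter; the class name and the site-to-group mapping are constructed for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import de.hybris.platform.basecommerce.model.site.BaseSiteModel;
import de.hybris.platform.core.model.user.UserGroupModel;
import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.servicelayer.user.UserService;
import de.hybris.platform.site.BaseSiteService;

// Hypothetical filter: must run after BaseSiteMatchingFilter and UserMatchingFilter so that
// the base site from the URL and the OAuth user are already present in the session.
public class SiteUserGroupValidationFilter extends OncePerRequestFilter {
    // Constructed policy: which user group may call which base site's OCC endpoints.
    private static final Map<String, String> REQUIRED_GROUP_BY_SITE = Map.of(
            "site-a", "userGroupA",
            "site-b", "userGroupB");

    @Resource private BaseSiteService baseSiteService;
    @Resource private UserService userService;

    @Override
    protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
            final FilterChain chain) throws ServletException, IOException {
        final BaseSiteModel site = baseSiteService.getCurrentBaseSite();
        final String requiredGroup = site == null ? null : REQUIRED_GROUP_BY_SITE.get(site.getUid());
        if (requiredGroup == null) { // site not covered by the policy: leave the request alone
            chain.doFilter(request, response);
            return;
        }
        final UserModel user = userService.getCurrentUser();
        // client_credentials tokens leave the session user anonymous: reject before any group check
        if (userService.isAnonymousUser(user)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authenticated user required");
            return;
        }
        final Set<String> groups = userService.getAllUserGroupsForUser(user).stream()
                .map(UserGroupModel::getUid).collect(Collectors.toSet());
        if (!groups.contains(requiredGroup)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "user not allowed for site " + site.getUid());
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because the check happens before the controller, it covers product search (served from Solr, where search restrictions do not apply) as well as the FlexibleSearch-backed endpoints.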

adiputera
Active Participant

abotorabi

Restricting all OCC endpoints is good, or you can also create two dummy users, one for each of site A & site B, and put restrictions on them, and then change the logic in UserMatchingFilter: if the current base site is site A, then set the current user to user A; if it's site B, then set it to user B. I feel like that's the easiest way; search restrictions will take care of the rest.