This document explains the basic concept of user permission management in Intershop Order Management (IOM). It is aimed at business users, project developers, and operators.
Guide - IOM Basic Business Configuration | Create a User, Role and Assign Permissions to use the project configuration
Intershop Order Management Help | Platform Administration to use the back office
User | A person or technical account that interacts with the system, usually possesses a unique identifier (like a username) and authentication credentials ( |
Permission | The ability to perform a specific access or action to a specific resource, e.g. to view orders ( |
Role | A set of predefined permissions related to specific tasks or responsibilities |
User-Organization assignment | A user “exists” within assigned organizations and their children only ( |
User-Role-Organization assignment | Effective user permissions assignments |
As part of user management, permissions grant users specific access to, and specific operations on, specific resources. In IOM, permissions are granted to users via roles.
User permissions can also specify:
The type of access - for example, a user might be allowed to read data without modifying it (read-only) or be allowed to read and write data.
Specific functions a user can access - for example, most systems have an administrator role that allows users to assign permissions to other users.
Using the project configuration: Guide - IOM Basic Business Configuration | Create a User, Role and Assign Permissions
Using the back office: Intershop Order Management Help | Platform Administration
The basic steps are:
Creation or usage of a user assigned to at least one organization
Creation or usage of a role containing permissions
Assignment of a role to a user and assignment of the user to at least one organization
The permissions will be granted to all selected organizations and their children. Also refer to Concept - IOM Organizations.
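The following added example (not Intershop code and not part of the original document) resolves User-Role-Organization assignments into effective permissions, including the inheritance to child organizations described above, so that an access review can list who holds a given permission at a given organization. The organization, user and permission names are hypothetical and the data is constructed; only the two role names are taken from this page, and the data model is an assumption that does not reflect the IOM database schema.

```python
from collections import defaultdict

# Constructed sample data. Organization, user and permission names are
# hypothetical; only the two role names appear in the document.
ORG_PARENT = {"Root": None, "ShopEU": "Root", "ShopDE": "ShopEU", "SupplierA": "Root"}
ROLE_PERMISSIONS = {
    "FullOMTClient": {"ORDER_VIEW", "ORDER_EDIT"},
    "FullPlatformAdmin": {"USER_MANAGE", "ROLE_MANAGE"},
}
# User-Role-Organization assignments: (user, role, organization)
ASSIGNMENTS = [
    ("alice", "FullOMTClient", "ShopEU"),
    ("bob", "FullPlatformAdmin", "Root"),
    ("carol", "FullOMTClient", "ShopDE"),
]

def descendants(org, parent_map=ORG_PARENT):
    """Return org plus every organization below it in the hierarchy."""
    result = {org}
    changed = True
    while changed:
        changed = False
        for child, parent in parent_map.items():
            if parent in result and child not in result:
                result.add(child)
                changed = True
    return result

def effective_permissions(assignments=ASSIGNMENTS):
    """Map (user, organization) -> permissions, including inherited ones."""
    effective = defaultdict(set)
    for user, role, org in assignments:
        for target in descendants(org):  # selected organization and its children
            effective[(user, target)] |= ROLE_PERMISSIONS[role]
    return dict(effective)

def holders(permission, org, assignments=ASSIGNMENTS):
    """Users who effectively hold `permission` at `org` (for access reviews)."""
    eff = effective_permissions(assignments)
    return sorted(u for (u, o), perms in eff.items() if o == org and permission in perms)

if __name__ == "__main__":
    for (user, org), perms in sorted(effective_permissions().items()):
        print(f"{user:6} @ {org:10} {sorted(perms)}")
    print("USER_MANAGE at ShopDE:", holders("USER_MANAGE", "ShopDE"))
```

An administrative role assigned at a top-level organization reaches every organization beneath it, which is why the review is run per target organization rather than per assignment.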
The IOM initial database dumps come with two predefined roles:
FullOMTClient, which contains all permissions to use the back office, except for the user administration
FullPlatformAdmin, a selection of administrative permissions, like user management
These predefined roles should not be edited in the back office, as this can lead to inconsistencies with regard to (idempotent) configuration scripts.
The IOM initial database dumps come with two predefined users:
internal required: This is a required “dummy” user which is internally used mainly to assign an owner to some batch processes.
Do not modify or delete it. (This user will probably not be visible anymore in a future IOM version).
IOM Admin: This user has almost all permissions at all organizations and can be used to discover all features of the back office.
Consider deleting the user IOM Admin in production systems, or at least changing its default password. This user can be used to log in to the back office after an installation with the initial dump in order to define further users. Its initial password is ‘!InterShop00!’.