Q: Explain User?
Users and user groups in Hybris Commerce derive from the generic Principal type. This is the foundation for all
other, more specific user-related sub-types. Principal is the main abstract class for the user and usergroup types.
Q: What are the System Accounts? = There are 3 special system user items that are essential to the platform
and can't be modified / deleted: (1) Employee: admin (2) Customer: anonymous (3) Usergroup: admingroup
Q: Unique Identifiers for Users and User Groups? = Users and user groups are identified by a unique identifier,
the uid. The uid is an attribute of the Principal class and is used to uniquely identify all principals in the
Hybris system: users such as customers and employees, or user groups such as a company.
You can avoid duplicating a uid by adding the suffix "group", e.g. admin and admingroup.
Users = Employees (who manage the application), Customers (who use the application) & User Groups.
Q: Let's say you arrive at the Flipkart website. What are you called now? =
An Anonymous Customer/User (AC). This AC may or may not buy.
In the process of buying / purchasing, you have to provide a unique identification (email / phone).
Once you provide an email / phone you are no longer called an AC.
Once the AC places an order, he becomes either a Guest Customer (GC) or a Logged-in Customer.
Guest Customer = Places an order by providing only an email / phone. Has no profile in the DB.
Logged-in Customer = Went through the registration process, so the profile is in the DB.
Note: - Some websites require a login (IRCTC); some websites may not (Bookmyshow).
All B2B websites require a login. B2C websites may or may not (depends on the client).
Note: - Different Emps have different permissions. Let's say you call CC & ask for the money back
because of a wrong product. They go to a manager & get approval. Everyone is an Emp, but they
have different permissions.
Contact Us = [email protected]
Note: - User groups (logical entities) -- Let's say we have 10 users in the Cockpit user group. All these 10
users have the same permissions.
Note: - By default Emps are in "employeegroup" (directly or via a sub-group). By default, Customers
are in "customergroup".
Q: Customers can be members of?
✓ Usergroup: e.g. VIP customergroup, frequent buyer group
✓ Tax Group: e.g. in the europe1 extension
✓ Price Group: e.g. in the europe1 extension
✓ Discount Group: e.g. a 5% discount as in the europe1 extension
Q: Customers can be affected by?
✓ Restrictions
✓ Access Rights = The permission service framework defines access rights for users to catalogs & other content.
Note: Customers are not allowed to manage SAP Hybris Commerce. Although it is technically possible
to grant a customer account access to the SAP Hybris Commerce management tools, this is not
recommended and should not be allowed.
Q: Employees can be affected by? = (1) Restrictions & (2) Access Rights
Q: Where does a User Account have an effect?
• JaloSession = At any given time a user must be set on the JaloSession. The default user is anonymous.
Thumb Rule – Wherever a JaloSession is used, a user account is required.
• hybris Management Console = The hMC elements shown depend on the logged-in user. Example: - Some
users may be allowed to edit product details, while other users may be allowed to edit orders.
• Order Process = A customer must log in to make sure that the shopping cart is assigned to an individual
person.
• Addresses = Used for delivery, payment or both. An address can be created via hMC / Storefront.
• CronJobs = A CronJob in the hybris suite uses a JaloSession & therefore also requires a User.
Q: Explain Password Autocomplete?
At cockpit level you can turn on auto-filled login credentials. Open the project.properties file located in the
${HYBRIS_BIN_DIR}/ext-content/productcockpit/ folder and set:
productcockpit.default.login=productmanager
productcockpit.default.password=1234
Q: Explain User PWD Security Options?
By default Hybris uses 2 layers to protect user passwords: -
• Every PWD is hashed using a configurable hashing method. You can also plug in a custom hashing
method if you want. Password Hashing: -
Open ${PLATFORM_HOME}/ext/core/resources/core-spring.xml
Default available password encoding methods: -
MD5, SHA-256, SHA-512, PBKDF2
The example below shows how to select a salted password encoder. Open local.properties and set:
default.password.encoding=sha-512
• The hashed PWD is then encrypted using transparent attribute encryption.
By default, the encoded password is encrypted before being stored in the database using
transparent attribute encryption (TAE), which is switched on per attribute by the encrypted modifier in
/platform/ext/core/resources/core-items.xml:
<attribute autocreate="true" qualifier="encodedPassword" type="java.lang.String">
    <persistence type="property" qualifier="Passwd"/>
    <modifiers encrypted="true"/>
</attribute>
➔ The encryption keys are managed in HAC → Maintenance → Encryption keys
Consider one scenario: - We have 2 employees. The 1st Emp has read & write permission on an object; the 2nd Emp
has only read permission on that object.
Note: - We can give Access Rights at Product (type) level / column (attribute) level.
Access Rights are only for Emps (not for customers, because customers are created from the website).
This can be achieved in 2 ways: -
1) Type Based Access Restrictions = Here you go to the user (Emp) & assign the object access rights directly.
Note: - Generally this is not the best way (the 2nd way is best).
→ hMC → User → Employee, search for the Employee (productmanager_cl) → Access Rights
Objects = Specify for which objects you would like to provide the access.
→ Add Type (+), now search for Product & add it (if Product is already added then just select it).
Now you can specify which columns can be read only / change / create / delete /…
Let's say I am creating a product; then I should not be allowed to change the status (so the
approval status column should not allow me to change it).
We can set the Access Rights at product level & column level also.
2) Here, we create a user group 1st & users (Emps) are assigned to the user group. This is the best way.
Create User Group → hMC – User – User Groups → Create → User Group, ID = EleUserGroup
→ Create → Access Rights, now at Object level → Add Type (+), select the required type (Product) &
give the access → Save.
Note: - When a new Emp comes (created / requires access), just add them to this group (→ Emps,
go to the required Emp → General → Groups (+), add the Group).
Note: - Generally, in a company the 2nd method is implemented. Example: - When an Emp is promoted
from TL to PM (or) PM to SPM, they just go to the Emp & add those groups (they don't modify the Emp
profile & provide the access directly).
Note: - A user can have N number of groups. User groups can also have sub-usergroups.
Note: - Generally, we don't do this manually. We give access rights via ImpEx only.
If you don't see an option (or) need some additional stuff, then we can do
customizations.
Note: - Many Emps are already created; just see which is nearest to your requirement, copy it &
continue.
Note: - There was a Report Cockpit (from Hybris 5.4 this was taken out because of license challenges). Now
the Report Cockpit requires a separate license. So we can use any 3rd party reporting tool for this. Using a 3rd party
reporting tool, we can connect to the Hybris DB & start creating reports.
Note: - Users do not have Staged & Online versions. In general, if a type has no version creation option, then
it does not have Staged & Online versions.
Q: How to work with User Accounts? = Create them by instantiating a UserModel and saving it with the
ModelService.
Q: How to get a user by its unique identifier = userService.getUserForUID(uid)
Q: How to check whether a user login already exists in the system = boolean isUserExisting(String uid);
Q: Create an employee user = final EmployeeModel emp = new EmployeeModel();
emp.setUid("one"); modelService.save(emp);
Q: Create a customer user = final CustomerModel cust = new CustomerModel();
cust.setUid("one"); modelService.save(cust);
Q: Removing a User = You can remove any user account, except system users such as admin and anonymous.
UserModel user = userService.getUserForUID("one"); modelService.remove(user);
Q: How to Update a User Group?
UserGroupModel usergroup = userService.getUserGroupForUID("theUserGroupId");
// change the attributes you need, then persist: modelService.save(usergroup);
Q: How to Remove a User Group?
UserGroupModel usergroup = userService.getUserGroupForUID("theUserGroupId");
modelService.remove(usergroup);
Q: Customer Type Actions =
✓ Updating Address = UserModel, CartModel & OrderModel have addresses. You use the AddressService
to create the address for a user. Addresses in the cart & order are copies made by cloning.
✓ Updating Payment Info = Each customer has their own PaymentInfo. It holds the payment details for the user.
✓ Saving Carts = For a specific user, you can save the cart-related data. This allows the user to stop browsing
the web shop at any time and return later to continue from the point where they left the web shop.
✓ Deactivating User = You can set the loginDisabled attribute to deactivate the user. Hybris recommends
that you deactivate users instead of removing them. To deactivate a user, use user.setLoginDisabled(true);
Q: Employee Type Actions = Changing User Roles (Users of the employee type can play different roles within a
company). It is possible to define several roles for one user.
Q: What is the purpose of a user group?
✓ Roles & Permissions management
✓ Marketing targeting
✓ Different access layers
✓ Cockpit customization
✓ Catalog visibility
Q: What are the factory default employee accounts that come with the Hybris system?
✓ admin & assortmentmanager
✓ customerservice
✓ editor & layouter
✓ marketing
✓ pageplaner
✓ printadmin & PrintUser
✓ productmanager & productmanager_cl
✓ productmanager_hw
✓ productmanager_wf1 / wf2 / wf3
✓ publicationmanager
Q: Permission -- What is it? What does it do?
✓ A permission is an abstract concept
✓ Permissions define access rights
✓ They can specify a detailed level of access to types, items & attributes
✓ Permissions can be granted / assigned to users / user groups
Q: Permission Scope =
✓ Global Permissions = Assigned to a Principal, not related to any type, item / attribute
✓ Type Permissions & Item Permissions
✓ Attribute Permissions
Q: Type-Based Access Rights
✓ Access rights for Hybris types and their attributes
✓ Access is granted to individual users and / or user groups
✓ Affect the entire type, not individual items
✓ Can also affect individual type attributes
Q: Custom Access Rights – Overview: -
✓ You may define your own permission types
✓ You can grant / deny permissions on item instances
✓ The exposed API allows checking of both item & type permissions.
Q: Permission Effective Priority?
✓ The closest permission in the group hierarchy takes effect
✓ The most general permission has the lowest priority & the most specific permission has the highest priority
✓ A permission assigned to a user overrides the permission assigned to the user group the user belongs to.
Q: What are the Permission Best Practices?
✓ Grant permissions at group level wherever possible
✓ Avoid granting / denying permissions at user level wherever possible
✓ Design your permission schema & keep it simple
✓ Define custom permissions for custom functionality
✓ Document all custom-defined permissions & where they are used
✓ Permissions are not automatically enforced. Your code does the job.
Q: What are the User Group Best Practices?
✓ Design your group hierarchy cleanly & keep it simple
✓ Separate functionality into different groups based on role, so they can be reused
✓ Match the groups as closely as possible to the real-world functional roles
✓ Add a user / group to different groups for different roles instead of creating a new group, if possible
HMC Access Levels = There is a list of OOTB employee accounts & user groups with different levels of hMC
access. See https://help.hybris.com/6.1.0/hcd/8c24121386691014b925a250976f2851.html
Q: Explain URL Access Control?
✓ Defines who has access to a certain URL / URL pattern
✓ Defined in "spring-security-config.xml". Example =
<security:intercept-url pattern="/my-account*" access="hasRole('ROLE_CUSTOMERGROUP')"/>
✓ A role name in the Spring Security file is the concatenation ROLE_ + UserGroup.UID (upper-cased, as in ROLE_CUSTOMERGROUP for customergroup)
Q: Explain Restrictions in Cockpits?
✓ In Cockpits, restrictions are disabled by default
✓ To enable restrictions in cockpits – cockpit.disableRestrictions = false
Q: How to create Restrictions? = In the following ways: -
(1) Hybris Commerce API (2) Hybris Management Console (3) ImpEx
Q: Explain User Rights? = Access rights definitions can be either positive (Granted) / negative (Denied).
✓ Q: What are the 3 principals in Hybris that can't be modified / updated? = (1) admin user (2)
anonymous user & (3) admin group
✓ Access Rights = Hybris has a permissions FWK & you can define your own access rules for "item types &
attributes". Access rights can be: -
o Globally for a user / user group
o For an item type
o For an instance of an item type
o For an attribute
✓ If 2 rules clash, then the most restrictive one is applied. Meaning, if 1 rule grants the read right & another denies
the read right, then the user won't have the read right.
✓ Q: What are the possibilities to assign permissions?
o Legacy ImpEx scripts = Only compatible with legacy permissions (READ, CHANGE, CREATE,
DELETE). Here we use $START_USERRIGHTS and $END_USERRIGHTS to indicate that every line
in between is not ImpEx but a user rights definition.
o PermissionManagementService (OOB) is the new recommended way of managing permissions;
it allows you to create new permission types. Using this you can: -
▪ manage item type, item, attribute & global permissions
▪ create new permissions
PermissionCheckingService = Used to check permissions
PermissionManagementService = Used to configure permissions
PermissionCRUDService = Used to check CRUD operations
✓ Search Restrictions = WHERE clauses added automatically to FlexibleSearch queries for specific
users and item types. Restrictions do not apply to: - (1) SOLR search (2) Admin group users (3) Direct
item type access through the model service.
✓ B2B Hierarchy: - The Hybris B2B accelerator gives you the ability to manage company organizations: -
o Unit = Basic block of an organization (a location, a department or the entire organization)
o Users = Each user is attached to a unit & must have at least one of these roles: -
▪ Administrator = Can manage a unit
▪ Manager = Can access reports
▪ Approver = Can approve orders and define a user's monetary limit
▪ = Place orders (automatically approved if under the approval threshold)
o Cost Center = Assigned to units; orders are charged against a cost center
o Budget = Assigned to units; if a unit exceeds its budget then orders are sent to an approver
o Credit Limit = Assigned by the merchant to a unit; if an order exceeds the limit, manual approval is needed.
Note: - When you run Hybris with the B2B accelerator, you can see a new panel under your account to
manage your company organization directly from the storefront under My Company. To see this, the user
(you) needs to be a B2B Admin.
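The permission services listed under "possibilities to assign permissions", applied to the two-employee Product scenario from the access-rights section: the group gets READ and CHANGE on Product but CHANGE on approvalStatus is denied, and because permissions are not enforced automatically the editing code checks them before saving. This is an added example and not code from the original notes; the class and method names are assumptions, while PermissionManagementService, PermissionCRUDService, PermissionAssignment and PermissionsConstants are the platform's own API.

```java
// Added example, not from the original notes: the two-employee Product scenario above, set up with
// PermissionManagementService and then enforced in code. Class/method names are assumptions.
import de.hybris.platform.catalog.enums.ArticleApprovalStatus;
import de.hybris.platform.core.model.product.ProductModel;
import de.hybris.platform.core.model.user.UserGroupModel;
import de.hybris.platform.servicelayer.model.ModelService;
import de.hybris.platform.servicelayer.security.permissions.PermissionAssignment;
import de.hybris.platform.servicelayer.security.permissions.PermissionCRUDService;
import de.hybris.platform.servicelayer.security.permissions.PermissionManagementService;
import de.hybris.platform.servicelayer.security.permissions.PermissionsConstants;
import de.hybris.platform.servicelayer.user.UserService;
import org.springframework.beans.factory.annotation.Autowired;

public class ProductEditingService {
    @Autowired private PermissionManagementService permissionManagementService;
    @Autowired private PermissionCRUDService permissionCRUDService;
    @Autowired private UserService userService;
    @Autowired private ModelService modelService;

    /** Grants at group level (the recommended way): read + change on Product, but no change of approvalStatus. */
    public void grantProductEditorRights(String groupUid) {
        UserGroupModel group = userService.getUserGroupForUID(groupUid);
        permissionManagementService.addTypePermission(ProductModel._TYPECODE,
                new PermissionAssignment(PermissionsConstants.READ, group),
                new PermissionAssignment(PermissionsConstants.CHANGE, group));
        // The attribute-level rule is more specific than the type-level one, so it takes priority.
        permissionManagementService.addAttributePermission(ProductModel._TYPECODE, ProductModel.APPROVALSTATUS,
                new PermissionAssignment(PermissionsConstants.CHANGE, group, true)); // true = denied
    }

    /** Permissions are not enforced automatically: this is the check the editing code has to make. */
    public void updateProduct(ProductModel product, String newName, ArticleApprovalStatus newStatus) {
        if (!permissionCRUDService.canChangeType(ProductModel._TYPECODE)) {       // current session user
            throw new SecurityException("no CHANGE permission on Product");
        }
        product.setName(newName);
        if (newStatus != null) {
            if (!permissionCRUDService.canChangeAttribute(ProductModel._TYPECODE, ProductModel.APPROVALSTATUS)) {
                throw new SecurityException("approvalStatus may not be changed by this user");
            }
            product.setApprovalStatus(newStatus);
        }
        modelService.save(product);
    }
}
```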