When setting up users of your Order Management System (OMS), best security practices dictate that you provide each user only with as much access as they need to get their job done. For example, your designer probably doesn't need access to your orders.
To this end, there are 8 pre-set User Access Levels available in your OMS on each user record, as follows:
Administrator* – Administrators have full access to all sections of the Order Management System.
Editor* – Editors have write access to Orders, Customers, Questions, and Articles only. Editors have read-only access to all other sections with the exception of Account, to which they have no access.
Power User* – Power Users have write access to Orders, Customers, and Questions only. Power Users have read-only access to all other sections with the exceptions of Dashboard and Account, to which they have no access. Access to reports is limited to those Order and Product reports that do not aggregate order, sales, revenue, or other totals.
User – Users have read-only access to all sections of the Order Management System with the exceptions of Dashboard and Account, to which they have no access. Users may also perform some fulfillment tasks such as updating order status. Access to reports is limited to those Order and Product reports that do not aggregate order, sales, revenue, or other totals.
Guest* – Guests have write access to Orders and Customers only. Guests have read-only access to Categories, Products, Coupons, and Gift Certificates. Guest users also have read-only access to Affiliates – with Commission and Amount Due masked, and Payments to Affiliate removed. Guests have no access to other sections, except to view and update their own user information. This level is often used for call center employees and other users whose jobs are limited to taking and processing orders.
Product – Product users have full access to the Categories, Products, and Vendors only. Product users also have full access to the Help Desk, but no access to any other section (except to view and update their own user information).\
Layout – Layout users have write access to the Articles and Layout only. Layout users also have the ability to edit Descriptions and Thumbnails in the Categories section and full access to the Help Desk, but no access to any other section (except to view and update their own user information). This level is often assigned to designers.
XML Tools – XML Tools user access level is not for humans, it's for machines as a more secure authentication method than the less specific XML Key. XML Tools users may not log in to the Order Management System at all; rather, this Access Level is used to grant explicit permission to the user to specified XML Tools (Settings/XML Tools). The User Name and Password are used within the XML Tools Credential container to authenticate the user and authorize the query or update being requested; please see the XML Tools Documentation for examples and more information.
*Note: When placing and editing orders from within the Order Management System, Administrators, Editors, and Power Users are generally able to override restrictions placed on customers, such as minimum orders and billing option limitations. However, Guests may not override these restrictions.
Setting the correct User Access Level is the first step in assigning and potentially narrowing down access for any particular user. However, once you have selected the pre-set user access level, you can further narrow down user access by excluding screens that would otherwise be included in the pre-set access level.
You may use the Excluded Screens checkboxes to prevent a user from accessing screens to which he/she would otherwise have access based on pre-set Access Level.
(listed screens will vary based upon the selected Access Level)
The checkboxes for Excluded Screens are used to exclude the user from accessing any screens for which the box is checked. When a screen is excluded, that exclusion encompasses, as applicable, the list and detail screens; any new/edit screens; reports; imports and exports; and any other functions otherwise available on the excluded screen.
Excluding a screen does not prevent data from an excluded entity from appearing on another screen to which the user has access. For example, products appear on Order Detail, Category Detail, and Vendor Detail screens (although not as links), even if Products is an excluded screen.
Note: You may not change the Excluded Screens for yourself, even if you are an Administrator.
CC Access, Regardless of Access Level
Finally, the Full CC Access options (Settings / Site Options) control access to full credit card numbers for selected Access Levels.
For each Access Level for which Full CC Access is not granted, all but the last 4 digits of all credit card numbers are replaced by x's; those users may still enter full credit card numbers if and when it is necessary to do so, but may never view them afterwards. The Report/XML option controls whether or not an order's full credit card number is included in the Order Print Report (Orders/Reports) and when using the XML Tools (Settings/XML Tools).
The Full CC Access checkboxes do not apply to users with Product or Layout access, who have no access to credit card information.
If the Report/XML option is on, the user must also have access to full credit card numbers generally, via the appropriate User-level checkbox in this section, to access full credit card numbers in the Order Print Report.
Lock Full CC Access
Clicking the Lock Full CC Access button will prevent any change from being made to the Full CC Access options. If you wish to then unlock those options, you must contact TrueCommerce Nexternal.
If your Full CC Access checkboxes are disabled and you do not see the Lock Full CC Access button, your options are currently locked. Please contact TrueCommerce Nexternal if you wish to unlock these options.
Additional Security Rules
For users with access (or with the ability to grant access) to full credit cards, additional security rules apply: password must be changed upon first login and every 90 days thereafter; and none of the last 4 passwords used may be reused. Furthermore, users who have not logged in for 90 days are automatically deactivated.