User security


Optimizely Configured Commerce has two groups of users: console users and website (storefront) users. Console users can only access the Admin Console and have roles starting with ISC_. Website users can only access the storefront, and you can assign them to customers and websites. See Get started with users for information.

Personal information

The only required fields are username and email address, but you can add additional information. What information is stored about the user depends on how the user was created. The customer record stores detailed information from new customers; however, the user record stores fields such as email subscriptions.

Role-based security

Configured Commerce uses role-based security. Some roles may prevent users from accessing certain functions in the Admin Console or storefront. You can also change or reset passwords and unlock users.

Require website account activation by email

You can add security by requiring website users to activate their accounts by email. The activation email contains information for users to activate their accounts and set their passwords.

This feature is available out-of-the-box for Spire and can be done through customizations with Classic.

  1. Go to Administration > Settings.
  2. Search for Require Activate Account (located under Account Management).
  3. Toggle the option to Yes. Default: No

This option removes the password fields and password requirements from the Create Account page. 


The user must enter an email address and username. When they click Create, they receive an email with instructions to activate their account. After following the instructions, a confirmation displays that their account has been activated, and they can start shopping with it.


If the link in the activation email expires, they can choose to resend the activation email.

Passwords

To maintain PA-DSS compliance, passwords must meet the following requirements, which are set in the Admin Console. Go to Administration > Settings and open the Console Security and Website Security sections:

  • Password Minimum Requirement Length – 8
  • Password Requires Special Character – Yes
  • Password Requires Uppercase – Yes
  • Password Requires Lowercase – Yes
  • Password Requires Digit – Yes
  • Lockout Enabled – Yes
  • Max Failed Attempts Before Lockout – 5
  • Lockout Time in Minutes – 10

PA-DSS also requires that admin user passwords expire at least every 90 days and that the system tracks when user passwords are changed. New passwords must be different from the user's last four passwords. See Manage passwords for information.
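As an added illustration (not Configured Commerce code), the following model applies the settings above as a server-side policy: the complexity rules, the last-four-passwords history, the 90-day expiry and the five-attempt, ten-minute lockout. The account structure and PBKDF2 hashing are constructed stand-ins for the platform's own storage; the POLICY values are the ones listed above.

```python
import hashlib, hmac, os
from datetime import timedelta
from types import SimpleNamespace

POLICY = dict(min_length=8, special=True, upper=True, lower=True, digit=True,
              lockout_enabled=True, max_failed=5, lockout_minutes=10,
              expiry_days=90, history=4)

def _hash(pw, salt):  # constructed stand-in for the platform's own password hashing
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def new_account():  # history: (salt, hash) pairs, newest last; changed_at: last change
    return SimpleNamespace(history=[], changed_at=None, failed=0, locked_until=None)

def complexity_errors(pw, policy=POLICY):
    """Names of the complexity rules the candidate password fails."""
    checks = {"min_length": len(pw) >= policy["min_length"],
              "special": not policy["special"] or any(not c.isalnum() for c in pw),
              "upper": not policy["upper"] or any(c.isupper() for c in pw),
              "lower": not policy["lower"] or any(c.islower() for c in pw),
              "digit": not policy["digit"] or any(c.isdigit() for c in pw)}
    return [name for name, ok in checks.items() if not ok]

def set_password(acct, pw, now, policy=POLICY):
    """Complexity plus last-four-passwords rules; returns the failed rule names."""
    errors = complexity_errors(pw, policy)
    if any(hmac.compare_digest(_hash(pw, s), h) for s, h in acct.history[-policy["history"]:]):
        errors.append("reused")
    if not errors:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(pw, salt)))
        acct.changed_at = now  # PA-DSS: the system tracks when passwords change
    return errors

def password_expired(acct, now, policy=POLICY):  # 90-day expiry for admin passwords
    return acct.changed_at is None or now - acct.changed_at >= timedelta(days=policy["expiry_days"])

def attempt_login(acct, pw, now, policy=POLICY):
    """Return 'locked', 'ok' or 'bad'; the fifth consecutive failure starts a 10-minute lockout."""
    if acct.locked_until and now < acct.locked_until:
        return "locked"
    salt, h = acct.history[-1]
    if hmac.compare_digest(_hash(pw, salt), h):
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if policy["lockout_enabled"] and acct.failed >= policy["max_failed"]:
        acct.locked_until, acct.failed = now + timedelta(minutes=policy["lockout_minutes"]), 0
    return "bad"
```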

Maintain a user's session

Configured Commerce lets you control how long to maintain a user's session.

Remember Me lets users access certain content on the website without repeatedly signing in unless they visit from a different browser or device. If they sign out from the site, they must re-authenticate, including when accessing their account pages or completing checkout.

The following is true for users who have selected the Remember Me checkbox, are returning to the site using the same browser or device, and are within the defined number of days allowed per session:

  • Users can see all pricing and availability, the cart, and any wishlists as if they were signed into the website.
  • Pricing is calculated based on the user's default bill to/ship to address. If no default bill to/ship to exists, the system calculates prices based on the last selected address.
  • If you do not enable additional pages to be remembered, users must re-authenticate to access addresses, account settings, user administration, budget management, invoice history, job quotes, order history, order approval, requisitions, quote history, saved orders, or checkout.

Keep Me Signed In maintains user sessions like Remember Me and includes retaining the user's session when they access their account pages or complete checkout. When you enable this feature, user sessions are kept active, without limitations, for the number of days defined by Days To Retain User.

Follow these steps to enable Remember Me or Keep Me Signed In:

  1. Go to Administration > Settings > Account Management.
  2. Expand the Remember Me / Keep Me Signed In drop-down list under Website Security and select Remember Me or Keep Me Signed In.
  3. Adjust the Days To Retain User field value if desired. The default is 30 days.
  4. (Optional) Select the additional Pages To Be Remembered if you selected Remember Me. The default page remembered with this feature is My Lists. To include additional pages, click Select Pages, select the desired pages, and click Save. All pages that you select include their subpages.

Follow these steps to disable these features:

  1. Go to Administration > Settings > Account Management.
  2. Expand the Remember Me / Keep Me Signed In drop-down list under Website Security and select Not Applicable.
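To make the interaction of these settings concrete, here is an added decision model (not Configured Commerce code) of what a returning user can reach under each setting. The page names come from the list above; the "Parent/Child" page naming used to model subpages and the inclusive retention window are assumptions.

```python
# Account pages that require re-authentication under Remember Me unless they
# are added to Pages To Be Remembered (list taken from the text above).
PROTECTED_PAGES = {"Addresses", "Account Settings", "User Administration",
                   "Budget Management", "Invoice History", "Job Quotes",
                   "Order History", "Order Approval", "Requisitions",
                   "Quote History", "Saved Orders", "Checkout"}
DEFAULT_REMEMBERED = {"My Lists"}  # remembered by default under Remember Me

def session_decision(mode, page, days_since_sign_in, days_to_retain=30,
                     pages_to_remember=(), signed_out=False, same_device=True):
    """Return 'signed_in', 'remembered' (pricing, cart and lists as if signed in,
    but account pages and checkout still prompt) or 'sign_in_required'.
    Assumed page naming: "Parent/Child", so subpages inherit the parent's status."""
    if mode == "Not Applicable" or signed_out or not same_device:
        return "sign_in_required"
    if days_since_sign_in > days_to_retain:  # assumes Days To Retain User is inclusive
        return "sign_in_required"
    if mode == "Keep Me Signed In":
        return "signed_in"  # session retained without limitation for Days To Retain User
    if mode == "Remember Me":
        root = page.split("/")[0]
        if root in PROTECTED_PAGES and root not in DEFAULT_REMEMBERED | set(pages_to_remember):
            return "sign_in_required"
        return "remembered"
    raise ValueError(f"unknown Remember Me / Keep Me Signed In setting: {mode!r}")
```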

Custom properties

Custom property fields are available to facilitate implementation-specific, custom functionality. These can be found within the Application Dictionary.