Users and security overview

For simplicity and security, Users are segmented into two groups: Console Users and Website (storefront) Users. Console Users can access only the Admin Console, and for clarity all of their assigned Roles carry the "ISC_" prefix. Website Users can access only the website/storefront and can be assigned to customers and websites.

Users can be created through four different processes:

  • Pre-populated through ERP system integration
  • Uploaded via Template (usually during implementation)
  • Manually via the Admin Console
  • Automatically when a new customer creates an order

Personal information

Although username and email address are the only required fields, additional information may be entered. How much information is stored about a user depends on the method by which the user was created. Generally, detailed information about users created automatically for new customers is stored within the customer record itself; however, fields such as whether the user has subscribed to emails are stored within the user record.


Optimizely Configured Commerce uses .NET Membership role-based security. Users are assigned Roles that determine which Admin Console functions and/or website functions the user is allowed to access.

Security functions, such as changing or resetting passwords and unlocking users, are also performed within the Users module via transactions with the .NET Membership services.


To maintain PA-DSS compliance, passwords must meet the following requirements, which are set in the Admin Console under Administration > Settings > Account Management, in the Console Security and Website Security sections:

  • Password Minimum Requirement Length – 8
  • Password Requires Special Character – Yes
  • Password Requires Uppercase – Yes
  • Password Requires Lowercase – Yes
  • Password Requires Digit – Yes
  • Lockout Enabled – Yes
  • Max Failed Attempts Before Lockout – 5
  • Lockout Time in Minutes – 10

PA-DSS also requires that admin user passwords expire at least every 90 days and that the system tracks when user passwords are changed. New passwords must be different from the user's last four passwords.
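The settings above are enforced by the product itself through the Admin Console and .NET Membership. As an added illustration (not code from Optimizely or Configured Commerce), the following Python encodes the same numbers as a stand-alone reference policy, so you can test candidate passwords, password reuse, the 5-attempt / 10-minute lockout and the 90-day expiry offline and compare the behaviour with what you see on a site. The names PasswordPolicy values, AccountState and demo are assumptions for this example, as is the definition of "special character" as ASCII punctuation, which the page does not spell out.

```python
"""Reference implementation of the password and lockout policy listed above.

Added example, not Optimizely Configured Commerce code. The constants
mirror the Console Security / Website Security settings on this page;
everything else (AccountState, the hashing scheme, the punctuation rule
for "special character") is an assumption made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import string

# Values from the Admin Console settings listed above.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_MINUTES = 10
PASSWORD_HISTORY = 4        # new password must differ from the last four
MAX_PASSWORD_AGE_DAYS = 90  # admin passwords expire at least every 90 days


def complexity_violations(password: str) -> list[str]:
    """Return the complexity rules the candidate fails (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Assumption: "special character" means ASCII punctuation.
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class AccountState:
    """Per-user state the policy needs: history, last change time, failed logins."""
    history: list = field(default_factory=list)  # (salt, digest), newest last
    password_set_at: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply complexity and history rules; return the reasons for rejection."""
        problems = complexity_violations(password)
        if problems:
            return problems
        for salt, digest in self.history[-PASSWORD_HISTORY:]:
            if hmac.compare_digest(_hash(password, salt), digest):
                return [f"matches one of the last {PASSWORD_HISTORY} passwords"]
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.password_set_at = now   # tracked so expiry can be enforced
        return []

    def password_expired(self, now: datetime) -> bool:
        if self.password_set_at is None:
            return True
        return now - self.password_set_at > timedelta(days=MAX_PASSWORD_AGE_DAYS)

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def verify(self, password: str, now: datetime) -> bool:
        """Check a login attempt, counting failures and locking out after the limit."""
        if self.is_locked(now) or not self.history:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            self.failed_attempts = 0
        return False


def demo() -> dict[str, bool]:
    """Walk one constructed account through every rule; returns a result map."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = AccountState()
    r = {}
    r["weak_rejected"] = acct.set_password("password", t0) != []
    r["strong_accepted"] = acct.set_password("Str0ng!Pass", t0) == []
    for i, pw in enumerate(["Str0ng!Pass2", "Str0ng!Pass3", "Str0ng!Pass4"], 1):
        acct.set_password(pw, t0 + timedelta(days=i))
    t1 = t0 + timedelta(days=4)
    r["reuse_rejected"] = acct.set_password("Str0ng!Pass", t1) != []
    for _ in range(MAX_FAILED_ATTEMPTS):          # five wrong guesses
        acct.verify("WrongGuess1!", t1)
    r["locked_after_5"] = acct.is_locked(t1)
    r["correct_pw_rejected_while_locked"] = not acct.verify("Str0ng!Pass4", t1 + timedelta(minutes=5))
    r["unlocked_after_10"] = acct.verify("Str0ng!Pass4", t1 + timedelta(minutes=LOCKOUT_MINUTES))
    r["expired_after_90d"] = acct.password_expired(t1 + timedelta(days=91))
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The lockout resets the failure counter when it triggers, so the sixth attempt after the window is counted afresh rather than locking immediately; the history check covers the current password plus the three before it, which is what "different from the last four" means here.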


When a new customer creates an account on the website to place an order, a user record is created automatically and associated with that customer record. There are some instances that require a user to be associated with multiple customers; this is common in business-to-business implementations where a sales representative needs to place orders for multiple customers. Additionally, cases such as department stores with multiple buyers require many users to be associated with a single customer. The Admin Console natively supports all three of these models.

Custom properties

Custom property fields are available to facilitate implementation-specific, custom functionality. These can be found within the Application Dictionary.