
Investigate user roles in Hybris to stop asset changes in the online catalog

Overview

Cloudinary is going to be the only source of truth for our media assets. We need to restrict the ability to add or modify assets on the product model in the online catalog.

We need to investigate the current roles and permissions in HMC as well as propose a solution going forward.

Current Status & Options

The Hybris role management is very limited, and the main problem is that currently all employees are created as admins. The first problem is that we cannot restrict the Admin group. Doing so would be a bad idea: in case of emergency, an admin user must be able to perform any action.

First, it's necessary to assign a new group or an existing one (for example: productmanagergroup) to the Hybris employee users in question, so that the Merch Users can be identified.

Second, it's necessary to modify the corresponding Product Validator to take into account the following scenarios:

  • When the product is being modified and the employee has this group assigned, if she/he tries to modify the attributes normals or triptychMediaSet, a Java Exception is thrown, preventing the modification. Note that (contradicting the Overview section) the exception doesn't take into account the catalog version (Staged, Online), because the user could modify the properties in the Staged catalog and then synchronise them, or modify the Online catalog directly.
  • There is an exclusion to the previous point: the interceptor is triggered during the synchronisation process (because a copy of the product is created from Staged to Online), so it's important to skip this validation during synchronisation.
  • It's necessary to test scenarios in which there could be no user in session (cronjobs that modify products, for example).
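
The three scenarios above can be pinned down as one decision function before the validator itself is touched. The following is an added example, not the project's code: it is a plain-Java model that uses no Hybris APIs, the class and method names are hypothetical, the sample users are constructed, and letting a save with no session user through is an assumption that still has to be confirmed by the tests mentioned above.

```java
import java.util.Set;
import java.util.TreeSet;

// Added example: plain-Java model of the validator's decision; it uses no Hybris APIs.
public class MediaEditGuard {
    static final Set<String> PROTECTED = Set.of("normals", "triptychMediaSet"); // from the page
    static final String RESTRICTED_GROUP = "productmanagergroup"; // the page's example group

    // userGroups: group UIDs of the session user, null when no user is in session.
    // modified: attribute qualifiers changed in this save.
    // syncInProgress: true while the Staged-to-Online synchronisation copies the product.
    // Returns the protected attributes this save must not change (empty set = allow).
    static Set<String> blockedAttributes(Set<String> userGroups, Set<String> modified,
                                         boolean syncInProgress) {
        if (syncInProgress) return Set.of();      // the sync copy is excluded from the check
        if (userGroups == null) return Set.of();  // ASSUMPTION: no session user (cronjob) passes
        if (!userGroups.contains(RESTRICTED_GROUP)) return Set.of(); // other users unaffected
        Set<String> blocked = new TreeSet<>(modified);
        blocked.retainAll(PROTECTED);             // catalog version is deliberately not consulted
        return blocked;
    }

    // Throws where the real validator would throw its exception.
    static void validate(Set<String> userGroups, Set<String> modified, boolean syncInProgress) {
        Set<String> blocked = blockedAttributes(userGroups, modified, syncInProgress);
        if (!blocked.isEmpty()) {
            throw new IllegalStateException("Media attributes are read-only for this user: " + blocked);
        }
    }

    public static void main(String[] args) {
        Set<String> merch = Set.of("employeegroup", RESTRICTED_GROUP); // constructed sample users
        Set<String> admin = Set.of("admingroup");
        validate(merch, Set.of("name", "description"), false); // unrelated attributes: allowed
        validate(admin, Set.of("normals"), false);             // not in the group: allowed
        validate(merch, Set.of("normals"), true);              // synchronisation: allowed
        validate(null, Set.of("triptychMediaSet"), false);     // no user in session: allowed
        try {
            validate(merch, Set.of("normals", "name"), false); // Staged or Online: rejected
            System.out.println("unexpected: edit was allowed");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the synchronisation and no-user branches both bypass the check, whatever signal the real validator uses for them must not be something a restricted user can set from their own session.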