Manage Customer Users in the Back-Office
This section is part of the Customer Management topic, which provides a general understanding of accounts, contacts, customers, and the customer hierarchy available in Oro applications.
Customer users act on behalf of the company (i.e., customers in the Oro context) and may have a limited set of permissions in OroCommerce, depending on their function in the customer organization.
For customer user management, navigate to Customers > Customer Users in the main menu.
In the Customer Users section, you can:
- View, edit, and create new customer users.
- Select their roles in OroCommerce to define their level of permissions and access to the actions and data in OroCommerce storefront.
- Manage customer user information (name, birthday, billing and shipping address, phone number, etc.).
- View requests for quotes, quotes, sales orders, and shopping lists created by the customer user.
- View communication with the customer that happened using email, notes or scheduled events.
- View additional information attached to the customer user.
- Enable and disable the customer.
- Reset the customer user password.
- Add OAuth applications.
You can delegate this function to the customer who will access user and role management in the OroCommerce storefront (see the Delegating Users and Role Management to the Customer section for more information).
Customer Account Confirmation
Upon registration, a customer user receives an email confirmation request. Once they follow up with the requested action, their account is marked as confirmed.
Hover over the More Options menu to the right of the necessary customer user to perform the following actions:
- View customer user details. Alternatively, click on the item to open its details page.
- Edit customer user details.
- Delete existing customer users.
Create a Customer User
To create a new customer user:
Navigate to Customers > Customer Users in the main menu.
Click Create Customer User.
Select the Enabled check box to enable the user to log into the system and to do their work within it upon creation.
Fill in the customer Name and other personal information.
Select a customer this user represents.
If you are adding a subsidiary of the existing customer, select a parent customer.
Assign a sales representative who will be assisting this customer user. By default, the customer sales representative applies to the customer user.
Select the Generate Password and Send Welcome Email check boxes.
Select the website of customer user registration. While the customer user may have access to other websites within the same organization, the email notifications concerning their user account will point to this website. See Managing Websites for more information.
Select a Preferred Localization for the customer user. This field is displayed if more than one localization is enabled for any of the websites of the current organization. If you change the website for the customer user, you will need to select a new preferred localization.
Add billing and shipping addresses as described in the Address Book section.
In the Roles section, select the roles that should apply to the customer user. When several roles are selected, granted permissions are accumulated from all the assigned roles. See Managing Customer User Roles for more information.
At least one role must be assigned if the Enabled check box is selected. Disabled customer users can be saved without roles, but you will need to assign roles to them later before enabling.
Click Save on the top right.
View Accepted Consents
When at least one consent to process personal data has been accepted by a customer user in the storefront, you can view this information in the dedicated Consents section on the page of a particular customer user under Customers > Customer Users.
You can read more information on consent management in the following related topics:
Delegate Account Management to a Customer User
You may want to delegate some of the customer user management capabilities to customer users with the administrator role by enabling Account Management permissions and capabilities. See the Customer User Roles section for more information about permissions and capability management.
Add OAuth Applications
Oro applications support the OAuth 2.0 client credentials grant type to enable third-party applications to connect to the web API. To connect a third-party application, you need to add it and configure its pre-generated credentials in the back-office of your Oro application. These credentials are managed at the user level, which enables generation of different credentials for various applications across multiple organizations.
To be able to add an OAuth application, make sure that you generate private and public encryption keys and add them to the /var directory of the installed Oro application. Although the path to the keys is predefined, you can change it by providing your custom location in the config.yml file.
If no keys are found, the following warning message will be displayed in the back-office:
OAuth authorization is not available as encryption keys configuration was not complete. Please contact your administrator.
Oro Side: Add an Application
To add a new OAuth application for a customer user in the back-office:
- Navigate to Customers > Customer Users in the main menu.
- Click once on the name of your selected customer user to open their details page.
- In the OAuth Applications section, click Add Application and provide the following details in the pop-up dialog:
- Organization — If you are adding an application within the organization with global access, you can select which other available organization to add the application to.
- Application Name — Provide a meaningful name for the application you are adding.
- Active — Select the Active check box to activate the new application.
- Click Create.
A corresponding notification is sent to the primary email address of the user who owns the OAuth application. If needed, you can change the default recipient, localization, or email content by updating the OAuth email templates and the related notification rule that are set out-of-the-box in the system configuration.
Once the application is created, you are provided with a Client ID and a Client Secret. Click on the icon to copy the credentials to the clipboard.
For security reasons, the Client Secret is displayed only once – immediately after you have created a new application. You cannot view the Client Secret anywhere in the application once you close this dialog, so make sure you save it somewhere safe so you can access it later.
You can add as many applications as you need for any of your existing organizations. All added applications are displayed in the grid, and you can filter them by name, organization, and status.
Use the More Options menu to edit, deactivate or delete an application.
Use the generated Client ID and Client Secret to retrieve an access token to connect to your Oro application.
Third Party Side: Generate Token
To configure machine-to-machine authentication and retrieve the access token:
Provide your Request URL.
The Request URL consists of your application URL and the /oauth2-token slug, e.g.,
Send a POST request with the following body parameters to the authorization server:
- grant_type with the value client_credentials
- client_id with the client’s ID
- client_secret with the client’s secret
- scopes with a space-delimited list of requested scope permissions
client_credentials is currently the only supported grant type.
Receive a response from the authorization server with a JSON object containing the following properties:
- token_type with the value Bearer
- expires_in with the value 3600 (seconds). Once the token is generated, it is valid for an hour and can be used multiple times within this time limit to request the necessary data.
- access_token with a JSON Web Token signed with the authorization server’s private key
Use the generated access token to make requests to the API.
Access tokens for backend and frontend API are not interchangeable. If you attempt to request data for the frontend API with a token generated for the backend application (i.e., a back-office user), access will be denied.
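The token request and response described above, as an added Python example (not Oro's own code): it requests a client_credentials token from the /oauth2-token slug, checks the response properties listed on this page, and reuses the token until shortly before expires_in runs out. The form-encoded body, the HTTPS check, the 60-second refresh margin, the Authorization header format, and all class, function, and parameter names are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2-token"  # slug named on this page


def http_post_form(url, fields):
    """Default transport: form-encoded POST (the encoding is an assumption)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenClient:
    """Fetches and caches a client_credentials access token (hypothetical helper)."""

    def __init__(self, base_url, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, margin=60):
        # The client secret travels in the request body, so refuse plain HTTP.
        if not base_url.startswith("https://"):
            raise ValueError("token endpoint must use HTTPS")
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._fields = {"grant_type": "client_credentials",
                        "client_id": client_id,
                        "client_secret": client_secret}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"TokenClient(url={self._url!r}, client_id={self._fields['client_id']!r})"

    def access_token(self):
        """Return the cached token, requesting a new one near expiry."""
        if self._token is None or self._clock() >= self._expires_at:
            body = self._post(self._url, dict(self._fields))
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"]) - self._margin
        return self._token

    def auth_header(self):
        """Header for API calls (standard Bearer token usage)."""
        return {"Authorization": "Bearer " + self.access_token()}
```

Load the Client Secret from an environment variable or a secret store rather than from source code, since the back-office shows it only once.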