, Restricting access to the Hybris Commerce Backoffice application, Acorel
Gratis demo
, Restricting access to the Hybris Commerce Backoffice application, Acorel

Restricting access to the Hybris Commerce Backoffice application

Daniël Roest

With the SAP Hybris Commerce 6.0 release, the Customer Service Cockpit is migrated into the Backoffice application. With this change, SAP Hybris has officially deprecated the HMC (SAP Hybris Management Console) and moved their first major legacy cockpit into the Backoffice.

As the Backoffice will not only be used by administrator users, but also by others, such as key-users or local administrators, we would like to restrict access to the application to certain data, functionality and configuration settings. Let’s see how we can do this. In this example, we want to restrict access for so called portal administrators to only maintain companies, customers and user groups.

Custom backoffice extension

Start by creating your own backoffice extension via ant extgen using the ybackoffice template and add this to your localextensions.xml.

Backoffice roles

Now we need to define the backoffice role with the restricted access, in our example named portaladminborole. Bacause we want to keep the access for the existing administrators unchanged, we also create admingroupbackofficerole for these users. These roles are a subtype of UserGroup:

Make sure that you set Disable backoffice Login to False on the Administrator tab! If a user is not assigned to at least one role with this setting, he doesn’t have access to Backoffice.

In case you also want to restrict access to certain data types, you can do this via the Access Rights tab in HMC. This tab is not visible in the Backoffice application.

Now assign these new backoffice role user groups to the different users or user groups:

Explorer tree

We want to restrict access to only Company, Customer and User Groups in the explorer tree. In file <yourname>-backoffice-config.xml add the following:

<context component=”explorer-tree” principal=”portaladminborole” merge-mode=”none”>

   <explorer-tree:explorer-tree xmlns:explorer-tree=”http://www.hybris.com/cockpitng/config/explorertree” xmlns:advanced-search=”http://www.hybris.com/cockpitng/config/advancedsearch” xmlns:df=”http://www.hybris.com/cockpitng/component/dynamicForms” xmlns:dsb=”http://www.hybris.com/cockpitng/config/dashboard” xmlns:editorArea=”http://www.hybris.com/cockpitng/component/editorArea” xmlns:list-view=”http://www.hybris.com/cockpitng/component/listView” xmlns:simple-search=”http://www.hybris.com/cockpitng/config/simplesearch” xmlns:wz=”http://www.hybris.com/cockpitng/config/wizard-config” xmlns:y=”http://www.hybris.com/cockpit/config/hybris”>

      <explorer-tree:navigation-node id=”hmc_treenode_user”>

         <explorer-tree:type-node code=”company” id=”hmc_typenode_company”/>

         <explorer-tree:type-node code=”Customer” id=”hmc_typenode_customer”/>

         <explorer-tree:type-node code=”UserGroup” id=”hmc_typenode_usergroup”/>




By filling attribute principle with portaladminborole we restrict this tree to only these users. We can enter both backoffice roles and user IDs here separated by comma.

You can also edit this file (actually the merged file from all extensions) in the Orchestrator Mode while you are in the Backoffice Application. To enable this mode make sure the user is assigned to backofficeadmingroup (which is OOTB assigned to admingroup) and press F4. Via the Orchestrator you can easily make and test all kinds of changes without the need to rebuild the system, but they are not persistent and gone after a reboot.


After rebuilding the system, we are now able to login to Backoffice and see our changes. In this case we login as admin and because we have more than one backoffice role assigned, the applications asks us to choose the role (also called Authority Group) to use.

With our Portal Admin role we now see our limited tree!

, Restricting access to the Hybris Commerce Backoffice application, Acorel

Daniël Roest