Set Up Business Manager Users

Learning Objectives

After completing this unit, you’ll be able to:

Explain how to create a Business Manager user.
Explain unified authentication.
Explain why it’s important to create passwords for a storefront that’s under development.
Explain what an administrator must do to change a password.

Business Manager and Account Manager

Business Manager is the Salesforce B2C Commerce online tool for configuring and managing B2C Commerce storefronts. Linda Rosenberg, Cloud Kicks’ new administrator, is getting a handle on her admin tasks for Business Manager users. She understands how important it is to assign and restrict access to Business Manager modules based on job tasks. She’s also learned how using predefined roles improves her efficiency and her site’s data security.

Today, she plans to set up some new users and manage permissions for existing users. She also plans to change some existing user data, help users reset their passwords, and configure storefront passwords.

First things first. Her manager has asked her to create records for two new employees: Peter Wong, another administrator, and Traude Beck, a senior merchandiser. Linda learns that merchandisers need access to the Business Manager campaigns and promotion functions, while administrators like her need access to the import and export functions. Linda jots this down for later for when she’s ready to assign their user roles.

Each account in Account Manager is assigned various roles, some providing user access to Business Manager. Account Manager provides Business Manager users with multi-factor authentication (MFA) security. Depending on an organization’s settings, accounts can be local or linked to Salesforce Identity, which allows companies to manage apps, users, and data sharing with simplicity and transparency.

With local accounts, all Account Manager roles require MFA to log into Account Manager.
With Salesforce Identity, new users must log in to Account Manager with MFA to complete linking their account with Salesforce Identity.

See Register Verification Methods for Multi-Factor Authentication for more details.

Linda creates new user accounts in Account Manager with the appropriate Account Manager roles. Then she creates Business Manager roles for those users to give them access to specific, job-related Business Manager modules and data.

Log into Account Manager

To access Account Manager or Business Manager, you must have a B2C Commerce implementation. In this module, we assume you are a B2C Commerce administrator with the proper permissions to perform these tasks. If you’re not a B2C Commerce administrator, that’s OK. Read along to learn how your administrator would take these steps in a staging instance. Don't try to follow our steps in your Trailhead Playground. B2C Commerce isn't available in the Trailhead Playground. If you have a staging instance of B2C Commerce, you can try out these steps in your instance. If you don't have a staging instance, ask your manager if there is one that you can use.

Local Account

Here’s how Linda logs into Account Manager with a local account.

In a web browser, go to https://account.demandware.com/. (You must have an Account Manager account.)
Enter your username (email address).
Click LOG IN.
Enter your password.
Click LOG IN.
Verify your identity with MFA.

Linda already registered an MFA verification method, so she just needs to provide her method to finish logging in. If you haven’t registered a method, you’re prompted to do so before you can log in.
If Salesforce hasn’t enforced MFA for your organization yet, and depending on the MFA settings implemented by your administrator, this step might not apply.

Account Linked to Salesforce Identity

Here’s how Linda logs into Account Manager with an account linked to Salesforce Identity.

In a web browser, go to https://account.demandware.com/. (You must have an Account Manager account.)
Enter your username (email address).
Click LOG IN.

Linda is redirected to Salesforce to log in. After successfully logging into Salesforce, she is redirected to Account Manager and logged in without any further steps.

Change Account Information

Here’s how Linda changes account information

Log into Account Manager.
Click Account Details.
The Account Details page shows several fields whose values you can modify: First Name, Last Name, Business Phone, Mobile Phone, Home Phone, and Preferred Language.
After you change the field values, click Update.
A message appears indicating that your account details are successfully updated.
Click Continue.

Edit an Organization

As an Account Manager account administrator, Linda can edit an organization for the following:

The password policy: length, history, days until expiration
The multi-factor authentication (MFA) verification methods available for users to verify their identity when logging in to B2C Commerce applications
Enabling users to link Account Manager accounts to an existing account in the organization in the Salesforce Platform

Here’s how to edit an organization.

Log into Account Manager.
Click Organization.
Click the organization you want to edit.
Edit the user’s name.
Edit the password policy settings.
- Minimum password length
- Length of password history: number of passwords remembered
- Days until password expires
Configure password settings:
- Minimum number of alphabetic characters in a password: 1
- Minimum number of digits in a password: 1
- Number of password policy categories that are cross-checked: 2
- Maximum number of failed login attempts until an account is locked for 30 minutes: 6
Enable users to link their Account Manager accounts with their Salesforce accounts in your Salesforce organization to provide Single-Sign-On (SSO) across Salesforce products: allow, enforce, or disable.
Define which MFA methods your users can choose: Salesforce Authenticator, TOTP authenticator apps, or FIDO U2F/WebAuthn (FIDO2) compatible security keys.
Click Save.

For most organizations, Salesforce has integrated MFA into the B2C Commerce login experience and MFA can’t be disabled. If MFA hasn’t been enforced for your organization, Salesforce strongly recommends that you enable it on your own. There are two options:

Select MFA enabled for all users in the organization to turn on MFA for everyone who logs in to B2C applications.
Enable MFA by role:
1. Click Add next to MFA User Settings.
2. Search and select the roles that require MFA.
3. To enable MFA for the selected roles, click Add.

To disable MFA for a role, click the trash bin icon next to the role.

Create Business Manager Users

Best practice: Use a naming convention for user IDs and email addresses.

At Cloud Kicks, Linda’s manager instructs her to use pwong for Peter’s user ID and p_wong@cloudkicks.com for his email address. Likewise, she uses tbeck for Traude’s user ID and t_beck@cloudkicks.com for her email address. Linda is ready to create the users in Account Manager. Here are the steps she takes.

In Account Manager on the User tab, click Add User.
Enter the email address: Peter Wong
Click Add.
Add user details.
- Email Address: p_wong@cloudkicks.com
- First Name: Peter
- Last Name: Wong
- (Optional) phone numbers and preferred language
In the Organizations section, click Add.
- Select each organization to which the account belongs and click Add.
- Select Peter’s primary organization.
  Only account administrators for the primary organization can manage Peter’s account.
In the Roles section, click Add.
- Select Business Manager Administrator for Peter in the eCommerce Platform section. This roles requires access to a specific sandbox or PIG instances and a role scope.
- Click Add.
- Select the filter icon.
- Click the Add Instances Filters tab and select an organization.
- Enter the names of the instances you want Peter to access.
- Select the instances that Peter needs to connect to.
Click Add.
Account Manager sends a message to Peter’s email address, which he can use to activate his account.

Linda creates a record for Traude in the same way, except with the Business Manager User role. The preferred data locale that displays when Traude creates data is important because Traude is responsible for creating promotions, products, and content in that language. When Cloud Kicks expands to new geographic locations, the administrator needs to add any new languages to the appropriate users. For now, the default is English.

Once Linda clicks Apply, Account Manager automatically sends an email to Peter and Traude with a system-generated password that asks them to create a new password that’s difficult to guess. They are required to change their password every 90 days.

Password Requirements

User passwords must meet certain requirements to access Business Manager.

They must contain numbers.
They must contain upper and lower case letters.
The default minimum length is 8, and the default maximum length is 25. (You can change the defaults.)
They must contain at least one special character by default.

Change User Info

Account Manager lets Linda change all user account information, except the email address. Her manager receives an email from corporate security saying that the email address convention has changed. Instead of using the <first initial>underscore<familyname>, she must now use the <familyname><three digit number><first initial> convention for all new hires. Existing employees can use the previous convention, but Peter and Traude must use the new one. That means Linda must create new user records for both of them.

Expired Passwords

Account Manager automates some tasks, such as notifying the user by email 7 days and then 1 day before a password expires. Cloud Kicks set up this automation per its password expiration policy.

Password and ID Resets

Linda uses Account Manager to reset a user's account. This helps if the user forgets their password or if she wants to unlink an Account Manager account from a Salesforce account. When she resets a user's account, she puts the account in the same state it was in when it was initially created. The user must reactivate it.

Here’s how she resets an account:

Log into Account Manager.
Click User.
Find the user.
Click Reset beside their account.
Confirm the reset.
Click OK.

Account Manager resets the user's account. If the account is linked to a Salesforce account, Account Manager cancels the link. Account Manager sends a message to the user’s email address with an activation URL. Account Manager also shows a text message beside the user's account that says the account was successfully reset and includes the activation URL. If the user doesn’t receive the email message, Linda can copy the activation URL and email it manually.

Locked Accounts

Sometimes users try and fail to log in too many times and end up locking their account. This just happened to Traude. After six unsuccessful attempts to log in to an account, Account Manager temporarily locked the account for 30 minutes. Traude needs immediate access to complete a high priority work assignment, so she contacted Linda. Here’s what Linda does.

Log into Account Manager.
Click Users.
In the Organization User section, find Traude's record.
Click Unlock beside her record.

Linda’s manager asked her to update Business Manager user security settings to enforce a more secure policy. Here’s how she does it.

Open Business Manager.
Click Administration > Global Preferences > Security.
Configure the following:
- Maximum invalid login attempts. She changes this from 6 to 3.
- Lockout effective period. She leaves this at 30 minutes.
- The number of days after which a user is required to change their password. She leaves the default 60 days.
- Accounts will be deactivated if not active. She changes this from 90 to 60 days per the new policy.
- Is the user is required to answer a security question to change their password? She leaves this as no.
- Enforce password history. She ignores this.
- Minimum password length. She changes this from 6 to 8 characters per the new policy.
- Minimum number of special characters. She leaves this as 1.
- Minimum login length. She changes this from 4 to 6 characters per the new policy.

New Storefront Protection

Cloud Kicks is in the process of implementing a new site within its organization to expand its business. Currently, only Business Manager users with the Access_Protected_Storefront functional permission can log in to the new storefront. Cloud Kicks needs to expand access to some users who don’t have the Business Manager permission. Linda uses a few security options to enable this.

First, Linda enables password protection for the new site. Then she creates a shared site password that restricts access to the site’s development, staging, and production instances to only the people involved in the implementation. This feature blocks access to both dynamic and static pages. If someone tries to log in without the site password, they get an HTTP response 403 (Access Forbidden) error.

At the same time, Linda’s manager asks her to invalidate static content cache. Static content cache retains content that’s been displayed on the storefront; this content is available to any user until it’s invalidated.

Here are the steps Linda takes.

Open Business Manager and select Administration > Sites > Manage Sites.
Select the new site name.
Click the Site Status tab.
Select the site status: Online (Protected).
Enter a password. In the B2C Commerce storefront, you can use the following special characters for usernames and customer logins: #!&$%*+/?=^`~}|{ This is because storefront applications that enforce a mapping between email address and user name require that login attributes support any character that’s valid in an email address.
Click the Cache tab.
Click Invalidate next to Static Content Cache and Entire Page Cache for Site.

The storefront password doesn’t expire. Storefront password resets expire in 30 minutes.

Next Steps

In this unit Linda learned how to add a user and change user information in Account Manager. She also learned why it’s important to password-protect a fledgling storefront. In the next unit, she learns how to create roles and assign them to users.