Broadleaf Microservices

Admin User Release Notes for 2.1.4-GA

Requirements

  • JDK 17 is required for Broadleaf release trains 2.0.0-GA, and beyond.

New Features & Notable Changes

Created a separate permission to allow admins to modify their own preferences

Introduced a separate ALL_ADMIN_USER_PROFILE permission and ADMIN_USER_PROFILE security scope. Before this, the general ADMIN_USER scope was used to gate whether an admin user can modify their own preferences, but that scope also provides access to view and manage other admin users. The ALL_ADMIN_USER_PROFILE permission has also been added to all roles out of box for users of the Broadleaf Initializr. The previous ADMIN_USER scope will also still function as before to access the user preference endpoint(s), but the new permission allows finer access control.

SQL Inserts for New Permission and Scope with Out-of-Box Role Mappings
INSERT INTO auth.blc_security_scope (id, name, open) VALUES ('-10009', 'ADMIN_USER_PROFILE', 'N');
INSERT INTO auth.blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-10009', 'ADMIN_USER_PROFILE', 'Y', '-10009');
INSERT INTO auth.blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-10011', 'N', '2025-05-21 12:53:58.413970', 'ALL_ADMIN_USER_PROFILE', 'N', 'Y');
INSERT INTO auth.blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-10012', 'N', '2025-05-21 12:53:58.413970', 'READ_ADMIN_USER_PROFILE', 'N', 'Y');
-- map to existing admin roles --
-- PARTIAL_ACCESS
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-1', '-10012');
-- FULL_ACCESS
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-2', '-10011');
-- APPLICATION_ACCESS
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-7', '-10011');
-- ROLE_MARKETPLACE_OPERATOR
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-200', '-10011');
-- ROLE_VENDOR_ADMIN
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-201', '-10011');
-- ROLE_VENDOR_MERCHANDISER
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-202', '-10011');
-- openapi
INSERT INTO auth.blc_client_scopes (id, scope) VALUES ('openapi', 'ADMIN_USER_PROFILE');
INSERT INTO auth.blc_client_permissions (id, permission) VALUES ('openapi', 'ALL_ADMIN_USER_PROFILE');

Admin User Preferences Endpoints Now Use the Admin User ID Claim to Resolve the Currently Authenticated Admin User

This changes the way in which the admin user preferences endpoints resolve the currently authenticated admin user. Instead of using the name on the principal (the username), the system now uses the admin_user_id claim. This is more robust because the username in the token might not match the case stored in the database, and the admin user's context ID is a ULID, so it is indexed and looked up more reliably and efficiently.

Important
We also deprecated AdminUserService#updateUserPreferencesByName in favor of #updateUserPreferences.
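As an added example (not Broadleaf's own code) of the behavior described in the two notes above: a Spring Security resource-server controller that resolves the current admin user from the admin_user_id claim on the already-validated JWT instead of the principal name, and gates the endpoint on the ADMIN_USER_PROFILE scope. Only the claim name and the scope name come from the release note; the controller class, the PreferencesStore interface, the endpoint path, and the SCOPE_ authority prefix (Spring's default JwtAuthenticationConverter mapping) are assumptions.

```java
// Added example, not Broadleaf code. Resolves the current admin user from the
// admin_user_id JWT claim rather than from the principal name (the username).
import java.util.Map;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AdminUserPreferencesController {

    // Claim name and scope name from the release note.
    static final String ADMIN_USER_ID_CLAIM = "admin_user_id";
    static final String PROFILE_SCOPE = "ADMIN_USER_PROFILE";

    // Hypothetical persistence abstraction; keyed by the admin user's ULID.
    public interface PreferencesStore {
        void update(String adminUserId, Map<String, Object> preferences);
    }

    private final PreferencesStore store;

    public AdminUserPreferencesController(PreferencesStore store) {
        this.store = store;
    }

    // Assumes Spring's default mapping of the token's scope claim to
    // "SCOPE_<name>" authorities; adjust if a custom converter is configured.
    @PreAuthorize("hasAuthority('SCOPE_" + PROFILE_SCOPE + "')")
    @PutMapping("/admin-users/me/preferences") // hypothetical path
    public ResponseEntity<Void> updateMyPreferences(@AuthenticationPrincipal Jwt jwt,
                                                    @RequestBody Map<String, Object> preferences) {
        String adminUserId = resolveAdminUserId(jwt);
        if (adminUserId == null) {
            // The token carries no usable admin_user_id. Do not fall back to the
            // username: that would reintroduce the case-mismatch problem the
            // claim-based lookup was introduced to avoid.
            return ResponseEntity.status(403).build();
        }
        // The ULID is compared and stored verbatim; no case folding is needed.
        store.update(adminUserId, preferences);
        return ResponseEntity.noContent().build();
    }

    // Reads the claim from the validated token. Returns null when absent or blank
    // so the caller can refuse the request rather than guess an identity.
    static String resolveAdminUserId(Jwt jwt) {
        if (jwt == null) {
            return null;
        }
        String id = jwt.getClaimAsString(ADMIN_USER_ID_CLAIM);
        return (id == null || id.isBlank()) ? null : id;
    }
}
```

The claim is only trustworthy because the resource-server filter chain has already verified the token's signature and expiry before the controller runs; resolveAdminUserId deliberately does no parsing of its own beyond reading the claim.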

Miscellaneous

  • Changed the back link button on the My Preferences page to redirect to the Admin Portal home page.

Bug Fixes

  • Fixed the Admin User fetching logic so that it returns users who have application access but no restricted applications; such users have access to all applications.