We are building a Magento 2.2 EE site with multiple websites. The use case is to restrict website-level administrators to only access data of their own website. We have found multiple bugs in the Magento backend with website-restricted admin rights. Here is an example below.
There is a problem with admin user role scope. If there are multiple websites and an admin user role which has access to only one of the websites, this user can enable or disable a product in other websites too, even though it shouldn’t have the access.
Steps to reproduce:
1. Create a second website, store and store view.
2. Create a new admin user role.
3. Assign Role Scopes to Custom, and give the role permission only to one of the websites.
4. Assign a user with this role.
5. With this user, create or edit a product, and go to the "Product in Websites" section.
Expected result: User can only control the product in websites that this role has access to.
Actual result: All the websites are listed in this section. User can control if the product is in websites to which this role shouldn't have access.
Does anyone else struggle with this? Should we even be doing this? Why does the product have the option to restrict roles by website, if the feature doesn't work?
I have followed the exact steps which you mentioned, and it looks like you are correct!!
Basically, Products in websites is a product attribute of Magento 2, so I double-checked whether there is any possibility to give permissions/restrictions to a product attribute, but unluckily there is no option to do that.
Magento 2 EE doesn't have attribute-level permission restrictions, where we can restrict the value of a product attribute like Product in website.
So yes, there is no option for that as of now. As it's Enterprise, you can ask your assigned technical manager about this issue or raise a ticket over there, or else you can also post it as a feature request, as this is a very good option.