Arcadier applies a role-based access control (RBAC) model in which the assigned Role determines:
- Portal access (Buyer Portal, Merchant Portal, Admin Portal)
- Permitted API operations
- Data visibility scope
- Functional capabilities (for example, item creation, order fulfilment)
A single user account may transition between roles depending on business requirements.
Guest Users vs Registered Users
Arcadier supports guest purchasing without an explicit account-creation step. When guest checkout is handled by the hosted UI, the platform typically creates (or reuses) a temporary user account and an access identity token, and uses them to proceed through the cart and checkout APIs.
In the hosted UI flow, guest checkout involves navigating to an item, adding it to cart, proceeding to checkout, filling in address details, and completing payment. The system internally manages a temporary identity context to process the transaction.
In API-driven implementations, guest checkout creates a temporary identity context as follows:
- Retrieve the item GUID (and the child item GUID for variants).
- Add the item to the cart using an Admin token; the system creates a guest user for the cart.
- The API response returns the generated User GUID (the guest user) and a generated authorisation token for that guest.
- Continue checkout using the guest GUID and token: generate the invoice/orders, update the order details, and update the transaction details.
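The following Python sketch walks the four API-driven steps above from the server side. It is an added illustration, not Arcadier's own SDK or sample code: the endpoint paths (`/api/v2/carts`, `/api/v2/users/{guid}/...`), request body keys and response field names (`UserID`, `Token`, `InvoiceNo`) are assumptions chosen only to show the flow, and `fake_arcadier` is a constructed stand-in for the platform so the code runs offline. The point it makes explicit is the token boundary: the Admin token is used once, to mint the guest identity, and every subsequent call is signed with the guest's own token, so the Admin credential never has to reach the buyer's browser.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# One API call: (HTTP method, path, bearer token, JSON body); the transport answers (status, JSON payload).
Request = Tuple[str, str, str, Optional[dict]]
Transport = Callable[[Request], Tuple[int, dict]]


@dataclass
class GuestSession:
    user_guid: str   # generated User GUID of the guest (step 3 of the flow)
    token: str       # generated authorisation token for that guest (step 3 of the flow)


class GuestCheckout:
    """Server-side orchestrator; endpoint paths and field names are ASSUMED, not documented Arcadier values."""

    def __init__(self, admin_token: str, transport: Transport) -> None:
        self._admin_token = admin_token   # secret held on the server only
        self._send = transport
        self.calls: List[Request] = []    # audit trail: which token signed which call

    def _request(self, method: str, path: str, token: str, body: Optional[dict] = None) -> dict:
        req = (method, path, token, body)
        self.calls.append(req)
        status, payload = self._send(req)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def create_guest_cart(self, item_guid: str, child_item_guid: Optional[str] = None,
                          quantity: int = 1) -> GuestSession:
        # Steps 1-3: the caller supplies the item GUID (child GUID for a variant); the
        # add-to-cart call is signed with the Admin token and returns the guest identity.
        body = {"ItemDetail": {"ID": child_item_guid or item_guid}, "Quantity": quantity}
        payload = self._request("POST", "/api/v2/carts", self._admin_token, body)
        return GuestSession(user_guid=payload["UserID"], token=payload["Token"])

    def complete_checkout(self, guest: GuestSession, address: dict, payment_ref: str) -> str:
        # Step 4: invoice/orders, order details and transaction details, all with the guest token.
        base = f"/api/v2/users/{guest.user_guid}"
        invoice = self._request("POST", f"{base}/invoices", guest.token, {"Address": address})
        invoice_no = invoice["InvoiceNo"]
        self._request("PUT", f"{base}/invoices/{invoice_no}/orders", guest.token, {"Status": "Pending"})
        self._request("PUT", f"{base}/transactions/{invoice_no}", guest.token, {"PaymentRef": payment_ref})
        return invoice_no

    def tokens_used(self) -> List[str]:
        return [token for _, _, token, _ in self.calls]


def fake_arcadier(admin_token: str) -> Transport:
    """Constructed stand-in for the platform API. It enforces the boundary the text implies:
    only the Admin token may mint a guest, and guest-scoped routes accept only that guest's token."""
    guest = GuestSession("guest-0001", "guest-token-xyz")   # constructed sample identity

    def send(req: Request) -> Tuple[int, dict]:
        method, path, token, body = req
        if path == "/api/v2/carts":
            if token != admin_token:
                return 401, {"error": "Admin token required"}
            return 200, {"UserID": guest.user_guid, "Token": guest.token, "Items": [body["ItemDetail"]]}
        if path.startswith(f"/api/v2/users/{guest.user_guid}/"):
            if token != guest.token:
                return 401, {"error": "guest token required for this user"}
            return 200, {"InvoiceNo": "INV-0001"} if path.endswith("/invoices") else {"ok": True}
        return 404, {"error": "unknown route"}

    return send


def run_demo() -> dict:
    admin = "admin-token-SECRET"   # constructed; in a real deployment this lives only on the server
    client = GuestCheckout(admin, fake_arcadier(admin))
    guest = client.create_guest_cart("item-guid-1234", child_item_guid="child-guid-5678")
    invoice = client.complete_checkout(guest, {"Line1": "1 Example St"}, payment_ref="pay-ref-42")
    return {"guest_guid": guest.user_guid, "invoice": invoice, "tokens": client.tokens_used()}


if __name__ == "__main__":
    print(run_demo())
```

Run `run_demo()` and inspect `tokens`: the Admin token appears exactly once (the cart creation) and the three checkout calls carry only the guest token. Keeping the orchestration on the server, as here, is what makes that separation hold; a browser-side implementation would have to embed the Admin token in the client.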