| description | Commands for administering Business Manager resources on a B2C Commerce instance — access roles, users, access keys, and identity (whoami). |
|---|
Commands for administering instance-level Business Manager resources. These are distinct from Account Manager commands which manage cross-instance identity.
Most bm users and bm roles commands support both the OCAPI Data API and the SCAPI Merchant Users / Merchant Roles APIs. By default (auto mode), SCAPI is preferred when shortCode and tenantId are configured. If the SCAPI scopes aren't granted on your API client, the CLI silently falls back to OCAPI.
# Force SCAPI backend
b2c bm users list --api-backend scapi
# Force OCAPI backend
b2c bm roles get Administrator --api-backend ocapiOr set in dw.json: "api-backend": "scapi". Or SFCC_API_BACKEND=scapi env var.
| Command | SCAPI | OCAPI |
|---|---|---|
bm users list/get/update/delete |
✓ (sfcc.users.rw) |
✓ |
bm users search |
✗ — OCAPI only | ✓ |
bm whoami |
✗ — OCAPI only | ✓ |
bm access-key * |
✗ — OCAPI only | ✓ |
bm roles list/get/create/delete |
✓ (sfcc.roles.rw) |
✓ |
bm roles grant/revoke |
✓ (sfcc.roles.rw) |
✓ |
bm roles permissions get/set |
✓ (sfcc.roles.rw) |
✓ |
::: warning
The SCAPI Users PATCH endpoint does not support changing the disabled flag. bm users update --disabled falls back to OCAPI in auto mode; with --api-backend scapi it errors with a clear message.
:::
BM commands authenticate via OAuth against the configured Commerce Cloud instance. Two flows are supported:
- Client credentials — for automation and CI/CD. Configure an Account Manager API client and grant it the OCAPI permissions listed below. Pass credentials via
--client-id/--client-secret, theSFCC_CLIENT_ID/SFCC_CLIENT_SECRETenvironment variables, ordw.json. - User auth (browser) — for interactive use. Pass
--user-auth(or runb2c auth loginonce and reuse the saved session). The CLI opens a browser and the resulting token carries your BM user identity.
A handful of endpoints require a real BM user identity and cannot use service-client tokens — the CLI defaults those to user-auth automatically:
| Command group | Default auth | Why |
|---|---|---|
b2c bm roles ... |
client-credentials → jwt → implicit | OCAPI permissions for /roles |
b2c bm users {list,get,search,update,delete} |
client-credentials → jwt → implicit | OCAPI permissions for /users |
b2c bm whoami |
implicit (browser) | /users/this requires the token to resolve to a BM user |
b2c bm access-key ... |
implicit (browser) | Access-key endpoints require a valid user plus the Manage_Users_Access_Keys BM functional permission |
Override the auto-defaulted user-auth with --auth-methods client-credentials (or --client-secret) when your service-client setup is configured to issue user-bearing tokens. The interactive defaults can also be skipped end-to-end by exporting SFCC_AUTH_METHODS=client-credentials,jwt in CI.
See the Authentication Guide for end-to-end setup, including the BM administration OCAPI snippet.
Add these resources to the Data API client configuration in Business Manager (Administration > Site Development > Open Commerce API Settings > Data API):
| Resource | Methods | Used by |
|---|---|---|
/roles |
GET | bm roles list |
/roles/* |
GET, PUT, DELETE | bm roles get/create/delete |
/roles/*/users |
GET | bm roles get --expand users |
/roles/*/users/* |
PUT, DELETE | bm roles grant/revoke |
/roles/*/permissions |
GET, PUT | bm roles permissions get/set |
/users |
GET | bm users list |
/users/* |
GET, PATCH, DELETE | bm users get/update/delete |
/users/this |
GET | bm whoami, bm access-key (optional login fallback) |
/users/*/access_key/* |
GET, PUT, PATCH, DELETE | bm access-key get/create/set/delete |
/user_search |
POST | bm users search |
For an importable JSON snippet covering all BM administration endpoints, see Minimal Configuration by Feature in the Authentication Guide.
Access-key writes (bm access-key {create,set,delete}) additionally require the Manage_Users_Access_Keys BM functional permission on the user account performing the request. Grant it via Business Manager: Administration > Roles & Permissions. This is why the CLI defaults bm access-key commands to user-auth — service clients cannot carry BM functional permissions.
# Interactive (browser login on first command, session reused after):
b2c auth login --instance my-sandbox
b2c bm whoami
# Client credentials (where supported):
export SFCC_CLIENT_ID=your-client-id
export SFCC_CLIENT_SECRET=your-client-secret
export SFCC_SERVER=my-sandbox.demandware.net
b2c bm users list
# Force user-auth on a command that defaults to client-credentials:
b2c bm users list --user-auth
# Force client-credentials on a command that defaults to user-auth (advanced):
b2c bm access-key get --auth-methods client-credentialsb2c bm roles — manage instance-level Business Manager access roles, user assignments, and role permissions.
List all access roles on an instance.
b2c bm roles list [--count <n>] [--start <n>] [--columns <cols>] [--extended]| Flag | Description |
|---|---|
--count, -n |
Number of roles to return (default 25) |
--start |
Start index for pagination (default 0) |
--columns, -c |
Comma-separated columns to display. Available: id, description, userCount, userManager |
--extended, -x |
Show all columns including extended fields |
b2c bm roles list
b2c bm roles list --server my-sandbox.demandware.net
b2c bm roles list --extended --jsonGet details of a specific access role.
b2c bm roles get <role> [--expand <expansion>...]| Argument | Description |
|---|---|
role |
Role ID (e.g. Administrator) |
| Flag | Description |
|---|---|
--expand, -e |
Expansions to apply (users, permissions). Repeatable. |
b2c bm roles get Administrator
b2c bm roles get Administrator --expand usersCreate a new custom access role.
b2c bm roles create <role> [--description <text>]| Argument | Description |
|---|---|
role |
Role ID to create |
| Flag | Description |
|---|---|
--description, -d |
Description for the role |
b2c bm roles create ContentEditor --description "Role for content editors"::: warning
Reserved role IDs (Support, Business Support) cannot be created.
:::
Delete a custom access role.
b2c bm roles delete <role>b2c bm roles delete ContentEditor::: warning
System roles (e.g. Administrator) cannot be deleted.
:::
Assign a user to an access role.
b2c bm roles grant <login> --role <role>| Flag | Description |
|---|---|
--role, -r |
Role ID to grant (required) |
b2c bm roles grant user@example.com --role AdministratorUnassign a user from an access role.
b2c bm roles revoke <login> --role <role>b2c bm roles revoke user@example.com --role AdministratorGet permissions for an access role.
b2c bm roles permissions get <role> [--output <file>]| Flag | Description |
|---|---|
--output, -o |
Write full permissions JSON to a file for editing |
# View summary
b2c bm roles permissions get Administrator
# Export to file for editing
b2c bm roles permissions get Administrator --output admin-perms.json
# Get raw JSON
b2c bm roles permissions get Administrator --jsonSet (replace) all permissions for an access role from a JSON file.
b2c bm roles permissions set <role> --file <path>| Flag | Description |
|---|---|
--file, -f |
JSON file containing permissions (role_permissions schema) (required) |
b2c bm roles permissions get MyRole --output perms.json
# ... edit perms.json ...
b2c bm roles permissions set MyRole --file perms.json::: warning
This command replaces all existing permissions for the role. Use permissions get --output first to ensure you have the complete set.
:::
The file follows the OCAPI role_permissions schema with four sections:
{
"functional": {
"organization": [{"name": "PERMISSION_NAME", "type": "functional", "value": "ACCESS"}],
"site": []
},
"module": {
"organization": [{"application": "bm", "name": "ModuleName", "type": "module", "system": true, "value": "ACCESS"}],
"site": []
},
"locale": {
"unscoped": [{"locale_id": "default", "type": "locale", "value": "ACCESS"}]
},
"webdav": {
"unscoped": [{"folder": "Catalogs", "type": "webdav", "value": "ACCESS"}]
}
}b2c bm users — query and manage instance-level Business Manager users via the OCAPI /users resource.
::: tip
Most production instances use SSO with Account Manager; creating local BM users via the Data API is rejected with LocalUserCreationException. These commands focus on read/search/lifecycle for AM-managed users plus access-key administration.
:::
List all users on the instance.
b2c bm users list [--count <n>] [--start <n>] [--columns <cols>] [--extended]| Flag | Description |
|---|---|
--count, -n |
Number of users to return (default 25) |
--start |
Start index for pagination (default 0) |
--columns, -c |
Comma-separated columns to display. Available: login, email, name, disabled, locked, lastLogin, externalId |
--extended, -x |
Include extended columns (lastLogin, externalId) |
b2c bm users list
b2c bm users list --count 100
b2c bm users list --extended --json
b2c bm users list --columns login,email,lastLoginGet details of one user by login.
b2c bm users get <login>b2c bm users get user@example.com
b2c bm users get user@example.com --jsonSearch users by login, email, name, lock state, or disabled state. Searchable fields per the Data API: login, email, first_name, last_name, external_id, last_login_date, is_locked, is_disabled.
b2c bm users search [--search-phrase <text>] [--login <login>] [--email <email>] \
[--locked] [--disabled] [--sort-by <field>] [--sort-order asc|desc] \
[--query <json>] [--count <n>] [--start <n>] [--columns <cols>] [--extended]| Flag | Description |
|---|---|
--search-phrase |
Free-text phrase searched across login/email/first_name/last_name |
--login |
Match a specific login |
--email |
Match a specific email |
--locked / --no-locked |
Match locked / unlocked users |
--disabled / --no-disabled |
Match disabled / enabled users |
--sort-by |
Sort field (e.g. last_login_date) |
--sort-order |
asc or desc |
--query |
Raw OCAPI query JSON (overrides convenience flags) |
--count, -n |
Number of users to return (default 25) |
--start |
Start index for pagination (default 0) |
--columns, -c |
Comma-separated columns to display. Available: login, email, name, disabled, locked, lastLogin, externalId |
--extended, -x |
Include extended columns (lastLogin, externalId) |
b2c bm users search --search-phrase smith
b2c bm users search --locked --sort-by last_login_date --sort-order desc
b2c bm users search --query '{"text_query":{"fields":["login"],"search_phrase":"foo"}}'Update non-identity user fields. The locked flag and password cannot be updated through this command — those are governed by Account Manager / SSO.
b2c bm users update <login> [--disabled | --no-disabled] [--first-name <name>] \
[--last-name <name>] [--email <email>] [--external-id <id>] \
[--preferred-ui-locale <locale>] [--preferred-data-locale <locale>]b2c bm users update user@example.com --disabled
b2c bm users update user@example.com --no-disabled --preferred-ui-locale en_US
b2c bm users update user@example.com --first-name Jane --last-name DoeRemove a user from the instance. Prompts for confirmation by default.
b2c bm users delete <login> [--force]| Flag | Description |
|---|---|
--force |
Skip the confirmation prompt |
b2c bm users delete user@example.com
b2c bm users delete user@example.com --force --jsonb2c bm whoami — show the Business Manager user the current OAuth token resolves to. Calls GET /users/this.
b2c bm whoami [--json]Useful for verifying which BM identity is in use after b2c auth login, or for sanity-checking that a token actually carries a user claim.
b2c bm whoami
b2c bm whoami --json | jq -r '.login'::: tip
This command defaults to browser-based user-auth — a fresh shell triggers b2c auth login. The saved session is reused across commands until it expires.
:::
b2c bm access-key — manage WebDAV / OCAPI / Storefront access keys for SSO-managed (externally managed) Business Manager users. These keys let users authenticate to non-OAuth surfaces using their BM identity.
[LOGIN] is optional on every access-key command — when omitted, the CLI calls bm whoami first and operates on your own user.
| Scope | Used for |
|---|---|
WEBDAV_AND_STUDIO (default) |
WebDAV uploads (cartridge sync, IMPEX), Studio access |
AGENT_USER_AND_OCAPI |
Customer Service Center (CSC) and OCAPI Basic auth |
STOREFRONT |
Storefront diagnostic / agent login passwords |
Get the current state of an access key.
b2c bm access-key get [<login>] [--scope <scope>]| Argument | Description |
|---|---|
[login] |
User login (email). Defaults to the currently authenticated user. |
| Flag | Description |
|---|---|
--scope |
One of WEBDAV_AND_STUDIO (default), AGENT_USER_AND_OCAPI, STOREFRONT |
b2c bm access-key get
b2c bm access-key get --scope STOREFRONT
b2c bm access-key get user@example.com --scope AGENT_USER_AND_OCAPICreate or rotate an access key. The secret value is returned only once, at creation — record it immediately.
b2c bm access-key create [<login>] [--scope <scope>]b2c bm access-key create
b2c bm access-key create --scope STOREFRONT
b2c bm access-key create --json | jq -r '.access_key'::: warning
The previous key for the same scope is removed automatically when a new one is created. The new access_key value is only returned in the response of create — subsequent get calls do not return it.
:::
Enable or disable an existing access key.
b2c bm access-key set [<login>] [--scope <scope>] (--enabled | --no-enabled)| Flag | Description |
|---|---|
--enabled / --no-enabled |
Enable or disable the key (required) |
b2c bm access-key set --enabled
b2c bm access-key set --no-enabled
b2c bm access-key set user@example.com --scope STOREFRONT --enabledDelete an access key. Prompts for confirmation by default.
b2c bm access-key delete [<login>] [--scope <scope>] [--force]| Flag | Description |
|---|---|
--force |
Skip the confirmation prompt |
b2c bm access-key delete
b2c bm access-key delete --scope STOREFRONT --force
b2c bm access-key delete user@example.com --scope WEBDAV_AND_STUDIOb2c bm access-key create
# record the printed access_key — use it as the new password for WebDAV/IMPEXb2c bm roles get Administrator --expand users --json | jq '.users[].login'b2c bm users search --sort-by last_login_date --sort-order asc --jsonb2c bm roles create MyEditor --description "Content editors"
b2c bm roles permissions get MyEditor --output role.json
# ...edit role.json...
b2c bm roles permissions set MyEditor --file role.json
b2c bm roles grant editor@example.com --role MyEditor# disable temporarily
b2c bm access-key set user@example.com --scope WEBDAV_AND_STUDIO --no-enabled
# rotate
b2c bm access-key create user@example.com --scope WEBDAV_AND_STUDIO