Users and organizational entities within the WebSphere Commerce member subsystem are organized into a hierarchy. This hierarchy emulates a typical organizational hierarchy, with entries for organizations and organizational units, and entries for users in the leaf nodes. The hierarchy includes an artificial organizational entity called a root organization at the top. All other organizational entities and users are descendants of this root organization. Under the root organization there can be one seller organization and several buyer organizations; all these organizations can have one or more sub-organizations under them. Buyer or Seller Administrators are the heads of the organizations, and they are responsible for maintaining their organizations. On the seller organization side, each sub-organization can have one or more stores within it. Store Administrators are responsible for maintaining the stores. The following diagram shows the organizational hierarchy of a business-to-business e-commerce site.

Root organization
The root organization is at the top of the organizational hierarchy. A Site Administrator has superuser access to perform any operation within WebSphere Commerce. The Site Administrator installs, configures, and maintains WebSphere Commerce and its associated software and hardware. This role typically controls access and authorization (that is, creating and assigning members to the appropriate role) and manages the Web site. The Site Administrator can assign roles to users and specify the organization or organizations for which the user plays the role. The Site Administrator must assign a password to each administrator to ensure that only authorized parties can access confidential information. This provides a way to control key responsibilities, such as updating a catalog or approving a request for quotation (RFQ).
Note: It is possible for a user to play roles in an organization other than their parent organization.
In a WebSphere Commerce site, there is one seller organization. In a business-to-business site, there are also one or more buyer organizations. The Site Administrator may define both the access control policies of the seller organization (that owns the store) and the access control policies of each organization that buys from the store. In a business-to-consumer site, there are no buyer organizations. Business-to-consumer customers are modeled as members of the default organization.
Organizations (seller)
In both business-to-business and business-to-consumer sites, the Site Administrator creates one top-level seller. Underneath this seller organization, other sub-organizations or organizational units can be created. Any of these sell-side organizational entities can own one or more stores. The Site Administrator then defines any special access control policies for a seller organization and assigns a Seller Administrator to manage that organization. The Seller Administrator registers users and assigns them different roles to fit the organization's business needs, according to the access control policies pertaining to that organization.
The Seller Administrator's responsibilities are summarized as follows:
- Create sub-organizations that can own stores. Optionally, define which processes within the organization require approval. This step is only required in a business-to-business site.
- Assign roles to the sub-organizations.
- Create users.
- Assign roles to users.
Organizations (buyer)
In a business-to-business site, the Site Administrator creates one or more buyer organizations, depending on the business needs. The Site Administrator then defines any special access control policies for a buyer organization and assigns a Buyer Administrator to manage the buyer organization. The Buyer Administrator registers users and assigns them different roles to fit the organization's business needs, according to the access control policies pertaining to that organization.
The Buyer Administrator's responsibilities are summarized as follows:
- Create and administer the sub-organizations within the buyer organization. Optionally, define which processes within the organization require approval. This step is only required in a business-to-business site.
- Assign roles to the sub-organizations.
- Create users.
- Assign roles to users.
Note: The Site Administrator can modify and manage the access control policies of the buyer organization if appropriate.
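Because a user can play a role in an organization other than their parent organization, a periodic review of role assignments is useful. The following is an added example, not WebSphere Commerce code: it models the hierarchy in memory and lists assignments that fall outside the user's own ancestor chain, plus every Site Administrator. All organization names, user names, and function names are constructed for illustration; only the role names come from this page.

```python
# Constructed sample data: organization -> parent organization (None marks the root).
ORG_PARENT = {
    "Root Organization": None,
    "Seller Organization": "Root Organization",
    "Seller Division A": "Seller Organization",
    "Buyer Organization 1": "Root Organization",
    "Buyer Org 1 Purchasing": "Buyer Organization 1",
}
# Constructed sample data: user -> parent organization (users are leaf nodes).
USER_PARENT = {
    "alice": "Seller Organization",
    "bob": "Buyer Org 1 Purchasing",
    "dave": "Buyer Org 1 Purchasing",
    "root_admin": "Root Organization",
}
# Constructed sample data: (user, role, organization in which the role is played).
ROLE_ASSIGNMENTS = [
    ("alice", "Seller Administrator", "Seller Organization"),
    ("bob", "Buyer Administrator", "Buyer Organization 1"),
    ("dave", "Store Administrator", "Seller Division A"),
    ("root_admin", "Site Administrator", "Root Organization"),
]

def ancestors(org):
    """Return org followed by every organization above it, up to the root."""
    chain = []
    while org is not None:
        if org in chain:
            raise ValueError(f"cycle in hierarchy at {org!r}")
        chain.append(org)
        org = ORG_PARENT[org]  # KeyError means an unknown organization
    return chain

def classify(user, role_org):
    """Where the role's organization sits relative to the user's parent organization."""
    parent = USER_PARENT[user]
    if role_org == parent:
        return "parent"
    return "ancestor" if role_org in ancestors(parent) else "outside"

def review_list():
    """Assignments worth a manual look: cross-branch roles and all Site Administrators."""
    findings = []
    for user, role, org in ROLE_ASSIGNMENTS:
        scope = classify(user, org)
        if scope == "outside" or role == "Site Administrator":
            findings.append((user, role, org, scope))
    return findings
```
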