Access control policy groups

WebSphere Commerce supports various business models, and each business model has its own set of access control policies. In order to group the sets of policies within the models, policy groups were created. Policies are explicitly assigned to appropriate policy groups, and organizations can then subscribe to one or more of these policy groups. For example, in the following diagram, Seller Organization subscribes to Seller Organization Policy Group and Root Organization Policy Group.

Policies are assigned to policy groups. For example, in the preceding diagram, Policy 1 and Policy 2 are assigned to the Root Organization Policy Group, Policy 3 is assigned to the Seller Organization Policy Group, and Policy 4 is assigned to the Division A Organizational Unit Policy Group.

 

Policy group subscription

Prior to WebSphere Commerce 5.5, a policy applied to all resources owned by the descendants of that policy's owner organization. For example, if Organization A had a certain policy and was the parent of Organization B, then Organization B implicitly had that policy as well. Beginning with WebSphere Commerce 5.5, organizations can subscribe to policy groups. If Organization B does not subscribe to any policy groups, the access control framework searches up the organization hierarchy until it encounters an organization that subscribes to at least one policy group. If Organization B's immediate parent organization, Organization A, subscribes to a policy group, the search stops, and the policies are applied to Organization A and B. This can be seen in the following diagram.

If Organization A does not subscribe to a policy group, the search continues up the organization hierarchy, until an organization with a subscription is reached. This is seen in the following diagram where the Root Organization subscribes to a policy group. The policies in that group apply to Organization B and Organization A.

[Diagram: Organization B's closest subscribing ancestor organization is Root Organization (its grandparent), so the policies in Root Organization Policy Group apply to Organization B.]

If Organization B subscribes to a policy group, the search stops at Organization B. So only the policies in the Organization B policy group will apply to Organization B.

[Diagram: Organization B subscribes to its own policy group, Organization B Policy Group, so the policy groups that other organizations subscribe to do not affect Organization B.]
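The lookup described in this section, modelled in Python as an added example; it is not WebSphere Commerce code and does not use its API. The policy assignments, the Organization A Policy Group name, and the empty result when no organization in the chain subscribes are assumptions made for the illustration.

```python
# Illustrative model only: constructed data, not WebSphere Commerce code or API.

# child -> parent (None marks the top), the hierarchy used in this section
PARENT = {
    "Root Organization": None,
    "Organization A": "Root Organization",
    "Organization B": "Organization A",
}

# policy group -> policies assigned to it (constructed assignments)
GROUP_POLICIES = {
    "Root Organization Policy Group": ["Policy 1", "Policy 2"],
    "Organization A Policy Group": ["Policy 3"],
    "Organization B Policy Group": ["Policy 4"],
}


def resolve_subscriber(org, subscriptions, parent=PARENT):
    """Closest organization (org itself, then ancestors) with >= 1 subscription."""
    seen = set()
    current = org
    while current is not None:
        if current in seen:  # guard against a malformed (cyclic) hierarchy
            raise ValueError(f"cycle in organization hierarchy at {current!r}")
        seen.add(current)
        if subscriptions.get(current):  # an empty list does not stop the search
            return current
        current = parent.get(current)
    return None


def effective_policies(org, subscriptions, parent=PARENT, groups=GROUP_POLICIES):
    """Policies that apply to org: those in the groups of its resolved subscriber."""
    subscriber = resolve_subscriber(org, subscriptions, parent)
    if subscriber is None:
        return []  # assumption of this model: no subscription found, nothing applies
    policies = []
    for group in subscriptions[subscriber]:
        for policy in groups[group]:
            if policy not in policies:  # keep order, drop duplicates across groups
                policies.append(policy)
    return policies


def lost_by_subscribing(org, subscriptions, new_groups):
    """Policies org stops receiving once it subscribes to new_groups itself."""
    before = effective_policies(org, subscriptions)
    after = effective_policies(org, {**subscriptions, org: new_groups})
    return [p for p in before if p not in after]
```

`lost_by_subscribing` is the check to run before giving an organization its own subscription: the new subscription replaces what the organization received from its closest subscribing ancestor, unless it also subscribes to that ancestor's group.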

 

Related concepts


Authorization

 

Related tasks


Subscribing to policy groups