Example: Allowing only Buyer Administrators to modify orders
By default, all users are permitted to modify orders they have created, regardless of their position in their organization. In some cases, you may want only the organization's buyer administrator to have the authority to modify orders.
In this example, you will change a resource-level policy, as well as a role-based policy. To allow only buyer administrators to modify orders belonging to members of a buyer organization, do the following:
- Determine the resource-level policy that specifies who can modify an order.
- Change the policy's access group from all users, to those with the buyer administrator role.
- Remove the specification of the resource relationship to permit buyer administrators to modify orders belonging to other users.
- Update the policy's name, display name, and description.
- Identify the commands for modifying orders.
- Determine the role-based policy for buyer administrator. This policy defines the commands that users with the buyer administrator role can execute. You must update this policy's resource group to permit buyer administrators to execute the commands for modifying orders.
- Update the role-based policy's resource group to include the commands for modifying orders.
Identify the resource-level policy
- Determine the resource-level policy to be changed. The policy is: AllUsersExecuteOrderWriteCommandsOnOrderResource.
- From the Organization Administration Console, click Access Management > Policies.
- For View, select Root Organization to display the policies that it owns.
- From the list of policies, select AllUsersExecuteOrderWriteCommandsOnOrderResource.
- Note the name of the policy's action group--OrderWriteCommands. You need to view this action group to find the name of the command for creating an order.
Change the access group
- Click Change to display the Change Policy page.
- For User Group, click Find and select Buyer Administrators.
- Click OK.
- For Relationship, select None.
- Update the policy's name, display name, and description to reflect the change of access group.
- Click OK.
Identify the commands for modifying orders
- Click Access Management > Action Groups.
- From the list of action groups, select OrderWriteCommands .
- Click Change to display the Change Action Group page. Make note of the names of the commands for modifying orders
com.ibm.commerce.order.commands.OrderCancelCmd com.ibm.commerce.order.commands.OrderCopyCmd-Write com.ibm.commerce.order.commands.OrderUnlockCmd com.ibm.commerce.orderitems.commands.OrderItemAddCmd com.ibm.commerce.orderitems.commands.OrderItemDeleteCmd com.ibm.commerce.orderitems.commands.OrderItemMoveCmd com.ibm.commerce.orderitems.commands.OrderItemUpdate.Cmd com.ibm.commerce.orderquotation.commands.OrderItemSelectCmd
You must add these commands to the resource group that contains the list of commands a buyer can execute.
Note: When you add the command, com.ibm.commerce.order.commands.OrderCopyCmd-Write, to the resource group, it appears under Available Resources as com.ibm.commerce.order.commands.OrderCopyCmd.
This is the name of the resource group update.
com.ibm.commerce.order.commands.OrderCancelCmd com.ibm.commerce.order.commands.OrderCopyCmd com.ibm.commerce.order.commands.OrderUnlockCmd com.ibm.commerce.orderitems.commands.OrderItemAddCmd com.ibm.commerce.orderitems.commands.OrderItemDeleteCmd com.ibm.commerce.orderitems.commands.OrderItemMoveCmd com.ibm.commerce.orderitems.commands.OrderItemUpdate.Cmd com.ibm.commerce.orderquotation.commands.OrderItemSelectCmd
Related reference
Examples: Customizing access control policies using the Organization Administration Console