Modify the command-level access control for a controller command
Based on the default access control policies, the UserRegistrationAdminAddCmd command cannot be run by users who only have the Marketing Manager role. The following scenario describes the steps needed to modify the existing policies so that these users can perform this command. Use the steps in this scenario and customize them to your own requirements.
All controller commands require a command-level access control policy, which has the ActionGroupName = ExecuteCommandActionGroup. It also must have a resource group that includes the interface name of the controller command. These policies usually refer to a specific role, for example, MarketingManagersExecuteMarketingManagerCmdResourceGroup.
    <Policy Name="MarketingManagersExecuteMarketingManagerCmdResourceGroup"
            OwnerID="RootOrganization"
            UserGroup="MarketingManagers"
            ActionGroupName="ExecuteCommandActionGroup"
            ResourceGroupName="MarketingManagerCmdResourceGroup"
            PolicyType="groupableStandard">
    </Policy>
The preceding policy is one of the default policies that is loaded into the database during instance creation. For more information about the default policies, see Default access control policy groups.
In this case, to let users with the Marketing Manager role execute the UserRegistrationAdminAddCmd command, add the command to the existing resource group used in the policy. Create your own XML file and do the following:
- Redefine the ExecuteCommand action
- Redefine com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd as a resource category.
- Associate the resource category with the required resource group, in this case MarketingManagerCmdResourceGroup.
- Copy the XML file to WC_installdir/xml/policies/xml. The following is an example of what your XML could look like:

      <?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
      <!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
      <Policies>
        <!-- Redefine the ExecuteCommand action -->
        <Action Name="ExecuteCommand" CommandName="Execute">
        </Action>
        <!-- Redefine the command interface as a resource category -->
        <ResourceCategory Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
                          ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
          <ResourceAction Name="ExecuteCommand"/>
        </ResourceCategory>
        <!-- Associate the resource category with the existing resource group -->
        <ResourceGroup Name="MarketingManagerCmdResourceGroup" OwnerID="RootOrganization">
          <ResourceGroupResource Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
        </ResourceGroup>
      </Policies>

- Load the XML file into the database using the WC_installdir/bin/acpload script. For more information about loading your XML files, see Loading access control policy data.
- Update the Access Control Policy Registry in the WebSphere Commerce Administration Console by doing the following:
  - Log on to the Administration Console as a Site Administrator.
  - Click Configuration > Registry.
  - From the list of registries, select Access Control Policies.
  - Click Update.
You can now use your controller command, provided that it does not do any resource-level checking.
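Because adding a command to an existing resource group widens what every user group bound to that group can execute, it helps to review the file before running acpload. The following is an added example, not part of the original page or of WebSphere Commerce: it parses a policy file shaped like the one above and lists the resulting grants and any dangling references. The names review_policy and GROUP_HOLDERS, the OrphanCategory entry, and the checks themselves are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy file from this page, plus one deliberately
# broken entry (OrphanCategory) to exercise the checks.
POLICY_XML = b"""<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
<Policies>
  <Action Name="ExecuteCommand" CommandName="Execute"/>
  <ResourceCategory Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
      ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
    <ResourceAction Name="ExecuteCommand"/>
  </ResourceCategory>
  <ResourceGroup Name="MarketingManagerCmdResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
    <ResourceGroupResource Name="OrphanCategory"/>
  </ResourceGroup>
</Policies>"""

# Resource group -> user groups holding ExecuteCommandActionGroup on it,
# taken from the default policy quoted on this page (assumed complete here).
GROUP_HOLDERS = {"MarketingManagerCmdResourceGroup": ["MarketingManagers"]}

def review_policy(xml_bytes, holders=GROUP_HOLDERS):
    """Return (grants, problems) for a command-level policy file."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    actions = {a.get("Name") for a in root.iter("Action")}
    categories = {}
    for cat in root.iter("ResourceCategory"):
        acts = {ra.get("Name") for ra in cat.iter("ResourceAction")}
        categories[cat.get("Name")] = (cat.get("ResourceBeanClass"), acts)
    grants, problems = [], []
    for group in root.iter("ResourceGroup"):
        gname = group.get("Name")
        for res in group.iter("ResourceGroupResource"):
            ref = res.get("Name")
            if ref not in categories:
                problems.append(f"{gname}: undefined resource category {ref}")
                continue
            bean, acts = categories[ref]
            if "ExecuteCommand" not in acts or "ExecuteCommand" not in actions:
                problems.append(f"{gname}: {ref} lacks the ExecuteCommand action")
                continue
            for user_group in holders.get(gname, ["<no policy known>"]):
                grants.append((user_group, bean))
    return grants, problems

if __name__ == "__main__":
    grants, problems = review_policy(POLICY_XML)
    print("\n".join([f"GRANT  {g} may execute {c}" for g, c in grants] + problems))
```

Each grant line is a command interface that a user group gains execute access to once the file is loaded and the registry is updated; any problem line should be resolved before loading.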
Related Concepts
Authorization
Understanding access control
Related tasks
Protecting resources
Protecting controller commands
Define access control policy elements using XML
Add a new controller command using existing policies
Add a new controller command using a new policy
Modifying the command-level access control for a controller command
Related Reference
Access control files