Modify the resource-level access control of an existing policy

For commands that require resource-level access control, the command returns the protected resources it is going to access from its getResources() method. This triggers a resource-level access control check by the WebSphere Commerce access control framework. WebSphere Commerce searches the system for an access control policy whose Action Group includes an action equal to the current command; in this example, com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd. The policy's Resource Group must also include the resource that was returned by the getResources() method. In this case, the UserRegistrationAdminAddCmd command does implement the getResources() method, and it returns the organization to which the new user is going to be registered.

By default, in defaultAccessControlPolicies.xml, com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd is already defined as an action:

<Action Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"
        CommandName="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
</Action>


It is also included in an action group, defined in the same defaultAccessControlPolicies.xml file:

<ActionGroup Name="UserAdminRegistration" OwnerID="RootOrganization">
        <ActionGroupAction Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"/>
</ActionGroup>


This action group is already used in an existing bootstrap policy:

<Policy Name="MembershipAdministratorsForOrgExecuteUserAdminRegistrationCommandsOnOrganizationResource"
        OwnerID="RootOrganization"
        UserGroup="MembershipAdministratorsForOrg"
        ActionGroupName="UserAdminRegistration"
        ResourceGroupName="OrganizationDataResourceGroup"
        PolicyType="groupableTemplate">
</Policy>


Many policies are default policies and are loaded into the database during instance creation.

To add the required role to the UserRegistrationAdminAddCmd command, do the following:

  1. Add the required role to the access group used by the policy; in this example, MembershipAdministratorsForOrg.

    This access group is defined in WC_installdir/xml/policies/xml/ACUserGroup_en_US.xml as follows:

    <UserGroup Name="MembershipAdministratorsForOrg" OwnerID="RootOrganization"
       Description="Administrators of membership for the organization"
       MemberGroupID="-97">
     <UserCondition><![CDATA[
        <profile>
               <orListCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Buyer Administrator"/>
                   <qualifier name="org" data="OrgAndAncestorOrgs"/>
                 </simpleCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Seller Administrator"/>
                   <qualifier name="org" data="OrgAndAncestorOrgs"/>
                 </simpleCondition>
              </orListCondition>
        </profile>
     ]]></UserCondition>
    </UserGroup>


    In the preceding XML, a user is included in the group if the user holds at least one of the specified roles, Buyer Administrator or Seller Administrator, for the organization returned by getResources() or for one of that organization's ancestor organizations. If you wanted to add the Marketing Manager role, you would have to enhance the condition to also include the new role.

  2. Copy the XML file to WC_installdir/xml/policies/xml. The following is an example of what your XML could look like:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE UserGroups SYSTEM "../dtd/ACUserGroups_en_US.dtd">

    <UserGroups>

    <UserGroup Name="MembershipAdministratorsForOrg" OwnerID="RootOrganization"
        Description="Administrators of membership for the organization"
        MemberGroupID="-97">
     <UserCondition><![CDATA[
         <profile>
               <orListCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Buyer Administrator"/>
                   <qualifier name="org" data="OrgAndAncestorOrgs"/>
                 </simpleCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Seller Administrator"/>
                   <qualifier name="org" data="OrgAndAncestorOrgs"/>
                 </simpleCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Marketing Manager"/>
                   <qualifier name="org" data="OrgAndAncestorOrgs"/>
                 </simpleCondition>
              </orListCondition>
         </profile>
     ]]></UserCondition>
    </UserGroup>

    </UserGroups>


  3. Load the XML file into the database using the WC_installdir/bin/acpload script. For more information about loading your XML files, see Loading access control policy XML files.

  4. Update the Access Control Policy Registry in the WebSphere Commerce Administration Console by doing the following:

    1. Log on to the Administration Console as a Site Administrator.

    2. Click Configuration > Registry.

    3. From the list of registries, select Access Control Policies.

    4. Click Update.
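A pre-load check for the enhanced ACUserGroup file, as an added example that is not part of the original page or of the WebSphere Commerce product: it parses a constructed UserGroup file, extracts the role conditions from the CDATA profile (a profile that is not well-formed, such as one with a misspelled tag, fails here rather than after acpload), and evaluates the orListCondition for a user's roles against a constructed organization tree. The ancestor lookup is a simplified stand-in for how the access control framework resolves the OrgAndAncestorOrgs qualifier; org names and role sets are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ACUserGroup file with the Marketing Manager role added (the XML
# declaration and DOCTYPE are left out so the parser needs no DTD on disk).
USERGROUP_XML = """<UserGroups>
<UserGroup Name="MembershipAdministratorsForOrg" OwnerID="RootOrganization"
    Description="Administrators of membership for the organization" MemberGroupID="-97">
<UserCondition><![CDATA[
<profile><orListCondition>
  <simpleCondition><variable name="role"/><operator name="="/>
    <value data="Buyer Administrator"/><qualifier name="org" data="OrgAndAncestorOrgs"/>
  </simpleCondition>
  <simpleCondition><variable name="role"/><operator name="="/>
    <value data="Seller Administrator"/><qualifier name="org" data="OrgAndAncestorOrgs"/>
  </simpleCondition>
  <simpleCondition><variable name="role"/><operator name="="/>
    <value data="Marketing Manager"/><qualifier name="org" data="OrgAndAncestorOrgs"/>
  </simpleCondition>
</orListCondition></profile>
]]></UserCondition>
</UserGroup>
</UserGroups>"""

def load_role_conditions(xml_text, group_name):
    """Return [(role, org_qualifier), ...] from the named UserGroup's orListCondition.
    Raises if the group is missing or the CDATA profile is not well-formed XML."""
    root = ET.fromstring(xml_text)
    group = root.find(f"UserGroup[@Name='{group_name}']")
    if group is None:
        raise ValueError(f"no UserGroup named {group_name}")
    # The profile is CDATA, so ElementTree returns it as plain text; parse it again.
    profile = ET.fromstring(group.findtext("UserCondition").strip())
    conds = []
    for sc in profile.iter("simpleCondition"):
        if sc.find("variable").get("name") == "role" and sc.find("operator").get("name") == "=":
            conds.append((sc.find("value").get("data"), sc.find("qualifier").get("data")))
    return conds

def is_member(conditions, user_roles, resource_org, ancestors):
    """Evaluate the orListCondition for one user. user_roles maps org -> set of roles
    held in that org; ancestors maps org -> list of its ancestor orgs (constructed tree)."""
    for role, qualifier in conditions:
        orgs = [resource_org]
        if qualifier == "OrgAndAncestorOrgs":
            orgs += ancestors.get(resource_org, [])
        if any(role in user_roles.get(org, set()) for org in orgs):
            return True
    return False
```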
