WebSphere Commerce deployment checklist: Access control
Is access control on commands and on JSP pages applied appropriately?
- Ensure that access control is turned on
- Ensure that each URL command is restricted to only those users who are supposed to execute it. URL commands can be typed directly into the browser address line, so the commands themselves must be protected rather than relying on which links the JSP pages expose.
- Ensure that each view is also restricted to the right set of users. For example, any additional WebSphere Commerce Accelerator pages should be viewable by specific roles only.
Is access to administration tools (WebSphere Commerce Accelerator, Administration Console and Organization Administration Console) outside the firewall properly configured, or disabled?
- If you will not be using the browser-based administration tools, remove their code from the server so that no one can access them, or attempt to.
Is the right subset of roles assigned to the right set of administrators? Do any passwords need to be reset?
During testing, you may have used a user assigned the Site Administrator or Seller role, but as the system is rolled out to specific users for specific roles, make sure each user has been assigned only the roles that user is permitted to hold.
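As an added illustration of the command-restriction and role-assignment items in this checklist (not IBM's code or a tool shipped with WebSphere Commerce), the script below reads an access control policy file and reports, for every declared URL command, which user groups are granted Execute on it. It then flags the two failures the checklist asks about: commands no policy covers at all, and commands the deployment team considers privileged that are open to AllUsers. The Action, ActionGroup, ActionGroupAction and Policy element names and their attributes are an assumption modelled on the general shape of WebSphere Commerce policy XML; verify them against the policy DTD shipped with your own installation before relying on the output. The policy file, command names and privileged-command list are constructed sample data.

```python
"""Audit which user groups may execute each URL command, read from an
access control policy file of the general shape WebSphere Commerce
uses (Action, ActionGroup and Policy elements). Element and attribute
names are an ASSUMPTION modelled on that format; check them against
the policy DTD shipped with your own installation. The policy XML and
command names embedded below are constructed sample data."""

import xml.etree.ElementTree as ET

# Constructed sample policy file (not from any real deployment).
SAMPLE_POLICY_XML = """<Policies>
  <Action Name="com.example.commands.ViewCatalogCmd" CommandName="Execute"/>
  <Action Name="com.example.commands.UpdateOrderStatusCmd" CommandName="Execute"/>
  <Action Name="com.example.commands.AdminResetPasswordCmd" CommandName="Execute"/>
  <Action Name="com.example.commands.ExportReportCmd" CommandName="Execute"/>

  <ActionGroup Name="ShopperCmdActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="com.example.commands.ViewCatalogCmd"/>
    <!-- Misplaced: an order-management command sits in the shopper group -->
    <ActionGroupAction Name="com.example.commands.UpdateOrderStatusCmd"/>
  </ActionGroup>
  <ActionGroup Name="SiteAdminCmdActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="com.example.commands.AdminResetPasswordCmd"/>
  </ActionGroup>

  <Policy Name="AllUsersExecuteShopperCmds" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="ShopperCmdActionGroup"
          ResourceGroupName="ShopperCmdResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="SiteAdminsExecuteSiteAdminCmds" OwnerID="RootOrganization"
          UserGroup="SiteAdministrators" ActionGroupName="SiteAdminCmdActionGroup"
          ResourceGroupName="SiteAdminCmdResourceGroup" PolicyType="groupableStandard"/>
</Policies>
"""

# Commands the deployment team considers privileged (constructed list; in a
# real review this comes from the design documents, not from guesswork).
PRIVILEGED_COMMANDS = {
    "com.example.commands.UpdateOrderStatusCmd",
    "com.example.commands.AdminResetPasswordCmd",
    "com.example.commands.ExportReportCmd",
}


def executors_by_command(xml_text):
    """Map every declared command to the set of user groups granted Execute on it.

    A command with an empty set has no policy at all: with access control
    turned on nobody can run it, which is either intended (dead code that
    should be removed from the server) or a missing policy.
    """
    root = ET.fromstring(xml_text)
    # ActionGroup name -> the commands it contains
    groups = {
        ag.get("Name"): {a.get("Name") for a in ag.findall("ActionGroupAction")}
        for ag in root.findall("ActionGroup")
    }
    # Start from every declared Action so unreferenced commands still appear.
    allowed = {a.get("Name"): set() for a in root.findall("Action")}
    for policy in root.findall("Policy"):
        for cmd in groups.get(policy.get("ActionGroupName"), ()):
            allowed.setdefault(cmd, set()).add(policy.get("UserGroup"))
    return allowed


def audit(xml_text, privileged_commands):
    """Return (command, finding) pairs for the two checklist failures:
    commands no policy covers, and privileged commands open to AllUsers."""
    findings = []
    for cmd, user_groups in sorted(executors_by_command(xml_text).items()):
        if not user_groups:
            findings.append((cmd, "no policy grants Execute: remove the command or add a policy"))
        elif cmd in privileged_commands and "AllUsers" in user_groups:
            findings.append((cmd, "privileged command executable by AllUsers"))
    return findings


if __name__ == "__main__":
    for cmd, finding in audit(SAMPLE_POLICY_XML, PRIVILEGED_COMMANDS):
        print(f"{cmd}: {finding}")
```

Run against the sample, the audit reports the export command (declared but covered by no policy) and the order-status command (granted to AllUsers through the shopper action group), while the password-reset command, reachable only by SiteAdministrators, passes. Views can be reviewed the same way if they appear as actions in the same file; the report is a starting point for the role review, not a substitute for checking who holds each role.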
(C) Copyright IBM Corporation 1996, 2006. All Rights Reserved.