Authorization
Access control or authorization is the process of verifying that users or applications have sufficient authority to access a resource.
Authorization, or access control, in WebSphere Commerce is accomplished using access control policies, which are rules describing which group of users can perform a set of actions on a set of resources.
WebSphere Commerce provides a set of default access control policies, specified in XML format.
The hallmark of access control is the ability to oversee work processes by managing the ways in which users participate in the system, based on their activities and their business relationship to the products and services.
For example, you might only want customers that have registered with the site to be able to view products for auctions in the store, and to place bids on them. Likewise, you might authorize graphic designers to customize the store pages, but you might restrict them from managing the actual content in the product catalog.
WebSphere Commerce provides 200+ default access control policies that are automatically loaded into the system at the time of instance creation.
Managing access to activities in the electronic marketplace is an integral part of:
- protecting the company's financial assets and resources
- ensuring secure business transactions between approved members of the site
- validating the legitimacy of the online operations
See
- Access control policy
An access control policy authorizes a group of users to perform a set of actions on a set of resources within WebSphere Commerce. Unless authorized through one or more access control policies, users have no access to any functions of the system. To understand access control policies, you need to understand four main concepts: users, actions, resources, and relationships. Users are the people who use the system. Resources are objects in the system that need to be protected.
Actions are the activities that users can perform on the resources.
Relationships are optional conditions that exist between users and resources.
- Access control policy groups
WebSphere Commerce supports various business models, and each business model has its own set of access control policies. In order to group the sets of policies within the models, policy groups were created. Policies are explicitly assigned to appropriate policy groups and then organizations can subscribe to one or more of these policy groups. For example, in the following diagram, Seller Organization subscribes to Seller Organization Policy Group, and Root Organization Policy Group.
- Enforcing access control
Policy Manager is the access control component that determines whether the current user is allowed to execute the specified action on the specified resource. Access control policies are specified in XML format. During instance creation, the default policies and policy groups are loaded into the appropriate database tables. When WebSphere Commerce Application Server is started up, the access control information is cached in memory so the Policy Manager can quickly check a user's authorization when called to do so. If access control information is changed in the database through the Administration Console, or by loading XML policy data, the access control cache needs to be updated. This can be done by updating the appropriate registry in the Administration Console. If policy data has changed, then the Access Control Policies registry should be updated. If policy group data has changed, then the Access Control Policy Groups registry should be updated. Restarting WebSphere Commerce will also result in updating the cache.
- Evaluate access control policies
This section can be used as a guide to evaluating access control policies. In this section, you are presented with a scenario and guided through an example of how to evaluate groupable standard and groupable template access control policies. Each section begins with a description of related policies, and scenarios using each policy.
- Example: Examining an access control policy
In this section, you look at one of the default policies in detail, using a series of different examples. The policy we will study is the following:
- Example: Configuring fixed amount shipping charges
When configuring shipping charges based on weight ranges in WebSphere Commerce, the weight for that item will be multiplied by the shipping charge for the range that the weight falls under. This is because the default setup in WebSphere Commerce Accelerator is to use a per unit amount calculation range as opposed to a fixed amount calculation range.
- Default access control policies
The default policies shipped with WebSphere Commerce are organized into the following categories:
- Default access control policy groups
The default access control policy groups that are shipped with WebSphere Commerce are the following:
- Customize default access control policies
The default access control policies provided by WebSphere Commerce address the basic requirements that organizations have for regulating the actions and information available to their users. Often, the default policies are sufficient for the site's needs. At the same time, the default policies are highly customizable, which enables you to tailor them to your own requirements.
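The following is an added example, not WebSphere Commerce code, that models the evaluation described in the "Access control policy", "Access control policy groups" and "Enforcing access control" sections above: policies are rules over users, actions, resources and an optional relationship; policies are collected into policy groups that organizations subscribe to; the Policy Manager answers from an in-memory cache that is only refreshed when the registry is updated. The class and method names (PolicyManager, is_allowed, refresh_registry), the simulated database layout and the sample groups and policies are all assumptions constructed for this illustration; the real product stores policies in XML and database tables with its own schema.

```python
# Added example: a hypothetical model of policy-based access control in the
# style this page describes. Not WebSphere Commerce code; all names are assumed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]              # user groups the user belongs to


@dataclass(frozen=True)
class Resource:
    kind: str                           # resource type, e.g. "Auction"
    owner: str                          # user who owns the resource
    organization: str                   # organization that owns the resource


@dataclass(frozen=True)
class Policy:
    name: str
    user_group: str                     # which group of users the policy covers
    actions: FrozenSet[str]             # what they may do
    resource_kinds: FrozenSet[str]      # on which resource types
    relationship: Optional[str] = None  # optional condition, e.g. "owner"


class PolicyManager:
    """Decides whether a user may perform an action on a resource, using a
    cached copy of the policy tables (the 'registry' in the text above)."""

    def __init__(self, db: Dict):
        self.db = db                    # simulated database tables
        self._cache: Dict[str, List[Policy]] = {}
        self.refresh_registry()

    def refresh_registry(self) -> None:
        """Rebuild the in-memory cache from the simulated database.
        Changes to ``db`` are not enforced until this is called."""
        cache: Dict[str, List[Policy]] = {}
        for org, group_names in self.db["subscriptions"].items():
            cache[org] = [p for g in group_names for p in self.db["policy_groups"][g]]
        self._cache = cache

    def is_allowed(self, user: User, action: str, resource: Resource) -> bool:
        """Default deny: only a matching policy from a policy group subscribed
        by the resource's owning organization grants access."""
        for p in self._cache.get(resource.organization, []):
            if p.user_group not in user.groups:
                continue
            if action not in p.actions or resource.kind not in p.resource_kinds:
                continue
            # Relationship check: the user must stand in the named relation
            # to the resource (here only "owner" is modelled).
            if p.relationship == "owner" and resource.owner != user.name:
                continue
            return True
        return False


def build_manager() -> PolicyManager:
    """Constructed sample data mirroring the page's examples: registered
    customers may view and bid on auctions, designers may edit store pages
    but not the catalog, and customers may cancel only their own orders."""
    db = {
        "policy_groups": {
            "RootOrganizationPolicyGroup": [
                Policy("RegisteredCustomersAuctions", "RegisteredCustomers",
                       frozenset({"View", "Bid"}), frozenset({"Auction"})),
                Policy("CustomersCancelOwnOrders", "RegisteredCustomers",
                       frozenset({"Cancel"}), frozenset({"Order"}),
                       relationship="owner"),
            ],
            "SellerOrganizationPolicyGroup": [
                Policy("DesignersEditStorePages", "GraphicDesigners",
                       frozenset({"Update"}), frozenset({"StorePage"})),
            ],
        },
        # As in the page's diagram, the Seller Organization subscribes to both
        # its own policy group and the Root Organization Policy Group.
        "subscriptions": {
            "Seller": ["SellerOrganizationPolicyGroup",
                       "RootOrganizationPolicyGroup"],
        },
    }
    return PolicyManager(db)


if __name__ == "__main__":
    pm = build_manager()
    alice = User("alice", frozenset({"RegisteredCustomers"}))
    auction = Resource("Auction", owner="seller-admin", organization="Seller")
    print("alice may bid:", pm.is_allowed(alice, "Bid", auction))
```

The stale-cache behaviour the "Enforcing access control" section warns about falls out of the model: appending a policy to `db` has no effect on `is_allowed` until `refresh_registry()` is called, which is the analogue of updating the Access Control Policies registry in the Administration Console or restarting the server.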
Related concepts
WebSphere Commerce security model
Business models
Access control policy groups
Access control policy
Enforcing access control
Evaluate access control policies
Related tasks
Customize default access control policies
Define access control policy elements using XML
Implement access control
Related reference
Examples: Customizing access control policies using the Organization Administration Console
Example: Examining an access control policy