

Example: Allowing auditors to view business intelligence reports

By default, intelligence report viewers are permitted to view business intelligence reports for their store. In some cases, you might also want to create a new role called auditor and authorize users with this role to view a store's business intelligence reports.

This scenario involves the following steps:


Define the new auditor role

  1. From the Organization Administration Console, click Access Management > Roles.

  2. On the Roles page, click New.

  3. For Name, specify Auditor.

  4. For Description, specify a description of the auditor role in the local language.

  5. Click OK.


Define a new access group for the auditor role

  1. Click Access Management > Access Groups.

  2. On the Access Groups page, click New to display the Details page for the new access group.

  3. For Name, specify Auditors.

  4. For Description, specify a description of the access group in the local language.

  5. For Parent Organization, select Root Organization.

  6. Click Next to display the Criteria page for the new access group.

  7. Click Based on organizations and roles.

  8. From the Role list, select Auditor.

  9. Click Add.

  10. Click Finish.


Identify the actions to use in the resource group for the auditor role's role-based policy

  1. Find the policy that authorizes intelligence report viewers to view business intelligence reports. The policy is:

    IntelligenceReportViewersForOrgExecuteViewBusinessIntelligenceReportCommandsOnStoreEntityResource

  2. From the Organization Administration Console, click Access Management > Policies.

  3. For View, select Root Organization to display the policies it owns.

  4. Locate the policy in the list.

  5. Note the name of the policy's action group: ViewBusinessIntelligenceReport. This is the action group to view in order to identify the actions for registering members.

  6. Click Access Management > Action Groups.

  7. From the list of action groups, select ViewBusinessIntelligenceReport.

  8. Click Change to display the Change Action Group page.

  9. Note the name of the command for viewing business intelligence reports: com.ibm.commerce.bi.commands.BIShowReportCmd.


Define the new resource group to be used in the role-based policy for the auditor role

  1. Click Access Management > Resource Groups to display the Resource Groups page.

  2. Click New to display the General page for the new resource group.

  3. For Name, specify AuditorCommands.

  4. For Display Name, specify a description of the resource group in your local language.

  5. For Description, specify a longer description of the resource group, in the local language.

  6. Click Next.

  7. For Type, select Explicit Resource Group.

  8. Click Next to display the Details page for the new resource group.

  9. From the Available Resources list, select com.ibm.commerce.bi.commands.BIShowReportCmd.

  10. Click Add.

  11. Click Finish.


Define the role-based policy for the auditor role

  1. Click Access Management > Policies.

  2. On the Policies page, click New.

  3. For Name, specify AuditorsExecuteAuditorCommands.

  4. For Display Name, specify a description of the policy in the local language.

  5. For Description, specify a longer description of what the policy does, in the local language.

  6. For User Group, click Find and select Auditors.

  7. Click OK.

  8. For Resource Group, select AuditorCommands.

  9. For Action Group, select ExecuteCommandActionGroup.

  10. Click OK.


Add the auditor role to the resource-level policy's access group

  1. Click Access Management > Access Groups.

  2. From the list of access groups, select IntelligenceReportViewersForOrg.

  3. Click Change to display the Change Access Group page.

  4. Click Criteria to display the Criteria page for the access group.

  5. From the Role list, select Auditor.

  6. Click For Organization to specify that the role must be played within the resource's own organization or its ancestors.

  7. Click Add.

  8. Click OK.


Update the policy registry with the changes

  1. Open the Administration Console.

  2. Click Configuration > Registry.

  3. From the list of registries, select Access Control Policies.

  4. Click Update.
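
The following sketch is added here as an illustration and is not taken from the product. It models the two checks this procedure configures, assuming a request is allowed only when both the role-based policy and the resource-level policy permit it. The organization tree, the store name and the users are constructed.

```python
# Simplified model of the access decision configured above (an assumption,
# not product code). Organizations, the store and the users are constructed.
ORG_PARENT = {"Root Organization": None,
              "Seller Org": "Root Organization",
              "Other Org": "Root Organization"}
STORE_OWNER = {"StoreA": "Seller Org"}
BI_CMD = "com.ibm.commerce.bi.commands.BIShowReportCmd"
AUDITOR_COMMANDS = {BI_CMD}   # explicit resource group AuditorCommands
VIEW_BI_REPORT = {BI_CMD}     # action group ViewBusinessIntelligenceReport


def org_and_ancestors(org):
    """Return the organization plus every ancestor up to the root."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def role_based_ok(user, command):
    # AuditorsExecuteAuditorCommands: user group Auditors (role Auditor in any
    # organization) may execute the commands in AuditorCommands.
    is_auditor = any(role == "Auditor" for role, _ in user["roles"])
    return is_auditor and command in AUDITOR_COMMANDS


def resource_level_ok(user, command, store, auditor_in_viewers_group):
    # IntelligenceReportViewersForOrg with the Auditor / "For Organization"
    # criterion: the role must be held in the store's organization or above.
    if not auditor_in_viewers_group or command not in VIEW_BI_REPORT:
        return False
    scope = org_and_ancestors(STORE_OWNER[store])
    return any(r == "Auditor" and o in scope for r, o in user["roles"])


def auditor_can_view(user, store, auditor_in_viewers_group=True):
    # Both policy levels must permit the request.
    return (role_based_ok(user, BI_CMD)
            and resource_level_ok(user, BI_CMD, store, auditor_in_viewers_group))


alice = {"roles": [("Auditor", "Root Organization")]}   # ancestor of store org
bob = {"roles": [("Auditor", "Other Org")]}             # sibling organization
carol = {"roles": [("Seller", "Seller Org")]}           # no Auditor role
```

Passing auditor_in_viewers_group=False models skipping the "Add the auditor role to the resource-level policy's access group" step: the role-based policy alone does not grant access to the store's reports.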

