Examples: Customizing access control policies using the Organization Administration Console


Example: Allowing member registrars to register users

By default, membership administrators for an organization are authorized to register members of their organization. The access group MemberAdministratorsForOrg includes several roles, such as buyer administrator and seller administrator, that are authorized to perform a variety of administrative tasks. In some cases, you might want to create a separate role that is authorized only to register organization members.

In this example, we will do the following:


Define the new role

  1. From the Organization Administration Console, click Access Management > Roles.

  2. On the Roles page, click New.

  3. For Name, specify Member Registrar.

  4. For Description, specify a description of the member registrar role in your local language.

  5. Click OK.


Define a new access group containing the member registrar role

  1. Click Access Management > Access Groups.

  2. On the Access Groups page, click New to display the Details page for the new access group.

  3. For Name, specify: MemberRegistrars.

  4. For Parent Organization, select Root Organization.

  5. For Description, specify a description of the access group in the local language.

  6. Click Next to display the Criteria page for the new access group.

  7. Click Based on organizations and roles.

  8. From the Role list, select Member Registrar.

  9. Click For Organization to specify that the role must be played within the user's own organization or its ancestors.

  10. Click Finish.


Identify the actions to use in the resource group for the member registrar role-based policy

  1. Determine the policy that permits membership administrators to register users. The policy is:

    CSAMembershipAdministratorsForOrgExecuteUserAdminRegistrationCommandsOnOrganizationResource

  2. Click Access Management > Policies.

  3. For View, select Root Organization to display the site-level policies.

  4. Locate the policy in the list.

  5. Note the name of the policy's action group: UserAdminRegistration. This is the action group to view in order to identify the actions for registering members.

  6. Click Access Management > Action Groups.

  7. From the list of action groups, select UserAdminRegistration.

  8. Click Change to display the Change Action Group page.

  9. Note the name of the command for registering members: com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd.


Define the new resource group to be used in the role-based policy for member registrars

  1. Click Access Management > Resource Groups to display the Resource Groups page.

  2. Click New to display the General page for the new resource group.

  3. For Name, specify UserAdminRegistrationCommands.

  4. For Display Name, specify a description of the resource group in your local language.

  5. For Description, specify a longer description of the resource group, in your local language.

  6. For Type, select Explicit Resource Group.

  7. Click Next.

  8. Click Next to display the Details page for the new resource group.

  9. From the Available Resources list, select the following:

    com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd

  10. Click Add.

  11. Click Finish.


Define a role-based policy for the member registrar role

  1. Click Access Management > Policies.

  2. On the Policies page, click New.

  3. For Name, specify MemberRegistrarsExecuteUserAdminRegistrationCommands.

  4. For Display Name, specify a description of the policy in the local language.

  5. For Description, specify a longer description of what the policy does, in the local language.

  6. For User Group, click Find and select MemberRegistrars.

  7. Click OK.

  8. For Resource Group, select UserAdminRegistrationCommands.

  9. For Action Group, select ExecuteCommandActionGroup.

  10. Click OK.

Note: After creating this new policy, it has to be assigned to a policy group before it becomes effective. This must be done through XML. For more information, see Define access control policy elements using XML.


Modify the resource-level policy to use the new access group

After modifying the resource-level policy, only users who play the Member Registrar role in the same organization as the resource will be allowed to register the user. Users who play the role in any other organization will not be able to do so.

  1. From the list of policies, select the following:

    CSAMembershipAdministratorsForOrgExecuteUserAdminRegistrationCommandsOnOrganizationResource

  2. Click Change to display the Change Policy page.

  3. Update the policy's name, display name and description to reflect the change of access group.

  4. For User Group, click Find and select MemberRegistrars.

  5. Click OK.


Update the access control policy registry with the changes

  1. Open the Administration Console.

  2. Click Configuration > Registry.

  3. From the list of registries, select Access Control Policies.

  4. Click Update.
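The following is an added example, not code from the product or its documentation: a small Python model of how the role-based policy (MemberRegistrars may execute UserAdminRegistrationCommands) and the modified resource-level policy (the role must be played in the organization that owns the resource) combine to decide a registration request. The organization tree, user records and the evaluation rules are simplifying assumptions made for this illustration, not the product's own policy engine.

```python
from dataclasses import dataclass, field

# Constructed organization hierarchy for the example: child -> parent
# (None marks the root organization).
ORG_PARENT = {"Root": None, "OrgA": "Root", "OrgB": "Root", "OrgA-Dept": "OrgA"}

REGISTER_CMD = "com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"

# Explicit resource group UserAdminRegistrationCommands from the procedure.
USER_ADMIN_REGISTRATION_COMMANDS = {REGISTER_CMD}


def ancestors(org):
    """Return the organization and all of its ancestors, nearest first."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


@dataclass
class User:
    name: str
    org: str
    # role name -> set of organizations in which the user plays that role
    roles: dict = field(default_factory=dict)


def in_member_registrars(user):
    """Access group criteria: Member Registrar played 'For Organization',
    i.e. in the user's own organization or one of its ancestors."""
    played_in = user.roles.get("Member Registrar", set())
    return any(org in played_in for org in ancestors(user.org))


def role_based_allows(user, command):
    """Policy MemberRegistrarsExecuteUserAdminRegistrationCommands."""
    return command in USER_ADMIN_REGISTRATION_COMMANDS and in_member_registrars(user)


def resource_level_allows(user, command, resource_org):
    """Modified resource-level policy: the role must be played in the
    same organization as the resource being acted on."""
    played_in = user.roles.get("Member Registrar", set())
    return command in USER_ADMIN_REGISTRATION_COMMANDS and resource_org in played_in


def can_register(user, resource_org, command=REGISTER_CMD):
    """Both the role-based and the resource-level policy must grant access."""
    return role_based_allows(user, command) and resource_level_allows(user, command, resource_org)
```

A user who plays the role in an ancestor organization passes the access group check but is still refused for resources owned by a descendant organization, which is the behaviour described after the resource-level policy change above.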

