Secure > Authorization > Customize default access control policies > Define access control policy elements using XML


Define access groups

An access group is a required element in a policy definition. It defines which users are entitled to act upon which resources. There are many instances where it is necessary to define a new access group.

Some common examples are:

The default access groups that are part of WebSphere Commerce are found in language specific XML files, such as WC_INSTALL/xml/policies/xml/ACUserGroups_ locale.xml. This file follows the DTD specified by WC_INSTALL/xml/policies/dtd/ACUserGroups_en_US.dtd.

The following is the format of an access group element:

<UserGroup Name="value" OwnerID="value" Description="value"
       
<UserCondition>                
<![CDATA[
               
<profile>                         
Condition XML
               
</profile>   
       
</UserCondition>
</UserGroup>

Where:

Name

The name of the access group, stored in the MBRGRPNAME column of the MBRGRP table.

OwnerID

The Member ID that owns this access group. The combination of Name and OwnerID must be unique. Special values that can be used include: RootOrganization (-2001) or DefaultOrganization (-2000).

Description (optional)

An optional attribute used to describe the access group.

UserCondition (optional)

An optional element specifying implicit conditions of membership in this access group. This criteria is stored in the CONDITIONS column of the MBRGRPCOND table.

Condition XML

Use the condition framework, any valid combination of the orListCondition, andListCondition, simpleCondition, and trueConditionCondition elements.

The following SimpleCondition names are supported for the UserCondition element:

Variable Name Description Supported Operators Supported Values Qualifiers Qualifier Values
role Specifies that the user must have this role in the MBRROLE tabl. = != Any value of the NAME column in the ROLE table. org ( if not specified, the user must have the role for any organization in the MBRROLE table.

registration status Specifies that the user must have this registration status. = != Any value of the REGISTER-TYPE column in the USERS table such as G for guest, and R for registered. none n/a
status Specifies that the user must have this member state. This is usually used for the status of registration approval. = != Any value of the STATE column in the MEMBER table such as 0 for pending registration approval, 1 for registration approved, and 2 for registration rejected. none n/a
org Specifies that the user is a child of the specified organization. This information is based on data stored in the MBRREL table = !=

  • Any value of the ORGENTITY_ID in the ORGENTITY table.

  • ?: if it is a groupable template policy. This will check if the user is a child of the organization that owns the resource. It will also check if the user is a child of any of the resource owner's ancestors, up to and including the closest ancestor that is subscribing to a policy group

none n/a

Examples of simpleConditions for access groups

Role without a qualifier

The following example displays a role simpleCondition without a qualifier; most commonly used in role-based policies. In this example the user must have a Seller Administration role for any organizational entity.

<UserConditon>                
<![CDATA[
               
<profile>                        
<simpleCondition>                                
<variable name="role"/>                                
<operator name="="/>                                
<value data="Seller
Administrator"/>                        
</simpleCondition>                
</profile>
</UserCondition>

Role with a qualifier

The following example displays a role simpleCondition with a qualifier; most commonly used for organization-level policies. In this example the user must have a Seller role for the organizational entity with ORGENTITY_ID = 100.

<UserCondition>                        
<!CDATA[
               
<profile>                                
<simpleCondition>                                
<variable name="role"/>                                
<operator name="="/>                                
<value data="Seller"/>                                        
<qualifier name="org"
data="100"/>                                
<simpleCondition>                
</profile>
</UserCondition>

Role with a qualifier and parameter

The following example displays a role simpleCondition with a qualifier and the special data value OrgAndAncestorOrgs. This qualified data value, OrgAndAncestorOrgs, only works only in groupable template policies. In this example, the user must have a Sales Manager, Account Manager, or Seller role in the organization that owns the resource, or any of the organization's ancestors.

<UserCondition><!CDATA[
               
<profile>                        
<orListCondition>                                        
<simpleCondition>                                                
<variable
name="role"/>                                                
<operator
name="="/>                                                
<value
data="Sales Manager"/>                                                        
<qualifier name="org" data="OrgAndAncestorOrgs"/>                                        
</simpleCondition>                                        
<simpleCondition>                                                
<variable
name="role"/>                                                
<operator
name="="/>                                                
<value
data="Account Representative"/>                                                        
<qualifier name="org" data="OrgAndAncestorOrgs"/>                                        
</simpleCondition>                                        
<simpleCondition>                                                
<variable
name="role"/>                                                
<operator
name="="/>                                                
<value
data="Seller"/>                                                        
<qualifier name="org" data="OrgAndAncestorOrgs"/>                                        
</simpleCondition>                        
</orListCondition>                
</profile/>  
</UserCondition>                                             

registrationStatus

The following example displays a registrationStatus simpleCondition. In this example, the user must be registered ( USERS.REGISTERTYPE = R).

<UserCondition><!CDATA[
               
<profile>                
<simpleCondition>                        
<variable name="registrationStatus"/>                        
<operator name="="/>                        
<value data="R"/>                
</simpleCondition>                
</profile>
</UserCondition>

status

The following example displays a status simpleCondition. In this example, the user must have had registration approved. ( MEMBER.STATUS = 1)

<UserCondition><![CDATA[
               
<profile>                                
<simpleCondition>                                        
<variable
name="status"/>                                        
<operator name="="/>                                        
<value data="1"/>                                        
</simpleCondition>                
</profile>
</UserCondition>

org

The following example displays an org simpleCondition. In this example, the user must be registered in organizational entity 100. In the MBRREL table, there must be a record where the user is a descendant of an organization that has ANCESTOR_ID = 100, and SEQUENCE = 1.

<UserCondition><![CDATA[
               
<profile>                        
<simpleCondition>                                
<variable name="org"/>                                
<operator name="="/>                                
<value data="100"/>                        
</simpleCondition>                
</profile>
</UserCondition>


+

Search Tips   |   Advanced Search