Define access groups
An access group is a required element in a policy definition. It defines which users are entitled to act upon which resources. There are many instances where it is necessary to define a new access group.
Some common examples are:
- A new role and subsequently a new policy is created to give authorities to this new role.
- New controller commands are created, and users with particular roles need to be granted access to these commands.
The default access groups that are part of WebSphere Commerce are found in language-specific XML files, such as WC_INSTALL/xml/policies/xml/ACUserGroups_locale.xml (where locale is the language code). This file follows the DTD specified by WC_INSTALL/xml/policies/dtd/ACUserGroups_en_US.dtd.
The following is the format of an access group element:
<UserGroup Name="value" OwnerID="value" Description="value">
    <UserCondition>
        <![CDATA[
        <profile>
            Condition XML
        </profile>
        ]]>
    </UserCondition>
</UserGroup>
Where:
- Name
- The name of the access group, stored in the MBRGRPNAME column of the MBRGRP table.
- OwnerID
- The Member ID that owns this access group. The combination of Name and OwnerID must be unique. Special values that can be used include: RootOrganization (-2001) or DefaultOrganization (-2000).
- Description (optional)
- An optional attribute used to describe the access group.
- UserCondition (optional)
- An optional element specifying implicit conditions of membership in this access group. These criteria are stored in the CONDITIONS column of the MBRGRPCOND table.
- Condition XML
- Use the condition framework: any valid combination of the orListCondition, andListCondition, simpleCondition, and trueCondition elements.
- The following simpleCondition variable names are supported for the UserCondition element:
role
- Description: Specifies that the user must have this role in the MBRROLE table.
- Supported operators: = !=
- Supported values: Any value of the NAME column in the ROLE table.
- Qualifier: org (if not specified, the user must have the role for any organization in the MBRROLE table).
- Qualifier values:
  - OrgEntityID: the organization in which the user must have the role. See the example, Role with a qualifier.
  - OrgAndAncestorOrgs: only in a groupable template policy. This checks whether the user has the specified role in the organization that owns the resource or in any of its ancestor organizations. See the example, Role with a qualifier and parameter.
registrationStatus
- Description: Specifies that the user must have this registration status.
- Supported operators: = !=
- Supported values: Any value of the REGISTERTYPE column in the USERS table, such as G for guest and R for registered.
- Qualifier: none
- Qualifier values: n/a
status
- Description: Specifies that the user must have this member state. This is usually used for the status of registration approval.
- Supported operators: = !=
- Supported values: Any value of the STATE column in the MEMBER table, such as 0 for pending registration approval, 1 for registration approved, and 2 for registration rejected.
- Qualifier: none
- Qualifier values: n/a
org
- Description: Specifies that the user is a child of the specified organization. This information is based on data stored in the MBRREL table.
- Supported operators: = !=
- Supported values:
  - Any value of the ORGENTITY_ID column in the ORGENTITY table.
  - ?: only in a groupable template policy. This checks whether the user is a child of the organization that owns the resource, or of any of the resource owner's ancestors, up to and including the closest ancestor that subscribes to a policy group.
- Qualifier: none
- Qualifier values: n/a
Examples of simpleConditions for access groups
The following example displays a role simpleCondition without a qualifier; this is the form most commonly used in role-based policies. In this example the user must have the Seller Administrator role for any organizational entity.
<UserCondition>
    <![CDATA[
    <profile>
        <simpleCondition>
            <variable name="role"/>
            <operator name="="/>
            <value data="Seller Administrator"/>
        </simpleCondition>
    </profile>
    ]]>
</UserCondition>
Role with a qualifier
The following example displays a role simpleCondition with a qualifier; this is the form most commonly used for organization-level policies. In this example the user must have the Seller role for the organizational entity with ORGENTITY_ID = 100.
<UserCondition>
    <![CDATA[
    <profile>
        <simpleCondition>
            <variable name="role"/>
            <operator name="="/>
            <value data="Seller"/>
            <qualifier name="org" data="100"/>
        </simpleCondition>
    </profile>
    ]]>
</UserCondition>
Role with a qualifier and parameter
The following example displays a role simpleCondition with a qualifier and the special data value OrgAndAncestorOrgs. This qualifier data value works only in groupable template policies. In this example, the user must have the Sales Manager, Account Representative, or Seller role in the organization that owns the resource, or in any of that organization's ancestors.
<UserCondition>
    <![CDATA[
    <profile>
        <orListCondition>
            <simpleCondition>
                <variable name="role"/>
                <operator name="="/>
                <value data="Sales Manager"/>
                <qualifier name="org" data="OrgAndAncestorOrgs"/>
            </simpleCondition>
            <simpleCondition>
                <variable name="role"/>
                <operator name="="/>
                <value data="Account Representative"/>
                <qualifier name="org" data="OrgAndAncestorOrgs"/>
            </simpleCondition>
            <simpleCondition>
                <variable name="role"/>
                <operator name="="/>
                <value data="Seller"/>
                <qualifier name="org" data="OrgAndAncestorOrgs"/>
            </simpleCondition>
        </orListCondition>
    </profile>
    ]]>
</UserCondition>
The following example displays a registrationStatus simpleCondition. In this example, the user must be registered (USERS.REGISTERTYPE = R).
<UserCondition>
    <![CDATA[
    <profile>
        <simpleCondition>
            <variable name="registrationStatus"/>
            <operator name="="/>
            <value data="R"/>
        </simpleCondition>
    </profile>
    ]]>
</UserCondition>
The following example displays a status simpleCondition. In this example, the user must have had registration approved (MEMBER.STATE = 1).
<UserCondition>
    <![CDATA[
    <profile>
        <simpleCondition>
            <variable name="status"/>
            <operator name="="/>
            <value data="1"/>
        </simpleCondition>
    </profile>
    ]]>
</UserCondition>
The following example displays an org simpleCondition. In this example, the user must be registered in organizational entity 100: in the MBRREL table there must be a record in which the user is a descendant of the organization with ANCESTOR_ID = 100 and SEQUENCE = 1.
<UserCondition>
    <![CDATA[
    <profile>
        <simpleCondition>
            <variable name="org"/>
            <operator name="="/>
            <value data="100"/>
        </simpleCondition>
    </profile>
    ]]>
</UserCondition>
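The access-group format and the condition semantics described above, as an added example that is not part of WebSphere Commerce or of this page: a small Python reference evaluator that checks the required UserGroup attributes, pulls the condition XML out of the CDATA section, and decides membership for a user record. The sample definition and the user records are constructed; the evaluator handles the literal ORGENTITY_ID qualifier only, not the OrgAndAncestorOrgs or ? special values, which depend on the resource owner.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the page's UserGroup format (not from any shipped ACUserGroups file).
SAMPLE = """<UserGroup Name="ApprovedSellers" OwnerID="RootOrganization" Description="demo">
<UserCondition><![CDATA[<profile><andListCondition>
  <simpleCondition><variable name="registrationStatus"/><operator name="="/><value data="R"/></simpleCondition>
  <orListCondition>
    <simpleCondition><variable name="role"/><operator name="="/><value data="Seller"/><qualifier name="org" data="100"/></simpleCondition>
    <simpleCondition><variable name="status"/><operator name="!="/><value data="2"/></simpleCondition>
  </orListCondition>
</andListCondition></profile>]]></UserCondition>
</UserGroup>"""


def load_condition(group_xml):
    """Check the required UserGroup attributes; return the <profile> tree from the CDATA, or None."""
    group = ET.fromstring(group_xml)
    if group.tag != "UserGroup" or not group.get("Name") or not group.get("OwnerID"):
        raise ValueError("UserGroup needs Name and OwnerID")
    cond = group.find("UserCondition")
    return None if cond is None else ET.fromstring(cond.text.strip())


def evaluate(node, user):
    """user mirrors MBRROLE (roles: (role, orgentity_id) pairs), USERS.REGISTERTYPE, MEMBER.STATE, MBRREL ancestry."""
    tag = node.tag
    if tag in ("profile", "andListCondition"):  # assumption: <profile> ANDs its children
        return all(evaluate(c, user) for c in node)
    if tag == "orListCondition":
        return any(evaluate(c, user) for c in node)
    if tag == "trueCondition":
        return True
    if tag != "simpleCondition":
        raise ValueError("unsupported condition element: " + tag)
    var = node.find("variable").get("name")
    op = node.find("operator").get("name")
    val = node.find("value").get("data")
    if op not in ("=", "!="):
        raise ValueError("unsupported operator: " + op)
    if var == "role":
        qual = node.find("qualifier")
        org = None if qual is None else qual.get("data")
        # unqualified: role held for any organization; org-qualified: held for that ORGENTITY_ID
        held = any(r == val and org in (None, o) for r, o in user["roles"])
    elif var in ("registrationStatus", "status"):
        held = str(user[var]) == val
    elif var == "org":
        held = val in user["ancestor_orgs"]  # ancestors recorded in MBRREL
    else:
        raise ValueError("unsupported variable: " + var)
    return held if op == "=" else not held  # assumption: != is the negation of =
```

A group whose UserCondition is absent yields None from load_condition, which corresponds to a group with no implicit members.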