Customize default access control policies
The default access control policies provided by WebSphere Commerce address the basic requirements that organizations have for regulating the actions and information available to their users. Often, the default policies are sufficient for a site's needs. At the same time, the default policies are highly customizable, which enables you to tailor them to your own requirements.
This topic provides information about how to make basic changes to the default access control policies included with WebSphere Commerce. It begins by introducing certain concepts and relationships that you need to understand.
Access control enables you to manage business workflows and ensure that users carry out only those activities that are appropriate to their roles and responsibilities. Not only does WebSphere Commerce provide you with default policies that are ready to use "out of the box," but it also provides you with the tools and capacity to customize the policies to suit your business needs.
The following table outlines just a few examples of how simple modifications can customize access to your business environment.
What users are allowed to do by default, and what users are allowed to do after customization:

By default: Customers can self-register.
After customization: Only seller administrators can register new customers.

By default: Buyers can display RFQs that they created.
After customization: Only sellers can display RFQs if the RFQ resulted in a contract.

By default: Only customers can cancel orders they created if the order is in pending state.
After customization: Customer Service Representatives can also cancel orders in pending state, if the total product price is less than $1000.

By default: An order can be modified by the person who created it.
After customization: Only a user from the buyer organization with the role of purchaser can modify an order that has been created.

By default: Account representatives can display all accounts.
After customization: Account Representatives can only display active accounts.

By default: Employees with the Logistics Manager role can create and modify fulfillment centers.
After customization: Employees with the Logistics Manager role can create but not modify fulfillment centers.
- Relationships between role-based and resource-level policies
This topic describes how policies are related to each other and why you must understand their relationships before you modify an existing policy or create a new one. In many cases, you must change several policies to properly implement a single change.
- Role-based and resource-level policies
Role-based policies are also known as command-level policies because they authorize users with a particular role to execute a set of commands. Resource-level policies authorize a group of users to execute a set of commands on a particular set of resources. For instance, a role-based policy might authorize children to eat, while a resource-level policy might authorize children to eat rice.
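The following Python model illustrates the two policy kinds above and the point made under "Relationships between role-based and resource-level policies": a request is authorized only when a role-based (command-level) policy permits the command for one of the user's roles and a resource-level policy permits it on the specific resource, so customizing one kind of policy without the other changes nothing. It is an added example written for this page, not WebSphere Commerce's policy engine or its XML policy format; the class names, role names, action name "OrderCancel" and the sample users and orders are all constructed for illustration. The scenario encoded is the "cancel pending orders" row of the table above, before and after the Customer Service Representative customization.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List

# Hypothetical, simplified model of the two policy kinds described on this
# page. It is NOT WebSphere Commerce's policy engine or its XML format.


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Order:
    order_id: int
    created_by: str
    status: str
    total: float


@dataclass(frozen=True)
class RolePolicy:
    """Role-based (command-level): users holding one of these roles may
    execute these commands, regardless of which resource is involved."""
    roles: FrozenSet[str]
    actions: FrozenSet[str]


@dataclass(frozen=True)
class ResourcePolicy:
    """Resource-level: users who satisfy a relationship test against the
    particular resource may execute these commands on it."""
    actions: FrozenSet[str]
    allowed: Callable[[User, Order], bool]


def role_check(policies: Iterable[RolePolicy], user: User, action: str) -> bool:
    """True if any role-based policy grants this command to one of the user's roles."""
    return any(action in p.actions and bool(user.roles & p.roles) for p in policies)


def resource_check(policies: Iterable[ResourcePolicy], user: User,
                   action: str, resource: Order) -> bool:
    """True if any resource-level policy grants this command on this resource."""
    return any(action in p.actions and p.allowed(user, resource) for p in policies)


def is_authorized(role_policies: Iterable[RolePolicy],
                  resource_policies: Iterable[ResourcePolicy],
                  user: User, action: str, resource: Order) -> bool:
    """Both stages must pass. Failing either one is a denial, which is why a
    customization usually needs a change to several policies."""
    return (role_check(role_policies, user, action)
            and resource_check(resource_policies, user, action, resource))


# Constructed "default" policies: registered customers may cancel orders
# they created while the order is still pending.
DEFAULT_ROLE_POLICIES: List[RolePolicy] = [
    RolePolicy(roles=frozenset({"RegisteredCustomer"}),
               actions=frozenset({"OrderCancel"})),
]
DEFAULT_RESOURCE_POLICIES: List[ResourcePolicy] = [
    ResourcePolicy(actions=frozenset({"OrderCancel"}),
                   allowed=lambda u, o: o.created_by == u.name
                   and o.status == "pending"),
]

# Constructed customization: CSRs may also cancel pending orders under $1000.
CSR_ROLE_POLICY = RolePolicy(roles=frozenset({"CustomerServiceRepresentative"}),
                             actions=frozenset({"OrderCancel"}))
CSR_RESOURCE_POLICY = ResourcePolicy(
    actions=frozenset({"OrderCancel"}),
    allowed=lambda u, o: "CustomerServiceRepresentative" in u.roles
    and o.status == "pending" and o.total < 1000,
)


def evaluate_scenarios() -> dict:
    """Run the sample requests and return each outcome keyed by scenario."""
    alice = User("alice", frozenset({"RegisteredCustomer"}))
    carol = User("carol", frozenset({"CustomerServiceRepresentative"}))
    small = Order(1, created_by="alice", status="pending", total=250.0)
    large = Order(2, created_by="alice", status="pending", total=4999.0)
    shipped = Order(3, created_by="alice", status="shipped", total=250.0)

    role_only = DEFAULT_ROLE_POLICIES + [CSR_ROLE_POLICY]
    resource_both = DEFAULT_RESOURCE_POLICIES + [CSR_RESOURCE_POLICY]

    return {
        "customer_cancels_own_pending":
            is_authorized(DEFAULT_ROLE_POLICIES, DEFAULT_RESOURCE_POLICIES, alice, "OrderCancel", small),
        "customer_cancels_own_shipped":
            is_authorized(DEFAULT_ROLE_POLICIES, DEFAULT_RESOURCE_POLICIES, alice, "OrderCancel", shipped),
        "csr_with_default_policies":
            is_authorized(DEFAULT_ROLE_POLICIES, DEFAULT_RESOURCE_POLICIES, carol, "OrderCancel", small),
        # Adding only the role-based policy is not enough: resource level still denies.
        "csr_with_role_policy_only":
            is_authorized(role_only, DEFAULT_RESOURCE_POLICIES, carol, "OrderCancel", small),
        "csr_with_both_policies_small_order":
            is_authorized(role_only, resource_both, carol, "OrderCancel", small),
        "csr_with_both_policies_large_order":
            is_authorized(role_only, resource_both, carol, "OrderCancel", large),
    }


if __name__ == "__main__":
    for scenario, decision in evaluate_scenarios().items():
        print(f"{scenario}: {'allowed' if decision else 'denied'}")
```

The "csr_with_role_policy_only" scenario is the one to note: granting the command to a new role is a denial until a matching resource-level policy exists, and the resource-level condition (pending status, total below $1000) is what bounds the new permission to the intended cases.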
- Define access control policy elements using XML
The Organization Administration Console allows you to make simple changes to access control policies and their parts. To make more sophisticated changes, edit the XML files directly, and then load them into the database.
- Load access control policy data
If you make policy changes by working directly with the XML files, you must load the changed XML files back into the database.
- Extract policy and access group definitions
The extraction process reads the access control policy and access group information in the database and generates files that capture the information in XML format. The extraction utility uses an input filter XML file to specify which data to extract from the database. You can extract all access group and policy data, all access group data, or all access group and policy data owned by a particular organization.
- Test access control policy changes
Each time you create or modify an access control policy, perform certain tests to verify that the policy is working correctly.
- Examples: Customizing access control policies using the Organization Administration Console
For all of these examples, it is assumed that a Site Administrator is modifying the policies for the Root Organization. Once you have stepped through some of the examples, you will be able to follow the same methodology to make changes not specifically covered here.