

Group resources by attributes

You may find that a resource policy based on class names needs to be more fine-grained than the default policies provided with WebSphere Commerce. An implicit resource group definition provides the flexibility to protect resources that are in a particular state. For example, to create a policy in which all users can run the OrderRead command on orders whose status is 'P' or 'E', you need to define a resource group as shown below.

Resource groups can be defined entirely by using the CONDITIONS column in the ACRESGRP table. The CONDITIONS column stores the XML document containing the constraints and attribute-value pairs used for grouping resources. This type of resource group is called an implicit resource group and is usually used when the class name of the resource is not sufficient. For example, if an access control policy applies to Order resources whose status is P (pending) or E (being edited by a customer service representative), a resource group can be defined for exactly those orders.

To group resources by attributes other than class name, the resource must implement the Groupable interface.

The following is an example of the Order resource group:

<ResourceGroup Name="OrderResourceGroupwithPEStatus"
               OwnerID="RootOrganization">
    <ResourceCondition>
        <![CDATA[
        <profile>
            <andListCondition>
                <orListCondition>
                    <simpleCondition>
                        <variable name="Status"/>
                        <operator name="="/>
                        <value data="P"/>
                    </simpleCondition>
                    <simpleCondition>
                        <variable name="Status"/>
                        <operator name="="/>
                        <value data="E"/>
                    </simpleCondition>
                </orListCondition>
                <simpleCondition>
                    <variable name="classname"/>
                    <operator name="="/>
                    <value data="com.ibm.commerce.order.objects.Order"/>
                </simpleCondition>
            </andListCondition>
        </profile>
        ]]>
    </ResourceCondition>
</ResourceGroup>

Where:

Name

The name of the resource group stored in the GRPNAME column of the ACRESGRP table.

OwnerID

The owner of the resource group. This must be the root organization.

<ResourceCondition>

Specifies the data that is loaded into the CONDITIONS column of the ACRESGRP table to define the resource group.

<![CDATA[...

Signifies a section of character data that is used exactly as it is typed.

<profile>

A required parameter for all resource conditions.

An essential component of the resource group definition is the <simpleCondition> element that has name="classname". This element identifies the Java class of the resource that the group applies to. The Java class com.ibm.commerce.order.objects.Order appears in the following example:

<simpleCondition>
    <variable name="classname"/>
    <operator name="="/>
    <value data="com.ibm.commerce.order.objects.Order"/>
</simpleCondition>

The following example specifies the condition on the com.ibm.commerce.order.objects.Order resource that the status must equal P.

<simpleCondition>
    <variable name="Status"/>
    <operator name="="/>
    <value data="P"/>
</simpleCondition>

In the preceding example, <variable name="value"/> names an attribute that is recognized by the getGroupingAttributeValue(String attributeName, GroupContext context) method on the resource. This method is part of the Groupable interface. For implicit resource group management within the Administration Console, the attribute should also be defined in the ACATTR table and associated with the resource in the ACRESATREL table. When the applicable policies for a given resource and action are determined, this condition is checked by calling the getGroupingAttributeValue(..) method, which in this case passes Status as the attributeName parameter.

The <orListCondition> element specifies that the conditions within its block are combined with a boolean OR. In this case, the status is either P or E. The <andListCondition> element specifies that the conditions within its block are combined with a boolean AND. In this case, (Classname = com.ibm.commerce.order.objects.Order) AND (Status = P OR Status = E).
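To make the AND/OR semantics concrete, here is an added Python evaluator (not part of WebSphere Commerce or of this page) that walks the <profile> document above and tests a resource's grouping attributes against it; the lookup callable and the dict-based resource are stand-ins for the Groupable interface.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <profile> document from this page's
# OrderResourceGroupwithPEStatus resource group (the CDATA contents).
CONDITIONS_XML = """
<profile>
  <andListCondition>
    <orListCondition>
      <simpleCondition>
        <variable name="Status"/>
        <operator name="="/>
        <value data="P"/>
      </simpleCondition>
      <simpleCondition>
        <variable name="Status"/>
        <operator name="="/>
        <value data="E"/>
      </simpleCondition>
    </orListCondition>
    <simpleCondition>
      <variable name="classname"/>
      <operator name="="/>
      <value data="com.ibm.commerce.order.objects.Order"/>
    </simpleCondition>
  </andListCondition>
</profile>
"""

def evaluate(node, lookup):
    """Evaluate one condition element. lookup(attribute_name) stands in for the
    resource's Groupable.getGroupingAttributeValue (a stand-in, not the product API)."""
    if node.tag in ("profile", "andListCondition"):
        return all(evaluate(child, lookup) for child in node)   # boolean AND
    if node.tag == "orListCondition":
        return any(evaluate(child, lookup) for child in node)   # boolean OR
    if node.tag == "simpleCondition":
        name = node.find("variable").get("name")
        operator = node.find("operator").get("name")
        expected = node.find("value").get("data")
        if operator != "=":
            raise ValueError(f"unsupported operator {operator!r}")  # only '=' is used on this page
        return lookup(name) == expected
    raise ValueError(f"unknown condition element <{node.tag}>")

def resource_matches(conditions_xml, resource):
    """resource: dict of grouping attributes (constructed stand-in for a Groupable bean)."""
    root = ET.fromstring(conditions_xml.strip())
    return evaluate(root, resource.get)
```

An attribute the resource cannot report (lookup returns None) never satisfies an '=' condition, so the policy simply does not apply to that resource; this is why the resource must implement Groupable for every attribute used in a condition.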

A sample attribute definition for populating the ACATTR table is shown in the following:

<Attribute Name="Status" Type="String">
</Attribute>

The Name value identifies the attribute, and the Type value identifies the data type of the attribute. Possible values of the attribute are:

The association of an attribute to a resource is specified within the Resource definition. For example, the Status attribute is associated with the OrderResourceCategory in the following example:

<ResourceCategory Name="com.ibm.commerce.order.objects.OrderResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.order.objects.Order">
    <ResourceAttributes Name="Status"
                        AttributeTableName="ORDERS"
                        AttributeColumnName="STATUS"
                        ResourceKeyColumnName="ORDERS_ID"/>
</ResourceCategory>

Where:

<ResourceAttributes>

The element that associates an attribute with a resource.

AttributeTableName

The name of the database table of the resource.

AttributeColumnName

The name of the column in the resource table that stores the attribute.

ResourceKeyColumnName

The name of the column in the resource table that stores the primary key.

