Modify the command-level access control for a controller command

Based on the default access control policies, the UserRegistrationAdminAddCmd command cannot be run by users who only have the Marketing Manager role. The following scenario describes the steps needed to modify the existing policies so that these users can run this command. Use the steps in this scenario and customize them to your own requirements.

All controller commands require a command-level access control policy, which has the ActionGroupName = ExecuteCommandActionGroup. It also must have a resource group that includes the interface name of the controller command. These policies usually refer to a specific role, for example, MarketingManagersExecuteMarketingManagerCmdResourceGroup.

<Policy Name="MarketingManagersExecuteMarketingManagerCmdResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="MarketingManagers"
        ActionGroupName="ExecuteCommandActionGroup"
        ResourceGroupName="MarketingManagerCmdResourceGroup"
        PolicyType="groupableStandard">
</Policy>

The preceding policy is one of the default policies that are loaded into the database during instance creation. For more information about the default policies, see Default access control policy groups.

In this case, if you want users with the Marketing Manager role to be able to execute the UserRegistrationAdminAddCmd command, you must add this command to the existing resource group used in the policy. Create your own XML file and do the following:


Procedure

  1. Redefine the ExecuteCommand action.

  2. Redefine com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd as a resource category.

  3. Associate the resource category with the required resource group, in this case MarketingManagerCmdResourceGroup.

  4. Copy the XML file to WC_INSTALL/xml/policies/xml. The following is an example of what the XML could look like:

    <?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
    <!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
    <Policies>

      <!-- Step 1: redefine the ExecuteCommand action -->
      <Action Name="ExecuteCommand" CommandName="Execute">
      </Action>

      <!-- Step 2: redefine the controller command interface as a resource category -->
      <ResourceCategory
          Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
          ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
        <ResourceAction Name="ExecuteCommand"/>
      </ResourceCategory>

      <!-- Step 3: associate the resource category with the existing resource group -->
      <ResourceGroup Name="MarketingManagerCmdResourceGroup"
          OwnerID="RootOrganization">
        <ResourceGroupResource
            Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
      </ResourceGroup>

    </Policies>
    

  5. Load the XML file into the database using the WC_INSTALL/bin/acpload script. For more information about loading the XML files, see Load access control policy data.

  6. Update the Access Control Policy Registry in the Administration Console:

    1. Log on to the Administration Console as a Site Administrator.

    2. Click Configuration > Registry. A list of registry components is displayed.

    3. From the list of registries, select Access Control Policies.

    4. Click Update.


Results

Users with the Marketing Manager role can now run the controller command, provided the command does not do any resource-level checking.
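A pre-load review of the custom policy file, as an added example that is not part of the original documentation or the product's tooling: it lists which user groups gain which command once the file is loaded, and flags resource group entries that point at an undefined resource category or carry stray whitespace in a name. The `review` function and the embedded sample XML (assembled from the snippets on this page) are constructed for illustration, and it assumes the existing policies are available as an XML export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the custom file from step 4 and the default policy quoted earlier.
CUSTOM = b"""<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
<Policies>
  <Action Name="ExecuteCommand" CommandName="Execute"/>
  <ResourceCategory Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
      ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
    <ResourceAction Name="ExecuteCommand"/>
  </ResourceCategory>
  <ResourceGroup Name="MarketingManagerCmdResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
  </ResourceGroup>
</Policies>"""
DEFAULTS = b"""<Policies>
  <Policy Name="MarketingManagersExecuteMarketingManagerCmdResourceGroup"
      OwnerID="RootOrganization" UserGroup="MarketingManagers"
      ActionGroupName="ExecuteCommandActionGroup"
      ResourceGroupName="MarketingManagerCmdResourceGroup" PolicyType="groupableStandard"/>
</Policies>"""

def review(custom_xml, policies_xml):
    """Return (grants, problems) for a custom policy file before it is loaded."""
    custom, known = ET.fromstring(custom_xml), ET.fromstring(policies_xml)
    # Resource categories that expose the ExecuteCommand action, keyed by name.
    cats = {c.get("Name"): c.get("ResourceBeanClass")
            for c in custom.iter("ResourceCategory")
            if any(a.get("Name") == "ExecuteCommand" for a in c.iter("ResourceAction"))}
    grants, problems = [], []
    for elem in custom.iter():
        for key, val in elem.attrib.items():
            if val != val.strip():  # e.g. a name wrapped onto the next line
                problems.append(f"{elem.tag}/@{key} has stray whitespace: {val!r}")
    for group in custom.iter("ResourceGroup"):
        policies = [p for p in known.iter("Policy")
                    if p.get("ResourceGroupName") == group.get("Name")
                    and p.get("ActionGroupName") == "ExecuteCommandActionGroup"]
        for ref in group.iter("ResourceGroupResource"):
            if ref.get("Name") not in cats:
                problems.append(f"{group.get('Name')}: undefined category {ref.get('Name')}")
                continue
            # Every policy on this resource group gains the command, not just one role.
            grants += [(p.get("UserGroup"), cats[ref.get("Name")]) for p in policies]
    return grants, problems

if __name__ == "__main__":
    for user_group, command in review(CUSTOM, DEFAULTS)[0]:
        print(f"{user_group} may execute {command}")
```

Run it against the full set of existing policies rather than a single one, so that any other policy sharing MarketingManagerCmdResourceGroup shows up in the grant list before the file is loaded with acpload.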

