Secure > Authorization > Customize default access control policies > Define access control policy elements using XML > Protect controller commands


Modify the resource-level access control of an existing policy

For commands that require resource level access control, they return the protected resources that they are going to access in the command's getResources() method. This triggers a resource level access control check by the WebSphere Commerce access control framework. WebSphere Commerce will search for an access control policy in the system with an Action Group that includes the action that is equal to the current command; in this example com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd. The policy's Resource Group must also include the resource that was returned in the getResources() method. In this case, the UserRegistrationAdminAddCmd command does implement the getResources() method and it returns the organization to which the new user is going to be registered.

By default, in defaultAccessControlPolicies.xml, com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd is already defined as an action:

<Action
Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"
       
CommandName="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
</Action>

It is also included in an action group, defined in the defaultAccessControlPolicies.xml XML file:

<ActionGroup Name="UserAdminRegistration"
OwnerID="RootOrganization"> 

       
<ActionGroupAction
Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"/>
</ActionGroup>

This action group is already used in an existing bootstrap policy:

<Policy
Name="MembershipAdministratorsForOrgExecuteUserAdminRegistrationCommandsOnOrganizationResource"
        OwnerID="RootOrganization"
        UserGroup="
MembershipAdministratorsForOrg"
        ActionGroupName="
UserAdminRegistration"
        ResourceGroupName="
OrganizationDataResourceGroup" 
        PolicyType="groupableTemplate"> 
</Policy>

Many polices are default polices and loaded into the database during instance creation.


Procedure

  1. Add the required role to the access group used by the policy. In this example, MembershipAdministratorsForOrg.

    This access group is defined in WC_INSTALL/xml/policies/xml/ACUserGroup_en_US.xml as follows:

    <UserGroup Name="
    MembershipAdministratorsForOrg" OwnerID="RootOrganization" 
       Description="Administrators of membership for the organization"
    MemberGroupID="-97">         
    <UserCondition><![ CDATA [ 
       
    <profile>           
    <orListCondition>             
    <simpleCondition>                
    <variable name="role"/>               
    <operator name="="/>               
    <value data="Buyer Administrator"/>                   
    <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                
    </simpleCondition>             
    <simpleCondition>                
    <variable name="role"/>               
    <operator name="="/>              
    <value data="Seller Administrator"/>                   
    <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                
    </simpleCondition>          
    </orListCondition>    
    </profile> 
    </UserCondition>
    </UserGroup>
    

    In the preceding XML example, users are included that have at least one of the specified roles, Buyer Administrator or Seller Administrator for an organization that is an ancestor of the owner of the resource (organization) returned by getResources(). If you wanted to add the Marketing Manager role, you would have to enhance it to also include the new role.

  2. Copy the XML file to WC_INSTALL/xml/policies/xml. The following is an example of what the XML could look like:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE UserGroups SYSTEM "../dtd/ACUserGroups_en_US.dtd"> 
    <UserGroups> 
    <UserGroup Name="MembershipAdministratorsForOrg"
    OwnerID="RootOrganization" 
        Description="Administrators of membership for the organization"
    MemberGroupID="-97">         
                   
    <UserCondition><![CDATA[
        
    <profile>           
    <orListConditio>             
    <simpleCondition>               
    <variable name="role"/>               
    <operator name="="/>               
    <value data="Buyer Administrator"/>                   
    <qualifier name="org" data="
    OrgAndAncestorOrgs"/>         
                
    </simpleCondition>             
    <simpleCondition>               
    <variable name="role"/>               
    <operator name="="/>               
    <value data="Seller Administrator"/>                   
    <qualifier name="org" data="
    OrgAndAncestorOrgs"/>         
                
    </simpleCondition>             
    <simpleCondition>                
    <variable name="role"/>               
    <operator name="="/>               
    <value data="Marketing Manager"/>                   
    <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                
    </simpleCondition>          
    </orListCondition>    
    </profile> 
    </UserCondition>
    </UserGroup>         
    </UserGroups>
    

  3. Load the XML file into the database using the WC_INSTALL/bin/acpload script. For more information about loading the XML files, see Load access control policy XML files.

  4. Update the Access Control Policy Registry in the Administration Console by doing the following:

    1. Open the Administration Console.

    2. Click Configuration > Registry. A list of registry components is displayed.

    3. From the list of registries, select Access Control Policies.

    4. Click Update.


+

Search Tips   |   Advanced Search