Implement access control
The resources that Web services act on are nouns, represented by the generated SDOs (Service Data Objects). The following is a brief overview of how access control policies work for BOD service modules.
For Get requests, the question is: can the current user, under the current context, run the XPath search expression that returns the data for a particular access profile?
This question is answered with an action, an action group, and a policy. Each access profile is defined by an action:
```xml
<Action Name="GetTutorialStore.MyCompany_Summary" CommandName="GetTutorialStore.MyCompany_Summary"/>
<Action Name="GetTutorialStore.MyCompany_Details" CommandName="GetTutorialStore.MyCompany_Details"/>
```
An action group lists the access profiles it grants:
```xml
<ActionGroup Name="BODTutorialStore-TutorialStore-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="GetTutorialStore.MyCompany_Summary"/>
</ActionGroup>
<ActionGroup Name="BODTutorialStore-TutorialStore-StoreManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="GetTutorialStore.MyCompany_Details"/>
</ActionGroup>
```
Finally, a policy that uses the action group is defined; the policy is what ties a user group to an action group and a resource group, and an action group grants nothing until a policy references it:
```xml
<Policy Name="BODTutorialStore-TutorialStore-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="BODTutorialStore-TutorialStore-AllUsers-AccessProfileActionGroup"
        ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
<Policy Name="BODTutorialStore-TutorialStore-StoreManagers-AccessProfilePolicy" OwnerID="RootOrganization"
        UserGroup="SiteAdministrators"
        ActionGroupName="BODTutorialStore-TutorialStore-StoreManagers-AccessProfileActionGroup"
        ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
```
Note that, as written, the StoreManagers policy is granted to the SiteAdministrators user group: the UserGroup attribute, not the policy name, decides who is covered.
The second question is: can the current user display the returned nouns? The access control filter performs this check after the nouns have been fetched, using the DisplayResourceAction action in the following action group:
```xml
<ActionGroup Name="BODTutorialStore-TutorialStore-AllUsers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayResourceAction"/>
</ActionGroup>
```
For Change, Sync, and Process requests, the question is: can the user, under the current context, perform the specified action on the specified noun?
Again, this is answered with an action, an action group, and a policy. Each operation on the noun is defined by an action:
```xml
<Action Name="DisplayResourceAction" CommandName="Display"/>
<Action Name="ChangeResourceAction" CommandName="Change"/>
<Action Name="OpenResourceAction" CommandName="Open"/>
<Action Name="CloseResourceAction" CommandName="Close"/>
```
An action group lists the actions it grants:
```xml
<ActionGroup Name="BODTutorialStore-TutorialStore-StoreManagers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="ChangeResourceAction"/>
  <ActionGroupAction Name="OpenResourceAction"/>
  <ActionGroupAction Name="CloseResourceAction"/>
</ActionGroup>
```
Finally, a policy using the action group is defined:
```xml
<Policy Name="BODTutorialStore-TutorialStore-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="BODTutorialStore-TutorialStore-AllUsers-AccessProfileActionGroup"
        ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
<Policy Name="BODTutorialStore-TutorialStore-StoreManagers-AccessProfilePolicy" OwnerID="RootOrganization"
        UserGroup="SiteAdministrators"
        ActionGroupName="BODTutorialStore-TutorialStore-StoreManagers-AccessProfileActionGroup"
        ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
```
The two policies listed here are the access-profile policies from the Get case. They reference only the AccessProfile action groups, so on their own they do not grant ChangeResourceAction, OpenResourceAction or CloseResourceAction to anyone: for the actions in BODTutorialStore-TutorialStore-StoreManagers-ActionGroup (and DisplayResourceAction in the AllUsers action group) to be permitted, a policy must reference that action group together with a resource group that covers the noun. When reviewing a policy file, check that every action group is named by at least one policy and that every policy names an action group that exists.
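The resolution order described above for both the Get and the Change/Sync/Process cases (policy to action group to action), as an added example in Python that is not part of the tutorial or of WebSphere Commerce. It parses a constructed copy of the Action, ActionGroup and Policy elements from this lesson, answers which policy lets a user group run a given action, and lints the file for action groups that no policy references and for dangling names. The root element `Policies`, the omitted DOCTYPE and the function names are assumptions made for the example; the runtime additionally matches the resource group and policy-group subscriptions, which this lint deliberately leaves out.

```python
"""Resolve and lint WebSphere Commerce access-control policy XML (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the elements shown in this lesson under an assumed root
# element. The real file also carries a DOCTYPE for the policies DTD.
SAMPLE_POLICY_XML = """
<Policies>
  <Action Name="GetTutorialStore.MyCompany_Summary" CommandName="GetTutorialStore.MyCompany_Summary"/>
  <Action Name="GetTutorialStore.MyCompany_Details" CommandName="GetTutorialStore.MyCompany_Details"/>
  <Action Name="DisplayResourceAction" CommandName="Display"/>
  <Action Name="ChangeResourceAction" CommandName="Change"/>
  <Action Name="OpenResourceAction" CommandName="Open"/>
  <Action Name="CloseResourceAction" CommandName="Close"/>
  <ActionGroup Name="BODTutorialStore-TutorialStore-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetTutorialStore.MyCompany_Summary"/>
  </ActionGroup>
  <ActionGroup Name="BODTutorialStore-TutorialStore-StoreManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetTutorialStore.MyCompany_Details"/>
  </ActionGroup>
  <ActionGroup Name="BODTutorialStore-TutorialStore-AllUsers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayResourceAction"/>
  </ActionGroup>
  <ActionGroup Name="BODTutorialStore-TutorialStore-StoreManagers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="ChangeResourceAction"/>
    <ActionGroupAction Name="OpenResourceAction"/>
    <ActionGroupAction Name="CloseResourceAction"/>
  </ActionGroup>
  <Policy Name="BODTutorialStore-TutorialStore-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="BODTutorialStore-TutorialStore-AllUsers-AccessProfileActionGroup"
          ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="BODTutorialStore-TutorialStore-StoreManagers-AccessProfilePolicy" OwnerID="RootOrganization"
          UserGroup="SiteAdministrators" ActionGroupName="BODTutorialStore-TutorialStore-StoreManagers-AccessProfileActionGroup"
          ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
</Policies>
"""


def load_policy_model(xml_text):
    """Return (actions, action_groups, policies) parsed from the policy XML."""
    root = ET.fromstring(xml_text)
    actions = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    action_groups = {
        g.get("Name"): [m.get("Name") for m in g.findall("ActionGroupAction")]
        for g in root.iter("ActionGroup")
    }
    policies = [dict(p.attrib) for p in root.iter("Policy")]
    return actions, action_groups, policies


def granting_policies(model, user_group, action_name):
    """Names of policies whose UserGroup matches and whose action group holds the action.

    Action side only: the resource group and policy-group subscription that the
    runtime also evaluates are not modelled here.
    """
    actions, action_groups, policies = model
    if action_name not in actions:
        raise KeyError(f"undefined action: {action_name}")
    return [
        p["Name"] for p in policies
        if p.get("UserGroup") == user_group
        and action_name in action_groups.get(p.get("ActionGroupName"), [])
    ]


def unreferenced_action_groups(model):
    """Action groups no policy names: their actions are never granted to anyone."""
    _, action_groups, policies = model
    used = {p.get("ActionGroupName") for p in policies}
    return sorted(g for g in action_groups if g not in used)


def dangling_references(model):
    """Policies pointing at missing action groups, and groups at missing actions."""
    actions, action_groups, policies = model
    problems = []
    for p in policies:
        if p.get("ActionGroupName") not in action_groups:
            problems.append(f"policy {p['Name']} -> missing action group {p.get('ActionGroupName')}")
    for group, members in action_groups.items():
        problems.extend(f"action group {group} -> missing action {m}" for m in members if m not in actions)
    return problems


if __name__ == "__main__":
    model = load_policy_model(SAMPLE_POLICY_XML)
    for ug, act in [("AllUsers", "GetTutorialStore.MyCompany_Summary"),
                    ("AllUsers", "GetTutorialStore.MyCompany_Details"),
                    ("SiteAdministrators", "ChangeResourceAction")]:
        print(f"{ug} / {act}: {granting_policies(model, ug, act) or 'DENIED'}")
    print("action groups no policy references:", unreferenced_action_groups(model))
    print("dangling references:", dangling_references(model))
```

Run against the sample, the lint reports both `-ActionGroup` groups as unreferenced, which is exactly why a Change request from a SiteAdministrators user would be denied with the policies shown: the Change/Open/Close actions are defined and grouped but never granted. Running this kind of check over the file before `acpload` catches the gap without a server round trip.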
The following diagram shows loading the access control policy XML in the context of the overall customization process:
Procedure
- Review the access control policy concepts provided in this lesson.
- Load the provided access control policy:
  - Stop the WebSphere Commerce test server.
  - Copy tempDir\BODTutorialStore-access-control.xml to WCDE_INSTALL\xml\policies\xml\, where tempDir is the temporary directory where you unzipped TutorialStore.zip.
  - In a command prompt, navigate to WCDE_INSTALL\bin.
  - Run the following command:
    acpload BODTutorialStore-access-control.xml
Lesson checkpoint
In this lesson we reviewed how access control policies are defined for the BOD programming model (actions, action groups, and the policies that bind them to user groups and resource groups), and loaded the sample access control policy XML file.