Implement access control

Resources that Web services act upon are actually nouns that are represented by generated SDOs. This lesson contains a brief overview of how access control policy works for BOD service modules.

For Get requests, the first question is: can the current user, under the current context, run the XPath search expression that returns data for a particular access profile? You answer this question with an action, an action group, and a policy. An access profile is defined by an action:

<Action Name="GetProject.MyCompany_Admin_Summary"
    CommandName="GetProject.MyCompany_Admin_Summary" />
<Action Name="GetProject.MyCompany_Store_Summary"
    CommandName="GetProject.MyCompany_Store_Summary" />

An action group contains all the access profiles the group can use:

<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup"
    OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Store_Summary" />
</ActionGroup>
<ActionGroup Name="Project-Project-ProjectManagers-AccessProfileActionGroup"
    OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary" />
</ActionGroup>

Finally, define a policy using the action group:

<!--  the all users access profile access control policy -->
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy"
    OwnerID="RootOrganization" UserGroup="AllUsers"
    ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
    ResourceGroupName="AccessProfileResourceGroup"
    PolicyType="groupableStandard" />
<!-- the project manager access profile access policy -->
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy"
    OwnerID="RootOrganization" UserGroup="RecipeManagers"
    ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
    ResourceGroupName="AccessProfileResourceGroup"
    PolicyType="groupableTemplate" />

The second question is: can the current user display the returned nouns? This check is performed by the access control filter after the nouns are retrieved, using the read and change actions in the following action group:

<!-- all users action group, which contains the read and change actions -->
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayResourceAction" />
    <ActionGroupAction Name="ChangeResourceAction" />
</ActionGroup>

For Change, Sync, and Process requests, the question is: can the user, under the current context, perform the specified action on the specified noun? Again, you answer this question with an action, an action group, and a policy. Each operation is defined by an action:

<!-- read action (Get request) -->
<Action Name="DisplayResourceAction" CommandName="Display" />
<!-- change action (Change request) -->
<Action Name="ChangeResourceAction" CommandName="Change" />
<!-- process actions (Process request) -->
<Action Name="AddResourceAction" CommandName="Add" />
<Action Name="DeleteResourceAction" CommandName="Delete" />
<Action Name="CreateResourceAction" CommandName="Create" />

An action group contains all the access profiles that the group can use:

<!-- project managers action group containing the process actions -->
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="AddResourceAction" />
    <ActionGroupAction Name="DeleteResourceAction" />
    <ActionGroupAction Name="CreateResourceAction" />
</ActionGroup>

Finally, define a policy using the action group:

<!-- the project manager creator policy -->
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy"
    OwnerID="RootOrganization" UserGroup="RecipeManagers"
    ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
    ResourceGroupName="Project-Project-ResourceGroup"
    RelationName="creator" PolicyType="groupableTemplate" />

For more information, see Access control in the BOD command framework.
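To make the action, action group, and policy relationships concrete, here is a small policy evaluator added for this lesson; it is not WebSphere Commerce code and does not reproduce the product's policy manager. It parses the same kind of Action, ActionGroup, and Policy elements shown above and answers both questions the lesson poses: whether a user may run an access profile (the Get check), and whether a user may act on a given noun (the display filter and the Change/Process check, including the creator relationship). It ignores policy types and organization scoping; user-group membership, resource-group membership, the creator relation, the resource name AccessProfile, and the policy Example-AllUsers-DisplayPolicy are all constructed for the example.

```python
"""Toy evaluator for the action / action group / policy model in this lesson.

Added example, not WebSphere Commerce code. Policy types and organization
scoping are ignored; group membership and the creator relation are plain
dictionaries constructed below.
"""
import xml.etree.ElementTree as ET

# Constructed policy document: the lesson's actions, action groups and policies,
# plus one constructed Display policy (Example-AllUsers-DisplayPolicy) so that
# the post-retrieval filter has a policy to evaluate.
POLICY_XML = """
<Policies>
  <Action Name="GetProject.MyCompany_Admin_Summary" CommandName="GetProject.MyCompany_Admin_Summary"/>
  <Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary"/>
  <Action Name="DisplayResourceAction" CommandName="Display"/>
  <Action Name="ChangeResourceAction" CommandName="Change"/>
  <Action Name="AddResourceAction" CommandName="Add"/>
  <Action Name="DeleteResourceAction" CommandName="Delete"/>
  <Action Name="CreateResourceAction" CommandName="Create"/>
  <ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Store_Summary"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-ProjectManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayResourceAction"/>
    <ActionGroupAction Name="ChangeResourceAction"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="AddResourceAction"/>
    <ActionGroupAction Name="DeleteResourceAction"/>
    <ActionGroupAction Name="CreateResourceAction"/>
  </ActionGroup>
  <Policy Name="Project-Project-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization" UserGroup="AllUsers"
      ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
      ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy" OwnerID="RootOrganization" UserGroup="RecipeManagers"
      ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
      ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableTemplate"/>
  <Policy Name="Example-AllUsers-DisplayPolicy" OwnerID="RootOrganization" UserGroup="AllUsers"
      ActionGroupName="Project-Project-AllUsers-ActionGroup"
      ResourceGroupName="Project-Project-ResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="Project-Project-ProjectManagers-CreatorPolicy" OwnerID="RootOrganization" UserGroup="RecipeManagers"
      ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
      ResourceGroupName="Project-Project-ResourceGroup" RelationName="creator" PolicyType="groupableTemplate"/>
</Policies>
"""


def load_policies(xml_text):
    """Resolve each <Policy> to the set of action names its action group grants."""
    root = ET.fromstring(xml_text)
    groups = {g.get("Name"): {a.get("Name") for a in g.findall("ActionGroupAction")}
              for g in root.findall("ActionGroup")}
    return [{
        "name": p.get("Name"),
        "user_group": p.get("UserGroup"),
        "actions": groups[p.get("ActionGroupName")],  # unknown group: fail loudly
        "resource_group": p.get("ResourceGroupName"),
        "relation": p.get("RelationName"),            # None unless e.g. "creator"
    } for p in root.findall("Policy")]


# Constructed membership data. "AccessProfile" is a placeholder name for the
# resource that AccessProfileResourceGroup protects.
USER_GROUPS = {"alice": {"AllUsers", "RecipeManagers"}, "bob": {"AllUsers"}}
RESOURCE_GROUPS = {
    "AccessProfileResourceGroup": {"AccessProfile"},
    "Project-Project-ResourceGroup": {"project:1001", "project:1002"},
}
CREATORS = {"project:1001": "alice", "project:1002": "bob"}
POLICIES = load_policies(POLICY_XML)


def is_authorized(policies, user, action, resource):
    """Deny by default; grant only if some policy matches on user group,
    action group, resource group and, when the policy names one, relationship."""
    for p in policies:
        if p["user_group"] not in USER_GROUPS.get(user, set()):
            continue
        if action not in p["actions"]:
            continue
        if resource not in RESOURCE_GROUPS.get(p["resource_group"], set()):
            continue
        if p["relation"] == "creator" and CREATORS.get(resource) != user:
            continue
        return True
    return False


def get_projects(policies, user, access_profile, retrieved):
    """Two-step Get: check the access profile first, then filter the nouns the
    search returned through the Display action."""
    if not is_authorized(policies, user, access_profile, "AccessProfile"):
        raise PermissionError(f"{user} may not run access profile {access_profile}")
    return [r for r in retrieved
            if is_authorized(policies, user, "DisplayResourceAction", r)]


if __name__ == "__main__":
    print(get_projects(POLICIES, "alice", "GetProject.MyCompany_Admin_Summary",
                       ["project:1001", "project:1002", "project:9999"]))
    print(is_authorized(POLICIES, "alice", "DeleteResourceAction", "project:1002"))
```

Running the module shows the two behaviours worth remembering: a noun that belongs to no resource group is dropped by the display filter even for a user who passed the access profile check, and the creator policy lets a Recipe Manager delete only projects that user created, so alice cannot delete bob's project:1002.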


Procedure

  1. Review the access control policy concepts provided in this lesson.

  2. On the Server page, right-click the WebSphere Commerce Test Server and select Publish.

  3. Create a new role "Recipe Manager" through Organization Administration Console.

  4. Add the Recipe Manager role to the following organizations:

  5. Load the access control policy:

    1. Stop the WebSphere Commerce test server.

    2. Copy tempDir\policies\xml\* to WCDE_INSTALL\xml\policies\xml\, where tempDir is the temporary directory where you unzipped RecipeServices.zip.

    3. At a command prompt, navigate to WCDE_INSTALL\bin.

    4. Run the following commands:

      acugload Project-UserGroup.xml
      acpload Project-access-control.xml

      The same commands with the database name, user, password, and schema passed explicitly:

      acugload development_db db_user db_password Project-UserGroup.xml db_schema
      acpload development_db db_user db_password Project-access-control.xml db_schema

  6. Import the provided ProtectableProxy class containing the authorization methods:

    1. In the Enterprise Explorer view, navigate to Project-Server/ejbModule and right-click the com.mycompany.commerce.project.facade.server.authorization package.

    2. Click Import. Expand General and select File System. Click Next.

    3. Browse to the temporary location where you unzipped RecipeServices.zip. Browse to the com.mycompany.commerce.project.facade.server.authorization folder.

    4. Select all files. Click Finish.

    5. Click Yes to All to overwrite the existing files.

In this lesson you reviewed how access control policies are defined for the BOD programming model, and loaded a sample access control policy XML file.
