Access control policies and policy group structure

Access control policies authorize access groups to perform particular actions on the resources of WebSphere Commerce, as long as the users in the access group satisfy a particular relationship with respect to the resource.

WebSphere Commerce provides over three hundred default access control policies that are loaded during instance creation. These policies cover a wide range of common business activities, including order creation and processing, and trading, such as request for quotes and contracts.


Access control policy groups

In order for an access control policy to be applied to the store or site, it must belong to an access control policy group, and that policy group must be subscribed to by the organization that owns the resource. By default, all access control policies provided with WebSphere Commerce are assigned to policy groups.

Although access control policy groups are owned by organizations, they are not automatically applied to the organization. An organization must subscribe to a policy group in order for the access control policies to apply to the organization. If the organization has child organizations, all policy groups the parent subscribes to are automatically applied to the child organizations. However, if the child organization subscribes directly to a policy group, the policy groups subscribed to by the parent organization no longer apply to the child.

In previous versions of WebSphere Commerce, a policy applied to all resources owned by the descendants of that policy's owner organization. For example, if Organization A had a certain policy and was the parent of Organization B, then Organization B implicitly had that policy as well. As of WebSphere Commerce 5.5, organizations can subscribe to policy groups. Now, if Organization B does not subscribe to any policy groups, the access control framework will begin searching up the organization hierarchy until it encounters an organization that subscribes to at least one policy group. If Organization B's immediate parent organization, Organization A, subscribes to a policy group, the searching stops, and the policies in Organization A's policy group are applied to Organization A and B. This can be seen in the following diagram.

If Organization A does not subscribe to a policy group, the search continues up the organization hierarchy, until an organization with a subscription is reached. This is seen in the following diagram where the Root Organization subscribes to a policy group. Organization B and Organization A inherit the policies in that group.

If Organization B subscribes to a policy group, the search stops at Organization B, and only the policies in the groups to which Organization B has subscribed apply to it, as shown in the following diagram.

Note: In terms of access control, ownership of resources has a special meaning. All resources must implement the com.ibm.commerce.security.Protectable interface. One of the methods on this interface is getOwner(), which returns the member ID of the owner of the resource. For example, the Order entity bean is a resource that is protected by having its remote interface extend the Protectable interface. The Order's implementation of getOwner() is such that a specific Order resource returns the owner of the store where the order was placed. For policies where the resource is a command, for example, com.ibm.commerce.command.ViewCommand, the default implementation of getOwner() is to return the owner of the store that is currently in the command context. If there is no store in the command context, then Root Organization is used as the owner.

The WebSphere Commerce access control structure is flexible enough to support all entities in the supported business models. The diagrams in the following sections demonstrate how access control is applied to a typical example of each business model.


Basic access control structure

The basic access control structure is installed during instance creation, regardless of the business model.

The root organization owns the following default policy groups:

However, the root organization only subscribes to the management and administration policy group. As a result, these policies apply to the site administrators, who are directly under the root.

The policies in the management and administration policy group do not apply to the default organization through inheritance, as the default organization subscribes to the guest shopper management policy group. In order for the management and administration policies to apply, the default organization must subscribe to the management and administration policy group explicitly.

The default organization owns the guest shopper management policy group.
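The subscription lookup described above (search up the organization hierarchy, stop at the first organization with a subscription, ignore ownership) and the basic structure in this section, modelled as an added example. This is not WebSphere Commerce code; the organization names and policy group names are taken from this page, and any extra group names used for illustration are constructed.

```python
# Added example (not WebSphere Commerce code): models how the access control
# framework decides which policy groups apply to an organization.
from typing import Dict, List, Optional


class Organization:
    def __init__(self, name: str, parent: Optional["Organization"] = None):
        self.name = name
        self.parent = parent
        self.owned_groups: List[str] = []       # groups this org owns (does not make them apply)
        self.subscribed_groups: List[str] = []  # groups this org subscribes to


def subscribe(org: Organization, group: str) -> None:
    """Subscribing directly cuts the organization off from its parent's groups."""
    if group not in org.subscribed_groups:
        org.subscribed_groups.append(group)


def effective_policy_groups(org: Organization) -> List[str]:
    """Walk up the hierarchy until an organization that subscribes to at least
    one policy group is found; its subscriptions, and only those, apply."""
    current: Optional[Organization] = org
    while current is not None:
        if current.subscribed_groups:
            return list(current.subscribed_groups)
        current = current.parent
    return []  # no subscription anywhere up to the root


def command_resource_owner(site: Dict[str, Organization],
                           store_owner: Optional[str]) -> Organization:
    """Default getOwner() for command resources, per the note above: the owner
    of the store in the command context, or Root Organization if there is none."""
    return site[store_owner] if store_owner else site["Root Organization"]


def build_sample_site() -> Dict[str, Organization]:
    """Constructed hierarchy mirroring the basic structure described on this page."""
    root = Organization("Root Organization")
    root.owned_groups = ["management and administration"]
    subscribe(root, "management and administration")
    default = Organization("Default Organization", parent=root)
    default.owned_groups = ["guest shopper management"]
    subscribe(default, "guest shopper management")  # so it does NOT inherit from root
    org_a = Organization("Organization A", parent=root)   # no subscription
    org_b = Organization("Organization B", parent=org_a)  # no subscription
    return {o.name: o for o in (root, default, org_a, org_b)}
```

Running `effective_policy_groups` over `build_sample_site()` shows Organization B resolving to the root's group until Organization A or B subscribes directly, at which point the root's group no longer applies to B.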

Each of the sample businesses in WebSphere Commerce includes the access control framework.
