Example: Allow only Buyer Administrators to modify orders

By default, all users are permitted to modify orders they have created, regardless of their position in their organization. In some cases, you may want only the organization's buyer administrator to have the authority to modify orders.

In this example, you will change a resource-level policy, as well as a role-based policy. To allow only buyer administrators to modify orders belonging to members of a buyer organization, you need to do the following:


Identify the resource-level policy

  1. Determine the resource-level policy to be changed. The policy is: AllUsersExecuteOrderWriteCommandsOnOrderResource.

  2. From the Organization Administration Console, click Access Management > Policies.

  3. For View, select Root Organization to display the policies that it owns.

  4. From the list of policies, select AllUsersExecuteOrderWriteCommandsOnOrderResource.

  5. Note the name of the policy's action group--OrderWriteCommands. We need to view this action group to find the name of the command for creating an order.


Change the access group

  1. Click Change to display the Change Policy page.

  2. For User Group, click Find and select Buyer Administrators.

  3. Click OK.

  4. For Relationship, select None.

  5. Update the policy's name, display name, and description to reflect the change of access group.

  6. Click OK.


Identify the commands for modifying orders

  1. Click Access Management > Action Groups.

  2. From the list of action groups, select OrderWriteCommands .

  3. Click Change to display the Change Action Group page. Make note of the names of the commands for modifying orders: 

      com.ibm.commerce.order.commands.OrderCancelCmd
com.ibm.commerce.order.commands.OrderCopyCmd-Write
com.ibm.commerce.order.commands.OrderUnlockCmd
com.ibm.commerce.orderitems.commands.OrderItemAddCmd
com.ibm.commerce.orderitems.commands.OrderItemDeleteCmd
com.ibm.commerce.orderitems.commands.OrderItemMoveCmd
com.ibm.commerce.orderitems.commands.OrderItemUpdate.Cmd
com.ibm.commerce.orderquotation.commands.OrderItemSelectCmd

    We must add these commands to the resource group containing the list of commands a buyer can execute.

    Note: When you add the command, com.ibm.commerce.order.commands.OrderCopyCmd-Write, to the resource group, it appears under Available Resources as com.ibm.commerce.order.commands.OrderCopyCmd.


Identify the role-based policy for the Buyer Administrator role

  1. Determine the role-based policy for buyer administrators. The policy is: BuyerAdministratorsExecuteBuyersAdministratorsCommands.

  2. Click Access Management > Policies.

  3. For View, select Root Organization to display the site-level policies.

  4. Locate the policy in the list.

  5. Make note of the name of the resource group-- BuyersAdministratorsCommmandsResourceGroup.

    This is the name of the resource group you need to update.


Update the resource group in the role-based policy to include the commands for modifying orders

  1. Click Access Management > Resource Groups.

  2. Select BuyersAdministratorsCommandsResourceGroup.

  3. Click Change to display the Change Resource Group page.

  4. Click Next to display the Details page.

  5. From the Available Resources list, select the commands for modifying orders: 

      com.ibm.commerce.order.commands.OrderCancelCmd
com.ibm.commerce.order.commands.OrderCopyCmd
com.ibm.commerce.order.commands.OrderUnlockCmd
com.ibm.commerce.orderitems.commands.OrderItemAddCmd
com.ibm.commerce.orderitems.commands.OrderItemDeleteCmd
com.ibm.commerce.orderitems.commands.OrderItemMoveCmd
com.ibm.commerce.orderitems.commands.OrderItemUpdate.Cmd
com.ibm.commerce.orderquotation.commands.OrderItemSelectCmd

  6. Click Add to add the command to the resource group.

  7. Click Finish.


Update the access control policy registry with our changes

  1. Open the Administration Console.

  2. Click Configuration > Registry.

  3. From the list of registries, select Access Control Policies.

  4. Click Update.