Customize default access control policies

The default access control policies provided by WebSphere Commerce address the basic requirements that organizations have for regulating the actions and information available to their users. Often, the default policies are sufficient for the site's needs. At the same time, the default policies are highly customizable, so that you can tailor them to your own requirements.

Any changes that you make to the default access control policies can be overwritten when you upgrade to a new release. To avoid losing your customizations, create your own new policies, member groups, action groups, resource groups, and other access control assets rather than editing the default ones. Remove from the site any default access control policies that do not satisfy your business requirements.


Task info

This topic provides information about how to make basic changes to the default access control policies included with WebSphere Commerce. It begins by introducing certain concepts and relationships you need to understand.

With access control, you can manage your business workflows and ensure that users can complete only the activities that are appropriate to their roles and responsibilities. WebSphere Commerce provides default policies that you can use for the site, together with the tools and capacity to customize those policies to suit your business needs.

The following examples show how simple modifications can customize access to your business environment. Each pair contrasts what users are allowed to do by default with what they are allowed to do after customization:

Default: Customers can self-register.
After customization: Only seller administrators can register new customers.

Default: Buyers can display RFQs that they created.
After customization: Only sellers can display RFQs if the RFQ resulted in a contract.

Default: Only customers can cancel orders that they created if the order is in pending state.
After customization: Customer Service Representatives can also cancel orders in pending state if the total product price is less than $1000.

Default: An order can be modified by the person who created it.
After customization: Only a user from the buyer organization with the role of purchaser can modify an order that has been created.

Default: Account representatives can display all accounts.
After customization: Account representatives can display only active accounts.

Default: Employees with the Logistics Manager role can create and modify fulfillment centers.
After customization: Employees with the Logistics Manager role can create but not modify fulfillment centers.
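The examples above all combine the same building blocks: a member group (who), an action group (which operations), a resource group (which objects), and optionally a relationship between user and resource (such as "created it") or a condition on the resource's attributes (such as a price limit). The following model, added here as an illustration and not WebSphere Commerce's own policy engine or policy XML format, shows how two of the customizations from the table are expressed by adding a new policy alongside a default one (the CSR cancel rule) and by replacing a default policy with a narrower action group (the Logistics Manager rule) rather than editing defaults in place. All role names, user IDs and order values are constructed sample data.

```python
"""Toy model of group-based access control policies.

Each policy grants an action group to a member group on a resource group,
optionally restricted by a relationship (user created the resource) and a
condition on the resource's attributes. This is an illustration of the
concepts, not the WebSphere Commerce implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    kind: str
    resource_id: str
    owner_id: str = ""          # who created the resource
    attrs: dict = field(default_factory=dict)


Predicate = Callable[[User, Resource], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    member_group: Callable[[User], bool]       # who the policy applies to
    action_group: frozenset                    # actions that are granted
    resource_group: Callable[[Resource], bool] # which resources it covers
    relationship: Optional[Predicate] = None   # e.g. user created the resource
    condition: Optional[Predicate] = None      # extra constraint, e.g. price cap


def is_permitted(policies, user, action, resource):
    """Grant-based evaluation: the action is allowed if any policy matches.

    Policies only grant; there is no deny, so removing a policy can only
    narrow access and adding one can only widen it.
    """
    for p in policies:
        if action not in p.action_group:
            continue
        if not p.member_group(user) or not p.resource_group(resource):
            continue
        if p.relationship is not None and not p.relationship(user, resource):
            continue
        if p.condition is not None and not p.condition(user, resource):
            continue
        return True
    return False


def has_role(role):
    return lambda u: role in u.roles


def created_by(u, r):
    return r.owner_id == u.user_id


def pending_order(r):
    return r.kind == "order" and r.attrs.get("status") == "pending"


def fulfillment_center(r):
    return r.kind == "fulfillment_center"


# Default: only the customer who created a pending order may cancel it.
CUSTOMER_CANCEL_OWN = Policy("CustomerCancelOwnPendingOrder",
                             has_role("Customer"), frozenset({"cancel"}),
                             pending_order, relationship=created_by)
# Default: Logistics Managers may create and modify fulfillment centers.
LM_CREATE_MODIFY = Policy("LogisticsManagerManageFC",
                          has_role("LogisticsManager"),
                          frozenset({"create", "modify"}), fulfillment_center)

# Customization 1: a new policy letting CSRs cancel pending orders under $1000.
CSR_CANCEL_SMALL = Policy("CSRCancelSmallPendingOrder",
                          has_role("CustomerServiceRepresentative"),
                          frozenset({"cancel"}), pending_order,
                          condition=lambda u, r: r.attrs.get("total", float("inf")) < 1000)
# Customization 2: a replacement policy whose action group drops "modify".
LM_CREATE_ONLY = Policy("LogisticsManagerCreateFC",
                        has_role("LogisticsManager"),
                        frozenset({"create"}), fulfillment_center)

DEFAULT_POLICIES = [CUSTOMER_CANCEL_OWN, LM_CREATE_MODIFY]
CUSTOM_POLICIES = [CUSTOMER_CANCEL_OWN, CSR_CANCEL_SMALL, LM_CREATE_ONLY]

# Constructed sample users and resources.
customer = User("cust1", frozenset({"Customer"}))
csr = User("csr1", frozenset({"CustomerServiceRepresentative"}))
logistics = User("lm1", frozenset({"LogisticsManager"}))
small_order = Resource("order", "o1", "cust1", {"status": "pending", "total": 250.0})
large_order = Resource("order", "o2", "cust1", {"status": "pending", "total": 4500.0})
shipped_order = Resource("order", "o3", "cust1", {"status": "shipped", "total": 100.0})
fc = Resource("fulfillment_center", "fc1")

if __name__ == "__main__":
    for label, pols in (("default", DEFAULT_POLICIES), ("custom", CUSTOM_POLICIES)):
        print(label, "CSR cancel small order:", is_permitted(pols, csr, "cancel", small_order))
        print(label, "CSR cancel large order:", is_permitted(pols, csr, "cancel", large_order))
        print(label, "LM modify FC:", is_permitted(pols, logistics, "modify", fc))
```

Because evaluation is grant-only, the safe way to narrow a default (the Logistics Manager case) is to leave the default policy out of the active set and add a narrower one, and the way to widen it (the CSR case) is to add a policy next to the default; neither edits the default object, so an upgrade that rewrites the defaults does not silently undo the customization.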

