Sample: Resource-level access control policy for a new entity bean

Sample: Resource-level access control policy for a new entity bean

The following XML file can act as a template for access control requirements when creating new entity beans. In the case of the following file, the new entity bean is called the Bonus bean, it corresponds to the XBONUS database table, and it gets used by the MyNewControllerCmd controller command. In this access control policy, only the creator of a bonus bean object can perform the MyNewControllerCmd action upon that object.
<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?> 
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="MyNewControllerCmd"
      CommandName="com.ibm.commerce.sample.commands.MyNewControllerCmd">
   </Action>
 
   <ResourceCategory Name="com.ibm.commerce.extension.objects.BonusResourceCategory"  
       ResourceBeanClass="com.ibm.commerce.extension.objects.Bonus" >
   
         <ResourceAction Name="MyNewControllerCmd" />
         </ResourceCategory>

   <ActionGroup Name="MyNewControllerCmdActionGroup"
      OwnerID="RootOrganization">
   <ActionGroupAction Name="MyNewControllerCmd"/>
   </ActionGroup>

   <ResourceGroup Name="BonusResourceGroup"  OwnerID="RootOrganization" >
      <ResourceGroupResource Name="com.ibm.commerce.extension.objects.
            BonusResourceCategory" />
   </ResourceGroup>
   <Policy Name="AllUsersUpdateBonusResourceGroup" 
      OwnerID="FashionFlowMemberId"
      UserGroup="AllUsers"
      UserGroupOwner="RootOrganization"
      ActionGroupName="MyNewControllerCmdActionGroup"
      ResourceGroupName="BonusResourceGroup" 
      RelationName="creator"
      PolicyType="groupableStandard">
   </Policy>
             
   <PolicyGroup Name="ManagementAndAdministrationPolicyGroup" 
         OwnerID="RootOrganization">
   
   <PolicyGroupPolicy        Name="AllUsersUpdateBonusResourceGroup" 
            PolicyOwnerID="FashionFlowMemberId" />
                        
   </PolicyGroup>

</Policies>
where FashionFlowMemberId is the member ID of the store in which the new resource is being used.
In the preceding access control policy, the interface name of the controller command is specified as the action, without fully-qualifying it with its package name. If your application has multiple interfaces with the same name, we must fully-qualify them with their package names when specifying them as actions in access control policies. As an example, if there was ambiguity with the interface names, the preceding access control policy would require changes, as follows (note, only changed lines are displayed and the modifications are shown in bold):
<Action Name="com.ibm.commerce.sample.commands.MyNewControllerCmd"
CommandName="com.ibm.commerce.sample.commands.MyNewControllerCmd">
.
.
.
<ResourceAction Name="com.ibm.commerce.sample.commands.MyNewControllerCmd" />
.
.
.
<ActionGroupAction Name="com.ibm.commerce.sample.commands.MyNewControllerCmd"/>
Related concepts
Understanding access control

Related tasks
Implementing access control
Creating an access control policy
Defining access control policy elements using XML

Related reference
Sample: Access control policies for development purposes