Role-based policies are also known as command-level policies because
they authorize users with a particular role to execute a set of commands.
Resource-level policies authorize a group of users to execute a set of commands
on a particular set of resources. For instance, a role-based policy might
authorize children to eat. While a resource-level policy might authorize children
eat rice.
You can usually determine whether a policy is a role-based policy or a
resource-level policy by looking at its name.
- Role-based policies
- Policies that define the controller commands that a role can execute follow
the naming convention:
- <AccessGroupforRoleXYZ> Execute <XYZCmdResourceGroup>
- For instance:
ProductManagersExecuteProductManagersCmdResourceGroup.
- In role-based policies for controller commands, the action group contains
a single entry called
Execute and the resource group contains
a list of WebSphere Commerce commands that users with that role can execute.
- Policies that define the views that a role can execute follow the naming
convention:
- <AccessGroupforRoleXYZ> Execute <XYZViews>
- For instance:
SalesManagersExecuteSalesManagersViews.
- The resource group contains a single resource called
com.ibm.commerce.command.ViewCommand.
- Resource-level policies
- Policies that define who can take actions on data resources (business
objects that can be created or manipulated) follow the naming convention:
- <AccessGroupXYZ> Execute <XYZCommands> On <XYZResource>
- For instance:
AllUsersExecuteOrderProcessOnOrderResource.
- In resource-level policies, the action group contains WebSphere Commerce
commands and the resource group identifies the specific business resources
that can be acted upon.
- One exception is policies that authorize the creation of an entity such
as an order, a bid, or an RFQ. These policies do not act on the entity itself
because it has not yet been created. Instead, they act on the containing entity.
For instance, an auction is created in the context of a store, a user is created
in the context of an organization. Most resources are created in the context
of a store. Consequently, these policies have names such as:
- <AccessGroupXYZs> Execute <XYZCommands> On <StoreEntityResource>
- For instance:
-
AuctionAdministratorsForOrgExecuteAuctionCreateCommandsOnStoreEntityResource
- Policies that define who can view DataBean resources (Data beans contain
information about data resources such as a bid or an order; usually used in
JSPs) follow the naming convention:
- <AccessGroupXYZs> Display <XYZDatabeanResourceGroup>
- For instance:
MembershipViewersForOrgDisplayMembershipDatabeanResourceGroup.