Grouping resources by attributes
You may find that a resource policy that is based on class names needs to be more fine-grained than the default policies provided with WebSphere Commerce. An implicit resource group definition provides the flexibility to protect resources that are in a particular state. For example, if you want to create a policy where all users can run the OrderRead command on orders that have status 'P' or 'E', then you will need to define a resource group as shown below.
About this task
CONDITIONS column in the ACRESGRP table.
The CONDITIONS column stores the XML document containing the constraints and attribute value pairs used for grouping resources. This type of resource group is called an implicit resource group, and is usually used when the class name of the resource is not sufficient. For example, if an access control policy applies to Order resources that have a status equal to P (pending) or E (editing by a customer service representative), a resource group can be defined for this. In order to group resources by attributes other than class name, the resource must implement the Groupable interface.
The following is an example of the Order resource group:
<ResourceGroup Name="OrderResourceGroupwithPEStatus"
               OwnerID="RootOrganization">
  <ResourceCondition>
    <![CDATA[
    <profile>
      <andListCondition>
        <orListCondition>
          <simpleCondition>
            <variable name="Status"/>
            <operator name="="/>
            <value data="P"/>
          </simpleCondition>
          <simpleCondition>
            <variable name="Status"/>
            <operator name="="/>
            <value data="E"/>
          </simpleCondition>
        </orListCondition>
        <simpleCondition>
          <variable name="classname"/>
          <operator name="="/>
          <value data="com.ibm.commerce.order.objects.Order"/>
        </simpleCondition>
      </andListCondition>
    </profile>
    ]]>
  </ResourceCondition>
</ResourceGroup>
Where:
- Name: The name of the resource group stored in the GRPNAME column of the ACRESGRP table.
- OwnerID: The owner of the resource group. This must be the root organization.
- <ResourceCondition>: Specifies the data that will be loaded to the CONDITIONS column of the ACRESGRP table, to define the resource group.
- <![CDATA[...: Signifies a section of character data that is used exactly as it is typed.
- <profile>: A required parameter for all resource conditions.
An essential component of the resource group definition is the <simpleCondition> element that has name="classname". This element identifies the Java class of the resource that the group applies to. The Java class, com.ibm.commerce.order.objects.Order, can be seen in the following example:
<simpleCondition>
  <variable name="classname"/>
  <operator name="="/>
  <value data="com.ibm.commerce.order.objects.Order"/>
</simpleCondition>
The following example specifies the condition on the com.ibm.commerce.order.objects.Order resource, that the status should equal P.
<simpleCondition>
  <variable name="Status"/>
  <operator name="="/>
  <value data="P"/>
</simpleCondition>
In the preceding example, the <variable name="value"/> element represents the attribute names recognized by the getGroupingAttributeValue(String attributeName, GroupContext context) method on the resource. This method is part of the Groupable interface. For the purposes of Implicit Resource Group management within the Administration Console, the attribute should also be defined in the ACATTR table and associated with the resource in the ACRESATREL table. When it is time to find the applicable policies for a given resource and action, this condition will be checked by calling the getGroupingAttributeValue(..) method, which in this case passes in Status as the attributeName parameter.
The <orListCondition> element specifies that the conditions within this block should be applied using a boolean OR. In this case, the status is either P or E.
The <andListCondition> element specifies that the conditions within this block should be applied using a boolean AND. In this case, (Classname = com.ibm.commerce.order.objects.Order) AND (Status = P OR Status = E).
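The AND/OR evaluation described above, as an added Python model for reviewing a resource group definition before it is loaded (not code from the original page or from WebSphere Commerce). It assumes the children of <profile> are ANDed and that the class name is supplied as a classname entry in the attribute dictionary; pins_class, a name introduced here, also rejects definitions where the classname condition could be bypassed through an OR branch.

```python
import xml.etree.ElementTree as ET

# Resource group from this page, embedded so the example runs offline.
GROUP_XML = """<ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
<ResourceCondition><![CDATA[<profile><andListCondition>
 <orListCondition>
  <simpleCondition><variable name="Status"/><operator name="="/><value data="P"/></simpleCondition>
  <simpleCondition><variable name="Status"/><operator name="="/><value data="E"/></simpleCondition>
 </orListCondition>
 <simpleCondition><variable name="classname"/><operator name="="/>
  <value data="com.ibm.commerce.order.objects.Order"/></simpleCondition>
</andListCondition></profile>]]></ResourceCondition></ResourceGroup>"""

def load_profile(group_xml):
    """Parse the <profile> document carried as CDATA in <ResourceCondition>."""
    cdata = ET.fromstring(group_xml).findtext("ResourceCondition")
    return ET.fromstring(cdata.strip())

def evaluate(node, attrs):
    """Evaluate a condition node against a dict of attribute values."""
    if node.tag in ("profile", "andListCondition"):
        return all(evaluate(child, attrs) for child in node)
    if node.tag == "orListCondition":
        return any(evaluate(child, attrs) for child in node)
    if node.tag != "simpleCondition":
        raise ValueError("unexpected element: " + node.tag)
    if node.find("operator").get("name") != "=":
        raise ValueError("only the '=' operator shown on this page is handled")
    name = node.find("variable").get("name")
    # A resource that does not expose the attribute never matches.
    return name in attrs and attrs[name] == node.find("value").get("data")

def pins_class(node):
    """True when every way of satisfying node requires a classname match."""
    if node.tag == "simpleCondition":
        return node.find("variable").get("name") == "classname"
    kids = [pins_class(child) for child in node]
    if node.tag == "orListCondition":
        return bool(kids) and all(kids)  # every OR branch must pin the class
    return any(kids)                     # profile / AND: one operand suffices

def in_group(group_xml, attrs):
    """Membership test that rejects definitions not tied to a class."""
    profile = load_profile(group_xml)
    if not pins_class(profile):
        raise ValueError("classname condition missing or bypassable via OR")
    return evaluate(profile, attrs)
```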
A sample attribute definition for populating the ACATTR table is shown in the following:
<Attribute Name="Status" Type="String">
</Attribute>
Name is a term that identifies the attribute, and Type identifies the data type of the attribute. Possible values for Type are:
- String
- Integer
- Double
- Currency
- Decimal
- URL
- Image
- Date
The association of an attribute to a resource is specified within the Resource definition. For example, the Status attribute is associated with the OrderResourceCategory in the following example:
<ResourceCategory
    Name="com.ibm.commerce.order.objects.OrderResourceCategory"
    ResourceBeanClass="com.ibm.commerce.order.objects.Order">
  <ResourceAttributes Name="Status"
      AttributeTableName="ORDERS"
      AttributeColumnName="STATUS"
      ResourceKeyColumnName="ORDERS_ID"/>
</ResourceCategory>
Where:
- <ResourceAttributes>: A block of code that associates an attribute with a resource.
- AttributeTableName: The name of the database table of the resource.
- AttributeColumnName: The name of the column in the resource table that stores the attribute.
- ResourceKeyColumnName: The name of the column in the resource table that stores the primary key.