Protecting views
Any view that is called directly from a URL, or that is launched as a redirect from another command, needs a role-based access control policy in order to be displayed.
About this task
The following example displays a role-based policy for views:
<Policy Name="ProductManagersExecuteProductManagersViews"
        OwnerID="RootOrganization"
        UserGroup="ProductManagers"
        ActionGroupName="ProductManagersViews"
        ResourceGroupName="ViewCommandResourceGroup"
        PolicyType="groupableStandard">
</Policy>
The ResourceGroup name, ViewCommandResourceGroup, indicates that this is a role-based policy for views. The policy states that users in the ProductManagers user group can display the views in the ProductManagersViews action group. Similarly, for most roles, there is a corresponding action group which groups the views that the role can access, such as Seller role -> Sellers access group -> SellersViews action group.
The following is an example of the ProductManagersViews action group:
<ActionGroup Name="ProductManagersViews"
             OwnerID="RootOrganization">
    <ActionGroupAction Name="ProductImageView"/>
    <ActionGroupAction Name="ProductManufacturerView"/>
    <ActionGroupAction Name="ProductSalesTaxView"/>
</ActionGroup>
The preceding example lists the three actions, ProductImageView, ProductManufacturerView, and ProductSalesTaxView, that can be performed in the ProductManagersViews action group.
The following is an example of the ProductImageView action definition:
<Action Name="ProductImageView"
CommandName="ProductImageView">
</Action>
The Name attribute, ProductImageView, is used as a tag for referencing the action elsewhere in the XML, such as when associating the action with an action group.
The view name in the Struts configuration files must match the CommandName in the action definition. The value of CommandName is stored in the ACTION column of the ACACTION table. The Name and CommandName attributes do not have to be the same.
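The chain described above (policy -> action group -> action -> CommandName -> Struts view name) breaks silently on a single misspelled name, so it is worth checking mechanically. The following is an added example, not part of the original documentation or the product: it assumes the fragments sit under a `<Policies>` root element and that the Struts view names are supplied as a plain list; the Sellers policy, the misspelled CommandName, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragments under an assumed <Policies> root, with two
# planted defects (a CommandName typo and a policy naming an undefined action group).
SAMPLE_POLICY_XML = """<Policies>
  <Action Name="ProductImageView" CommandName="ProductImageView"/>
  <Action Name="ProductManufacturerView" CommandName="ProductManufacturerView"/>
  <Action Name="ProductSalesTaxView" CommandName="ProductSalesTaxVeiw"/>
  <ActionGroup Name="ProductManagersViews" OwnerID="RootOrganization">
    <ActionGroupAction Name="ProductImageView"/>
    <ActionGroupAction Name="ProductManufacturerView"/>
    <ActionGroupAction Name="ProductSalesTaxView"/>
  </ActionGroup>
  <Policy Name="ProductManagersExecuteProductManagersViews" OwnerID="RootOrganization"
          UserGroup="ProductManagers" ActionGroupName="ProductManagersViews"
          ResourceGroupName="ViewCommandResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="SellersExecuteSellersViews" OwnerID="RootOrganization"
          UserGroup="Sellers" ActionGroupName="SellersViews"
          ResourceGroupName="ViewCommandResourceGroup" PolicyType="groupableStandard"/>
</Policies>"""
# View names as they would appear in the Struts configuration (constructed list).
SAMPLE_STRUTS_VIEWS = ["ProductImageView", "ProductManufacturerView", "ProductSalesTaxView"]

def audit_view_policies(policy_xml, struts_views):
    """Return (kind, subject, detail) findings for broken view-policy chains."""
    root = ET.fromstring(policy_xml)
    # Action Name (the XML tag) -> CommandName (must equal the Struts view name).
    actions = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    groups = {g.get("Name"): [m.get("Name") for m in g.iter("ActionGroupAction")]
              for g in root.iter("ActionGroup")}
    findings, covered = [], set()
    for policy in root.iter("Policy"):
        if policy.get("ResourceGroupName") != "ViewCommandResourceGroup":
            continue  # not a role-based view policy
        group = policy.get("ActionGroupName")
        if group not in groups:
            findings.append(("undefined-action-group", policy.get("Name"), group))
            continue
        for name in groups[group]:
            if name in actions:
                covered.add(actions[name])
            else:
                findings.append(("undefined-action", group, name))
    # A view whose name matches no covered CommandName has no policy allowing display.
    findings += [("view-without-policy", v, None) for v in struts_views if v not in covered]
    return findings

if __name__ == "__main__":
    for finding in audit_view_policies(SAMPLE_POLICY_XML, SAMPLE_STRUTS_VIEWS):
        print(finding)
```

Because Name and CommandName may differ, the check resolves each action group member through its Action definition and compares only the CommandName against the view list.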