Protecting views
Any view that is called directly from a URL, or that is launched as a redirect from another command, needs a role-based access control policy in order to be displayed.
About this task
The following example displays a role-based policy for views:
<Policy Name="ProductManagersExecuteProductManagersViews"
        OwnerID="RootOrganization"
        UserGroup="ProductManagers"
        ActionGroupName="ProductManagersViews"
        ResourceGroupName="ViewCommandResourceGroup"
        PolicyType="groupableStandard">
</Policy>
The ResourceGroup name, ViewCommandResourceGroup, indicates that this is a role-based policy for views. The policy states that users in the ProductManagers user group can display the views in the ProductManagersViews action group. Similarly, for most roles, there is a corresponding action group which groups the views that the role can access, such as Seller role -> Sellers access group -> SellersViews action group.
The following is an example of the ProductManagersViews action group:
<ActionGroup Name="ProductManagersViews"
             OwnerID="RootOrganization">
    <ActionGroupAction Name="ProductImageView"/>
    <ActionGroupAction Name="ProductManufacturerView"/>
    <ActionGroupAction Name="ProductSalesTaxView"/>
</ActionGroup>
The preceding example lists the three actions, ProductImageView, ProductManufacturerView, and ProductSalesTaxView, that can be performed in the ProductManagersViews action group.
The following is an example of the ProductImageView action definition:
<Action Name="ProductImageView"
CommandName="ProductImageView">
</Action>
The Name attribute, ProductImageView, is used as a tag for referencing the action elsewhere in the XML, such as when associating the action with an action group. The VIEW NAME in the Struts configuration files must match the CommandName in the action definition. The value of CommandName is stored in the ACTION column of the ACACTION table. The Name and CommandName attributes do not have to be the same.