Each time you create or modify an access control policy, you must
perform certain tests to verify that the policy is working correctly.
Procedure
- For each policy that you have created or modified, verify both of the following:
  - A user who belongs to the policy's access group is able to take the specified actions on the specified resources. If you have removed authorization to perform an action, also test that the user can no longer perform that action.
  - A user who does not belong to the policy's access group is unable to take the specified actions on the specified resources.
  For example, suppose you implement an Auction customization scenario in which you remove the ability of auction administrators to close auction bidding. To test whether this change is working properly, log in as a user who belongs to the auction administrator access group and perform the following actions:
  - Modify an auction.
  - Delete an auction.
  - Attempt to close bidding on an auction, and verify that the attempt fails: an Auction Administrator must no longer be able to close bidding.
  Then log in as a user who does not belong to the auction administrator access group and attempt the same actions. If the policy is working correctly, all of these attempts should fail.
- Once you have finished testing all your new and changed policies that are currently in the database, extract that information into XML files. These files have the same format as the initial access control policy related files: defaultAccessControlPolicies.xml, defaultAccessControlPolicies_locale.xml, and ACUserGroup_locale.xml. This step is necessary because changes made using the Organization Administration Console affect only the policy information stored in the database. The XML files that were used to load the default access control policies and their components during instance creation are not updated automatically, so until you extract them your changes exist only in the database. For more information, see Extracting policy and access group definitions.
What to do next
After a new policy has been created, it must be assigned to a policy group before it takes effect; a policy that is not in any policy group grants nothing. Assign the new policy to the policy group whose purpose matches that of the policy. For more information about the policy group names, see Default access control policy groups.
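The checks in the procedure above, together with the policy group requirement from What to do next, can be encoded as a repeatable allow/deny matrix. The following is an added example and is not code from the WebSphere Commerce documentation or product: it models policies, access groups and policy groups in memory so the auction scenario can be asserted rather than clicked through. Every policy, policy group, access group and user name in it (AuctionAdminsManageAuctions, AuctionPolicyGroup, AuctionAdministrators, alice, bob, and so on) is constructed for the example, and the evaluator is a simplified default-deny model, not the product's policy manager.

```python
"""Added example, not code from the WebSphere Commerce documentation.

A small in-memory model of access control policies, access groups and policy
groups, plus a positive/negative test matrix for the auction customization
scenario. Every policy, group and user name here is constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    access_group: str       # users in this access group are the policy's subjects
    actions: frozenset      # actions the policy allows
    resource_type: str      # resource type the actions apply to


@dataclass
class PolicyStore:
    policies: dict = field(default_factory=dict)       # policy name -> Policy
    policy_groups: dict = field(default_factory=dict)  # policy group -> set of policy names
    memberships: dict = field(default_factory=dict)    # user -> set of access groups

    def assign_to_policy_group(self, policy_name, policy_group):
        """A policy only takes effect once it belongs to a policy group."""
        if policy_name not in self.policies:
            raise KeyError(policy_name)
        self.policy_groups.setdefault(policy_group, set()).add(policy_name)

    def is_authorized(self, user, action, resource_type):
        """Grant only if an *assigned* policy covers (user's access group, action, resource)."""
        active = {name for names in self.policy_groups.values() for name in names}
        groups = self.memberships.get(user, set())
        for name in active:
            policy = self.policies[name]
            if (policy.access_group in groups
                    and action in policy.actions
                    and policy.resource_type == resource_type):
                return True
        return False  # default deny


def build_customized_store():
    """State after the customization: auction administrators may modify and
    delete auctions but no longer close bidding (CloseBidding was removed)."""
    store = PolicyStore()
    store.policies["AuctionAdminsManageAuctions"] = Policy(
        name="AuctionAdminsManageAuctions",
        access_group="AuctionAdministrators",
        actions=frozenset({"Modify", "Delete"}),   # "CloseBidding" removed
        resource_type="Auction",
    )
    store.assign_to_policy_group("AuctionAdminsManageAuctions", "AuctionPolicyGroup")
    store.memberships["alice"] = {"AuctionAdministrators"}
    store.memberships["bob"] = {"RegisteredCustomers"}  # not an auction administrator
    return store


# Constructed test matrix: (user, action, resource type, expected outcome)
AUCTION_CASES = [
    ("alice", "Modify", "Auction", True),         # member keeps the allowed actions
    ("alice", "Delete", "Auction", True),
    ("alice", "CloseBidding", "Auction", False),  # removed authorization must now fail
    ("bob", "Modify", "Auction", False),          # non-member: every attempt fails
    ("bob", "Delete", "Auction", False),
    ("bob", "CloseBidding", "Auction", False),
]


def run_matrix(store, cases):
    """Return the cases whose actual outcome differs from the expected one."""
    failures = []
    for user, action, resource, expected in cases:
        actual = store.is_authorized(user, action, resource)
        if actual != expected:
            failures.append((user, action, resource, expected, actual))
    return failures


def new_policy_has_no_effect_until_assigned():
    """Model the 'What to do next' rule: a newly created policy that is not yet
    in a policy group grants nothing, and starts granting once it is assigned."""
    store = build_customized_store()
    store.policies["AuctionAdminsCloseBidding"] = Policy(
        name="AuctionAdminsCloseBidding",
        access_group="AuctionAdministrators",
        actions=frozenset({"CloseBidding"}),
        resource_type="Auction",
    )
    before = store.is_authorized("alice", "CloseBidding", "Auction")
    store.assign_to_policy_group("AuctionAdminsCloseBidding", "AuctionPolicyGroup")
    after = store.is_authorized("alice", "CloseBidding", "Auction")
    return before, after


if __name__ == "__main__":
    print("matrix failures:", run_matrix(build_customized_store(), AUCTION_CASES))
    print("unassigned/assigned:", new_policy_has_no_effect_until_assigned())
```

An empty list from run_matrix means every positive and negative case behaved as expected; the negative rows are what catch a policy that was edited but still grants the removed action, and the unassigned-policy check catches the case where a new policy looks correct in the database but is not yet in any policy group.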