Sample: Resource-level access control policy for a new entity bean

The following XML file can act as a template for access control requirements when you create new entity beans. In the case of the following file, the new entity bean is called the Bonus bean, it corresponds to the XBONUS database table, and it gets used by the MyNewControllerCmd controller command. In this access control policy, only the creator of a bonus bean object can perform the MyNewControllerCmd action upon that object.


<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?> 
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="MyNewControllerCmd"
      CommandName="com.ibm.commerce.sample.commands.MyNewControllerCmd">
   </Action>
 
   <ResourceCategory Name="com.ibm.commerce.extension.objects.BonusResourceCategory"  
       ResourceBeanClass="com.ibm.commerce.extension.objects.Bonus" >
   
         <ResourceAction Name="MyNewControllerCmd" />
         </ResourceCategory>

   <ActionGroup Name="MyNewControllerCmdActionGroup"
      OwnerID="RootOrganization">
   <ActionGroupAction Name="MyNewControllerCmd"/>
   </ActionGroup>

   <ResourceGroup Name="BonusResourceGroup"  OwnerID="RootOrganization" >
      <ResourceGroupResource Name="com.ibm.commerce.extension.objects.
            BonusResourceCategory" />
   </ResourceGroup>
   <Policy Name="AllUsersUpdateBonusResourceGroup" 
      OwnerID="FashionFlowMemberId"
      UserGroup="AllUsers"
      UserGroupOwner="RootOrganization"
      ActionGroupName="MyNewControllerCmdActionGroup"
      ResourceGroupName="BonusResourceGroup" 
      RelationName="creator"
      PolicyType="groupableStandard">
   </Policy>
             
   <PolicyGroup Name="ManagementAndAdministrationPolicyGroup" 
         OwnerID="RootOrganization">
   <!-- Define policies in this policy group -->
   <PolicyGroupPolicy        Name="AllUsersUpdateBonusResourceGroup" 
            PolicyOwnerID="FashionFlowMemberId" />
                        
   </PolicyGroup>

</Policies>

where FashionFlowMemberId is the member ID of the store in which the new resource is being used.

In the preceding access control policy, the interface name of the controller command is specified as the action, without fully-qualifying it with its package name. If your application has multiple interfaces with the same name, you must fully-qualify them with their package names when specifying them as actions in access control policies. As an example, if there was ambiguity with the interface names, the preceding access control policy would require changes, as follows (note, only changed lines are displayed and the modifications are shown in bold):


<Action Name="com.ibm.commerce.sample.commands.MyNewControllerCmd"
CommandName="com.ibm.commerce.sample.commands.MyNewControllerCmd">
.
.
.
<ResourceAction Name="com.ibm.commerce.sample.commands.MyNewControllerCmd" />
.
.
.
<ActionGroupAction Name="com.ibm.commerce.sample.commands.MyNewControllerCmd"/>