IBM Gift Center access control
Access control for the IBM Gift Center is defined in the GRUSERAUTH database table, under the GIFTREGISTRYID, PASSWORD, and TYPE columns. A user will not be granted access if a relationship is not set. The access control policies must define each role's access level for a gift registry. For example, a gift registrant may have different access levels from a co-registrant, and this relationship must be defined in the access control policies.
You should also be familiar with the following methods when dealing with access control:
- getResources() method:
  - This method is similar to getDelegate(), but focuses on the command level.
  - Each protected task command and data bean must implement the getResources() method.
  - The method returns a vector (called AccessVector) of access beans (this is always GiftRegistryAccessBean) that can be used to check access.
  - Relationships are updated by an authentication command.
  - By default, only the site administrator has access to work with gift registries.
  - If a null or empty vector is returned, this level of checking is bypassed.
  - The returned access bean should implement Protectable, so that the getResource() method can set the user relationship, and the fulfills() method can check the access control levels for each user type until one is approved.
- getDelegate():
  - This method is similar to getResources(), but focuses on the data bean level; that is, it performs access control on itself, like the GiftRegistryItemDataBean.
  - The method delegates to another data bean, or uses DataBeanManager to activate another bean, so that the activated bean will be access controlled by the bean manager.
- fulfills() in AccessHelper:
  - This method is called multiple times, each time for a relationship that is not fulfilled.
  - All relationships are specified in access control policy files, and used in the GiftRegistryUserAuthenticateCmd command.
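The following added example (not IBM's code and not part of the original page) models the resource-level check described above: an empty or null vector skips the check, and otherwise fulfills() is tried for each policy relationship until one is approved. The types `ProtectableResource`, `RegistryResource`, `Outcome`, the `check()` helper, the member IDs and the relationship names are simplified, hypothetical stand-ins, not the product's classes or data.

```java
import java.util.*;

// Simplified stand-ins for illustration only; these are not the WebSphere Commerce classes.
public class ResourceCheckSketch {
    interface ProtectableResource {
        boolean fulfills(long memberId, String relationship);
    }

    // Models a gift registry whose user relationships were set by an authentication step.
    static class RegistryResource implements ProtectableResource {
        private final Map<Long, String> relationshipByMember = new HashMap<>();
        void setRelationship(long memberId, String relationship) {
            relationshipByMember.put(memberId, relationship);
        }
        public boolean fulfills(long memberId, String relationship) {
            return relationship.equals(relationshipByMember.get(memberId));
        }
    }

    enum Outcome { ALLOWED, DENIED, RESOURCE_CHECK_SKIPPED }

    // policyRelationships: the relationships a (constructed) policy accepts for the action.
    static Outcome check(long memberId, List<? extends ProtectableResource> resources,
                         List<String> policyRelationships) {
        if (resources == null || resources.isEmpty()) {
            return Outcome.RESOURCE_CHECK_SKIPPED;    // no per-registry check takes place
        }
        for (ProtectableResource r : resources) {
            boolean approved = false;
            for (String rel : policyRelationships) {  // called once per relationship
                if (r.fulfills(memberId, rel)) { approved = true; break; }
            }
            if (!approved) return Outcome.DENIED;     // no relationship set: no access
        }
        return Outcome.ALLOWED;
    }

    public static void main(String[] args) {
        RegistryResource registry = new RegistryResource();
        registry.setRelationship(1001L, "co-registrant");    // constructed sample data
        List<String> policy = List.of("registrant", "co-registrant");

        System.out.println(check(1001L, List.of(registry), policy)); // relationship set
        System.out.println(check(2002L, List.of(registry), policy)); // no relationship
        System.out.println(check(2002L, List.of(), policy));         // empty vector
    }
}
```

The `RESOURCE_CHECK_SKIPPED` outcome is the case to look for when reviewing custom commands and data beans: a getResources() implementation that returns null or an empty vector receives no per-registry relationship check at this level.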