Content versioning access control
The content version services operate on all nouns that are enabled for versioning. Access control policies limit which users can call the content version services for a particular noun or group of nouns. The content version noun versions another noun. For example, the access control policy for a version ensures that only the Catalog Manager can manage versions of the Catalog object type: the Catalog Manager has the authority to create, delete, restore, change, and display versions of Catalog objects, but does not have authority to perform the same actions on Marketing objects.
For content version services, we want to answer the question: Can the current user perform the content version actions on the specified object types?
- Create the action. An access profile is defined by an action:
    <Action Name="DisplayResourceAction" CommandName="Display"/>
    <Action Name="CreateResourceAction" CommandName="Create"/>
    <Action Name="DeleteResourceAction" CommandName="Delete"/>
    <Action Name="RestoreResourceAction" CommandName="Restore"/>
    <Action Name="ChangeResourceAction" CommandName="Change"/>
  The preceding actions are predefined for the content version create, delete, restore, change, and display services in the following file: WCDE_installdir\components\foundation\xml\policies\xml\ContentAccessControlPolicies.xml.
- Create an action group that contains all the access profiles the group can use. The following code snippet for the Catalog-ContentVersion-CatalogManagers-ActionGroup action group provides access to the content version services for create, delete, restore, change, and display:
    <ActionGroup Name="Catalog-ContentVersion-CatalogManagers-ActionGroup" OwnerID="RootOrganization">
      <ActionGroupAction Name="DisplayResourceAction"/>
      <ActionGroupAction Name="CreateResourceAction"/>
      <ActionGroupAction Name="DeleteResourceAction"/>
      <ActionGroupAction Name="RestoreResourceAction"/>
      <ActionGroupAction Name="ChangeResourceAction"/>
    </ActionGroup>
- Create a resource group that filters the content versions down to the subset that the business user can access. A resource group definition provides the flexibility to protect resources of a particular state. If you want to create a policy in which users can access the content version services of a particular object type, you must define a resource group. For example, Catalog Managers can create version objects for the Catalog, CatalogGroup, and CatalogEntry object types; you do this by defining a resource group that contains a resource condition that filters on the ObjectType in the ContentVersion noun. The following code snippet of the Catalog-ContentVersion-ResourceGroup resource group limits the specified actions to the Catalog, CatalogGroup, and CatalogEntry object types, as shown:
    <ResourceGroup Name="Catalog-ContentVersion-ResourceGroup" OwnerID="RootOrganization">
      <ResourceCondition>
        <![CDATA[
        <profile>
          <andListCondition>
            <orListCondition>
              <simpleCondition>
                <variable name="ObjectType"/>
                <operator name="="/>
                <value data="Catalog"/>
              </simpleCondition>
              <simpleCondition>
                <variable name="ObjectType"/>
                <operator name="="/>
                <value data="CatalogGroup"/>
              </simpleCondition>
              <simpleCondition>
                <variable name="ObjectType"/>
                <operator name="="/>
                <value data="CatalogEntry"/>
              </simpleCondition>
            </orListCondition>
            <simpleCondition>
              <variable name="classname"/>
              <operator name="="/>
              <value data="com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy"/>
            </simpleCondition>
          </andListCondition>
        </profile>
        ]]>
      </ResourceCondition>
    </ResourceGroup>
An essential component of the resource group definition is the <simpleCondition> element whose <variable> has name="classname". This element identifies the Java class of the resource that the group applies to. The Java class, com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy, can be seen in the following example:
    <simpleCondition>
      <variable name="classname"/>
      <operator name="="/>
      <value data="com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy"/>
    </simpleCondition>
The following example specifies the condition on the com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy resource that the ObjectType equals Catalog:
    <simpleCondition>
      <variable name="ObjectType"/>
      <operator name="="/>
      <value data="Catalog"/>
    </simpleCondition>
When a content version request is received, access control first checks whether the user has access to the particular content version service (such as create, restore, or delete). If the user has access to that service, the content version noun that is specified in the request is looked up in the database and its object type is compared against the ObjectType values listed in the resource group (Catalog, CatalogGroup, CatalogEntry). Finally, create a policy that ties the user group to the action group and the resource group.
The following sample policy allows users in the CatalogManagersForOrg user group to access content version services for the Catalog, CatalogGroup, and CatalogEntry nouns:
    <Policy Name="Catalog-ContentVersion-CatalogManagers-Policy"
            OwnerID="RootOrganization"
            UserGroup="CatalogManagersForOrg"
            ActionGroupName="Catalog-ContentVersion-CatalogManagers-ActionGroup"
            ResourceGroupName="Catalog-ContentVersion-ResourceGroup"
            PolicyType="groupableTemplate" />
Where:
- Name
- The name of the policy.
- OwnerID
- The organization for which the policy applies.
- UserGroup
- The access group.
- ActionGroupName
- The action group.
- ResourceGroupName
- The resource group.
- PolicyType
- The type of policy, such as groupable standard or groupable template.
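To make the evaluation sequence above concrete, here is an added Python example (not IBM's code) that loads a constructed copy of this page's action group, resource group and policy and applies the default-deny check in order: user group, then action group membership, then the resource condition on ObjectType and classname. The flat attribute dictionary that stands in for the looked-up content version noun is an assumption; the product evaluates the condition against a protectable proxy object.

```python
import xml.etree.ElementTree as ET

PROXY = "com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy"
# Constructed sample that mirrors the page's action group, resource group and policy.
POLICIES = """<Policies>
<ActionGroup Name="Catalog-ContentVersion-CatalogManagers-ActionGroup" OwnerID="RootOrganization">
 <ActionGroupAction Name="DisplayResourceAction"/><ActionGroupAction Name="CreateResourceAction"/>
 <ActionGroupAction Name="DeleteResourceAction"/><ActionGroupAction Name="RestoreResourceAction"/>
 <ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup>
<ResourceGroup Name="Catalog-ContentVersion-ResourceGroup" OwnerID="RootOrganization">
 <ResourceCondition><![CDATA[<profile><andListCondition><orListCondition>
 <simpleCondition><variable name="ObjectType"/><operator name="="/><value data="Catalog"/></simpleCondition>
 <simpleCondition><variable name="ObjectType"/><operator name="="/><value data="CatalogGroup"/></simpleCondition>
 <simpleCondition><variable name="ObjectType"/><operator name="="/><value data="CatalogEntry"/></simpleCondition>
 </orListCondition><simpleCondition><variable name="classname"/><operator name="="/>
 <value data="com.ibm.commerce.content.facade.server.authorization.ContentVersionTypeProtectableProxy"/>
 </simpleCondition></andListCondition></profile>]]></ResourceCondition>
</ResourceGroup>
<Policy Name="Catalog-ContentVersion-CatalogManagers-Policy" OwnerID="RootOrganization"
 UserGroup="CatalogManagersForOrg" ActionGroupName="Catalog-ContentVersion-CatalogManagers-ActionGroup"
 ResourceGroupName="Catalog-ContentVersion-ResourceGroup" PolicyType="groupableTemplate"/>
</Policies>"""
ROOT = ET.fromstring(POLICIES)


def evaluate(cond, attrs):
    """Recursively evaluate a <profile> condition tree against flat request attributes (assumed model)."""
    if cond.tag in ("profile", "andListCondition"):
        return all(evaluate(c, attrs) for c in cond)
    if cond.tag == "orListCondition":
        return any(evaluate(c, attrs) for c in cond)
    if cond.tag == "simpleCondition":
        if cond.find("operator").get("name") != "=":  # only "=" appears on the page
            raise ValueError("unsupported operator")
        return attrs.get(cond.find("variable").get("name")) == cond.find("value").get("data")
    raise ValueError(f"unknown condition element {cond.tag}")


def is_allowed(user_groups, action, attrs):
    """Default deny: a policy must match the user group, the action group and the resource group."""
    for pol in ROOT.iter("Policy"):
        if pol.get("UserGroup") not in user_groups:
            continue
        ag = ROOT.find(f"ActionGroup[@Name='{pol.get('ActionGroupName')}']")
        if ag is None or ag.find(f"ActionGroupAction[@Name='{action}']") is None:
            continue  # this policy does not grant the requested content version service
        rg = ROOT.find(f"ResourceGroup[@Name='{pol.get('ResourceGroupName')}']")
        if evaluate(ET.fromstring(rg.find("ResourceCondition").text), attrs):
            return True  # ObjectType and classname both satisfy the resource condition
    return False
```

A request for a Marketing object, or from a user outside CatalogManagersForOrg, is denied because no policy matches all three parts.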