Implementing access control
Resources that web services act upon are actually
nouns that are represented by generated SDOs. This lesson contains
a brief overview of how access control policy works for BOD service
modules.
About this task
<Action Name="GetProject.MyCompany_Admin_Summary"
CommandName="GetProject.MyCompany_Admin_Summary" />
<Action Name="GetProject.MyCompany_Store_Summary"
CommandName="GetProject.MyCompany_Store_Summary" />
An action group contains all the access profiles the group can use:
<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup"
OwnerID="RootOrganization">
<ActionGroupAction Name="GetProject.MyCompany_Store_Summary" />
</ActionGroup>
<ActionGroup
Name="Project-Project-ProjectManagers-AccessProfileActionGroup"
OwnerID="RootOrganization">
<ActionGroupAction Name="GetProject.MyCompany_Admin_Summary" />
</ActionGroup>
Finally, define a policy using the action group:
<!-- the all users access profile access control policy -->
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy"
OwnerID="RootOrganization" UserGroup="AllUsers"
ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
ResourceGroupName="AccessProfileResourceGroup"
PolicyType="groupableStandard" />
<!-- the project manager access profile access policy -->
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy"
OwnerID="RootOrganization" UserGroup="RecipeManagers"
ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
ResourceGroupName="AccessProfileResourceGroup"
PolicyType="groupableTemplate" />
To display the returned nouns from the Get request, a check is performed after the nouns are retrieved by the access control filter.
<!-- all user action group which contains read and change actions -->
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="DisplayResourceAction"/>
<ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup>
For Change, Sync, and Process requests, you can perform an action on the specified noun using an action, an action group, and a policy. An access profile is defined by an action:
<!-- read action (Get request) -->
<Action Name="DisplayResourceAction" CommandName="Display"/>
<!-- change action (Change request) -->
<Action Name="ChangeResourceAction" CommandName="Change"/>
<!-- process actions (Process request) -->
<Action Name="AddResourceAction" CommandName="Add"/>
<Action Name="DeleteResourceAction" CommandName="Delete"/>
<Action Name="CreateResourceAction" CommandName="Create"/>
An action group contains all the access profiles that the group can use:
<!-- all project managers action group process action -->
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="AddResourceAction"/>
<ActionGroupAction Name="DeleteResourceAction"/>
<ActionGroupAction Name="CreateResourceAction"/>
</ActionGroup>
Finally, define a policy using the action group:
<!-- the project manager creator policy -->
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy"
OwnerID="RootOrganization" UserGroup="RecipeManagers"
ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
ResourceGroupName="Project-Project-ResourceGroup"
RelationName="creator" PolicyType="groupableTemplate" />
Note: For more information, see Access control in the BOD command framework.
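To review what a policy file actually grants, the chain Policy -> ActionGroup -> Action -> CommandName can be resolved mechanically. The following Python script is an added example, not part of the original page or of the product; the audit function name and the `<Policies>` wrapper element around the page's snippets are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Snippets from this page inside a constructed <Policies> wrapper (an assumption).
SAMPLE = """<Policies>
<Action Name="DisplayResourceAction" CommandName="Display"/>
<Action Name="ChangeResourceAction" CommandName="Change"/>
<Action Name="AddResourceAction" CommandName="Add"/>
<Action Name="DeleteResourceAction" CommandName="Delete"/>
<Action Name="CreateResourceAction" CommandName="Create"/>
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="DisplayResourceAction"/>
<ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup>
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="AddResourceAction"/>
<ActionGroupAction Name="DeleteResourceAction"/>
<ActionGroupAction Name="CreateResourceAction"/>
</ActionGroup>
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy" OwnerID="RootOrganization"
 UserGroup="RecipeManagers" ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
 ResourceGroupName="Project-Project-ResourceGroup" RelationName="creator" PolicyType="groupableTemplate"/>
</Policies>"""

def audit(xml_text):
    root = ET.fromstring(xml_text)  # use only on trusted policy files
    # iter("Action") matches <Action> elements only, not <ActionGroupAction>
    commands = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    groups = {g.get("Name"): [m.get("Name") for m in g.iter("ActionGroupAction")]
              for g in root.iter("ActionGroup")}
    grants, problems, used = [], [], set()
    for p in root.iter("Policy"):
        group = p.get("ActionGroupName")
        used.add(group)
        if group not in groups:
            problems.append(f"policy {p.get('Name')}: unknown action group {group}")
            continue
        for action in groups[group]:
            if action in commands:
                grants.append((p.get("UserGroup"), commands[action],
                               p.get("ResourceGroupName"), p.get("RelationName")))
            else:
                problems.append(f"action group {group}: undefined action {action}")
    problems += [f"action group {n}: not referenced by any policy" for n in groups if n not in used]
    return grants, problems

if __name__ == "__main__":
    grants, problems = audit(SAMPLE)
    print(*grants, *problems, sep="\n")
```

On the snippets shown here it reports three creator-scoped grants for RecipeManagers and flags Project-Project-AllUsers-ActionGroup, because no policy on this page references that group.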