Example: Permitting only Buyers to create orders
By default, all users are permitted to create orders for products, regardless of their position in their organization. In some cases, you may want to limit the ability to create orders to a restricted group of users, such as the employees of the buying organization. Typically, these employees are assigned the Buyer (buy-side) role for the buying organization.
To limit order creation to users with the Buyer
role, you need to do the
following:
- Determine the resource-level policy that specifies who can create an order.
- Change the policy's access group from all users to those with the
Buyer
role. - Update the policy's name, display name, and description.
- Identify the command for creating orders.
- Determine the role-based policy for Buyer (buy-side). This policy defines the commands that users with the Buyer (buy-side) role can execute. You must update this policy's resource group to permit buyers to execute the command for creating orders.
- Update this role-based policy's resource group to include the commands for creating orders.
Identify the resource-level policy
- Determine the resource-level policy to be changed. The policy is:
AllUsersExecuteOrderCreateCommandsOnStoreResource
. - From the Organization Administration Console, click Access Management > Policies.
- For View, select Root Organization to display the policies that it owns.
- From the list of policies, select AllUsersExecuteOrderCreateCommandsOnStoreResource. Note
the name of the policy's action group--
OrderCreateCommands
. This is the action group you need to view to find the names of the commands for creating an order.
Change the access group
- Click Change to display the Change Policy page.
- For User Group, click Find and select Buyers (buy-side).
- Click OK.
- Update the policy's name, display name, and description to reflect the change of access group.
- Click OK.
Identify the command for creating orders
- Click Access Management > Action Groups.
- From the list of action groups, select OrderCreateCommands .
- Click Change to display the Change Action Group page. Note the names of the commands for
creating orders:
You must add these commands to the resource group that contains the list of commands a buyer can execute.com.ibm.commerce.order.commands.OrderCopyCmd com.ibm.commerce.order.commands.OrderScheduleCmd com.ibm.commerce.orderitems.commands.OrderItemMoveCmd com.ibm.commerce.orderitems.commands.OrderItemUpdateCmd com.ibm.commerce.requisitionlist.commands.RequisitionListSubmitCmd com.ibm.commerce.orderitems.commands.OrderItemAddCmd com.ibm.commerce.orderquotation.commands.OrderQuotationCreateCmd
Identify the role-based policy for buyers (buy-side)
- Determine the role-based policy for buyers (buy-side). The policy is:
Buyers(buy-side)ExecuteBuyers(buy-side)CommandsResourceGroup
. - Click Access Management > Policies.
- For View, select Root Organization to display the site-level policies.
- Locate the policy in the list.
- Note the name of the resource group--
Buyers(buy-side)CommandsResourceGroup
. This is the resource group you need to update.
Update the resource group in the role-based policy to include the commands for creating orders
- Click Access Management > Resource Groups.
- From the list of resource groups, select Buyers(buy-side)CommandsResourceGroup.
- Click Change to display the Change Resource Group page.
- Click Next to display the Details page.
- From the Available Resources list, select the following commands for creating orders:
com.ibm.commerce.order.commands.OrderCopyCmd com.ibm.commerce.order.commands.OrderScheduleCmd com.ibm.commerce.orderitems.commands.OrderItemMoveCmd com.ibm.commerce.orderitems.commands.OrderItemUpdateCmd com.ibm.commerce.requisitionlist.commands.RequisitionListSubmitCmd com.ibm.commerce.orderitems.commands.OrderItemAddCmd com.ibm.commerce.orderquotation.commands.OrderQuotationCreateCmd
- Click Add.
- Click Finish.
Update the access control policy registry with your changes
- Open the Administration Console.
- Click Configuration > Registry.
- From the list of registries, select Access Control Policies.
- Click Update.