- Creating a new role-based access control policy
To create a new role-based policy for a new role, you can use the Organizational Administration Console for some subtasks, however, you need to load some of the changes manually through the use of access control policy XML files. The Organization Administration Console allows you to make simple changes to access control policies and their parts. To make more sophisticated changes, you need to edit the XML files directly, and then load them into the database.
- Creating access groups
Use the Organization Administration Console to create access groups.
- Creating an action group
You must have Site Administrator authority to create an action group.
- Creating a resource group
You must have Site Administrator authority to create new resource group.
- Subscribing to policy groups
Use the Organization Administration Console to subscribe an organization to a policy group.
- Listing site-level roles
Use the Organization Administration Console to list site-level roles.
- Creating site-level roles
Use the Organization Administration Console to create site-level roles.
- Example: Removing the ability of contract managers to add or delete attachments to contracts
By default, contract managers for a store can add or delete attachments to contracts they manage. In some cases, you might not want to grant this authority to contract managers.
- Example: Permitting both contract operators and contract administrators to deploy contracts
By default, contract operators for a store can deploy contracts. In some cases, you might want to grant this authority to contract administrators as well.
- Example: Permitting only Buyers to create orders
By default, all users are permitted to create orders for products, regardless of their position in their organization. In some cases, you may want to limit the ability to create orders to a restricted group of users, such as the employees of the buying organization. Typically, these employees are assigned the Buyer (buy-side) role for the buying organization.
- Example: Allowing only Buyer Administrators to modify orders
By default, all users are permitted to modify orders they have created, regardless of their position in their organization. In some cases, you may want only the organization's buyer administrator to have the authority to modify orders.
- Example: Allowing RMA approvers to approve all RMAs
By default, return merchandise authorization (RMA) approvers for a store are only permitted to approve RMAs for their own stores. In some cases, you may want to allow RMA approvers to approve RMAs for any store. This might be desirable if several stores are owned by the same organization or if the same person handles the RMA approvals for multiple stores.
- Example: Removing the ability of users to self-register
By default users are permitted to self-register if they belong to a registered organization. Membership administrators are also authorized to register users that belong to their organization. For sites that require strictly controlled access, it might be necessary to remove the ability to self-register and require that users be registered by membership administrators.
- Example: Allowing only registered and approved users to change their address information
By default, users can modify their address information if their registration has been approved or is pending approval. In some cases, you might want only registered and approved users to manage their addresses.
- Example: Allowing member registrars to register users
By default, membership administrators for an organization are authorized to register member of their organization. The access group, MemberAdministratorsForOrg, includes several roles such as buyer administrator and seller administrator, which are authorized to perform a variety of administrative tasks. In some cases, you might want to create a separate role that is authorized only to register organization members:
- Example: Allowing only buyers to redeem coupons
By default, all users are permitted to redeem coupons. In some cases, you may want to limit coupon redemption to users with the Buyer (Buy-side) role in WebSphere Commerce.
- Example: Permitting both coupon administrators and Operations Managers to create coupon promotions
By default, coupon administrators for a store can create coupon promotions for their store. In some cases, you might want to grant this authority to Operations Managers as well.
- Example: Allowing procurement shopping cart managers to manage the procurement shopping cart for orders created by their organization
By default, procurement shopping cart managers are authorized to manage the procurement shopping cart when they have created the order. In some cases, you might want to extend the authority of procurement shopping cart managers to let them manage the procurement cart for orders created by any member of their organization.
- Example: Allow procurement buyer administrators to submit the procurement shopping cart for orders created by their organization
By default, procurement shopping cart managers can save or submit procurement shopping carts if they have created the order. In some cases, you might want to divide the responsibility for these tasks. You could allow procurement shopping cart managers to save procurement shopping carts containing orders they have created but give procurement buyer administrators in the same organization as the order creator the authority to submit the procurement shopping cart. This might be beneficial if you want the procurement buyer administrator to review planned purchases before they are submitted.
- Example: Permitting fulfillment center managers to update fulfillment centers but not to delete them
By default, fulfillment center managers are authorized to update or delete the fulfillment centers associated with their store. In some cases, you might want to allow fulfillment center managers to update fulfillment centers but not to delete them.
- Example: Permitting only logistics managers, operations managers, and account representatives to create, update, or delete fulfillment centers
By default, fulfillment center managers are authorized to create, update or delete the fulfillment centers associated with their store. The fulfillment center manager's access group includes the roles: Seller, Logistics Manager, Operations Manager, and Account Representative. In some cases, you might not want Sellers to be authorized as fulfillment center managers.
- Example: Allowing auditors to view business intelligence reports
By default, intelligence report viewers are permitted to view business intelligence reports for their store. In some cases, you might also want to create a new role called auditor and authorize users with this role to view a store's business intelligence reports.