Grouping resources by attributes
You may find that a resource policy that is based on class names needs to be more fine-grained than the default policies provided with WebSphere Commerce. An implicit resource group definition provides the flexibility to protect resources that are in a particular state. For example, if you want to create a policy where all users can run the OrderRead command on orders that have status 'P' or 'E', then you need to define a resource group as shown below.
About this task
CONDITIONS column in the ACRESGRP table. The CONDITIONS column stores the XML document containing the constraints and attribute value pairs used for grouping resources. This type of resource group is called an implicit resource group, and is usually used when the class name of the resource is not sufficient. For example, if an access control policy applies to Order resources that have a status equal to P (pending) or E (editing by a customer service representative), a resource group can be defined for this.
In order to group resources by attributes other than class name, the resource must implement the Groupable interface.
The following is an example of the Order resource group:
<ResourceGroup Name="OrderResourceGroupwithPEStatus"
    OwnerID="RootOrganization">
  <ResourceCondition>
    <![CDATA[
    <profile>
      <andListCondition>
        <orListCondition>
          <simpleCondition>
            <variable name="Status"/>
            <operator name="="/>
            <value data="P"/>
          </simpleCondition>
          <simpleCondition>
            <variable name="Status"/>
            <operator name="="/>
            <value data="E"/>
          </simpleCondition>
        </orListCondition>
        <simpleCondition>
          <variable name="classname"/>
          <operator name="="/>
          <value data="com.ibm.commerce.order.objects.Order"/>
        </simpleCondition>
      </andListCondition>
    </profile>
    ]]>
  </ResourceCondition>
</ResourceGroup>
where:
- Name: The name of the resource group stored in the GRPNAME column of the ACRESGRP table.
- OwnerID: The owner of the resource group. This must be the root organization.
- <ResourceCondition>: Specifies the data that will be loaded to the CONDITIONS column of the ACRESGRP table, to define the resource group.
- <![CDATA[...: Signifies a section of character data that is used exactly as it is typed.
- <profile>: A required parameter for all resource conditions.
An essential component of the resource group definition is the <simpleCondition> element that has name="classname". This element identifies the Java class of the resource that the group applies to. The Java class, com.ibm.commerce.order.objects.Order, can be seen in the following example:
<simpleCondition>
  <variable name="classname"/>
  <operator name="="/>
  <value data="com.ibm.commerce.order.objects.Order"/>
</simpleCondition>
The following example specifies the condition on the com.ibm.commerce.order.objects.Order resource, that the status should equal P.
<simpleCondition>
  <variable name="Status"/>
  <operator name="="/>
  <value data="P"/>
</simpleCondition>
In the preceding example, the <variable name="value"/> represents the attribute names recognized by the getGroupingAttributeValue(String attributeName, GroupContext context) method on the resource. This method is part of the Groupable interface. For the purposes of Implicit Resource Group management within the Administration Console, the attribute should also be defined in the ACATTR table and associated with the resource in the ACRESATREL table. When it is time to find the applicable policies for a given resource and action, this condition will be checked by calling the getGroupingAttributeValue(..) method, which in this case passes in Status as the attributeName parameter.
The <orListCondition> specifies that the conditions within this block should be applied using a boolean OR. In this case, the status is either P or E. The <andListCondition> specifies that the conditions within this block should be applied using a boolean AND. In this case, (classname = com.ibm.commerce.order.objects.Order) AND (Status = P OR Status = E).
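The AND/OR grouping described above can be checked offline before a resource group is loaded. The following is an added example, not IBM code and not how WebSphere Commerce evaluates conditions internally: it parses a constructed copy of the resource group and tests sample resources against it. The function names are hypothetical, a plain dictionary stands in for the values that getGroupingAttributeValue would return, and only the "=" operator is handled.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the resource group shown on this page.
RESOURCE_GROUP = """\
<ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
  <ResourceCondition><![CDATA[
    <profile>
      <andListCondition>
        <orListCondition>
          <simpleCondition><variable name="Status"/><operator name="="/><value data="P"/></simpleCondition>
          <simpleCondition><variable name="Status"/><operator name="="/><value data="E"/></simpleCondition>
        </orListCondition>
        <simpleCondition><variable name="classname"/><operator name="="/>
          <value data="com.ibm.commerce.order.objects.Order"/></simpleCondition>
      </andListCondition>
    </profile>
  ]]></ResourceCondition>
</ResourceGroup>
"""

def load_profile(group_xml):
    """Return the <profile> element carried as character data in <ResourceCondition>."""
    cdata = ET.fromstring(group_xml).findtext("ResourceCondition")
    if cdata is None or not cdata.strip():
        raise ValueError("ResourceGroup has no ResourceCondition data")
    profile = ET.fromstring(cdata.strip())
    if profile.tag != "profile":
        raise ValueError("resource condition must be wrapped in <profile>")
    return profile

def matches(node, attrs):
    """Evaluate one condition element against a resource's attribute values."""
    if node.tag in ("profile", "andListCondition"):
        # An empty AND list is rejected rather than treated as "match everything".
        return len(node) > 0 and all(matches(child, attrs) for child in node)
    if node.tag == "orListCondition":
        return any(matches(child, attrs) for child in node)
    if node.tag == "simpleCondition":
        name = node.find("variable").get("name")
        op = node.find("operator").get("name")
        if op != "=":
            raise ValueError("operator not handled in this sketch: " + op)
        # A resource that lacks the attribute never matches (fail closed).
        return name in attrs and str(attrs[name]) == node.find("value").get("data")
    raise ValueError("unknown condition element: " + node.tag)

def in_group(group_xml, attrs):
    """True if a resource with these attribute values falls in the group."""
    return matches(load_profile(group_xml), attrs)
```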
A sample attribute definition for populating the ACATTR table is shown in the following:
<Attribute Name="Status" Type="String">
</Attribute>
The Name element is a term to identify the attribute, and the Type element identifies the data type of the attribute. Possible values for Type are:
- String
- Integer
- Double
- Currency
- Decimal
- URL
- Image
- Date
The association of an attribute to a resource is specified within the Resource definition. For example, the Status attribute is associated with the OrderResourceCategory in the following example:
<ResourceCategory
    Name="com.ibm.commerce.order.objects.OrderResourceCategory"
    ResourceBeanClass="com.ibm.commerce.order.objects.Order">
  <ResourceAttributes Name="Status"
      AttributeTableName="ORDERS"
      AttributeColumnName="STATUS"
      ResourceKeyColumnName="ORDERS_ID"/>
</ResourceCategory>
where:
- <ResourceAttributes>: A block of code that associates an attribute with a resource.
- AttributeTableName: The name of the database table of the resource.
- AttributeColumnName: The name of the column in the resource table that stores the attribute.
- ResourceKeyColumnName: The name of the column in the resource table that stores the primary key.