Membership hierarchy
Users and organizational entities within the Member subsystem are organized into a hierarchy. Generally this hierarchy mimics a typical organizational hierarchy, with entries for organizations and organizational units, and entries for users in the leaf nodes. The hierarchy includes artificial organizational entities created specifically to support access control.
The following diagram shows a sample membership hierarchy:
The entries in the hierarchy are as follows:
- Root Organization
- The Root Organization is at the top level of the organization and is its own parent. All organizations in the WebSphere Commerce organization structure are descendants of the Root Organization. The Root Organization owns site level access control policy groups and their associated policies, and is automatically assigned all roles included in the WebSphere Commerce product. The MEMBER_ID value for the Root Organization is -2001. This value should not be changed.
- Default Organization
- Under the root is the Default Organization, and organizational entities that represent the seller and buyer organizations in the WebSphere Commerce system. When a user registers and does not identify an organizational entity to which the user belongs, the Default Organization will be used. All guest customers and customers in consumer direct businesses are created under the Default Organization. It is recommended that a business user (with profile type B) identify the appropriate organizational entity that he belongs to when registering, instead of defaulting to the Default Organization. The parent member of a user is the immediate organizational entity to which the user belongs. A user can specify his parent organizational entity during registration. If he does not specify his parent organizational entity, the Default Organization will be used as the parent. The MEMBER_ID value for the Default Organization is -2000. This value should not be changed.
Note the following considerations about the Default Organization:
- OrgAdminConsole: This tool, which is used to manage business users and administrators, does not list users under the Default Org (-2000) or allow users to be created under the Default Org, since it assumes that is where B2C shoppers (and guest users) are kept. Accelerator can be used to manage B2C shoppers.
- Access Control: By default, the Default Org (-2000) subscribes to GuestShopperManagementPolicyGroup, which allows some administrators (regardless of where they play their role) to manage the users under the Default Org. When an access control check is done on a guest user, the user is implicitly owned by the Default Organization (-2000), since guest users do not exist in the MBRREL table.
- MemberRegistrationAttributes.xml: By default, it has configurations that assume the Default Org DN.
- UserRegistrationAdd command: If no parentMember is specified (for example, the B2C scenario), the user will be placed under the Default Org.
- Sub-organizational entities
- One or more other levels of organizational entities can exist beneath the parent organizational entities. An administrator can add as many child organizational entities as necessary to support their business.
- Users
- Each organizational entity can have multiple users. Each user can belong to only one organizational entity.
Note that an organizational entity is typically an organization, such as "IBM", whereas an organizational unit is within an organization, such as "Electronic Commerce Division".
The MBRREL table stores membership hierarchy information, and must be populated for every user and organizational entity. The MBRREL table only contains entries for registered users. Guest customers always have the Default Organization as their parent organizational entity. The members that are above a user or organizational entity in the membership hierarchy are referred to as the ancestors of that user or organizational entity. The immediate ancestor is also referred to as the parent. The relationship of the user to its parent organizations is defined in the MBRREL table and also mirrored in the DN for the user.
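The hierarchy rules above (Root is its own parent, each user has exactly one parent, guests have no hierarchy row and are owned by the Default Organization) can be checked mechanically when reviewing access control ownership. The following is an added example, not IBM or WebSphere Commerce code: it assumes a simplified list of (child, parent) pairs as a stand-in for MBRREL rows rather than the real table schema, and every member ID other than -2001 and -2000 is constructed.

```python
from collections import defaultdict
ROOT_ORG, DEFAULT_ORG = -2001, -2000  # MEMBER_ID values given on this page

def parent_map(rows):
    """Group simplified (child_id, parent_id) rows into {child: {parents}}."""
    parents = defaultdict(set)
    for child, parent in rows:
        parents[child].add(parent)
    return parents

def ancestors(member_id, parents, is_guest=False):
    """Ancestor chain, parent first and Root Organization last."""
    chain, current = [], member_id
    if is_guest:  # guests have no hierarchy row; the Default Organization owns them
        chain, current = [DEFAULT_ORG], DEFAULT_ORG
    while current != ROOT_ORG:  # Root is its own parent, so stop there
        found = parents.get(current, set())
        if len(found) != 1:
            raise ValueError(f"member {current} has {len(found)} parents")
        (parent,) = found
        if parent == member_id or parent in chain:
            raise ValueError(f"cycle at member {current}")
        chain.append(parent)
        current = parent
    return chain

def audit(members, rows):
    """members: {member_id: (kind, profile)}, kind in 'org', 'user', 'guest'."""
    parents, findings = parent_map(rows), []
    for mid, (kind, profile) in sorted(members.items()):
        found = parents.get(mid, set())
        if kind == "guest":
            if found:
                findings.append((mid, "guest has a hierarchy row"))
        elif not found:
            findings.append((mid, "no hierarchy row"))
        elif len(found) > 1:
            findings.append((mid, "multiple parents"))
        elif profile == "B" and DEFAULT_ORG in found:
            findings.append((mid, "business user under Default Organization"))
    return findings

# Constructed sample data: every ID except -2001 and -2000 is made up.
MEMBERS = {ROOT_ORG: ("org", None), DEFAULT_ORG: ("org", None),
           7001: ("org", None), 7002: ("org", None), 8001: ("user", "B"),
           8002: ("user", "B"), 8003: ("user", None), 8004: ("user", "B"),
           8005: ("user", "B"), 9001: ("guest", None)}
ROWS = [(ROOT_ORG, ROOT_ORG), (DEFAULT_ORG, ROOT_ORG), (7001, ROOT_ORG),
        (7002, 7001), (8001, 7002), (8002, DEFAULT_ORG), (8003, DEFAULT_ORG),
        (8004, 7001), (8004, 7002)]
```

On the sample data, `audit(MEMBERS, ROWS)` reports the business user left under the Default Organization, the user with two parents, and the registered user with no hierarchy row; the consumer user under the Default Organization and the guest are not flagged.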