Data access policies override

In an integrated environment, orders entered on the WebSphere Commerce system must be able to access the Sterling Order Management process.

This process employs data access policies that grant or prohibit various levels of user access to data. Users are not synchronized between the two systems, so these access policies prevent the authenticated user from getting the order. The user does not have permission to create an order for the WebSphere Commerce customer.

When a user creates an order in WebSphere Commerce, the order comes into Sterling Order Management from an integration user and passes through regular user authentication. After that, an API is called to get the order. During the API execution, any data requested from the database must pass through the access policy layer.

To prevent failure at the access policy layer, the Access Policies Override feature provides a mechanism by which any API call can get or view orders. To accomplish this, a new child element in every API input contains the information about the WebSphere Commerce customer user for whom data must be accessed or written. When the API is started, Sterling Order Management formats the input XML and stores the integrated user's information, so that when API execution reaches the access policy layer, the user's information is honored, the relevant data is retrieved or written, and the get order call succeeds for the WebSphere Commerce integration user.

The access policy override is available only to WebSphere Commerce integration users. For all other Sterling Order Management users, such as those accessing Sterling Order Management from Sterling Call Center and Sterling Store, typical access policies and permissions apply.

Example 1

The getOrderList API input needs to get all the orders that are placed by a WebSphere Commerce customer, so the customer can view the order history. The API is called into Sterling Order Management by the integration user. The API requires the input to be formatted with the EnterpriseCode, designating the enterprise from which the order needs to be retrieved, and the BuyerUserId of the order. A sample of the formatted input:
<getOrderList>
  <Order ....>
    <UserOverride>
      <Order_Header EnterpriseCode="" BuyerUserId=""/>
    </UserOverride>
  </Order>
</getOrderList>

Example 2

The getCompleteOrderDetails API input needs to get data for the WebSphere Commerce customer; the API is called into Sterling Order Management by the integration user. The API requires the input to be formatted with the EnterpriseCode, designating the enterprise from which the order needs to be retrieved. A sample of the formatted input:
<Order OrderHeaderKey="">
  <Modifications>
    <Modification ModificationType="">
    </Modification>
  </Modifications>
  <wc:UserOverride>
    <wc:Order_Header BuyerUserId="" EnterpriseCode=""/>
  </wc:UserOverride>
</Order>
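
Because the override bypasses the normal access policy check, it is worth auditing which callers send a UserOverride element. The following is an added example, not code from the product or its documentation: it scans API inputs for UserOverride in both the unprefixed and wc: forms shown above and flags any sent by a caller that is not an integration user, or sent without an EnterpriseCode. The login IDs, the (caller, API, input) record shape, the namespace URI and the sample calls are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: login IDs allowed to send UserOverride (hypothetical name).
INTEGRATION_USERS = {"wc_integration"}

def local(tag):
    """Strip a '{namespace}' prefix so wc:UserOverride and UserOverride both match."""
    return tag.rsplit("}", 1)[-1]

def find_user_overrides(xml_text):
    """Return (EnterpriseCode, BuyerUserId) for every UserOverride/Order_Header."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs so audit input cannot expand entities
        raise ValueError("DOCTYPE not allowed")
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "UserOverride":
            continue
        for child in elem:
            if local(child.tag) == "Order_Header":
                found.append((child.get("EnterpriseCode", ""), child.get("BuyerUserId", "")))
    return found

def audit(calls, integration_users=INTEGRATION_USERS):
    """calls: iterable of (caller_login, api_name, input_xml). Returns findings."""
    findings = []
    for caller, api, xml_text in calls:
        for enterprise, buyer in find_user_overrides(xml_text):
            if caller not in integration_users:
                findings.append((caller, api, "override from non-integration user", buyer))
            elif not enterprise:
                findings.append((caller, api, "override without EnterpriseCode", buyer))
    return findings

# Constructed sample calls (not captured traffic); the wc namespace URI is a placeholder.
SAMPLE_CALLS = [
    ("wc_integration", "getOrderList",
     '<getOrderList><Order><UserOverride>'
     '<Order_Header EnterpriseCode="ENT1" BuyerUserId="cust01"/>'
     '</UserOverride></Order></getOrderList>'),
    ("callcenter_rep", "getCompleteOrderDetails",
     '<Order xmlns:wc="urn:example:placeholder" OrderHeaderKey="K1"><wc:UserOverride>'
     '<wc:Order_Header BuyerUserId="cust02" EnterpriseCode="ENT1"/>'
     '</wc:UserOverride></Order>'),
    ("wc_integration", "getOrderList",
     '<getOrderList><Order><UserOverride>'
     '<Order_Header EnterpriseCode="" BuyerUserId="cust03"/>'
     '</UserOverride></Order></getOrderList>'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CALLS):
        print(finding)
```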