Access control for procurement systems
In WebSphere Commerce, access control policies determine which roles can access which parts of the system. For procurement systems, there must be one role with the authority to register, on the fly, the requisitioning users who belong to a buyer organization, and another role to send the order back to the procurement system.
In WebSphere Commerce, two roles are created to facilitate accessibility for procurement systems:
- Procurement Buyer
  The procurement Buyer is a requisitioning user who belongs to a buyer organization which uses a procurement system to connect to WebSphere Commerce. Procurement buyers are registered when a request comes from the procurement system. Procurement buyers use the account belonging to their buyer organization. After purchasing, the procurement Buyer sends their order to the procurement system for approval.
  Note: Only customers with the Procurement Buyer role can access the SubmitShoppingCart and SendShoppingCart commands.
- Procurement Buyer Administrator
  The procurement Buyer Administrator registers requisitioning users as procurement buyers. The RegisterRequisitioner task command checks to see if the user has the procurement Buyer Administrator role for the buyer organization to which the new user will be registered.
  Note: Each buyer organization using a procurement system to connect to a WebSphere Commerce supplier must have a procurement Buyer Administrator.
Buyer organization specific profiling of procurement systems
WebSphere Commerce stores hierarchies of member organizations. Individual users can be associated with member organizations and specific departments within these organizations. An organization can also be designated a buyer organization.
Buyer organization information is captured in order to facilitate the registration of a buyer with a supplier. For procurement systems, the specific information is captured in the PROCBUYPRF table. The PROCBUYPRF table captures any buyer identification from the procurement system as well as protocol and buyer specific information.
Procurement user authentication and registration
WebSphere Commerce provides support for authenticating the requests from procurement systems and automatically registering the requisitioning users.
Requisitioning user authentication is done using the following steps:
- Each procurement request coming to WebSphere Commerce must specify an administrator's logon credentials. This is handled differently based on the protocol type. The authentication type used by the protocol should be specified by the AUTHTYPE column in the PROCPROTCL database table.
  For protocols using XML/HTTP, the administrator's credentials are specified in the XML message. The XML template used to parse the message maps the credential information to the WebSphere Commerce logonId and logonPassword parameters. These credentials are then verified by the HTTP Program Adapter.
  For protocols that use HTTP over a browser, the Logon command is called from the PunchOutSetup command to verify the administrator user under whom the commands are running. These protocols should provide the logonId and logonPassword parameters as part of their URL request.
  Note: A procurement Buyer Administrator role must be created at setup time when a buyer organization is configured as a procurement system buyer in WebSphere Commerce. Only the procurement Buyer Administrator can access or execute the procurement system integration related commands and register requisitioning users for the buyer organization.
- The AuthenticationHelper command verifies the buyer and supplier identities against the ORGCODE table.
- The AuthenticationHelper command verifies the relationship between the buyer and supplier in the BUYSUPMAP table.
- Once the administrator user is authenticated and the buyer and supplier identities and relationship are verified, access control policies are used to determine whether the user has the authority to register requisitioning users for the buyer and supplier. If authentication is successful and it is the user's first time logging on, the requisitioning user is registered as a new user in WebSphere Commerce. Requisitioning users are identified by the ORG_ID and REQUISITIONER_ID fields in the BUSPROF table.
Note: In order to integrate with the Member subsystem, a unique logonId, based on the requisitioning user's ID, is assigned during registration.
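The order of checks in the steps above can be modelled in a few lines. The following is an added example, not WebSphere Commerce code: the table names come from this page, while the row layouts, sample data, function names and the logonId format are assumptions constructed for illustration.

```python
# Added illustration: in-memory model of the procurement request checks.
# Table names come from the page; row layouts, sample data and function names
# are constructed for this example and are not WebSphere Commerce code.
import hashlib
import hmac

ADMIN_ROLE = "Procurement Buyer Administrator"

def _kdf(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ADMINS = {"procadmin": _kdf("s3cret")}        # logonId -> password hash
ORGCODE = {"BUYER-A": 7001, "BUYER-B": 7002, "SUPPLIER-X": 9001}  # code -> org
BUYSUPMAP = {(7001, 9001), (7002, 9001)}      # (buyer org, supplier org)
ROLES = {("procadmin", 7001): {ADMIN_ROLE}}   # (logonId, org) -> roles
BUSPROF = {}                                  # (ORG_ID, REQUISITIONER_ID) -> logonId

class Rejected(Exception):
    """Raised when any check fails; nothing is registered in that case."""

def handle_request(logon_id, logon_password, buyer_code, supplier_code, requisitioner_id):
    # 1. Verify the administrator credentials carried by the request.
    supplied = _kdf(logon_password)
    if not hmac.compare_digest(ADMINS.get(logon_id, b""), supplied):
        raise Rejected("administrator credentials")
    # 2. Resolve buyer and supplier identities (ORGCODE).
    buyer, supplier = ORGCODE.get(buyer_code), ORGCODE.get(supplier_code)
    if buyer is None or supplier is None:
        raise Rejected("unknown buyer or supplier")
    # 3. Verify that the two organizations are related (BUYSUPMAP).
    if (buyer, supplier) not in BUYSUPMAP:
        raise Rejected("no buyer-supplier relationship")
    # 4. Access control: the administrator must hold the role for this buyer org.
    if ADMIN_ROLE not in ROLES.get((logon_id, buyer), set()):
        raise Rejected("not an administrator for this buyer organization")
    # 5. Register the requisitioning user only on first logon.
    key = (buyer, requisitioner_id)
    first_time = key not in BUSPROF
    if first_time:
        BUSPROF[key] = f"{buyer}-{requisitioner_id}"  # assumed logonId format
    return BUSPROF[key], first_time

def outcome(*args):
    """Return the registration result, or the rejection reason as a string."""
    try:
        return handle_request(*args)
    except Rejected as exc:
        return f"rejected: {exc}"
```

The role check in step 4 is scoped to the buyer organization, so an administrator of one buyer organization cannot register users into another even when both are mapped to the same supplier.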