Implementing access control
Resources that web services act upon are actually nouns that are represented by generated SDOs. This lesson contains a brief overview of how access control policy works for BOD service modules.
About this task
<Action Name="GetProject.MyCompany_Admin_Summary" CommandName="GetProject.MyCompany_Admin_Summary" />
<Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary" />
An action group contains all the access profiles the group can use:
<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup"
OwnerID="RootOrganization">
<ActionGroupAction Name="GetProject.MyCompany_Store_Summary" />
</ActionGroup>
<ActionGroup
Name="Project-Project-ProjectManagers-AccessProfileActionGroup"
OwnerID="RootOrganization">
<ActionGroupAction Name="GetProject.MyCompany_Admin_Summary" />
</ActionGroup>
Finally, define a policy using the action group:
<!-- the all users access profile access control policy -->
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy"
OwnerID="RootOrganization" UserGroup="AllUsers"
ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
ResourceGroupName="AccessProfileResourceGroup"
PolicyType="groupableStandard" />
<!-- the project manager access profile access policy -->
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy"
OwnerID="RootOrganization" UserGroup="RecipeManagers"
ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
ResourceGroupName="AccessProfileResourceGroup"
PolicyType="groupableTemplate" />
To display the returned nouns from the Get request, a check is performed after the nouns are retrieved by the access control filter.
<!-- all user action group which contains read and change actions -->
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="DisplayResourceAction"/>
<ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup>
For Change, Sync, and Process requests, you can perform an action on the specified noun using an action, an action group, and a policy. An access profile is defined by an action:
<!-- read action (Get request) -->
<Action Name="DisplayResourceAction" CommandName="Display"/>
<!-- change action (Change request) -->
<Action Name="ChangeResourceAction" CommandName="Change"/>
<!-- process actions (Process request) -->
<Action Name="AddResourceAction" CommandName="Add"/>
<Action Name="DeleteResourceAction" CommandName="Delete"/>
<Action Name="CreateResourceAction" CommandName="Create"/>
An action group contains all the access profiles that the group can use:
<!-- all project managers action group process action -->
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
<ActionGroupAction Name="AddResourceAction"/>
<ActionGroupAction Name="DeleteResourceAction"/>
<ActionGroupAction Name="CreateResourceAction"/>
</ActionGroup>
Finally, define a policy using the action group:
<!-- the project manager creator policy -->
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy"
OwnerID="RootOrganization" UserGroup="RecipeManagers"
ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
ResourceGroupName="Project-Project-ResourceGroup"
RelationName="creator" PolicyType="groupableTemplate" />
Note: For more information, see Access control in the BOD command framework.
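A simplified evaluator of the Action, ActionGroup and Policy elements above, added here as an illustration; it is not part of the WebSphere Commerce tutorial or product. It assumes a constructed <Policies> root wrapping the page's own fragments, that the caller already knows the user's group memberships and relationships to the resource (such as creator), and a default-deny rule: a command is granted only when a Policy for one of the user's groups binds an action group containing that command for the requested resource group.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's fragments, wrapped in an assumed <Policies> root.
POLICY_XML = """<Policies>
<Action Name="GetProject.MyCompany_Admin_Summary" CommandName="GetProject.MyCompany_Admin_Summary"/>
<Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary"/>
<Action Name="DisplayResourceAction" CommandName="Display"/>
<Action Name="AddResourceAction" CommandName="Add"/>
<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="GetProject.MyCompany_Store_Summary"/></ActionGroup>
<ActionGroup Name="Project-Project-ProjectManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary"/></ActionGroup>
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayResourceAction"/></ActionGroup>
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="AddResourceAction"/></ActionGroup>
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization" UserGroup="AllUsers"
  ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup" ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy" OwnerID="RootOrganization" UserGroup="RecipeManagers"
  ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup" ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableTemplate"/>
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy" OwnerID="RootOrganization" UserGroup="RecipeManagers"
  ActionGroupName="Project-Project-ProjectManagers-ActionGroup" ResourceGroupName="Project-Project-ResourceGroup" RelationName="creator" PolicyType="groupableTemplate"/>
</Policies>"""

def load_policies(xml_text):
    """Index the XML: command -> action names, action group -> action names, and the policies."""
    root = ET.fromstring(xml_text)
    cmd_to_actions = {}
    for a in root.iter("Action"):
        cmd_to_actions.setdefault(a.get("CommandName"), set()).add(a.get("Name"))
    groups = {g.get("Name"): {x.get("Name") for x in g.iter("ActionGroupAction")}
              for g in root.iter("ActionGroup")}
    return cmd_to_actions, groups, list(root.iter("Policy"))

def is_allowed(model, user_groups, command, resource_group, relations=()):
    """Default deny: grant only when some Policy binds a matching action group (simplified model)."""
    cmd_to_actions, groups, policies = model
    wanted = cmd_to_actions.get(command, set())   # actions that execute this command
    for p in policies:
        if p.get("UserGroup") not in user_groups:
            continue                                # policy is for another user group
        if p.get("ResourceGroupName") != resource_group:
            continue                                # policy covers another resource group
        if p.get("RelationName") and p.get("RelationName") not in relations:
            continue                                # e.g. creator: user must hold the relation
        if wanted & groups.get(p.get("ActionGroupName"), set()):
            return True
    return False

MODEL = load_policies(POLICY_XML)
```

Note that Project-Project-AllUsers-ActionGroup grants nothing by itself: no Policy on the page references it, so a Display request against Project-Project-ResourceGroup is denied until a policy binds that group.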
Procedure
- Review the access control policy concepts provided in this lesson.
- Right-click the WebSphere Commerce Test Server and select Publish.
- Create a role "Recipe Manager" through the Organization Administration Console.
- Add the Recipe Manager role to the following organizations:
  - Extended Sites Organization
  - Asset Store Organization (Parent is Extended Sites Organization)
- Load the access control policy:
- Import the provided ProtectableProxy class that contains the authorization methods:
  - In the Enterprise Explorer view, expand . Right-click the com.mycompany.commerce.project.facade.server.authorization package.
  - Click Import. Expand General and select File System. Click Next.
  - Browse to the temporary location where you extracted the RecipeServices.zip file. Browse to the com.mycompany.commerce.project.facade.server.authorization folder.
  - Select all files. Click Finish.
  - Click Yes to All to overwrite the existing files.