Modifying the command-level access control for a controller command

Based on the default access control policies, the UserRegistrationAdminAddCmd command cannot be run by users who only have the Marketing Manager role. The following scenario describes the steps needed to modify the existing policies so that these users can perform this command. You can use the steps in this scenario and customize them to your own requirements.

About this task

All controller commands require a command-level access control policy, which has the ActionGroupName = ExecuteCommandActionGroup. It also must have a resource group that includes the interface name of the controller command. These policies usually refer to a specific role, for example, MarketingManagersExecuteMarketingManagerCmdResourceGroup.

<Policy Name="MarketingManagersExecuteMarketingManagerCmdResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="MarketingManagers"
        ActionGroupName="ExecuteCommandActionGroup"
        ResourceGroupName="MarketingManagerCmdResourceGroup"
        PolicyType="groupableStandard">
</Policy>

Note: The preceding policy is one of the default policies that is loaded into the database during instance creation. For more information about the default policies, see Default access control policy groups.

In this case, to let users with the Marketing Manager role run the UserRegistrationAdminAddCmd command, add the command to the existing resource group that the policy uses. To do so, create your own XML file and do the following:

Procedure

  1. Redefine the ExecuteCommand action.
  2. Redefine com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmd as a resource category.
  3. Associate the resource category with the required resource group, in this case MarketingManagerCmdResourceGroup.
  4. Copy the XML file to WCDC_installdir/xml/policies/xml. The following is an example of what your XML could look like:

    <?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
    <!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
    <Policies>

        <Action Name="ExecuteCommand" CommandName="Execute">
        </Action>

        <ResourceCategory
            Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
            ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
            <ResourceAction Name="ExecuteCommand"/>
        </ResourceCategory>

        <ResourceGroup Name="MarketingManagerCmdResourceGroup"
            OwnerID="RootOrganization">
            <ResourceGroupResource
                Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
        </ResourceGroup>

    </Policies>

  5. Load the XML file into the database using the acpload script. For more information about loading your XML files, see Loading access control policy data.
  6. Update the Access Control Policy Registry in the Administration Console:
    1. Log on to the Administration Console as a Site Administrator.
    2. Click Configuration > Registry. A list of registry components is displayed.
    3. From the list of registries, select Access Control Policies.
    4. Click Update.

Results

You can now use your controller command if it is not doing any resource-level checking.
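
A pre-load review of the file from step 4, given here as an added example that is not part of the original page or of IBM's tooling: it lists which command interfaces each resource group would gain and flags references that do not resolve inside the file. The function name `review_policy_file`, the constructed sample, and the `<bean class>ResourceCategory` naming check (inferred from the page's example) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's example file plus one deliberate mistake,
# a second group entry whose category name is never defined in the file.
SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
<Policies>
  <Action Name="ExecuteCommand" CommandName="Execute"/>
  <ResourceCategory
      Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"
      ResourceBeanClass="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
    <ResourceAction Name="ExecuteCommand"/>
  </ResourceCategory>
  <ResourceGroup Name="MarketingManagerCmdResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmdResourceCategory"/>
    <ResourceGroupResource Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmdResourceCategory"/>
  </ResourceGroup>
</Policies>
"""


def review_policy_file(xml_bytes):
    """Return ({resource group: [command interfaces]}, [problem strings])."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    actions = {a.get("Name") for a in root.iter("Action")}
    categories = {c.get("Name"): c for c in root.iter("ResourceCategory")}
    grants, problems = {}, []

    for name, cat in categories.items():
        bean = cat.get("ResourceBeanClass")
        # Naming convention taken from the page's example, not a product rule.
        if name != f"{bean}ResourceCategory":
            problems.append(f"category {name} does not match bean class {bean}")
        for ra in cat.iter("ResourceAction"):
            if ra.get("Name") not in actions:
                problems.append(f"{name}: action {ra.get('Name')} not defined in file")

    for group in root.iter("ResourceGroup"):
        for ref in group.iter("ResourceGroupResource"):
            cat = categories.get(ref.get("Name"))
            if cat is None:
                problems.append(f"{group.get('Name')}: {ref.get('Name')} not defined in file")
            else:
                grants.setdefault(group.get("Name"), []).append(cat.get("ResourceBeanClass"))
    return grants, problems


if __name__ == "__main__":
    print(review_policy_file(SAMPLE))
```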