Synchronizing WebSphere Portal access control with WebSphere Commerce roles

It is covered how WebSphere Portal restricts user access by using Realm with Virtual Portal, and as well on how WebSphere Portal maintains resource level access control using role type assignment. This access right control now relates to the WebSphere Commerce roles and organization hierarchy.

The concept used in WebSphere Commerce roles and organizations is very different from the concept of WebSphere Portal resource level access control, it is impossible to come up with a general pattern to synchronize the user access rights between WebSphere Commerce and WebSphere Portal in real time. However, by applying a few restrictions and assumption to the deployment model, the synchronization scope can be dramatically reduced so that at least some typical access right scenarios can be synchronized. The following are a few assumptions that are required to be made when synchronizing WebSphere Commerce roles with WebSphere Portal's access rights:
  • One WebSphere Commerce store per virtual portal – one and only one WebSphere Commerce extended site can be associated with one virtual portal; this means that only one store Id can be used within a given virtual portal site.
  • No implicit inherited WebSphere Commerce roles – all WebSphere Commerce roles that are eligible at any given WebSphere Commerce organization hierarchy level can only be calculated and applied at that same WebSphere Commerce organization level; this means that inherited WebSphere Commerce roles from higher organization levels cannot be mapped implicitly to one WebSphere Portal access right, unless all inherited WebSphere Commerce roles are being mapped out explicitly.
  • One WebSphere Portal member group per WebSphere Commerce role of an organization – for each WebSphere Commerce role assigned at any given WebSphere Commerce organization hierarchy, only one WebSphere Portal member group can be used to uniquely represent this relationship; this means there is only a bidirectional one-to-one mapping between a WebSphere Commerce role for an organization and a WebSphere Portal member group.
  • WebSphere Portal role types are for WebSphere Portal only – a WebSphere Portal role type can then be used to assign access right to these member groups. The WebSphere Portal roles used do not reflect any WebSphere Commerce role characteristics – these WebSphere Portal roles are more designed for WebSphere Portal administrative purposes.

WebSphere Portal access right synchronization with WebSphere Commerce roles diagram

By considering the preceding example:
  1. In WebSphere Commerce, a user has been granted with a Registered Customer role against the Seller A-1 organization.
  2. Because Seller A-1 owns Store A-1, the user can access Store A-1.
  3. In WebSphere Portal, Store A-1 is mapped to Virtual Portal A, whereas the Registered Customer role of Seller A-1 can be mapped to WebSphere Portal member group SellerA1-RC.
  4. From a top level page Home of Virtual Portal A, a WebSphere Portal role type of User@Home is created and granted to WebSphere Portal member group SellerA1-RC.
  5. When this user logs on to Virtual Portal A, the user should be able to access the Home page, as well as all of its sub-pages due to the default inherited behavior of WebSphere Portal role types.