Examples: Customizing access control policies using the Organization Administration Console

For all of these examples, it is assumed that a Site Administrator is modifying the policies for Root Organization. Once you step through some of the examples, you will be able to follow the same methodology to make changes not specifically covered here.

The examples are organized by business area. Within each business area, the examples are presented in order of increased complexity.

Customization examples organized by type of customization
Customization See the example
Adding a role to a policy's access group
Changing a policy's action group
Changing a policy's resource relationship
Changing a policy to use a different access group
Creating a new access group and using it in a policy
Creating a new action group and using it in a policy
Creating a new resource-level policy
Creating a new role-based policy
Creating a new role and using it in a resource-level policy
Deleting a policy
Removing an action from a policy's action group

Tips for changing default policies

  • Most access groups are defined by user roles such as Buyer or Product Manager.
  • Before you change a policy to use a different access group, review the definition of that access group to ensure it meets your requirements. To do so, select Access Management > Access Groups from the Organization Administration Console.
  • Depending on the value you select for View, the Policies page lists the policies that are owned by the selected organization. It does not distinguish between site-level policies and policies specific to a particular organization.
  • Rename any default policies you change so that the policy name reflects what the policy does and so that you can identify the default policies you have changed. Consider implementing a naming convention for your customized policies. If appropriate, you should also modify the description of the policy and its display name.
  • The display names and the descriptions of access control elements are only available in the default language of the instance.
  • The access control policy menu is moved to Organization Administration Console. The Organization Administration Console can only perform simple modifications to the access control policy definitions and access group definitions. The more robust solution is to update the data using XML files. The following operations can only be done through XML:
    1. Defining new actions, resources, attributes, relationships, relationship groups.
    2. Defining complex implicit resource groups, and complex implicit access groups.
    3. Assigning a new policy to a policy group.