Example: Allowing auditors to view business intelligence reports

By default, intelligence report viewers are permitted to view business intelligence reports for their store. In some cases, you might also want to create a new role called auditor and authorize users with this role to view a store's business intelligence reports.

Here is an overview of the steps involved:

  • Create a new role, (Auditor) and for it, a new access group Auditors, a new resource group, and a new role-based policy.
  • Add the new role to the resource-level policy's access group.
  • Add the Auditor role to the access group of the resource-level policy that defines who can view business intelligence reports for their stores.

In this scenario, you will do the following:

  • Determine the resource-level policy that permits business intelligence report viewers to view business intelligence reports.
  • Note the name of the action in its action group. You must create a new resource group with this action and use it in the role-based policy for the new role. Keep in mind that, in role-based policies for actions, the action group contains only a single action execute. The resource group contains the actions (commands) that can be executed.
  • Define a new resource group, called AuditorCommands, which includes the command for viewing business intelligence reports. You will use this resource group in the role-based policy for the auditor role.
  • Define a new role-based policy for auditors, which uses the Auditors access group and the AuditorCommands resource group.
  • Add the auditor role to the access group for the resource-level policy that defines who can view business intelligence reports for their store.

Define the new auditor role

  1. From the Organization Administration Console, click Access Management > Roles.
  2. On the Roles page, click New.
  3. For Name, specify Auditor.
  4. For Description, specify a description of the auditor role in your local language.
  5. Click OK.

Define a new access group for the auditor role

  1. Click Access Management > Access Groups.
  2. On the Access Groups page, click New to display the Details page for the new access group.
  3. For Name, specify--Auditors.
  4. For Description, specify a description of the access group in your local language.
  5. For Parent Organization, select Root Organization.
  6. Click Next to display the Criteria page for the new access group.
  7. Click Based on organizations and roles.
  8. From the Role list, select Auditor.
  9. Click Add.
  10. Click Finish.

Identify the actions to use in the resource group for the auditor role's role-based policy

  1. Find the policy that authorizes intelligence report viewers to view business intelligence reports. The policy is: 
    
IntelligenceReportViewersForOrgExecuteViewBusinessIntelligenceReport
CommandsOnStoreEntityResource
  2. From the Organization Administration Console, click Access Management > Policies.
  3. For View, select Root Organization to display the policies it owns.
  4. Locate the policy in the list.
  5. Note the name of the policy's action group--ViewBusinessIntelligenceReport. This is the action group you must view to identify the actions for registering members.
  6. Click Access Management > Action Groups.
  7. From the list of action groups, select ViewBusinessIntelligenceReport.
  8. Click Change to display the Change Action Group page.
  9. Note the name of the command for viewing business intelligence reports--com.ibm.commerce.bi.commands.BIShowReportCmd.

Define the new resource group to be used in the role-based policy for the auditor role

  1. Click Access Management > Resource Groups to display the Resource Groups page.
  2. Click New to display the General page for the new resource group.
  3. For Name, specify AuditorCommands.
  4. For Display Name, specify a description of the resource group in your local language.
  5. For Description, specify a longer description of the resource group, in your local language.
  6. Click Next.
  7. For Type, select Explicit Resource Group.
  8. Click Next to display the Details page for the new resource group.
  9. From the Available Resources list, select com.ibm.commerce.bi.commands.BIShowReportCmd.
  10. Click Add.
  11. Click Finish.

Define the role-based policy for the auditor role

  1. Click Access Management > Policies.
  2. On the Policies page, click New.
  3. For Name, specify AuditorsExecuteAuditorCommands.
  4. For Display Name, specify a description of the policy in your local language.
  5. For Description, specify a longer description of what the policy does, in your local language.
  6. For User Group, click Find and select Auditors.
  7. Click OK.
  8. For Resource Group, select AuditorCommands.
  9. For Action Group, select ExecuteCommandActionGroup.
  10. Click OK.

Add the auditor role to the resource-level policy's access group

  1. Click Access Management > Access Groups.
  2. From the list of access groups, select IntelligenceReportViewersForOrg.
  3. Click Change to display the Change Access Group page.
  4. Click Criteria to display the Criteria page for the access group.
  5. From the Role list, select Auditor.
  6. Click For Organization to specify that the role must be played within the resource's own organization or its ancestors.
  7. Click Add.
  8. Click OK.

Update the policy registry with your changes

  1. Open the Administration Console.
  2. Click Configuration > Registry.
  3. From the list of registries, select Access Control Policies.
  4. Click Update.