Examples: Customizing access control policies using the Organization Administration Console

For all of these examples, it is assumed that a Site Administrator is modifying the policies for Root Organization. Once you step through some of the examples, you will be able to follow the same methodology to make changes not specifically covered here.

The examples are organized by business area. Within each business area, the examples are presented in order of increased complexity.

Customization examples organized by type of customization
Customization	See the example
Adding a role to a policy's access group	Permitting both coupon administrators and Operations Managers to create coupon promotions
Changing a policy's action group	Allow procurement buyer administrators to submit the procurement shopping cart for orders created by their organization Permitting fulfillment center managers to update fulfillment centers but not to delete them
Changing a policy's resource relationship	Allowing only Buyer Administrators to modify orders Allowing procurement shopping cart managers to manage the procurement shopping cart for orders created by their organization
Changing a policy to use a different access group	Permitting only Buyers to create orders Allowing only Buyer Administrators to modify orders Allowing only registered and approved users to change their address information Allowing only buyers to redeem coupons Permitting both coupon administrators and Operations Managers to create coupon promotions
Creating a new access group and using it in a policy	Allowing RMA approvers to approve all RMAs Allowing member registrars to register users
Creating a new action group and using it in a policy	Allowing member registrars to register users Allow procurement buyer administrators to submit the procurement shopping cart for orders created by their organization
Creating a new resource-level policy	Permitting both contract operators and contract administrators to deploy contracts Allow procurement buyer administrators to submit the procurement shopping cart for orders created by their organization
Creating a new role-based policy	Allowing member registrars to register users Allowing auditors to view business intelligence reports
Creating a new role and using it in a resource-level policy	Allowing member registrars to register users Allowing auditors to view business intelligence reports
Deleting a policy	Removing the ability of users to self-register
Removing an action from a policy's action group	Removing the ability of contract managers to add or delete attachments to contracts

Tips for changing default policies

Most access groups are defined by user roles such as Buyer or Product Manager.
Before you change a policy to use a different access group, review the definition of that access group to ensure it meets your requirements. To do so, select Access Management > Access Groups from the Organization Administration Console.
Depending on the value you select for View, the Policies page lists the policies that are owned by the selected organization. It does not distinguish between site-level policies and policies specific to a particular organization.
Rename any default policies you change so that the policy name reflects what the policy does and so that you can identify the default policies you have changed. Consider implementing a naming convention for your customized policies. If appropriate, you should also modify the description of the policy and its display name.

Note:

The display names and the descriptions of access control elements are only available in the default language of the instance.
The access control policy menu is moved to Organization Administration Console. The Organization Administration Console can only perform simple modifications to the access control policy definitions and access group definitions. The more robust solution is to update the data using XML files. The following operations can only be done through XML:
1. Defining new actions, resources, attributes, relationships, relationship groups.
2. Defining complex implicit resource groups, and complex implicit access groups.
3. Assigning a new policy to a policy group.