Modifying the resource-level access control of an existing policy

For commands that require resource level access control, they return the protected resources that they are going to access in the command's getResources() method. This triggers a resource level access control check by the HCL Commerce access control framework. HCL Commerce will search for an access control policy in the system with an Action Group that includes the action that is equal to the current command; in this example com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd. The policy's Resource Group must also include the resource that was returned in the getResources() method. In this case, the UserRegistrationAdminAddCmd command does implement the getResources() method and it returns the organization to which the new user is going to be registered.

About this task

By default, in defaultAccessControlPolicies.xml, com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd is already defined as an action:
<Action
Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"
       
CommandName="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd">
</Action>
It is also included in an action group, defined in the defaultAccessControlPolicies.xml XML file:

<ActionGroup Name="UserAdminRegistration"
OwnerID="RootOrganization"> 

        <ActionGroupAction
Name="com.ibm.commerce.usermanagement.commands.UserRegistrationAdminAddCmd"/>
</ActionGroup>
This action group is already used in an existing bootstrap policy, with the following values:
UserGroup
MembershipAdministratorsForOrg
ActionGroupName
UserAdminRegistration
ResourceGroupName
OrganizationDataResourceGroup
Note: Many polices are default polices and loaded into the database during instance creation.

Procedure

  1. Add the required role to the access group used by the policy. In this example, MembershipAdministratorsForOrg.

    This access group is defined in WCDE_installdir/xml/policies/xml/ACUserGroups_en_US.xml as follows:

    
    <UserGroup Name="
    MembershipAdministratorsForOrg" OwnerID="RootOrganization" 
       Description="Administrators of membership for the organization"
    MemberGroupID="-97">
            
    <UserCondition><![ CDATA [ 
        <profile>
               <orListCondition>
                 <simpleCondition>
                   
    <variable name="role"/>
                   <operator name="="/>
                   <value data="Buyer Administrator"/>
                       <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                 </simpleCondition>
                 <simpleCondition>
                   
    <variable name="role"/>
                   <operator name="="/>
                  <value data="Seller Administrator"/>
                       <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                 </simpleCondition>
              </orListCondition>
        </profile>
     </UserCondition>
    </UserGroup>
    

    In the preceding XML example, users are included that have at least one of the specified roles, Buyer Administrator or Seller Administrator for an organization that is an ancestor of the owner of the resource (organization) returned by getResources(). If you wanted to add the Marketing Manager role, you would have to enhance it to also include the new role.

  2. Copy the XML file to the WCDE_installdir/xml/policies/xml/ directory. The following is an example of what your XML could look like:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE UserGroups SYSTEM "../dtd/ACUserGroups_en_US.dtd">
    
    <UserGroups>
    
    <UserGroup Name="MembershipAdministratorsForOrg"
    OwnerID="RootOrganization" 
        Description="Administrators of membership for the organization"
    MemberGroupID="-97">
            
                    <UserCondition><![CDATA[
         <profile>
               <orListConditio>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Buyer Administrator"/>
                       <qualifier name="org" data="
    OrgAndAncestorOrgs"/>         
                 </simpleCondition>
                 <simpleCondition>
                   <variable name="role"/>
                   <operator name="="/>
                   <value data="Seller Administrator"/>
                       <qualifier name="org" data="
    OrgAndAncestorOrgs"/>         
                 </simpleCondition>
                 <simpleCondition>
                   
    <variable name="role"/>
                   <operator name="="/>
                   <value data="Marketing Manager"/>
                       <qualifier name="org"
    data="OrgAndAncestorOrgs"/>        
                 </simpleCondition>
              </orListCondition>
        </profile>
     </UserCondition>
    </UserGroup>
            
    </UserGroups>
    
  3. Load the XML file into the database using the acpload script. For more information about loading your XML files, see Loading access control policy XML files.
  4. Update the Access Control Policy Registry in the Administration Console by doing the following:
    1. Open the Administration Console.
    2. Click Configuration > Registry. A list of registry components is displayed.
    3. From the list of registries, select Access Control Policies.
    4. Click Update.