Protecting resources

You can add resource-level access control to controller or task commands. Resource-level checking is done at HCL Commerce runtime, based on data returned by the getResources() method of a command. Resource-level checking can also be done during the performExcecute() portion of the command by making direct calls to the access control policy manager using the method void checkIsAllowed(Object resource, String action) throws ECException. This method will throw the ECApplicationException if the current user is not allowed to perform the specified action on the specified resource.

About this task

Note: By default, the getResources() method returns null, and no resource-level checking is done.

You need to create a resource-level policy for new commands in the following instances:

The new command extends from a base HCL Commerce command that is doing a resource-level check, and has a resource-level policy, and the new command is implementing a different interface than the base command.
The new command itself does resource-level access control checking.

The following is an example of a resource-level policy:


<Policy
Name="ContractMangersForOrgExecuteContractManageCommandsOnContractResource"
                OwnerID="RootOrganization"
                UserGroup="ContractManagersForOrg"
                ActionGroupName="ContractManage"
                ResourceGroupName="ContractDataResourceGroup"
                PolicyType="groupableTemplate">
</Policy>

where:

Name: The name of the policy.
PolicyType: The policy type. This is a groupable template policy and will dynamically apply to the organizational entity that owns the resource and it's ancestors.
OwnerID: The member that owns the policy.
UserGroup: The policy applies to users of this group. The naming convention for access groups where roles are dynamically scoped to the organization that owns the resource, is to append ForOrg to the group name
ActionGroupName: The name of the action group that contains the actions to be performed on the resource.
ResourceGroupName: The name of the resource group that contains the resources to be acted upon.

In the preceding example, the action group ContractManage is an action group that contains the set of commands that will act on the ContractDataResourceGroup. The following is an example of the action group that is used in the preceding resource-level policy:


<ActionGroupName="ContractManage" OwnerID="RootOrganization">
        <ActionGroupAction
Name="com.ibm.commerce.contract.commands.ContractCancelCmd"/>
        <ActionGroupAction
Name="com.ibm.commerce.contract.commands.ContractCloseCmd"/>
        <ActionGroupAction
Name="com.ibm.commerce.contract.commands.ContractDeleteCmd"/>
</ActionGroup>

The commands that were previously defined as resources for role-based policies are now defined as actions. The following is a sample definition of an action that is a part of the preceding ContractManage group:


<Action
Name="com.ibm.commerce.contract.commands.ContractCloseCmd"
       
CommandName="com.ibm.commerce.contract.commands.ContractCloseCmd">
</Action>

Note: The value of CommandName should correspond to the interface name of the command that is doing the resource-level check.

Most commands work with enterprise beans. These beans are usually the resources that the resource-level policies are protecting. The following is a sample definition of the resource group that is used in the preceding resource policy:


<ResourceGroup Name="ContractDataResourceGroup"
OwnerId="RootOrganization">
        <ResourceGroupResource
Name="com.ibm.commerce.contract.objects.ContractResourceCategory"/>
</ResourceGroup>

In this example, ContractDataResourceGroup is defined and is composed of one resource. The resource is defined as follows:


<ResourceCategory
Name="com.ibm.commerce.contract.objects.ContractResourceCategory" 
               
ResourceBeanClass="com.ibm.commerce.contract.objects.Contract"
                <ResourceAction
Name="com.ibm.commerce.contract.commands.ContractCancelCmd"/>
                <ResourceAction
Name="com.ibm.commerce.contract.commands.ContractCloseCmd"/>
                <ResourceAction
Name="com.ibm.commerce.contract.commands.ContractDeleteCmd"/>
 </ResourceCategory>

where:

Name: A tag used to reference this resource elsewhere in the XML file.
ResourceBeanClass: The class representing the resource to protect. If the resource is an enterprise bean, its remote interface should extend the Protectable interface.
ResourceAction: Specifies the actions that will be operating on this resource. This information is used by the Organization Administration Console when determining which actions are valid with a particular resource.