Protecting views

Any view that is called directly from a URL, or that is launched as a redirect from another command, needs a role-based access control policy in order to be displayed.

About this task

The following example displays a role-based policy for views:

<Policy Name="ProductManagersExecuteProductManagersViews"

The ResourceGroup name, ViewCommandResourceGroup, indicates that this is a role-based policy for views. The policy states that users in the ProductManagers user group can display the views in the ProductManagersViews action group. Similarly, for most roles there is a corresponding action group that groups the views the role can access, such as Seller role -> Sellers access group -> SellersViews action group.

The following is an example of the ProductManagersViews action group:

<ActionGroup Name="ProductManagersViews"
        <ActionGroupAction Name="ProductImageView"/>
        <ActionGroupAction Name="ProductManufacturerView"/>
        <ActionGroupAction Name="ProductSalesTaxView"/>

The preceding example lists the three actions, ProductImageView, ProductManufacturerView, and ProductSalesTaxView, that can be performed in the ProductManagersViews action group.

The following is an example of the ProductImageView action definition:

<Action Name="ProductImageView"

The Name attribute, ProductImageView, is used as a tag for referencing the action elsewhere in the XML, such as when associating the action with an action group.

Note: The name of the view, stored in the VIEW NAME in the Struts configuration files, must match the CommandName in the action definition. The value of CommandName is stored in the ACTION column of the ACACTION table. The Name and CommandName attributes do not have to be the same.
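The following audit script is an added example, not part of the original documentation or the product. It checks that every view name is reachable through an Action whose CommandName matches, an action group, and a policy on ViewCommandResourceGroup. The sample XML and view list are constructed, and the attribute names ResourceGroupName, ActionGroupName, and UserGroup, as well as the Policies wrapper element, are assumptions about the policy file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real store. Attributes other than Name
# and CommandName (UserGroup, ResourceGroupName, ActionGroupName) are assumed.
SAMPLE_POLICY_XML = """
<Policies>
  <Action Name="ProductImageView" CommandName="ProductImageView"/>
  <Action Name="ProductManufacturerView" CommandName="ProductManufacturerView"/>
  <Action Name="ProductSalesTaxView" CommandName="ProductSalesTaxDisplayView"/>
  <ActionGroup Name="ProductManagersViews">
    <ActionGroupAction Name="ProductImageView"/>
    <ActionGroupAction Name="ProductManufacturerView"/>
    <ActionGroupAction Name="ProductSalesTaxView"/>
    <ActionGroupAction Name="ProductPriceView"/>
  </ActionGroup>
  <Policy Name="ProductManagersExecuteProductManagersViews"
          UserGroup="ProductManagers"
          ResourceGroupName="ViewCommandResourceGroup"
          ActionGroupName="ProductManagersViews"/>
</Policies>
"""

# Constructed view names, as they would appear in the Struts configuration.
SAMPLE_VIEW_NAMES = ["ProductImageView", "ProductManufacturerView",
                     "ProductSalesTaxView", "OrphanReportView"]

def audit_view_policies(policy_xml, view_names):
    """Report action-group members with no Action and views no policy covers."""
    root = ET.fromstring(policy_xml)
    # Action Name (the XML tag) -> CommandName (must equal the view name)
    actions = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    groups = {g.get("Name"): [m.get("Name") for m in g.iter("ActionGroupAction")]
              for g in root.iter("ActionGroup")}
    dangling = sorted({m for members in groups.values() for m in members
                       if m not in actions})
    covered = set()
    for policy in root.iter("Policy"):
        # Only policies on the view resource group protect views.
        if policy.get("ResourceGroupName") != "ViewCommandResourceGroup":
            continue
        for member in groups.get(policy.get("ActionGroupName"), []):
            if member in actions:
                covered.add(actions[member])
    unprotected = sorted(v for v in view_names if v not in covered)
    return {"dangling_group_members": dangling, "views_without_policy": unprotected}

if __name__ == "__main__":
    print(audit_view_policies(SAMPLE_POLICY_XML, SAMPLE_VIEW_NAMES))
```

In the sample, ProductSalesTaxView is reported because its Action has a CommandName that differs from the view name, which is the mismatch the note above warns about.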