Implementing access control

Resources that web services act upon are actually nouns that are represented by generated SDOs. This lesson contains a brief overview of how access control policy works for BOD service modules.

About this task

For Get requests, the XPath search expression that returns data for a particular access profile is authorized using an action, an action group, and a policy. An access profile is defined by an action:

<Action Name="GetProject.MyCompany_Admin_Summary" CommandName="GetProject.MyCompany_Admin_Summary" />
<Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary" />
An action group contains all the access profiles the group can use:

<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup"
  OwnerID="RootOrganization">
  <ActionGroupAction Name="GetProject.MyCompany_Store_Summary" />
</ActionGroup>
<ActionGroup
  Name="Project-Project-ProjectManagers-AccessProfileActionGroup"
  OwnerID="RootOrganization">
  <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary" />
</ActionGroup>
Finally, define a policy using the action group:

<!--  the all users access profile access control policy -->
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy"
  OwnerID="RootOrganization" UserGroup="AllUsers"
  ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
  ResourceGroupName="AccessProfileResourceGroup"
  PolicyType="groupableStandard" />
<!-- the project manager access profile access policy -->
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy"
  OwnerID="RootOrganization" UserGroup="RecipeManagers"
  ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
  ResourceGroupName="AccessProfileResourceGroup"
  PolicyType="groupableTemplate" />
After the nouns are retrieved for a Get request, the access control filter performs a check to determine which of the returned nouns can be displayed:

<!--  all user action group which contains read and change actions -->
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayResourceAction"/>
  <ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup>
For Change, Sync, and Process requests, authorization to perform an operation on the specified noun is likewise defined using an action, an action group, and a policy. Each operation is defined by an action:

<!--  read action (Get request) -->
<Action Name="DisplayResourceAction" CommandName="Display"/>
<!--  change action (Change request) -->
<Action Name="ChangeResourceAction" CommandName="Change"/>
<!--  process actions (Process request) -->
<Action Name="AddResourceAction" CommandName="Add"/>
<Action Name="DeleteResourceAction" CommandName="Delete"/>
<Action Name="CreateResourceAction" CommandName="Create"/>
An action group contains all the actions that the group can use:

<!-- all project managers action group process action -->
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="AddResourceAction"/>
  <ActionGroupAction Name="DeleteResourceAction"/>
  <ActionGroupAction Name="CreateResourceAction"/>
</ActionGroup>
Finally, define a policy using the action group:

<!-- the project manager creator policy -->
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy"
  OwnerID="RootOrganization" UserGroup="RecipeManagers"
  ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
  ResourceGroupName="Project-Project-ResourceGroup"
  RelationName="creator" PolicyType="groupableTemplate" />
Note: For more information, see Access control in the BOD command framework.
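As an added example (not HCL Commerce code), the following Python resolves policy definitions like the ones above into the commands each UserGroup is actually granted and reports dangling Action or ActionGroup references, which is the check to run before loading a policy file with acpload. It assumes the elements sit under a <Policies> root element; the sample input is constructed.

```python
# Added example (not HCL Commerce code): resolves each Policy through its
# ActionGroup to the Actions granted per UserGroup and flags dangling
# references. Assumes the policy file wraps the elements in a <Policies> root.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the lesson's snippets. The references to
# ChangeResourceAction and Project-Project-Missing-ActionGroup are left
# undefined on purpose so the audit has something to report.
SAMPLE_POLICY_XML = """<Policies>
  <Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary"/>
  <Action Name="DisplayResourceAction" CommandName="Display"/>
  <ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Store_Summary"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayResourceAction"/>
    <ActionGroupAction Name="ChangeResourceAction"/>
  </ActionGroup>
  <Policy Name="Project-Project-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization"
    UserGroup="AllUsers" ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
    ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="Project-Project-AllUsers-Policy" OwnerID="RootOrganization"
    UserGroup="AllUsers" ActionGroupName="Project-Project-AllUsers-ActionGroup"
    ResourceGroupName="Project-Project-ResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="Project-Project-ProjectManagers-CreatorPolicy" OwnerID="RootOrganization"
    UserGroup="RecipeManagers" ActionGroupName="Project-Project-Missing-ActionGroup"
    ResourceGroupName="Project-Project-ResourceGroup" RelationName="creator" PolicyType="groupableTemplate"/>
</Policies>"""


def audit_policies(xml_text):
    """Return (grants, problems): grants maps UserGroup -> set of CommandName
    values it may run; problems lists dangling Action/ActionGroup references."""
    root = ET.fromstring(xml_text)
    actions = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    groups = {g.get("Name"): [m.get("Name") for m in g.findall("ActionGroupAction")]
              for g in root.iter("ActionGroup")}
    grants, problems = {}, []
    for g_name, members in groups.items():
        for m in members:
            if m not in actions:
                problems.append(f"ActionGroup {g_name} references undefined Action {m}")
    for p in root.iter("Policy"):
        g_name = p.get("ActionGroupName")
        if g_name not in groups:
            problems.append(f"Policy {p.get('Name')} references undefined ActionGroup {g_name}")
            continue  # a policy whose group does not resolve grants nothing
        cmds = {actions[m] for m in groups[g_name] if m in actions}
        grants.setdefault(p.get("UserGroup"), set()).update(cmds)
    return grants, problems
```

Running the audit on the constructed sample shows AllUsers granted only the Store summary profile and Display, while the RecipeManagers policy grants nothing because its action group is undefined.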

Procedure

  1. Review the access control policy concepts provided in this lesson.
  2. Right-click the HCL Commerce Test Server and select Publish.
  3. Create a role named "Recipe Manager" through the Organization Administration Console.
  4. Add the Recipe Manager role to the following organizations:
    • Extended Sites Organization
    • Asset Store Organization (Parent is Extended Sites Organization)
  5. Load the access control policy:
    1. Stop the HCL Commerce test server.
    2. Go to the temporary directory where you extracted the RecipeServices.zip file. Copy all the files in the policies\xml folder to the WCDE_installdir\xml\policies\xml\ folder.
    3. In a command prompt, go to WCDE_installdir\bin.
    4. Run the following commands:
      DB2:
      acugload Project-UserGroup.xml
      acpload WCDE_installdir\xml\policies\xml\Project-access-control.xml
  6. Import the provided ProtectableProxy class that contains the authorization methods:
    1. In the Enterprise Explorer view, expand Project-Server > ejbModule. Right-click the com.mycompany.commerce.project.facade.server.authorization package.
    2. Click Import. Expand General and select File System. Click Next.
    3. Browse to the temporary location where you extracted the RecipeServices.zip file. Browse to the com.mycompany.commerce.project.facade.server.authorization folder.
    4. Select all files. Click Finish.
    5. Click Yes to All to overwrite the existing files.