Access control policy groups

HCL Commerce supports various business models, and each business model has its own set of access control policies. Policy groups exist to group the sets of policies within these models. Policies are explicitly assigned to the appropriate policy groups, and organizations then subscribe to one or more of these policy groups. For example, in the following diagram, Seller Organization subscribes to both the Seller Organization Policy Group and the Root Organization Policy Group.

In this diagram, there are three policy groups. A policy group can contain multiple policies; for example, Root Organization Policy Group contains two policies: Policy 1 and Policy 2. An organization can subscribe to zero, one, or multiple policy groups.

Policies are assigned to policy groups. For example, in the preceding diagram, Policy 1 and Policy 2 are assigned to the Root Organization Policy Group, Policy 3 is assigned to the Seller Organization Policy Group, and Policy 4 is assigned to the Division A Organizational Unit Policy Group.

Policy group subscription

Organizations can subscribe to policy groups. If Organization B does not subscribe to any policy groups, the access control framework searches up the organization hierarchy until it encounters an organization that subscribes to at least one policy group. If Organization B's immediate parent organization, Organization A, subscribes to a policy group, the search stops, and the policies in that group are applied to both Organization A and Organization B. This can be seen in the following diagram.

In this diagram, Organization B does not subscribe to a policy group, so it inherits the policy group subscription of its closest subscribing ancestor organization: Organization A (its immediate parent organization).

If Organization A does not subscribe to a policy group either, the search continues up the organization hierarchy until an organization with a subscription is reached. This is seen in the following diagram, where the Root Organization subscribes to a policy group. The policies in that group apply to Organization B and Organization A.

In this diagram, Organization B does not subscribe to policy groups. Its closest subscribing ancestor organization is Root Organization (its grandparent), so the policies in Root Organization Policy Group will apply to Organization B.

If Organization B subscribes to a policy group, the search stops at Organization B, so only the policies in the Organization B Policy Group apply to Organization B.

Even though Organization B's ancestor organizations (Organization A and Root Organization) subscribe to policy groups, the policies in those policy groups do not affect Organization B, because Organization B subscribes to its own policy group: Organization B Policy Group.
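
The subscription search described above can be modeled in a few lines. The following is an added example, not HCL Commerce code: the function names, the dictionary layout, and the policy names are assumptions made for illustration. It resolves the closest subscribing organization and also lists the ancestor policies that stop applying once a closer organization has its own subscription, which is the case worth auditing before a subscription is added.

```python
# Illustrative model only, not HCL Commerce code; all names are hypothetical.
PARENT = {  # constructed hierarchy matching the organizations on this page
    "Root Organization": None,
    "Organization A": "Root Organization",
    "Organization B": "Organization A",
}
POLICIES_IN_GROUP = {  # constructed policy names, for illustration
    "Root Organization Policy Group": ["Root Policy 1", "Root Policy 2"],
    "Organization A Policy Group": ["A Policy 1"],
    "Organization B Policy Group": ["B Policy 1"],
}

def chain(org, parent=PARENT):
    """`org` followed by its ancestors, closest first; rejects cyclic data."""
    out = []
    while org is not None:
        if org in out:
            raise ValueError(f"cycle in organization hierarchy at {org!r}")
        out.append(org)
        org = parent.get(org)
    return out

def resolve_subscription(org, subscriptions, parent=PARENT):
    """Return (subscriber, groups) for the closest organization, starting at
    `org` itself, that subscribes to at least one policy group."""
    for candidate in chain(org, parent):
        groups = subscriptions.get(candidate, [])
        if groups:
            return candidate, list(groups)  # search stops at first subscriber
    return None, []  # nobody in the chain subscribes to anything

def policies_of(groups, catalog=POLICIES_IN_GROUP):
    """Flatten policy groups into an ordered, de-duplicated policy list."""
    out = []
    for group in groups:
        out.extend(p for p in catalog.get(group, []) if p not in out)
    return out

def effective_policies(org, subscriptions, parent=PARENT):
    """Policies that apply to `org`: those of the resolved subscription only."""
    return policies_of(resolve_subscription(org, subscriptions, parent)[1])

def shadowed_policies(org, subscriptions, parent=PARENT):
    """Audit helper: policies subscribed to above the resolved subscriber that
    do not reach `org` because the search stopped before reaching them."""
    subscriber, groups = resolve_subscription(org, subscriptions, parent)
    if subscriber is None:
        return []
    above = chain(subscriber, parent)[1:]
    higher = policies_of([g for a in above for g in subscriptions.get(a, [])])
    return [p for p in higher if p not in policies_of(groups)]
```

With every organization subscribed to its own group, `shadowed_policies("Organization B", ...)` returns the Organization A and Root Organization policies, matching the last scenario on this page.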