Example: Permitting both contract operators and contract administrators to deploy contracts

By default, contract operators for a store can deploy contracts. In some cases, you might want to grant this authority to contract administrators as well.

The flexible design of access control policies offers several methods for implementing this change:

  • You can create a new access group containing both contract operators and contract administrators and assign the new access group to the policy that defines who can deploy contracts.
  • You can add the deploy contract actions to the policy that specifies the actions a contract administrator can perform.
  • You can create a new policy that permits contract administrators to deploy contracts.

This example illustrates the third approach. It shows you how to create a new resource-level policy that authorizes contract administrators to deploy contracts.

To create this policy, you need to do the following:

  • Determine the resource-level policy that authorizes contract operators to deploy contracts.
  • Note the name of the action group for this policy.
  • Note the name of the resource group for this policy.
  • Define a new policy for the contract administrator access group, specifying the action group and resource group from the policy that authorizes contract operators to deploy contracts.

Identify the action group and resource group to use in the new policy

  1. Determine the resource-level policy that authorizes contract operators to deploy contracts The policy is: ContractOperatorsForOrgExecuteContractDeployCommandsOnContractResource.
  2. From the Organization Administration Console, click Access Management > Policies.
  3. For View, select Root Organization to display the policies that it owns.
  4. Locate the policy in the list.
  5. Note the name of the policy's action group--ContractDeploy. This is the action group you need to use in defining your new policy.
  6. Note the name of the resource group--ContractDataResourceGroup, This is the resource group you need to use in defining your new policy.

Define the new policy

  1. Click New to display the New Policy page.
  2. For Name, specify:
    
    ContractAdministratorsForOrgExecuteContractDeployCommandsOnContractResource 
    
  3. For Display Name, specify a short description of the policy in your local language.
  4. For Description, specify a longer description of what the policy does, in your local language.
  5. For User Group, click Find and select ContractAdministratorForOrg.
  6. Click OK.
  7. For Resource Group, select ContractDataResourceGroup.
  8. For Action Group, select ContractDeploy.
  9. For Policy Type, select Groupable Template Policy to designate the policy as a template policy.
  10. Click OK.

Update the access control policy registry with your changes

  1. Open the Administration Console.
  2. Click Configuration > Registry.
  3. From the list of registries, select Access Control Policies.
  4. Click Update.
    Note: This new policy must be assigned to a policy group before it takes effect. The policy assignment must be done through XML. See for more information.