IBM WebSphere XML Document Management Server, Version 7.0

Granting a group of identities write access to all documents in a domain

You can grant a group of identities write access to all documents in a domain.

Before you begin
Preconditions:
  1. User SuperAdmin (superadmin) owns a domain user list document in his home directory with the following XCAP URI: http://xdms.example.com:9080/services/resource-lists/users/superadmin/domainUserList.xml
  2. The domain user list document contains a list named “ServicesForUSDomain”. This special list contains a list of service IDs that SuperAdmin will provision to grant write access to all documents within a certain user domain.
<?xml version="1.0" encoding="UTF-8"?>
<resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
	<list name="ServicesForUSDomain">
		<entry uri="sip:service1@us.example.com"/>
		<entry uri="sip:service2@us.example.com"/>
	</list>
</resource-lists>
About this task

In order for SuperAdmin to provide write access to service IDs listed in the domain user list document, SuperAdmin must create an authorization policy document that complies with the IETF common policy specification. The authorization policy document must be similar to the following example, which references the external list ServicesForUSDomain that is defined in the domain user list document.

<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
	xmlns:oma="urn:oma:xml:xdm:common-policy">
	<rule id="write">
		<conditions>
			<oma:external-list>
				<!-- document selector of the domain user list document from the preconditions, then the ~~ separator and the percent-encoded node selector -->
				<oma:entry
					anc="http://xdms.example.com:9080/services/resource-lists/users/superadmin/domainUserList.xml/~~/resource-lists/list%5b@name=%22ServicesForUSDomain%22%5d" />
			</oma:external-list>
		</conditions>
		<actions />
		<transformations />
	</rule>
</ruleset>
Note: Take note of the following:
  • The <oma:external-list> element carries the oma prefix because the element is defined in the OMA schema for common-policy, not in the IETF common-policy schema.
  • The <oma:entry> element carries an anc attribute, which is an anchor to a fully qualified resource-lists element: the document selector of the domain user list document, followed by the ~~ separator and a Node Selector that references the specific ServicesForUSDomain list.
  • The anc attribute must be percent encoded; therefore the latter portion of the Node Selector, list[@name="ServicesForUSDomain"], is percent encoded into list%5b@name=%22ServicesForUSDomain%22%5d.

The authorization policy document must be created at the XCAP URI of a special directory.xml document inside a special user XUI named domain:us.example.com, under the access control list (ACL) AUID com.ibm.resource-lists-acls. For this example the URI is:
http://xdms.example.com:9080/services/com.ibm.resource-lists-acls/users/domain:us.example.com/directory.xml

This authorization policy document grants every service ID listed in the domain user list document write access to any document stored in any user directory under the domain us.example.com (including sub-domains) for the corresponding resource-lists AUID.
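The following Python is an added example and not part of the IBM documentation: it builds the anc anchor with the percent-encoding described above, starting from the domain user list URI given in the preconditions, serializes the ruleset, and parses it back so that the document selector and decoded node selector can be reviewed before the PUT. The function names are my own; the URIs, namespaces and AUID are the ones on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Values taken from this page: the XDMS root, the domain user list document and the ACL AUID.
XCAP_ROOT = "http://xdms.example.com:9080/services"
DOMAIN_USER_LIST_URI = XCAP_ROOT + "/resource-lists/users/superadmin/domainUserList.xml"
ACL_AUID = "com.ibm.resource-lists-acls"
CP_NS = "urn:ietf:params:xml:ns:common-policy"
OMA_NS = "urn:oma:xml:xdm:common-policy"
# Characters left unencoded inside the node selector; everything else becomes %xx.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~/@=:")

def percent_encode(selector):
    """Percent-encode a node selector with lowercase hex, so '[', '"' and ']' become %5b, %22, %5d."""
    return "".join(c if c in SAFE else "%%%02x" % ord(c) for c in selector)

def external_list_anchor(document_uri, list_name):
    """Build the anc value: document selector, the '~~' separator, then the encoded node selector."""
    node_selector = 'resource-lists/list[@name="%s"]' % list_name
    return "%s/~~/%s" % (document_uri, percent_encode(node_selector))

def acl_document_uri(domain):
    """XCAP URI of the special directory.xml that protects every user directory under the domain."""
    return "%s/%s/users/domain:%s/directory.xml" % (XCAP_ROOT, ACL_AUID, domain)

def build_write_policy(anchor):
    """Serialize a common-policy ruleset whose single 'write' rule matches the external list."""
    ET.register_namespace("", CP_NS)
    ET.register_namespace("oma", OMA_NS)
    ruleset = ET.Element("{%s}ruleset" % CP_NS)
    rule = ET.SubElement(ruleset, "{%s}rule" % CP_NS, id="write")
    conditions = ET.SubElement(rule, "{%s}conditions" % CP_NS)
    ext = ET.SubElement(conditions, "{%s}external-list" % OMA_NS)
    ET.SubElement(ext, "{%s}entry" % OMA_NS, anc=anchor)
    ET.SubElement(rule, "{%s}actions" % CP_NS)
    ET.SubElement(rule, "{%s}transformations" % CP_NS)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(ruleset, encoding="unicode")

def inspect_policy(policy_xml):
    """Parse a policy and decode where each external-list entry points, to review before the PUT."""
    root = ET.fromstring(policy_xml)
    entries = []
    for entry in root.iter("{%s}entry" % OMA_NS):
        document, _, node = entry.get("anc", "").partition("/~~/")
        entries.append({"document": document, "node": unquote(node)})
    return {"rules": [r.get("id") for r in root.iter("{%s}rule" % CP_NS)], "entries": entries}

if __name__ == "__main__":
    print(build_write_policy(external_list_anchor(DOMAIN_USER_LIST_URI, "ServicesForUSDomain")))
    print("PUT to:", acl_document_uri("us.example.com"))
```

The printed ruleset is what you would save as the file passed to xcap_put.sh, and the second line is the directory.xml URI the request targets.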

Before using the XDMS client and XCAP requests, make sure that you have JDK1.5.0 SR 5 installed and configured in your system path variables.

Create or edit an XDM policy document and post it to the XDMS.

  1. Change to the command client directory by typing the following from the command line: cd was_root/installableApps/xdms/client/
    Note: was_root is the installation root directory for WebSphere® Application Server Network Deployment. By default, this directory is:
    • AIX /usr/IBM/WebSphere/AppServer
    • Linux /opt/IBM/WebSphere/AppServer
  2. Type the XCAP Put request:
    ./xcap_put.sh -user user_id -password password -filename file_name -content_type application/auth-policy+xml XCAP_URL
    For example, to put the file to the XDMS server for xdms.example.com, type the following parameters on a single line.
    ./xcap_put.sh -user superadmin -password password -filename samples/AuthPolicyExternalListWrite.xml -content_type application/auth-policy+xml http://xdms.example.com:9080/services/com.ibm.resource-lists-acls/users/domain:us.example.com/directory.xml
  3. Press Enter to send the request. The new policy document is posted to the XDMS at the specified location, in this case the XCAP URI of the special directory.xml authorization policy document that protects the us.example.com domain.
What to do next
Policy documents can be retrieved or deleted using the XCAP Get and XCAP Delete commands.
(C) Copyright IBM Corporation 2009. All Rights Reserved.