For all of these examples, it is assumed that a Site Administrator is modifying the policies for Root Organization. Once you step through some of the examples, you will be able to follow the same methodology to make changes not specifically covered here.
The examples are organized by business area. Within each business area, the examples are presented in order of increased complexity.
If you are looking for a example that illustrates a particular kind of change, refer to the table below, which cross-references the examples by the type of illustrated customization.
Customization | See the example |
---|---|
Adding a role to a policy's access group | |
Changing a policy's action group | |
Changing a policy's resource relationship | |
Changing a policy to use a different access group |
|
Creating a new access group and using it in a policy | |
Creating a new action group and using it in a policy | |
Creating a new resource-level policy | |
Creating a new role-based policy | |
Creating a new role and using it in a resource-level policy | |
Deleting a policy | |
Removing an action from a policy's action group |
Tips for changing default policies
For the above examples, keep the following in mind when you change your default policies:
- Most access groups are defined by user roles such as Buyer or Product Manager. To better understand these roles and what actions they are permitted to take, see Roles.
- Before you change a policy to use a different access group, review the definition of that access group to ensure it meets your requirements. To do so, select Access Management > Access Groups from the Organization Administration Console.
- Depending on the value you select for View, the Policies page lists the policies that are owned by the selected organization. It does not distinguish between site-level policies and policies specific to a particular organization.
- Rename any default policies you change so that the policy name reflects what the policy does and so that you can identify the default policies you have changed. Consider implementing a naming convention for your customized policies. If appropriate, you should also modify the description of the policy and its display name.
Note: The access control policy menu is moved to Organization Administration Console. The Organization Administration Console can only perform simple modifications to the access control policy definitions and access group definitions. The more robust solution is to update the data using XML files. The following operations can only be done through XML:
- Defining new actions, resources, attributes, relationships, relationship groups.
- Defining complex implicit resource groups, and complex implicit access groups.
- Assigning a new policy to a policy group.