To facilitate database management and ensure security, access to WebSphere Commerce must be restricted to specific individuals and organizations. The process of restricting access is referred to as access control or authorization. Access control can be defined as security guidelines that:
- Allow or deny a user of a system access to the resources managed by a system.
- Specify what actions the user can perform on each resource.
The access control model for WebSphere Commerce is based upon the enforcement of access control policies. Access control policies are enforced by the access control Policy Manager. In general, when a user attempts to perform an action on a protected resource, the access control policy manager first determines what access control policies are applicable for that resource and then, based upon the applicable access control policies, it determines if the user is allowed to perform the requested action on the particular resource.
The Site Administrator manages the access control policies that apply to an entire site, and can manage the access control policies that apply to a store.
Note: The WebSphere Commerce Organization Administration Console allows you to make simple changes to access control policies and their parts. To make more sophisticated changes, you need to edit the XML files directly, and then load them into the database.
Access control policy groups
Different organizations in an e-commerce site require different sets of access control policies. For example, a seller organization would require shopping-related policies, while a buyer organization would not need them. To meet this requirement, WebSphere Commerce partitions access control policies into access control policy groups. For an access control policy to be applied in the site, it must belong to an access control policy group. Organizations then subscribe to the appropriate access control policy groups, based on their business and access control requirements. The Site Administrator can subscribe to policy groups using the Organization Administration Console.
Access control policies
An access control policy authorizes a group of users to perform particular actions on a group of WebSphere Commerce resources. Unless authorized through one or more access control policies, users have no access to any functions. Access control policies grant authorization to a specific group of users to perform particular actions on resources in a specified resource group.
An access control policy consists of four parts:
- Access group: The group of users to which the policy applies.
- Action group: A group of actions.
- Resource group: The resources controlled by the policy. A resource group may include business objects such as "contract" or "order," or a set of related commands.
- Relationship (optional): Each resource type can have a set of relationships associated with it. Each resource can have a set of users that fulfill each relationship.
Note: A user belonging to a specific access group is permitted to perform actions in the specified action group on resources belonging to the specified resource group, as long as the user satisfies a particular relationship with respect to the resource.
Site Administrators oversee access control policies for the entire site. WebSphere Commerce comes with two sets of default access control policies that can be used as provided or customized. The default access control policies are:
- Groupable standard policies (policy type -2)
- Groupable template policies (policy type -3)
Both groupable template and groupable standard policies must belong to a policy group in order to be applied in the system. A groupable standard policy is applied, once, at organizations that subscribe to a policy group that contains the policy.
Groupable template policies are dynamic in nature in that they have an access group that is scoped, when the system is running, to the organization that owns the resource. For example, when this type of policy is applied to a resource owned by Organization XYZ, it would check if the user played one of the specified roles for Organization XYZ or its ancestors.
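A simplified model of the decision described above, as an added example (not IBM's Policy Manager code or its data model): access is denied unless a policy in a subscribed policy group matches on access group, action group, resource group and, if present, relationship. It assumes an access group is a single role name and that only the resource owner's own policy group subscriptions are consulted; every organization, role, action and group name is constructed.

```python
from dataclasses import dataclass

STANDARD, TEMPLATE = -2, -3  # the two policy types named on this page
# Constructed organization tree: child -> parent
PARENT = {"Root": None, "SellerOrg": "Root", "StoreXYZ": "SellerOrg"}

@dataclass(frozen=True)
class Policy:
    access_group: str          # modelled as one role name (assumption)
    action_group: frozenset    # actions the policy covers
    resource_group: frozenset  # resource categories the policy covers
    relationship: str = None   # optional fourth part
    ptype: int = STANDARD

@dataclass
class Resource:
    category: str
    owner_org: str
    relations: dict            # relationship name -> set of user ids

def ancestors(org):
    """Yield org itself, then each ancestor up to the root."""
    while org is not None:
        yield org
        org = PARENT[org]

def is_allowed(user, roles, action, res, subscriptions, groups):
    """roles is a set of (role, org) pairs held by user. Default deny."""
    for group in subscriptions.get(res.owner_org, ()):
        for p in groups[group]:
            if action not in p.action_group or res.category not in p.resource_group:
                continue
            if p.ptype == TEMPLATE:
                # Role must be played for the owning organization or an ancestor.
                in_group = any((p.access_group, o) in roles for o in ancestors(res.owner_org))
            else:
                in_group = any(r == p.access_group for r, _ in roles)
            rel_ok = not p.relationship or user in res.relations.get(p.relationship, ())
            if in_group and rel_ok:
                return True
    return False  # no applicable policy granted the action

# Constructed sample policies, subscription and resource
GROUPS = {"OrderPolicies": [
    Policy("Seller", frozenset({"OrderRead"}), frozenset({"Order"}), ptype=TEMPLATE),
    Policy("Customer", frozenset({"OrderRead", "OrderCancel"}), frozenset({"Order"}), "creator"),
]}
SUBSCRIPTIONS = {"StoreXYZ": ["OrderPolicies"]}
ORDER = Resource("Order", "StoreXYZ", {"creator": {"alice"}})
```

The template policy grants a "Seller" of SellerOrg read access to StoreXYZ's order because SellerOrg is an ancestor of the owning organization, while the same role held in an unrelated organization grants nothing.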
A Site Administrator can perform the following tasks in the Organization Administration Console:
Resources and resource groups
Resources are any objects in the system that need to be protected. For example, RFQs, Auctions, Users, and Orders are some of the resources in WebSphere Commerce which need to be protected. Each resource has an owner. The ownership of the resource may be used to determine which access control policies apply to it.
A resource group identifies a set of related resources. A resource group can include business objects such as a contract or a set of related commands. In access control, resource groups specify the resources to which the access control policy authorizes access. Resource groups can be explicit or implicit.
- Implicit resource groups match a certain set of attributes, for instance "users in the abc department", "managers", "buyers", or the Java class name of the resources.
- Explicit resource groups are identified by name.
Adding resources to a group implicitly, by specifying their attributes, makes it easy to authorize access to numerous resources without having to specify each resource. It also avoids the need to add or delete resources when resource changes occur.
Adding resources to a group explicitly, by listing their names, lets you group individual resources that might not necessarily share common attributes.
Note: Resources and resource groups are owned by the root organization. Other organizations cannot own resources or resource groups. RFQs are not available in WebSphere Commerce Professional Edition.
A Site Administrator can perform the following tasks in the Organization Administration Console:
Resource category
Resource category refers to a class of resources. Resource categories are Java classes such as Order, RFQs (request for quote) and Auction. Resources are the instances of these classes. For example, Auction1 created by Auction Administrator A is one resource; Auction2 created by Auction Administrator B is another resource. These two resources belong to the resource category Auction. All resources used by WebSphere Commerce components are registered in the ACRESCGRY table.
Resource relationships
Each resource may have some kind of relationship associated with it, and a set of members that fulfill each relationship. For example, all resources have a relationship of "owner," which is fulfilled by the owner of the resource. Other relationships can include recipients of documents and suppliers for catalog entries. These resource relationships are important in determining who can perform certain actions on a particular instance of a resource. For example, the creator of a document may not be able to delete it, but perhaps an auditor may. Similarly, a reviewer may only be able to read and approve a document, but not forward it or perform other operations.
Action and action groups
Actions are a set of operations that users can perform on resources. Actions typically map to WebSphere Commerce commands. If the resource group is a business object such as a contract, the action might be "create" or "approve". In WebSphere Commerce, when commands are applied to other resources, they become actions. For example, the command UserProfileUpdate can be applied as an action to the user profile.
Action groups are groups of related actions. An example of an action group is the AccountManage group that includes the following commands:
- com.ibm.commerce.account.commands.AccountDeleteCmd
- com.ibm.commerce.account.commands.AccountSaveCmd
A Site Administrator can perform the following tasks in the Organization Administration Console: