By default, intelligence report viewers are permitted to view business intelligence reports for their store. In some cases, you might also want to create a new role called auditor and authorize users with this role to view a store's business intelligence reports.
Here is an overview of the steps involved:
- Create a new role (Auditor) and, for it, a new access group (Auditors), a new resource group, and a new role-based policy.
- Add the new role to the resource-level policy's access group.
- Add the Auditor role to the access group of the resource-level policy that defines who can view business intelligence reports for their stores.
In this scenario, you will do the following:
- Determine the resource-level policy that permits business intelligence report viewers to view business intelligence reports.
- Note the name of the action in its action group. You must create a new resource group with this action and use it in the role-based policy for the new role. Keep in mind that, in role-based policies for actions, the action group contains only a single action, execute. The resource group contains the actions (commands) that can be executed.
- Define a new resource group, called AuditorCommands, which includes the command for viewing business intelligence reports. You will use this resource group in the role-based policy for the auditor role.
- Define a new role-based policy for auditors, which uses the Auditors access group and the AuditorCommands resource group.
- Add the auditor role to the access group for the resource-level policy that defines who can view business intelligence reports for their store.
Define the new auditor role
- From the Organization Administration Console, click Access Management > Roles.
- On the Roles page, click New.
- For Name, specify Auditor.
- For Description, specify a description of the auditor role in your local language.
- Click OK.
Define a new access group for the auditor role
- Click Access Management > Access Groups.
- On the Access Groups page, click New to display the Details page for the new access group.
- For Name, specify Auditors.
- For Description, specify a description of the access group in your local language.
- For Parent Organization, select Root Organization.
- Click Next to display the Criteria page for the new access group.
- Click Based on organizations and roles.
- From the Role list, select Auditor.
- Click Add.
- Click Finish.
Identify the actions to use in the resource group for the auditor role's role-based policy
- Find the policy that authorizes intelligence report viewers to view business intelligence reports. The policy is:
IntelligenceReportViewersForOrgExecuteViewBusinessIntelligenceReportCommandsOnStoreEntityResource
- From the Organization Administration Console, click Access Management > Policies.
- For View, select Root Organization to display the policies it owns.
- Locate the policy in the list.
- Note the name of the policy's action group: ViewBusinessIntelligenceReport. This is the action group you must view to identify the actions for viewing business intelligence reports.
- Click Access Management > Action Groups.
- From the list of action groups, select ViewBusinessIntelligenceReport.
- Click Change to display the Change Action Group page.
- Note the name of the command for viewing business intelligence reports: com.ibm.commerce.bi.commands.BIShowReportCmd.
Define the new resource group to be used in the role-based policy for the auditor role
- Click Access Management > Resource Groups to display the Resource Groups page.
- Click New to display the General page for the new resource group.
- For Name, specify AuditorCommands.
- For Display Name, specify a description of the resource group in your local language.
- For Description, specify a longer description of the resource group, in your local language.
- Click Next.
- For Type, select Explicit Resource Group.
- Click Next to display the Details page for the new resource group.
- From the Available Resources list, select com.ibm.commerce.bi.commands.BIShowReportCmd.
- Click Add.
- Click Finish.
Define the role-based policy for the auditor role
- Click Access Management > Policies.
- On the Policies page, click New.
- For Name, specify AuditorsExecuteAuditorCommands.
- For Display Name, specify a description of the policy in your local language.
- For Description, specify a longer description of what the policy does, in your local language.
- For User Group, click Find and select Auditors.
- Click OK.
- For Resource Group, select AuditorCommands.
- For Action Group, select ExecuteCommandActionGroup.
- Click OK.
Add the auditor role to the resource-level policy's access group
- Click Access Management > Access Groups.
- From the list of access groups, select IntelligenceReportViewersForOrg.
- Click Change to display the Change Access Group page.
- Click Criteria to display the Criteria page for the access group.
- From the Role list, select Auditor.
- Click For Organization to specify that the role must be played within the resource's own organization or its ancestors.
- Click Add.
- Click OK.
Update the policy registry with your changes
- Open the Administration Console.
- Click Configuration > Registry.
- From the list of registries, select Access Control Policies.
- Click Update.
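
The following added example (not product code and not part of the original procedure) is a simplified model of why both the role-based policy and the resource-level access group change are needed, and how the For Organization criterion scopes an auditor to stores in their own organization subtree. The organization names, the placeholder viewer role, and all function names are assumptions made for illustration.

```python
# Simplified model of the checks this page configures (an assumption for
# illustration, not WebSphere Commerce code): viewing a report requires BOTH
# a role-based policy on the command AND a resource-level policy on the store.
CMD = "com.ibm.commerce.bi.commands.BIShowReportCmd"

# Constructed organization tree (child -> parent); names are hypothetical.
ORG_PARENT = {"OrgA": "Root Organization", "OrgB": "Root Organization"}

def org_and_ancestors(org):
    """Return the organization plus every ancestor up to the root."""
    chain = {org}
    while org in ORG_PARENT:
        org = ORG_PARENT[org]
        chain.add(org)
    return chain

# Role-based policy AuditorsExecuteAuditorCommands: access group Auditors
# (role Auditor), action Execute, resource group AuditorCommands.
AUDITOR_POLICY = {"roles": {"Auditor"}, "commands": {CMD}}

def role_based_allows(user_roles, command, policies):
    """user_roles maps role name -> set of organizations where it is held."""
    return any(command in p["commands"] and bool(p["roles"] & set(user_roles))
               for p in policies)

def resource_level_allows(user_roles, command, store_org, viewer_roles):
    """IntelligenceReportViewersForOrg with 'For Organization': the role must
    be held in the store's own organization or one of its ancestors."""
    if command != CMD:  # action group ViewBusinessIntelligenceReport
        return False
    scope = org_and_ancestors(store_org)
    return any(bool(user_roles.get(role, set()) & scope) for role in viewer_roles)

def can_view_report(user_roles, store_org, policies, viewer_roles):
    return (role_based_allows(user_roles, CMD, policies)
            and resource_level_allows(user_roles, CMD, store_org, viewer_roles))

# Access group criteria before and after the Auditor role is added; the
# existing viewer role name is a placeholder, not taken from the page.
BEFORE = {"<existing-report-viewer-role>"}
AFTER = BEFORE | {"Auditor"}

if __name__ == "__main__":
    auditor_a = {"Auditor": {"OrgA"}}  # constructed user: Auditor in OrgA only
    for label, args in [("all steps done, own store", ("OrgA", [AUDITOR_POLICY], AFTER)),
                        ("all steps done, other org's store", ("OrgB", [AUDITOR_POLICY], AFTER)),
                        ("access group not updated", ("OrgA", [AUDITOR_POLICY], BEFORE)),
                        ("no role-based policy", ("OrgA", [], AFTER))]:
        print(f"{label}: {can_view_report(auditor_a, *args)}")
```

Only the first case is allowed. The same four cases make a useful manual test plan after the registry update: log on as an auditor and confirm that reports for a store outside the auditor's organization subtree are refused.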