Authorizations are essentially rules that allow a group of users to run a set of actions on specific resources according to defined relationships.
WebSphere Commerce defines those rules with XML assertions called policies. Each policy is defined in the following way:
<Policy Name="value" OwnerId="value" UserGroup="value" UserGroupOwner="value" ActionGroupName="value" ResourceGroupName="value" PolicyType="value" RelationName="value" RelationGroupName="value" RelationGroupOwner="value"> </Policy>
The persistent side, stored in the DB, has the following data model, which maps to the previous definition:
For a practical reference, it can be helpful to run the following query against the WCS DB:
-- List each policy with the names of its user, action and resource groups.
-- Short aliases are used because USER and RESOURCE are reserved words on some databases.
SELECT p.POLICYNAME, ug.MBRGRPNAME, ag.GROUPNAME, rg.GRPNAME
FROM ACPOLICY p, MBRGRP ug, ACACTGRP ag, ACRESGRP rg
WHERE p.MBRGRP_ID = ug.MBRGRP_ID
  AND p.ACACTGRP_ID = ag.ACACTGRP_ID
  AND p.ACRESGRP_ID = rg.ACRESGRP_ID;
So, for example, the result set contains:
MBRGRPNAME (UserGroup): 'SiteAdministrators'
GROUPNAME (ActionGroup): 'DoEverything'
GRPNAME (ResourceGroup): 'AllResourceGroup'
MBRGRPNAME (UserGroup): 'AllUsers'
GROUPNAME (ActionGroup): 'AllSiteUsersViews'
GRPNAME (ResourceGroup): 'ViewCommandResourceGroup'
The above are just a couple of examples to give an idea of how policies are stored in the DB.
A relationship is an optional constraint that can be added to the policy definition. In fact, each policy could be declared as:
For example, the InfoCenter reports ...
[AllUsers,UpdateDoc,doc,creator] specifies that all users can update a document if they are the creator of the document (this is the relationship constraint).
Each time the system gets a request, before fulfilling it, the Policy Manager ensures that the user is authorized to run the requested action on the selected resource. In fact, looking at a trace.log with ACL traces enabled, you can easily find the following:
isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
In other words, the Policy Manager starts the check by scanning the policies, looking for the requested UserGroup, ActionGroup and ResourceGroup, until it finds the right policy that authorizes the user. If the condition is not satisfied, the user is not authorized.
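The check described above can be modelled in a few lines. This is an added example, not WebSphere Commerce code: the group names come from this page, while the group memberships, the user id -1000, the 'HomeView' resource, the 'Update' action and the way relationships are passed in are assumptions made for illustration.

```python
# Simplified model of the policy scan described above; not WebSphere Commerce code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    user_group: str
    action_group: str
    resource_group: str
    relation: Optional[str] = None  # optional relationship constraint

# Constructed sample data: group names are from this page, memberships are assumed.
POLICIES = [
    Policy("SiteAdministrators", "DoEverything", "AllResourceGroup"),
    Policy("AllUsers", "AllSiteUsersViews", "ViewCommandResourceGroup"),
    Policy("AllUsers", "UpdateDoc", "doc", relation="creator"),
]
USER_GROUPS = {-1002: {"AllUsers"}, -1000: {"AllUsers", "SiteAdministrators"}}
ACTION_GROUPS = {
    "DoEverything": {"Execute", "Update"},
    "AllSiteUsersViews": {"Execute"},
    "UpdateDoc": {"Update"},
}
RESOURCE_GROUPS = {
    "AllResourceGroup": {"MyCmdImpl", "HomeView", "doc"},
    "ViewCommandResourceGroup": {"HomeView"},
    "doc": {"doc"},
}

def is_allowed(user, action, resource, relations=frozenset()):
    """Return the first policy that authorizes the request, or None (deny).

    `relations` is the set of relationships the user holds to the resource
    (assumed to be supplied by the caller in this model).
    """
    for p in POLICIES:
        if p.user_group not in USER_GROUPS.get(user, set()):
            continue
        if action not in ACTION_GROUPS.get(p.action_group, set()):
            continue
        if resource not in RESOURCE_GROUPS.get(p.resource_group, set()):
            continue
        # A relationship constraint, when present, must also be satisfied.
        if p.relation is not None and p.relation not in relations:
            continue
        return p
    return None  # no policy matched: the user is not authorized
```

In this model the traced request (user -1002, Execute, MyCmdImpl) is denied because no policy joins that user's groups to a resource group containing MyCmdImpl, which is the default-deny behaviour the text describes.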
When the Policy Manager finds the right policy that authorizes the user, the trace.log will report