Fraska Portal

Exploring the WebSphere Commerce world

WebSphere Commerce, understand authorizations


Authorizations are basically rules that allow a group of users to run a set of actions on specific resources according to defined relationships.

Users, Actions and Resources in WebSphere Commerce

WebSphere Commerce defines those rules with XML assertions called policies. Each policy is defined in the following way:

<Policy Name="value"
        OwnerId="value"
        UserGroup="value"
        UserGroupOwner="value"
        ActionGroupName="value"
        ResourceGroupName="value"
        PolicyType="value"
        RelationName="value"
        RelationGroupName="value"
        RelationGroupOwner="value">
</Policy>

The persistent side, stored in the DB, has the following data model, which maps to the previous definition:

WebSphere Commerce Data Access Control Model

To have a practical reference, it can be helpful to run the following query against the WCS DB:

-- Short aliases are used because USER and RESOURCE are reserved words on some databases.
SELECT
   p.POLICYNAME,
   mg.MBRGRPNAME,
   ag.GROUPNAME,
   rg.GRPNAME
FROM
   ACPOLICY p,
   MBRGRP mg,
   ACACTGRP ag,
   ACRESGRP rg
WHERE
   p.MBRGRP_ID = mg.MBRGRP_ID AND
   p.ACACTGRP_ID = ag.ACACTGRP_ID AND
   p.ACRESGRP_ID = rg.ACRESGRP_ID;

So, for example, the result set contains:

POLICYNAME: 'SiteAdministratorsCanDoEverything'
MBRGRPNAME (UserGroup): 'SiteAdministrators'
GROUPNAME (ActionGroup): 'DoEverything'
GRPNAME (ResourceGroup): 'AllResourceGroup'

 or 

POLICYNAME: 'AllUsersExecuteAllSiteUsersViews'
MBRGRPNAME (UserGroup): 'AllUsers'
GROUPNAME (ActionGroup): 'AllSiteUsersViews'
GRPNAME (ResourceGroup): 'ViewCommandResourceGroup'

The above are just a couple of examples that give an idea of how policies are stored in the DB.

Relationship is an optional constraint that can be added to the policy definition. In fact, each policy could be declared as:

AccessControlPolicy [AccessGroup,ActionGroup,ResourceGroup,Relationship]

For example the InfoCenter reports ...

[AllUsers,UpdateDoc,doc,creator] specifies that all users can update a document, if they are the creator (it's the relationship constraint) of the document.

 

The Policy Manager

Each time the system gets a request, before fulfilling it, the Policy Manager ensures that the user is authorized to run the requested action on the selected resource. In fact, looking at a trace.log with ACL traces enabled, you can easily find the following:

isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;

In other words, the Policy Manager starts the check by scanning the policies, looking for the requested UserGroup, ActionGroup and ResourceGroup, until it finds a policy that authorizes the user. If the condition is not satisfied, the user is not authorized.

When the Policy Manager finds a policy that authorizes the user, the trace.log will report

passed?= true

otherwise

passed?= false
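
As an added example (not code from the original post or from WebSphere Commerce), the following Python script pairs each isAllowed? trace line with its passed?= result and counts the denied checks per user, action and resource. The "[time] thread" line prefix, the user ids 7001 and 7002, and the resource AdminOnlyCmdImpl are assumptions constructed for the sample; only the isAllowed? and passed?= fragments come from the trace shown above.

```python
import re
from collections import Counter

# Constructed sample lines. Only the "isAllowed? ..." and "passed?= ..."
# fragments come from the article; the "[time] thread" prefix is assumed.
SAMPLE_TRACE = """\
[10:01:02] 0000004a isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
[10:01:02] 0000004b isAllowed? User = 7001 ; Action = Execute ; Resource = AdminOnlyCmdImpl ;
[10:01:02] 0000004a passed?= true
[10:01:03] 0000004b passed?= false
[10:01:04] 0000004b isAllowed? User = 7001 ; Action = Execute ; Resource = AdminOnlyCmdImpl ;
[10:01:04] 0000004b passed?= false
[10:01:05] 0000004c isAllowed? User = 7002 ; Action = Execute ; Resource = MyCmdImpl ;
"""

CHECK = re.compile(
    r"^\[[^\]]*\]\s+(?P<thread>\S+)\s+isAllowed\?\s*User = (?P<user>\S+) ; "
    r"Action = (?P<action>\S+) ; Resource = (?P<resource>\S+) ;")
RESULT = re.compile(
    r"^\[[^\]]*\]\s+(?P<thread>\S+)\s+passed\?=\s*(?P<passed>true|false)")


def parse_checks(text):
    """Pair each isAllowed? line with the next passed?= line on the same thread."""
    pending, checks = {}, []
    for line in text.splitlines():
        m = CHECK.search(line)
        if m:
            pending[m["thread"]] = (m["user"], m["action"], m["resource"])
            continue
        m = RESULT.search(line)
        if m and m["thread"] in pending:
            checks.append(pending.pop(m["thread"]) + (m["passed"] == "true",))
    # Checks that never got a result line are returned separately.
    return checks, sorted(pending.values())


def denied_summary(checks):
    """Count denials per (user, action, resource); repeated denials stand out."""
    return Counter(c[:3] for c in checks if not c[3])


if __name__ == "__main__":
    checks, unresolved = parse_checks(SAMPLE_TRACE)
    for (user, action, resource), n in denied_summary(checks).most_common():
        print(f"denied x{n}: user={user} action={action} resource={resource}")
    print("no result logged for:", unresolved)
```

Pairing by thread id keeps interleaved requests from being matched to each other's results; adjust the two regular expressions to the prefix your trace.log actually uses.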

 
