Introduction
----------------
Access control policies are enforced by the access control policy manager. Generally, when a user attempts to access a protected resource, the access control policy manager first determines what access control policies are applicable for that protected resource, and then, based upon the applicable access control policies, it determines if the user is allowed to access the requested resources.
An access control policy is a 4-tuple policy that is stored in the ACPOLICY table.
Each access control policy takes the following form:
AccessControlPolicy [UserGroup, ActionGroup, ResourceGroup, Relationship]
The elements in the 4-tuple access control policy specify that a user belonging to a specific user group is permitted to perform actions in the specified action group on resources belonging to the specified resource group, as long as the user satisfies the conditions specified in the relationship or relationship group, with respect to the resource in question.
User/User Group
----------------------
A user group must be associated with a member group type of -2. The value -2 represents an access group and is defined in the MBRGRPTYPE table.
The membership of a user into a particular user group might be stated explicitly or implicitly. An explicit specification occurs if the MBRGRPMBR table states that the user belongs to a particular member group.
An implicit specification occurs if the user satisfies a condition (for example, all users that fulfill the role of Product Manager) that is stated in the MBRGRPCOND table.
Most conditions that include a user in a user group are based upon the user fulfilling a particular role. For example, there could be an access control policy that allows all users that fulfill the Product Manager role to perform catalog management operations. In this case, any user that is assigned the Product Manager role in the MBRROLE table is implicitly included in the user group.
Action/Action Group
--------------------------
The ActionGroup element comes from the ACACTGRP table. An action group refers to an explicitly specified group of actions. The listing of actions is stored in the ACACTION table and the relationship of each action to its action group (or groups) is stored in the ACACTACTGP table. An example of an action group is the "OrderWriteCommands" action group. This action group includes the following actions that are used to update orders:
- com.ibm.commerce.order.commands.OrderDeleteCmd
- com.ibm.commerce.order.commands.OrderCancelCmd
- com.ibm.commerce.order.commands.OrderProfileUpdateCmd
- com.ibm.commerce.order.commands.OrderUnlockCmd
- com.ibm.commerce.order.commands.OrderScheduleCmd
- com.ibm.commerce.order.commands.ScheduledOrderCancelCmd
- com.ibm.commerce.order.commands.ScheduledOrderProcessCmd
- com.ibm.commerce.order.commands.OrderItemAddCmd
- com.ibm.commerce.order.commands.OrderItemDeleteCmd
- com.ibm.commerce.order.commands.OrderItemUpdateCmd
- com.ibm.commerce.order.commands.PayResetPMCmd
Resource/Resource Group
--------------------------------
A resource group is a mechanism to group together particular types of resources. Membership of a resource in a resource group can be specified in one of two ways:
- Using the conditions column in the ACRESGRP table
- Using the ACRESGPRES table
Relationship (Optional)
-------------------------------
The access control policy can optionally include either a Relationship or RelationshipGroup element as its fourth element.
If your access control policy uses a Relationship element, this comes from the ACRELATION table. If it includes a RelationshipGroup element, that comes from the ACRELGRP table. Note that neither need be included, but if you include one, you cannot include the other. A RelationshipGroup specification from the ACRELGRP table takes precedence over the Relationship information from the ACRELATION table.
Types
--------
Command-level (Broad)
- Also known as role-based.
- Specifies that users assigned to a particular role can execute certain commands.
- Applied on controller commands and views.
- For example, guest users can execute the commands that are contained in action group X.
Resource-level (Very fine)
- Specifies the relationship that a user must have with a resource before a given action can be performed.
- Applied on databeans.
- For example, a user can only display an order they created.
Mixed
Command-level Access Control determines whether the user is allowed to execute the particular command within the store you have specified. If a policy allows the user to execute the command, a subsequent Resource-level Access Control Policy could be applied to determine whether the user can access the resource in question.
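The following is an added example, not code from the original post or from the WebSphere Commerce access control policy manager. It models the 4-tuple policy described above (user group, action group, resource group, optional relationship) and the mixed evaluation order from this section: the command-level check runs first and, only if it passes, the resource-level check is applied to the data bean. In-memory dicts stand in for the tables the text names (ACPOLICY, MBRGRPTYPE/MBRGRPMBR/MBRGRPCOND/MBRROLE, ACACTGRP/ACACTION/ACACTACTGP, ACRESGRP/ACRESGPRES, ACRELATION/ACRELGRP); their layout, the sample users, the `example.CatalogUpdateCmd` command, the resource kinds and the "any-of" reading of a relationship group are assumptions made for illustration. Explicit membership (MBRGRPMBR), implicit membership through a role (MBRGRPCOND/MBRROLE), the type -2 requirement for access groups, both ways of defining a resource group, and the precedence of ACRELGRP over ACRELATION are all exercised.

```python
"""Toy evaluator for 4-tuple access control policies (illustrative, not WebSphere Commerce code).
Table layout, sample data and relationship-group semantics are assumptions for this example."""
from dataclasses import dataclass
from typing import Optional

ACCESS_GROUP_TYPE = -2  # MBRGRPTYPE value a policy's user group must have


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()  # stands in for the user's MBRROLE rows


@dataclass(frozen=True)
class Resource:
    kind: str                    # "Command" for a controller command, otherwise a data bean type
    name: str
    owner: Optional[str] = None  # who created the resource
    recipient: Optional[str] = None


# "members" stands in for MBRGRPMBR (explicit), "roles" for MBRGRPCOND (implicit, role based).
MEMBER_GROUPS = {
    "RegisteredCustomers": {"type": -2, "members": {"alice", "bob"}, "roles": set()},
    "ProductManagers": {"type": -2, "members": set(), "roles": {"Product Manager"}},
    "Newsletter": {"type": 0, "members": {"alice"}, "roles": set()},  # not an access group
}
# ACACTGRP/ACACTACTGP: CatalogUpdateCmd is a constructed name; the order commands are from the text.
ACTION_GROUPS = {
    "OrderWriteCommands": {"com.ibm.commerce.order.commands.OrderItemAddCmd",
                           "com.ibm.commerce.order.commands.OrderCancelCmd"},
    "CatalogManagementCommands": {"example.CatalogUpdateCmd"},
}
# "kinds" is an explicit listing (ACRESGPRES); "condition" plays the ACRESGRP conditions column.
RESOURCE_GROUPS = {
    "AllControllerCommands": {"condition": lambda r: r.kind == "Command"},
    "OrderDataBeans": {"kinds": {"Order"}},
    "CatalogResources": {"condition": lambda r: r.kind.startswith("Catalog")},
}
RELATIONSHIPS = {  # ACRELATION: predicates on (user, resource)
    "creator": lambda u, r: r.owner == u.name,
    "recipient": lambda u, r: r.recipient == u.name,
}
RELATIONSHIP_GROUPS = {"OrderParty": {"creator", "recipient"}}  # ACRELGRP; assumed "any-of"


@dataclass(frozen=True)
class Policy:  # one ACPOLICY row: [UserGroup, ActionGroup, ResourceGroup, Relationship]
    user_group: str
    action_group: str
    resource_group: str
    relationship: Optional[str] = None
    relationship_group: Optional[str] = None


POLICIES = [
    # command-level (role based): who may run which controller commands
    Policy("RegisteredCustomers", "OrderWriteCommands", "AllControllerCommands"),
    Policy("ProductManagers", "CatalogManagementCommands", "AllControllerCommands"),
    # resource-level: the relationship the user must have with the data bean
    Policy("RegisteredCustomers", "OrderWriteCommands", "OrderDataBeans",
           relationship="creator", relationship_group="OrderParty"),  # group takes precedence
    Policy("ProductManagers", "CatalogManagementCommands", "CatalogResources"),
]


def user_in_group(user, group_name):
    group = MEMBER_GROUPS.get(group_name)
    if group is None or group["type"] != ACCESS_GROUP_TYPE:
        return False  # fail closed: only an access group (type -2) can grant anything
    explicit = user.name in group["members"]
    implicit = bool(group["roles"] & user.roles)
    return explicit or implicit


def resource_in_group(resource, group_name):
    group = RESOURCE_GROUPS.get(group_name, {})
    if "condition" in group:
        return group["condition"](resource)
    return resource.kind in group.get("kinds", set())


def relationship_satisfied(policy, user, resource):
    if policy.relationship_group is not None:  # ACRELGRP wins over ACRELATION
        return any(RELATIONSHIPS[n](user, resource) for n in RELATIONSHIP_GROUPS[policy.relationship_group])
    if policy.relationship is not None:
        return RELATIONSHIPS[policy.relationship](user, resource)
    return True  # fourth element omitted: no relationship required


def policy_permits(policy, user, action, resource):
    return (user_in_group(user, policy.user_group)
            and action in ACTION_GROUPS.get(policy.action_group, set())
            and resource_in_group(resource, policy.resource_group)
            and relationship_satisfied(policy, user, resource))


def command_level_allowed(user, command):
    return any(policy_permits(p, user, command, Resource("Command", command)) for p in POLICIES)


def resource_level_allowed(user, command, resource):
    return any(policy_permits(p, user, command, resource) for p in POLICIES)


def is_authorized(user, command, resource):
    # Mixed: the command-level gate runs first; only then is the data bean checked.
    return command_level_allowed(user, command) and resource_level_allowed(user, command, resource)
```

Note that a command-level policy cannot leak into the resource-level check: its resource group only matches `Command` resources, so an order data bean is never authorized by it. Likewise bob, who is the order's recipient rather than its creator, is allowed only because the relationship group is consulted instead of the single `creator` relationship, which is the precedence rule the Relationship section states.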