Sunday, October 23, 2011

Order history read access for users from the same organization


This post grants read-only access to order-history-related databeans to users who belong to the same organization and hold the Organization Participant role. The XML policies below are taken from the reference links at the end of this post, but the originals have an issue with the Buyer (buy-side) role name, which is fixed here.
The Buyer (buy-side) role needs to be defined on the organization using the Org Admin Console.
If there is a hierarchy of organizations and the bottom organization is the parent organization for the users, all roles have to be defined on the organizations from the top down.
Add the XML fragments below to resource_acpolicies.xml and run ACPLoad.
Add a new policy to allow participants to display the order beans for others in the organization:
Relation group: this ties the role, in this case Buyer (buy-side), to the BuyingOrganizationalEntity relationship.

    <RelationGroup Name="Buyer (buy-side)->BuyerOrganizationalEntity" OwnerID="RootOrganization">
        <RelationCondition><![CDATA[
        <profile>
            <openCondition name="RELATIONSHIP_CHAIN">
                <parameter name="ROLE" value="Buyer (buy-side)"/>
                <parameter name="RELATIONSHIP" value="BuyingOrganizationalEntity"/>
            </openCondition>
        </profile>
        ]]></RelationCondition>
    </RelationGroup>
   

Create the new policies, using the RelationGroupName created above together with the resource group OrderDatabeanResourceGroup and the action group DisplayDatabeanActionGroup:

    <Policy Name="ParticipantsOfOrgDisplayOrderDatabeanResourceGroup"
            OwnerID="RootOrganization"
            UserGroup="AllUsers"
            ActionGroupName="DisplayDatabeanActionGroup"
            ResourceGroupName="OrderDatabeanResourceGroup"
            RelationGroupName="ParticipantOf->BuyerOrganizationalEntity"
            PolicyType="groupableStandard">
    </Policy>
    <Policy Name="BuyersOfOrgDisplayOrderDatabeanResourceGroup"
            OwnerID="RootOrganization"
            UserGroup="AllUsers"
            ActionGroupName="DisplayDatabeanActionGroup"
            ResourceGroupName="OrderDatabeanResourceGroup"
            RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"
            PolicyType="groupableStandard">
    </Policy>
     

Subscribe organizations to the new access control policies:

    <PolicyGroup Name="B2BPolicyGroup" OwnerID="RootOrganization">
        <PolicyGroupPolicy Name="ParticipantsOfOrgDisplayOrderDatabeanResourceGroup"
                           PolicyOwnerID="RootOrganization" />
        <PolicyGroupPolicy Name="BuyersOfOrgDisplayOrderDatabeanResourceGroup"
                           PolicyOwnerID="RootOrganization" />
    </PolicyGroup>


Once ACPLoad has run, you can validate the result with SQL queries:

    select * from acpolicy where policyname like 'BuyersOfOrgDisplayOrderDatabeanResourceGroup';
    select * from acpolicy where policyname like 'ParticipantsOfOrgDisplayOrderDatabeanResourceGroup';
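
A role-name mismatch like the one fixed above can be caught before running ACPLoad by checking that every name the fragments reference resolves. The script below is an added example, not code from the original post or from IBM's tooling; `lint_policies`, `known_roles`, `external_relation_groups` and the `<Fragments>` wrapper element are hypothetical names, and the sample is the post's XML trimmed to the attributes the check reads.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragments from this post, trimmed, inside a made-up <Fragments> root.
SAMPLE = """<Fragments>
<RelationGroup Name="Buyer (buy-side)->BuyerOrganizationalEntity" OwnerID="RootOrganization">
<RelationCondition><![CDATA[<profile><openCondition name="RELATIONSHIP_CHAIN">
<parameter name="ROLE" value="Buyer (buy-side)"/>
<parameter name="RELATIONSHIP" value="BuyingOrganizationalEntity"/>
</openCondition></profile>]]></RelationCondition>
</RelationGroup>
<Policy Name="ParticipantsOfOrgDisplayOrderDatabeanResourceGroup" RelationGroupName="ParticipantOf->BuyerOrganizationalEntity"/>
<Policy Name="BuyersOfOrgDisplayOrderDatabeanResourceGroup" RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"/>
<PolicyGroup Name="B2BPolicyGroup">
<PolicyGroupPolicy Name="ParticipantsOfOrgDisplayOrderDatabeanResourceGroup"/>
<PolicyGroupPolicy Name="BuyersOfOrgDisplayOrderDatabeanResourceGroup"/>
</PolicyGroup>
</Fragments>"""


def lint_policies(xml_text, known_roles, external_relation_groups=()):
    """Return a list of findings; an empty list means every reference resolves."""
    root = ET.fromstring(xml_text)
    findings = []
    relation_groups = set(external_relation_groups)  # groups defined outside this file
    for rg in root.iter("RelationGroup"):
        relation_groups.add(rg.get("Name"))
        # The condition is XML carried inside CDATA, so it needs a second parse.
        text = (rg.findtext("RelationCondition") or "").strip()
        for p in (ET.fromstring(text).iter("parameter") if text else ()):
            if p.get("name") == "ROLE" and p.get("value") not in known_roles:
                findings.append(f"unknown role {p.get('value')!r} in {rg.get('Name')!r}")
    policies = set()
    for pol in root.iter("Policy"):
        policies.add(pol.get("Name"))
        ref = pol.get("RelationGroupName")
        if ref and ref not in relation_groups:
            findings.append(f"policy {pol.get('Name')!r}: relation group {ref!r} not defined")
    for pgp in root.iter("PolicyGroupPolicy"):
        if pgp.get("Name") not in policies:
            findings.append(f"policy group entry {pgp.get('Name')!r} has no matching Policy")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE, known_roles={"Buyer (buy-side)"}):
        print(finding)
```

Run as is, the check reports that `ParticipantOf->BuyerOrganizationalEntity` is not defined in the fragments shown in this post; pass it in `external_relation_groups` if that relation group already exists in your policy files.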

References:
http://www.ibm.com/developerworks/websphere/library/techarticles/0908_callaghan/0908_callaghan1.html
http://www.ibm.com/developerworks/websphere/library/techarticles/0805_callaghan/0805_callaghan.html
