Sunday, October 30, 2011

Read/Write Order access to users from same organization


I am sure you have seen a similar error when trying to give access to commands for different roles:

CMN1501E: User does not have the authority to perform action "com.ibm.commerce.order.commands.OrderCopyCmd" on resource "com.ibm.commerce.user.objects._Organization_Stub" for command "AjaxOrderCopy

Do not simply override the command and return null from its getResources() method. That would void the access controls on the associated order commands and could cause security issues. The correct way to fix such errors is to identify the right PolicyGroup and create custom policies with the corresponding roles. An example is shown below; in this case, users need the Buyer (buy-side) role to create or copy orders.


<Policy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateCommandsOnOrganizationResource"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="OrderCreateCommands"
        ResourceGroupName="OrderDataResourceGroup"
        RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"
        PolicyType="groupableStandard">
</Policy>

<Policy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateReadCommandsOnOrganizationResource"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="OrderReadCommands"
        ResourceGroupName="OrderDataResourceGroup"
        RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"
        PolicyType="groupableStandard">
</Policy>

<Policy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateWriteCommandsOnOrganizationResource"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="OrderWriteCommands"
        ResourceGroupName="OrderDataResourceGroup"
        RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"
        PolicyType="groupableStandard">
</Policy>

<PolicyGroup Name="CommonShoppingPolicyGroup" OwnerID="RootOrganization">
    <!-- Define policies in this policy group -->
    <PolicyGroupPolicy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateCommandsOnOrganizationResource" PolicyOwnerID="RootOrganization" />
    <PolicyGroupPolicy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateReadCommandsOnOrganizationResource" PolicyOwnerID="RootOrganization" />
    <PolicyGroupPolicy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateWriteCommandsOnOrganizationResource" PolicyOwnerID="RootOrganization" />
</PolicyGroup>
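As an added example (my own script, not from the original post and not an IBM tool), here is a small Python checker for a policy fragment like the one above. It reports PolicyGroup entries that reference a policy that is not defined, policies that no PolicyGroup references (a groupable policy only takes effect through a subscribed group), and policies with no RelationGroupName, the attribute that scopes the grant to the user's own organization. The embedded XML is constructed from two of the policies above, with one group entry deliberately misspelled so the checker has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the post's full file): two of the post's policies plus
# a PolicyGroup entry whose Name is misspelled ("ReadCommandOn" vs "ReadCommandsOn").
SAMPLE = """<Policies>
  <Policy Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateCommandsOnOrganizationResource"
      OwnerID="RootOrganization" UserGroup="AllUsers" ActionGroupName="OrderCreateCommands"
      ResourceGroupName="OrderDataResourceGroup" PolicyType="groupableStandard"
      RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"/>
  <Policy Name="CustomUsersFromSameBuyerOrgExecuteOrderReadCommandsOnOrganizationResource"
      OwnerID="RootOrganization" UserGroup="AllUsers" ActionGroupName="OrderReadCommands"
      ResourceGroupName="OrderDataResourceGroup" PolicyType="groupableStandard"
      RelationGroupName="Buyer (buy-side)->BuyerOrganizationalEntity"/>
  <PolicyGroup Name="CommonShoppingPolicyGroup" OwnerID="RootOrganization">
    <PolicyGroupPolicy PolicyOwnerID="RootOrganization"
      Name="CustomUsersFromSameBuyerOrgExecuteOrderCreateCommandsOnOrganizationResource"/>
    <PolicyGroupPolicy PolicyOwnerID="RootOrganization"
      Name="CustomUsersFromSameBuyerOrgExecuteOrderReadCommandOnOrganizationResource"/>
  </PolicyGroup>
</Policies>"""


def check_policies(xml_text):
    """Return a list of findings; an empty list means the fragment is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {}  # (Name, OwnerID) -> True once some PolicyGroup references it
    for pol in root.iter("Policy"):
        name = pol.get("Name")
        if not pol.get("RelationGroupName"):
            # Without a relationship the grant applies to every member of the user
            # group on every resource in the resource group, not just their own org's.
            findings.append(f"policy {name!r} has no RelationGroupName, grant is not "
                            f"scoped to the user's relationship with the resource")
        defined[(name, pol.get("OwnerID"))] = False
    for grp in root.iter("PolicyGroup"):
        for ref in grp.findall("PolicyGroupPolicy"):
            key = (ref.get("Name"), ref.get("PolicyOwnerID"))
            if key in defined:
                defined[key] = True
            else:
                findings.append(f"group {grp.get('Name')!r} references undefined "
                                f"policy {key[0]!r} owned by {key[1]!r}")
    for (name, owner), referenced in defined.items():
        if not referenced:
            # A groupable policy never takes effect unless a subscribed group lists it.
            findings.append(f"policy {name!r} is not referenced by any PolicyGroup")
    return findings
```

Run `check_policies(SAMPLE)` to see the two findings the misspelling produces; correcting the group entry yields an empty list.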

1 comment:

  1. Hi Raj,

    I am Nupur this side. I got your reference through Linkedin and wanted to get in touch. Kindly share your email address. Thanks!


    Regards,

    Nupur