An access control policy authorizes a group of users to perform a set of actions on a set of resources.
An access control policy has 4 elements:
- User.
- Action.
- Resource.
- Relationship.
User: Users are the people that use the system. For access control purposes, users must be grouped into relevant access groups.
Action: Actions are the activities that users can perform on the resource.
Resource: Resources are the entities that are protected. A resource group might include business objects like contract or order, or a set of related commands.
Relationship: Relationships are the relationships between the user and the resource. Access control policies may require that a relationship between the user and the resource be satisfied. Each resource class can have a set of relationships associated with it. Each resource can have a set of users that fulfill each relationship.
There are 2 types of access control policies:
- Groupable standard policies (policy type-2).
- Groupable template policies (policy type-3).
A groupable standard policy is applied, once, at organizations that subscribe to a policy group that contains the policy.
Groupable template policies are dynamic in nature in that they have an access group that is scoped, when the system is running, to the organization that owns the resource.
The tables updated for access control policies are:
- ACACTION: Stores actions that are to be performed on the resources in the system.
- ACPOLICY: Stores all the access control policies in a system.
- ACRESGRP: Stores all access control resource groups in a system.
- ACPOLDESC: Stores locale-specific information for ACPOLICY.
- ACRELATION: Stores the relationships between resources and members in the system.
- ACRESREL: Associates a resource with the relationships that it supports.
WebSphere Commerce allows you to determine, through access control, which tasks a particular user, whether a customer, buyer, administrator, distributor, manufacturer, or supplier, can perform in relation to your business.
To facilitate database management and ensure security, access to WebSphere Commerce must be restricted to specific individuals and organizations. The process of restricting access is referred to as access control or authorization. Authorization can be defined as security guidelines that:
- Allow or deny a user of a system access to the resources managed by a system.
- Specify what actions the user can perform on each resource.
The authorization model for WebSphere Commerce is based upon the enforcement of access control policies. Access control policies are enforced by the access control policy manager. In general, when a user attempts to access a protected resource, the access control policy manager first determines what access control policies are applicable for that user and then, based upon the applicable access control policies, it determines if the user is allowed to perform the requested operation on the given resource.
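The following added example (not WebSphere Commerce code) models the evaluation described above in Python: a policy grants access only when its user, action, resource and relationship elements all match, and a template policy's access group is checked against the organization that owns the resource. The class names, the flattened subscription map, the default-deny rule and the sample users and organizations are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Policy:
    name: str
    access_group: str            # User element
    actions: frozenset           # Action element
    resource_group: frozenset    # Resource element: resource kinds covered
    relationship: Optional[str]  # Relationship element, None if not required
    template: bool               # True for a groupable template policy

@dataclass
class Resource:
    kind: str
    owner_org: str
    relations: dict  # relationship name -> set of users that fulfill it

def in_access_group(user, policy, resource, memberships):
    """memberships maps a user to a set of (access group, organization) pairs."""
    roles = memberships.get(user, set())
    if policy.template:
        # Template policy: the group is scoped to the resource's owner at run time.
        return (policy.access_group, resource.owner_org) in roles
    return any(group == policy.access_group for group, _ in roles)

def is_allowed(user, action, resource, policies, subscriptions, memberships):
    """Assumed default deny: grant only if one applicable policy matches fully."""
    for p in policies:
        if p.name not in subscriptions.get(resource.owner_org, set()):
            continue  # owner organization does not subscribe to this policy
        if action not in p.actions or resource.kind not in p.resource_group:
            continue
        if not in_access_group(user, p, resource, memberships):
            continue
        if p.relationship and user not in resource.relations.get(p.relationship, set()):
            continue  # required relationship is not fulfilled by this user
        return True
    return False

# Constructed sample data (hypothetical policies, organizations and users).
ORDERS = frozenset({"order"})
POLICIES = [
    Policy("CustomersReadOwnOrders", "Customers", frozenset({"read"}), ORDERS, "creator", False),
    Policy("OrgAdminsManageOrders", "OrgAdmins", frozenset({"read", "cancel"}), ORDERS, None, True),
]
SUBSCRIPTIONS = {"OrgA": {"CustomersReadOwnOrders", "OrgAdminsManageOrders"}}
MEMBERSHIPS = {"alice": {("Customers", "OrgA")}, "bob": {("Customers", "OrgA")},
               "carol": {("OrgAdmins", "OrgB")}, "dave": {("OrgAdmins", "OrgA")}}
ORDER = Resource("order", "OrgA", {"creator": {"alice"}})
```

In this sample, bob is in the same access group as alice but is denied because he does not fulfill the creator relationship, and carol is denied because her administrator role belongs to a different organization than the one that owns the order.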
NOTE: The Site Administrator manages the access control policies that apply to a site or store.