acp policies
Description: Access Control Policies (transcript)
IBM Software Group
WebSphere® Support Technical Exchange
Understanding WebSphere Commerce Access Control
Mike Callaghan and Sidy Doumbia
Agenda
• What is Access Control
• Access Control Policies and Components
• Policy Manager
• Resource-level versus Command-level check
• Troubleshooting: How to read the trace
• Basic and Complex Problems
• Questions and Answers
What is Access Control?
• The process of restricting access to specific individuals within specific organizations
• Access control can be defined as security guidelines that:
  • Allow or deny a user of a system access to the resources managed by the system
  • Specify what actions the user can perform on each resource
• If the access control criteria are met, the user is granted authority and the action is invoked
• Otherwise, the user does not have the authority, access is denied, and the action is not invoked
Access Control Policies
• Authorize a group of users to perform a group of actions on a group of resources; a policy consists of four main parts:
  • Member (access/user) group (e.g. Registered Customers)
    - Group of users to which the policy applies (implicit and explicit grouping of users)
  • Action group (e.g. the group must contain OrderItemAddCmd)
    - A group of actions performed by the user on resources
  • Resource group (e.g. the target resource of the command, OrderBean)
    - Objects like an order, or a set of related commands such as all the commands that users of a particular role can perform
  • Relationship (e.g. the user must be the creator of the OrderBean)
    - Relationship between the user and the resource
Access Control Policy - Components
[Diagram: a Policy is composed of a MemberGroup, an ActionGroup, a ResourceGroup and a Relation]
<Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDatabeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>
Access Control Policy – Member Group
[Diagram: Policy → MemberGroup (with its MemberGroupCond), ActionGroup, ResourceGroup, Relation]
<UserGroup Name="RegisteredCustomers"
           OwnerID="RootOrganization"
           Description="Users with Registered Customer role"
           MemberGroupID="-197">
  <UserCondition><![CDATA[
    <profile>
      <orListCondition>
        <simpleCondition>
          <variable name="role"/>
          <operator name="="/>
          <value data="Registered Customer"/>
        </simpleCondition>
      </orListCondition>
    </profile>
  ]]></UserCondition>
</UserGroup>
Access Control Policy – Action Group
[Diagram: Policy → MemberGroup, ActionGroup (Action1, Action2), ResourceGroup, Relation]
<Action Name="DisplayDatabean"
        CommandName="Display">
</Action>
<ActionGroup Name="DisplayDatabeanActionGroup"
             OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayDatabean"/>
</ActionGroup>
Access Control Policy – Resource Group
[Diagram: Policy → MemberGroup, ActionGroup, ResourceGroup (Resource1, Resource2), Relation]
<ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
  <ResourceAction Name="DisplayDatabean"/>
</ResourceCategory>
<ResourceGroup Name="OrderDatabeanResourceGroup"
               OwnerID="RootOrganization">
  <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>
Access Control Policy – Resource Group (2)
[Diagram: Policy → MemberGroup, ActionGroup, ResourceGroup (Resource1, Resource2), Relation]
<ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                  PrimaryResourceTable="users"
                  PrimaryResourceOwnerTable="users"
                  PrimaryResourceOwnerColumn="users_id">
  <ResourceAction Name="DisplayDatabean"/>
  <ResourceRelation Name="owner"
                    RelationTable="users"
                    RelationKeyColumn="users_id"
                    RelationMemberColumn="users_id"/>
</ResourceCategory>
Access Control Policy - Relationship
[Diagram: Policy → MemberGroup, ActionGroup, ResourceGroup, Relation]
<Relation Name="owner"/>
<Relation Name="creator"/>
<Relation Name="sameOrganizationalEntityAsCreator"/>
<Relation Name="owner of RFQ"/>
<Relation Name="Approver"/>
<Relation Name="Submitter"/>
Access Control Policy: Subscriptions
• Org A subscribes to Policy Group 1 (Policies 1, 2 and 3 apply to it)
• Org B subscribes to Policy Group 2 (Policies 3, 4 and 5 apply to it)
• Org C has no direct subscriptions; therefore it inherits the subscriptions of its parent (Org A), i.e. Policy Group 1 (Policies 1, 2 and 3)
[Diagram: Org A (parent of Org C) subscribes to the Org A Policy Group (Policy 1, Policy 2, Policy 3); Org B subscribes to the Org B Policy Group (Policy 3, Policy 4, Policy 5)]
Access Control Policy - PolicyType
• Two types of access control policies:
  • Groupable standard policies (policy type -2)
  • Groupable template policies (policy type -3)
• Both types of policies must belong to a policy group in order to be applied in the system
• Groupable standard policies:
  • Applied once, at organizations that subscribe to a policy group that contains the policy
• Groupable template policies:
  • Dynamic in nature: the access group is scoped to the organization that owns the resource
  • E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors
Access Control Policy – Standard example
• Access groups:
  • Policy 1 (Approvers for Jewelry)
  • Policy 2 (Approvers for Clothing)
• User_A and User_B play the approver role in the respective orgs Jewelry and Clothing (they approve orders for those orgs)
• The Root Organization subscription contains both Policy 1 and Policy 2
• User A can approve all Jewelry orders, User B can approve all Clothing orders
• Minimal access control complexity is achieved by using a minimum of two policies, two policy groups and direct subscriptions from the orgs owning the stores
[Diagram: Root Org above Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); the J_Org Policy group (Policy 1) and the C_Org Policy group (Policy 2) are each subscribed to by the corresponding org]
Access Control Policy – Template example
• Access groups:
  • Policy 3 (Approvers for Orgs)
• User_A and User_B play the approver role in the respective orgs Jewelry and Clothing (they approve orders for those orgs)
• The roles are the same for User_A and User_B, but the access group is parameterized (the user executing the action is only checked against the org owning the resource or its ancestors)
• The Root Organization subscription contains only Policy 3
• User A can only approve Jewelry orders, User B can only approve Clothing orders
• Achieves the same access control restrictions with one less policy compared to the standard example
[Diagram: Root Org subscribes to the Root Org Policy group (Policy 3); below it are Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C)]
Access Control Policy - Tables
How the policy AllUsersExecuteAllSiteUsersViews is stored across the access control tables (one row per table, as shown on the slide):
ACPOLICY:      Policy Name=AllUsersExecuteAllSiteUsersViews | MBRGRP_ID=-2 | ACACTGRP_ID=10199 | ACRESGRP_ID=10021 | ACREL_ID=(none)
MBRGROUP:      MBRGRP_ID=-2 | MBRGRPNAME=AllUsers
MBRGROUPCOND:  MBRGRP_ID=-2 | Condition=<profile><trueCondition></trueCondition></profile>
ACACTGRP:      ACACTGRP_ID=10199 | GROUPNAME=AllSiteUsersViews
ACACTACTGP:    ACACTGRP_ID=10199 | ACACTION_ID=10000
ACACTION:      ACACTION_ID=10000 | ACTION=AlertDialogView
ACRESGRP:      ACRESGRP_ID=10021 | GROUPNAME=ViewCommandResourceGroup
ACRESGPRES:    ACRESGRP_ID=10021 | ACRESCGRY_ID=10000
ACRESCGRY:     ACRESCGRY_ID=10079 | ResClassname=com.ibm.commerce.command.ViewCommand (further rows elided on the slide: ……)
ACRELATION:    ACRELATION_ID=10001 | RELATIONNAME=Owner
ACRELATION:    ACRELATION_ID=10002 | RELATIONNAME=Creator
Policy Manager
• When a user attempts to perform an action on a resource, an access control check is done to make sure that the user is authorized
• The Policy Manager looks for all the access control policies that match the combination of the user, the action, and the target resource
• From those policies, it finds all policies that apply to the organization that owns the resource
• If there is at least one such policy, the Policy Manager grants access; otherwise, access is denied
Policy Manager: Example
• The Policy Manager cycles through each policy until it finds one that applies
  • Policy 1: user group does not match, -1002 not in AccessGroup_X
  • Policy 2: action group does not match, Execute not in ActionGroup_X
  • Policy 3: resource group does not match, MyCmdImpl not in ResourceGroup_X
  • Policy 4: applies, passed? = true
isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
Policy_1 [AccessGroup_X, ActionGroup_A, ResourceGroup_A] - Fail
Policy_2 [AccessGroup_X, ActionGroup_X, ResourceGroup_A] - Fail
Policy_3 [AccessGroup_A, ActionGroup_A, ResourceGroup_X] - Fail
Policy_4 [AccessGroup_A, ActionGroup_A, ResourceGroup_A] - Success!
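As an added illustration (not WebSphere Commerce code), a small Python model of the evaluation order described here, together with the policy-group subscription inheritance and the template-policy scoping covered on the earlier slides. All organizations, users, roles, policy groups and policies are constructed sample data, and the trace strings only imitate the slides' format.

```python
# Toy model of the policy evaluation the slides describe (added example, not
# WebSphere Commerce code). Every org, user, role and policy below is made up.

ORG_PARENT = {7001: -2001, 7002: -2001, 7003: 7001}      # Jewelry (7001), Clothing (7002) under Root (-2001); 7003 under Jewelry
SUBSCRIPTIONS = {-2001: {"RootPolicyGroup"}, 7003: {"StorePolicyGroup"}}   # direct policy-group subscriptions
POLICY_GROUPS = {
    "RootPolicyGroup": {"SiteAdministratorsCanDoEverything", "AllUsersExecuteSiteCmds", "ApproversForOrgs"},
    "StorePolicyGroup": {"AllUsersExecuteSiteCmds"},
}
# member group -> (roles the user must play, org the role must be held in); None = trueCondition / any org
MEMBER_GROUPS = {"AllUsers": (None, None), "SiteAdministrators": ({"SiteAdministrator"}, -2001),
                 "Approvers": ({"Approver"}, None)}
USER_ROLES = {101: {(7001, "Approver")}, 102: {(7002, "Approver")}, 900: {(-2001, "SiteAdministrator")}}

# (name, member group, action group, resource group, template?); "*" is the DoEverything wildcard
POLICIES = [
    ("SiteAdministratorsCanDoEverything", "SiteAdministrators", {"*"}, {"*"}, False),
    ("AllUsersExecuteSiteCmds", "AllUsers", {"Execute"}, {"com.xyz.ProductDisplayCmd"}, False),
    ("ApproversForOrgs", "Approvers", {"OrderApprove"}, {"com.xyz.OrderResource"}, True),
]


def ancestor_orgs(org):
    """The org followed by its ancestors up to the root (the trace's 'Resource Ancestor Orgs')."""
    chain = [org]
    while org in ORG_PARENT:
        org = ORG_PARENT[org]
        chain.append(org)
    return chain


def applicable_orgs(owner):
    """Nearest org in the owner's chain that subscribes directly: such an org no
    longer inherits subscriptions from its ancestors (see Problem 5)."""
    return [org for org in ancestor_orgs(owner) if SUBSCRIPTIONS.get(org)][:1]


def user_plays(user, roles, orgs):
    return any(r in roles and (orgs is None or o in orgs) for o, r in USER_ROLES.get(user, ()))


def member_matches(member_group, template, user, owner):
    roles, org = MEMBER_GROUPS[member_group]
    if roles is None:                       # trueCondition, e.g. AllUsers
        return True
    if template:                            # template policy: access group scoped to the resource owner
        return user_plays(user, roles, ancestor_orgs(owner))
    return user_plays(user, roles, None if org is None else [org])


def is_allowed(user, action, resource, owner):
    """Returns (passed, trace); the trace mirrors the PolicyManagerImpl lines on the slides."""
    orgs = applicable_orgs(owner)
    groups = {g for o in orgs for g in SUBSCRIPTIONS.get(o, ())}
    trace = [f"isAllowed? User={user}; Action={action}; Resource={resource}; Owner={owner}; "
             f"Resource Ancestor Orgs={','.join(map(str, ancestor_orgs(owner)))}; "
             f"Resource Applicable Orgs={','.join(map(str, orgs))}"]
    passed = False
    for name, member_group, actions, resources, template in POLICIES:
        # only policies whose action group and resource group both match are ever 'found'
        if not (actions & {action, "*"} and resources & {resource, "*"}):
            continue
        trace.append(f"Found PolicyName: {name}")
        if not any(name in POLICY_GROUPS[g] for g in groups):
            trace.append("Policy does not apply to the resource's applicable organizations")
        elif not member_matches(member_group, template, user, owner):
            trace.append("Normal User Group does not match")
        else:
            passed = True
            break
    trace.append(f"PASSED? ={passed}")
    return passed, trace
```

Calling is_allowed(101, "OrderApprove", "com.xyz.OrderResource", 7002) shows the template scoping (User 101 approves only for org 7001), and owner 7003 shows how a direct subscription cuts off inheritance from the root.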
Policy Manager: Command-level check
• Checks who can do what in the current store
• Also known as 'role-based' access control, for example:
  • All sellers can execute seller commands
• Command-level check on controller commands:
  • The policy allows the Execute action on the command resource (the interface)
  • Generally targets a single role (e.g. Sellers)
• Command-level check on views:
  • Done if the view is called directly from a URL or by a redirect from a command
  • The action is the view name
Policy Manager: Resource-level check
• Checks who can execute what command on which resources in the current store, for example:
  • Only display data from an Order which you created
  • Only modify a promotion in an organization in which you play a role
• The resource-level check is done on a command if:
  1. The command implements getResources()
  2. The command's performExecute calls checkIsAllowed()
• The resource-level check is done on beans:
  • If the bean is invoked by the DataBean Manager's activate()
  • It ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource
Troubleshooting: How to read the trace
• How to find out if it is Access Control:
[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
• Turn on Access Control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
• Starting from the end of the file, perform a backward search for '=false' to find the access control check that failed:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
• To determine what was being checked, perform another backward search for the string isAllowed?:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
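An added helper (not IBM code) that automates the backward search just described: it locates the last failed check, parses the isAllowed? line above it, and lists which policies the Policy Manager found and why each was rejected. SAMPLE_TRACE is a constructed excerpt in the slides' format (its user ID, class names and policy names are made up), and the diagnosis strings map onto the problems walked through on the following slides.

```python
import re

# Constructed trace excerpt in the shape shown on the slides (not a real WC_ACCESSCONTROL log).
SAMPLE_TRACE = """\
[8/30/06 13:44:27:001 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
[8/30/06 13:44:27:002 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001
[8/30/06 13:44:27:003 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =true
[8/30/06 13:44:27:010 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyNewCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
[8/30/06 13:44:27:011 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001
[8/30/06 13:44:27:012 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
[8/30/06 13:44:27:013 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Normal User Group does not match
[8/30/06 13:44:27:014 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
[8/30/06 13:44:27:020 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 510 does not have the authority to perform action "Execute" on resource "com.xyz.MyNewCmdImpl"
"""

FAILED = re.compile(r"PASSED\?\s*=false")          # slides show both 'PASSED? =false' and 'PASSED?=false'
REJECTED = re.compile(r"does not match|does not apply|No organizations subscribe")


def last_failed_check(trace_text):
    """Backward search as the slides describe: the last failed PASSED? line, then the
    'isAllowed?' line above it. Returns None when no check failed."""
    lines = trace_text.splitlines()
    fail = next((i for i in range(len(lines) - 1, -1, -1) if FAILED.search(lines[i])), None)
    if fail is None:
        return None
    start = next(i for i in range(fail, -1, -1) if "isAllowed?" in lines[i])
    head = lines[start].split("isAllowed?", 1)[1]
    fields = {k.strip(): v.strip() for k, v in re.findall(r"([\w ]+?)=([^;]*)", head)}
    policies, current = [], None
    for line in lines[start + 1:fail]:      # what the Policy Manager found, and why each was rejected
        found = re.search(r"Found PolicyName: ([^;]+)", line)
        if found:
            current = {"policy": found.group(1).strip(), "reason": None}
            policies.append(current)
        elif current is not None and REJECTED.search(line):
            current["reason"] = re.sub(r"^.*PolicyManagerImpl\.\w+\s+", "", line)
    return {"user": fields.get("User"), "action": fields.get("Action"),
            "resource": fields.get("Resource") or fields.get("Protectable"),
            "owner": fields.get("Owner"), "applicable_orgs": fields.get("Resource Applicable Orgs"),
            "policies": policies, "diagnosis": diagnose(policies)}


def diagnose(policies):
    """Map the rejection pattern onto the problem classes the slides walk through."""
    specific = [p for p in policies if "CanDoEverything" not in p["policy"]]
    if not specific:
        return ("no policy has an action group containing this action and a resource group "
                "containing this resource (Problems 1-3: define the action/resource and a policy)")
    if all(p["reason"] and ("does not apply" in p["reason"] or "subscribe" in p["reason"]) for p in specific):
        return "a policy exists but the resource's applicable orgs do not subscribe to a group containing it (Problem 5)"
    return "matching policies exist but the user is not in their member (access) group"
```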
Problem 1: Missing policy for a new view
• A new view was added without an accompanying policy, and only the SiteAdministratorsCanDoEverything policy shows in the trace:
PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
PolicyManagerImpl.isAllowed PASSED?=false
• How to fix:
  • The trace shows only policies with both the correct action group (i.e. the action is in that group) and the correct resource group (i.e. the resource is in that group)
  • Here, no policy has an action group which includes your view as an action
  • For a brand new view, the view needs to be defined as an action, and then associated with an action group
Problem 2: No command-level policy for command
• A controller command was added without an accompanying access control policy
• The Execute action will match several policies, but no resource groups will match
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001 ...
PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001 ...
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001 ...
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything ...
PolicyManagerImpl.evaluatePolicy Normal User Group does not match ...
PolicyManagerImpl.isAllowed PASSED? =false
• How to fix:
  • Define the command as a resource in your policy
  • Allow the 'Execute' action on this newly defined resource
Problem 3: No resource-level policy for command
• A controller command was extended without adding the resource-level access control directives for the new command
• However, the base command implements getResources()
• The resource-level failure would look similar to:
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002 ...
PolicyManagerImpl.isAllowed PASSED? =false
• How to fix:
  • Define the command as an action, and define the resource category
  • Associate the command as a ResourceAction for the particular resource
Problem 4: Wrong class implementation
• On a command-level access control failure, one cause could be that the command implements the wrong interface, e.g.:
public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
    static final String defaultCommandClassName = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}

// The mismatch shown on the slide: the implementation class implements MyOrderProcessCmd
// instead of MyOrderStatusUpdateCmd, the interface that is the access control resource
public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl implements MyOrderProcessCmd {
    private static final String CLASSNAME = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}
• The check tests whether MyOrderStatusUpdateCmd, which is the resource, is an instance of MyOrderProcessCmd
• The check passes if you have access control set up for MyOrderProcessCmd, and that command is executed instead of the one you expect
• If no access control is set up and you have, for instance, a typo in the command name, you may see a command-level check fail
• How to fix:
  • Ensure that the interface is using a properly defined implementation
Problem 5: No policy group subscription
• The policy appears in the trace but is not applied, with messages such as:
  • No organizations subscribe to a policy group with this policy
  • Policy does not apply to the resource's applicable organizations
• How to fix:
  1. Ensure that the resource owner is subscribing to the correct policy groups:
<PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
  <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews"
                     PolicyOwnerID="RootOrganization"/>
  <PolicyGroupSubscription OrganizationID="RootOrganization"/>
</PolicyGroup>
  2. Check the policy subscriptions and the organizational hierarchy to ensure the expected policy inheritance is in place
  • i.e. if an organization subscribes to at least one of its own policy groups, it will no longer inherit any from its ancestors
Problem 6: CSR cannot impersonate customer
• A command is to be run by a CSR-type user, acting on behalf of a registered customer, but it fails similar to:
isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".
• The BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup policy is a special policy that allows certain admin users to run specified commands on behalf of other users
• How to fix:
  • Add the CSR commands into this policy (by adding the action into the BecomeUserActionGroup action group)
Problem 7: Commands fail when storeID not set
• Users receive a blank page when trying to access the storefront, with an error similar to the following:
AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".
• How to fix:
  • This usually happens when the store ID is wrong for the command being called
  • For instance, calling commands with storeID=0, a value that does not exist, or when the storeID is missing altogether
  • Make sure to call the URL with the proper storeID
Problem 8: Improper cookie domain
• After adding to the cart, the redirect to the shopping cart page results in an access control error, with the trace showing failures on chained commands with different user IDs:
isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051
• How to fix:
  • Verify that wc-server.xml is set up to accept cookies from the proper domain:
<cookie domain=mydomain.com
  • If your current domain is, for instance, host.mydomain.com, you will see this problem
  • The file must be changed to reflect the current domain, or the domain must be left blank
Problem 9: Authorized user cannot invoke command
• A user with the correct authority cannot run a command, i.e. the access control check passes:
PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true
• Yet the user still gets the message 'The user does not have the authority to run this command' and cannot execute the command
• How to fix:
  • The custom command must override the isGeneric() method of the superclass
  • This method allows a command to be run by a generic user (userid -1002)
Problem 10: PolicyManager does not initialize
• Starting the server after loading in new policies, you get:
[2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
[2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry.java.lang.NullPointerException
        at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))
• Having other actions in the DoEverything action group will cause this; only the '*' action should be in that group
• There is no need to explicitly list all actions in this group: the wildcard matches all actions during policy evaluation
• How to fix:
  • Remove the additional actions from the DoEverything group definition, and put them in another group if necessary
Problem 11: Sporadic resource-level failures
• Sporadically receive errors relating to resource-level checks, such as:
isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".
• The problem may be that an action is to be performed on a resource, but the resource is no longer in the proper state, e.g. for classname = com.ibm.commerce.order.objects.Order:
<ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
  <ResourceCondition>….
    <simpleCondition>
      <variable name="Status"/>
      <operator name="="/>
      <value data="P"/>
    </simpleCondition>
Summary
• Access control policy:
  • Member, action, resource groups, relation
• Potentially two levels of checking done per action:
  • Command-level and resource-level
• Access control failures are a result of:
  • Improper policies
  • Improper subscriptions
  • Various other runtime aspects, not directly related to the policy configurations
Additional Access Control Resources
• Understanding Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
• Evaluating Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
• Troubleshooting Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
• Access Control Data Model
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm
Additional WebSphere Product Resources
• Discover the latest trends in WebSphere technology and implementation, and participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
• Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html
• Join the Global WebSphere User Group Community: http://www.websphere.org
• Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
• View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
• Sign up to receive weekly technical My Support emails: http://www.ibm.com/software/support/einfo.html
Questions and Answers