IBM Software Group
WebSphere® Support Technical Exchange

Understanding WebSphere Commerce Access Control

Mike Callaghan and Sidy Doumbia


Agenda

• What is Access Control
• Access Control Policies and Components
• Policy Manager
• Resource-level versus Command-level check
• Troubleshooting: How to read the trace
• Basic and Complex Problems
• Questions and Answers


What is Access Control?

• Access control is the process of restricting access to specific individuals within specific organizations
• Access control can be defined as security guidelines that:
  • Allow or deny a user of a system access to the resources managed by the system
  • Specify what actions the user can perform on each resource
• If the access control criteria are met, the user is granted authority and the action is invoked
• Otherwise, the user does not have the authority, access is denied, and the action is not invoked


Access Control Policies

• An access control policy authorizes a group of users to perform a group of actions on a group of resources. It consists of four main parts:
  • Member (Access/User) group (e.g. Registered Customers)
    • Group of users to which the policy applies (implicit and explicit grouping of users)
  • Action group (e.g. the group must contain OrderItemAddCmd)
    • A group of actions performed by the user on resources
  • Resource group (e.g. the target resource of the command, OrderBean)
    • Objects such as an order, or a set of related commands such as all the commands that users of a particular role can perform
  • Relationship (e.g. the user must be the creator of the OrderBean)
    • Relationship between the user and the resource


Access Control Policy - Components

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation]

<Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDatabeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>


Access Control Policy – Member Group

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation, MemberGroupCond]

<UserGroup Name="RegisteredCustomers"
           OwnerID="RootOrganization"
           Description="Users with Registered Customer role"
           MemberGroupID="-197">
  <UserCondition><![CDATA[
    <profile>
      <orListCondition>
        <simpleCondition>
          <variable name="role"/>
          <operator name="="/>
          <value data="Registered Customer"/>
        </simpleCondition>
      </orListCondition>
    </profile>
  ]]></UserCondition>
</UserGroup>


Access Control Policy – Action Group

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation, Action1, Action2]

<Action Name="DisplayDatabean"
        CommandName="Display">
</Action>

<ActionGroup Name="DisplayDatabeanActionGroup"
             OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayDatabean"/>
</ActionGroup>


Access Control Policy – Resource Group

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation, Resource1, Resource2]

<ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
  <ResourceAction Name="DisplayDatabean"/>
</ResourceCategory>

<ResourceGroup Name="OrderDatabeanResourceGroup"
               OwnerID="RootOrganization">
  <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>


Access Control Policy – Resource Group (2)

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation, Resource1, Resource2]

<ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                  PrimaryResourceTable="users"
                  PrimaryResourceOwnerTable="users"
                  PrimaryResourceOwnerColumn="users_id">
  <ResourceAction Name="DisplayDatabean"/>
  <ResourceRelation Name="owner"
                    RelationTable="users"
                    RelationKeyColumn="users_id"
                    RelationMemberColumn="users_id"/>
</ResourceCategory>


Access Control Policy - Relationship

[Diagram labels: Policy, MemberGroup, ActionGroup, ResourceGroup, Relation]

<Relation Name="owner"/>
<Relation Name="creator"/>
<Relation Name="sameOrganizationalEntityAsCreator"/>
<Relation Name="owner of RFQ"/>
<Relation Name="Approver"/>
<Relation Name="Submitter"/>


Access Control Policy: Subscriptions

• (ORG A) Subscribes to Policy Group 1 (Policy 1, 2, 3 apply to them)
• (ORG B) Subscribes to Policy Group 2 (Policy 3, 4, 5 apply to them)
• (ORG C) No direct subscriptions. Therefore it inherits the subscriptions of its parent (ORG A): Policy Group 1 (Policies 1, 2, 3)

[Diagram labels: Org A; Org C; Org B; Org A Policy Group (Policy 1, Policy 2, Policy 3); Org B Policy Group (Policy 3, Policy 4, Policy 5); Subscribes (twice)]


Access Control Policy - PolicyType

• Two types of access control policies:
  • Groupable standard policies (policy type -2)
  • Groupable template policies (policy type -3)
• Both types of policies must belong to a policy group in order to be applied in the system
• Groupable standard policies:
  • Applied once, at organizations that subscribe to a policy group that contains the policy
• Groupable template policies:
  • Dynamic in nature (have an access group that is scoped to the organization that owns the resource)
  • E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors


Access Control Policy – Standard example

• Access groups:
  • Policy 1 (Approvers for Jewelry)
  • Policy 2 (Approvers for Clothing)
• User_A and User_B play the approver role in the respective orgs, Jewelry and Clothing (they approve orders for those orgs)
• Root Organization subscription contains both Policy 1 and 2
• User A can approve all Jewelry orders, User B can approve all Clothing orders
• Minimal access control complexity is achieved by using a minimum of two policies, 2 policy groups and direct subscription from the orgs owning the stores.

[Diagram labels: Root Org; Jewelry Org; Clothing Org; User_A; User_B; Store J; Store C; J_Org Policy group; Policy 1; C_Org Policy group; Policy 2; subscribes (twice)]


Access Control Policy – Template example

• Access groups:
  • Policy 3 (Approvers for Orgs)
• User_A and User_B play the approver role in the respective orgs, Jewelry and Clothing (they approve orders for those orgs)
• Roles are the same for User_A and User_B, but the access group is parameterized (the user executing the action is only checked against the org that owns the resource, or its ancestors)
• Root Organization subscription contains only Policy 3
• User A can only approve Jewelry orders, User B can only approve Clothing orders
• Achieves the same access control restrictions with one less policy compared to standard

[Diagram labels: Root Org; Root Org Policy group; Policy 3; Jewelry Org; Clothing Org; User_A; User_B; Store J; Store C; subscribes]


Access Control Policy - Tables

ACPOLICY
  Policy Name | MBRGRP_ID | ACACTGRP_ID | ACRESGRP_ID | ACREL_ID
  AllUsersExecuteAllSiteUsersViews | -2 | 10199 | 10021 |

MBRGROUP
  MBRGRP_ID | MBRGRPNAME
  -2 | AllUsers

MBRGROUPCOND
  MBRGRP_ID | Condition
  -2 | <profile> <trueCondition> <trueCondition> <profile>

ACACTGRP
  ACACTGRP_ID | GROUPNAME
  10199 | AllSiteUsersViews

ACACTACTGP
  ACACTGRP_ID | ACACTION_ID
  10199 | 10000

ACACTION
  ACACTION_ID | ACACTION_ID
  10000 | AlertDialogView

ACRESGRP
  ACRESGRP_ID | GROUPNAME
  10021 | ViewCommandResourceGroup

ACRESGPRES
  ACRESGRP_ID | ACRESCGRY_ID
  10021 | 10000

ACRESCGRY
  ACRESCGRY_ID | ResClassname
  10079 | com.ibm.commerce.command.ViewCommand

ACRELATION
  ACRELATION_ID | RELATIONNAME
  10001 | Owner
  10002 | Creator
  … | …


Policy Manager

• When a user attempts to perform an action on a resource, an access control check will be done to make sure that the user is authorized
• The Policy Manager looks for all the access control policies that match the combination of the user, the action, and the target resource
• From those policies, it will find all policies that apply to the organization that owns the resource
• If there is at least one such policy, the Policy Manager grants access, otherwise, access is denied


Policy Manager: Example

• PolicyManager cycles through each policy until it finds one that applies
  • Policy1: User group does not match, -1002 not in AccessGroup_X
  • Policy2: Action group does not match, Execute not in ActionGroup_X
  • Policy3: Resource group does not match, MyCmdImpl not in ResourceGroup_X
  • Policy4: Applies, passed?= true

isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
  Policy_1 [AccessGroup_X , ActionGroup_A, ResourceGroup_A] - Fail
  Policy_2 [AccessGroup_X , ActionGroup_X, ResourceGroup_A] - Fail
  Policy_3 [AccessGroup_A , ActionGroup_A, ResourceGroup_X] - Fail
  Policy_4 [AccessGroup_A , ActionGroup_A, ResourceGroup_A] – Success!
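
The following Python sketch is an added example, not code from the presentation or from WebSphere Commerce. It models the decision described on the Policy Manager slides together with the subscription inheritance from the Subscriptions slide; the class names, the order in which the groups are checked, Org B's parent, and the sample policies are assumptions made for illustration, and template policies are not modelled.

```python
# Added illustration: a simplified model of the Policy Manager decision.
# Class, method and organization names are hypothetical, not WebSphere Commerce APIs.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    member_group: frozenset          # user IDs in the access group
    action_group: frozenset          # action names
    resource_group: frozenset        # resource class names
    relation: Optional[str] = None   # e.g. "creator"; None means no relation required


class PolicyManagerModel:
    def __init__(self, parent_of, subscriptions, policy_groups):
        self.parent_of = parent_of          # org -> parent org (None for the root)
        self.subscriptions = subscriptions  # org -> policy group names it subscribes to
        self.policy_groups = policy_groups  # policy group name -> list of Policy

    def effective_groups(self, org):
        """An org with its own subscriptions uses only those; an org with none
        inherits from the nearest ancestor that subscribes to something."""
        while org is not None:
            if self.subscriptions.get(org):
                return list(self.subscriptions[org])
            org = self.parent_of.get(org)
        return []

    def is_allowed(self, user, action, resource, owner_org, relations=frozenset()):
        """Return (passed, trace). relations is the set of relation names the
        user holds on this resource, resolved by the caller."""
        trace = []
        for group in self.effective_groups(owner_org):
            for p in self.policy_groups.get(group, []):
                if user not in p.member_group:
                    verdict = "user group does not match"
                elif action not in p.action_group:
                    verdict = "action group does not match"
                elif resource not in p.resource_group:
                    verdict = "resource group does not match"
                elif p.relation is not None and p.relation not in relations:
                    verdict = "relation not satisfied"
                else:
                    verdict = "applies"
                trace.append((p.name, verdict))
                if verdict == "applies":
                    return True, trace   # one applicable policy grants access
        return False, trace              # no applicable policy: access denied


# Constructed sample data: four policies giving the four outcomes on the slide,
# and the Org A / Org B / Org C subscriptions (Org B's parent is assumed).
USERS_A, USERS_X = frozenset({-1002}), frozenset({-1000})
ACTIONS_A, ACTIONS_X = frozenset({"Execute"}), frozenset({"Display"})
RES_A, RES_X = frozenset({"MyCmdImpl"}), frozenset({"OtherCmdImpl"})
POLICIES = [
    Policy("Policy_1", USERS_X, ACTIONS_A, RES_A),
    Policy("Policy_2", USERS_A, ACTIONS_X, RES_A),
    Policy("Policy_3", USERS_A, ACTIONS_A, RES_X),
    Policy("Policy_4", USERS_A, ACTIONS_A, RES_A),
]
MODEL = PolicyManagerModel(
    parent_of={"OrgA": None, "OrgB": "OrgA", "OrgC": "OrgA"},
    subscriptions={"OrgA": ["Group1"], "OrgB": ["Group2"]},
    policy_groups={"Group1": POLICIES, "Group2": POLICIES[:3]},
)

if __name__ == "__main__":
    for org in ("OrgC", "OrgB"):
        print(org, MODEL.is_allowed(-1002, "Execute", "MyCmdImpl", org))
```

A resource owned by OrgC is evaluated against OrgA's policy group and passes on Policy_4, while the same request against a resource owned by OrgB is denied because OrgB's own subscription replaces the inherited one.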


Policy Manager: Command-level check

• Checks who can do what in the current store
• Also known as ‘role-based’ access control, for example:
  • All sellers can execute seller commands
• Command-level check on controller commands:
  • Policy to allow the Execute action on the command resource (interface)
  • Generally targeting a single role (e.g. Sellers)
• Command-level check on views:
  • Done if the view is called directly from a URL or by a redirect from a command
  • Action is the view name


Policy Manager: Resource-level check

• Checks who can execute what command on which resources in the current store, for example:
  • Only display data from an Order which you created
  • Only modify a promotion in an organization in which you play a role
• Resource-level check done on a command if:
  1. Command implements getResources()
  2. Command’s performExecute calls checkIsAllowed()
• Resource-level check done on beans:
  • If the bean is invoked by the Databean Manager’s activate()
  • Ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource


Troubleshooting: How to read the trace

• How to find out if it is Access Control:

  [8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource " com.myco.HttpForwardViewCommandImpl"

• Turn on Access Control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
• Starting from the end of the file, perform a backward search for ‘=false’ to find the access control check that failed

  WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false

• To determine what was being checked, perform another backward search for the string isAllowed?

  WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource= com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
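
The backward search described above can be scripted; this Python example is added here and is not part of the original presentation. The full trace line layout (timestamp, thread ID, component prefix) and the sample lines are constructed from the fragments shown on the slides, and matching on the thread ID is an assumption about how to keep concurrent requests apart.

```python
# Added illustration: automate the backward search through a WC_ACCESSCONTROL trace.
# The full line layout (timestamp, thread ID, component) is an assumption.
import re

THREAD_RE = re.compile(r"^\[[^\]]*\]\s+(\S+)")
PASSED_RE = re.compile(r"PASSED\?\s*=\s*(true|false)")
FIELD_RE = re.compile(
    r"\b(Resource Ancestor Orgs|Resource Applicable Orgs|User|Action|"
    r"Resource|Protectable|Owner)\s*=\s*([^;]*)"
)
POLICY_RE = re.compile(r"Found PolicyName:\s*([^;]+)")


def thread_of(line):
    m = THREAD_RE.match(line)
    return m.group(1) if m else None


def failed_checks(lines):
    """Return one dict per failed check, oldest first."""
    failures = []
    for i in range(len(lines) - 1, -1, -1):      # start from the end of the file
        m = PASSED_RE.search(lines[i])
        if not m or m.group(1) != "false":
            continue
        tid = thread_of(lines[i])
        # Walk back to the "isAllowed?" line written by the same thread, so that
        # checks from concurrent requests are not mixed together.
        j = i - 1
        while j >= 0 and not ("isAllowed?" in lines[j] and thread_of(lines[j]) == tid):
            j -= 1
        if j < 0:
            continue                              # start of the check is not in this file
        check = {k: v.strip() for k, v in FIELD_RE.findall(lines[j])}
        check["thread"] = tid
        check["policies"] = [
            name.strip()
            for line in lines[j + 1:i] if thread_of(line) == tid
            for name in POLICY_RE.findall(line)
        ]
        failures.append(check)
    failures.reverse()
    return failures


# Constructed sample: two request threads interleaved; only 6a36e74e fails.
P = "WC_ACCESSCONT d PolicyManagerImpl."
SAMPLE_TRACE = [
    f"[8/30/06 13:44:27:101 CDT] 6a36e74e {P}isAllowed isAllowed? User=408002; "
    "Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; "
    "Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001",
    f"[8/30/06 13:44:27:102 CDT] 1b2c3d4e {P}isAllowed isAllowed? User=-1002; "
    "Action=Execute; Resource=com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl; "
    "Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001",
    f"[8/30/06 13:44:27:110 CDT] 6a36e74e {P}isAllowed Found PolicyName: "
    "SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001",
    f"[8/30/06 13:44:27:111 CDT] 1b2c3d4e {P}isAllowed Found PolicyName: "
    "AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001",
    f"[8/30/06 13:44:27:120 CDT] 1b2c3d4e {P}isAllowed PASSED? =true",
    f"[8/30/06 13:44:27:141 CDT] 6a36e74e {P}isAllowed PASSED? =false",
]

if __name__ == "__main__":
    for failure in failed_checks(SAMPLE_TRACE):
        print(failure)
```

A failed check whose only candidate policy is SiteAdministratorsCanDoEverything, as in this sample, is the pattern described under Problem 1.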


Problem 1: Missing policy for a new view

• Added a new view without an accompanying policy, and only the SiteAdminCanDoEverything policy shows in the trace:

  PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
  PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
  PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
  PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
  WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED?=false

• How to fix:
  • The trace shows only policies with both the correct action group (i.e. the action is in that group) and the correct resource group (i.e. the resource is in that group)
  • Here, no policy has an action group which includes your view as an action
  • For a brand new view, the view needs to be defined as an action, and then associated to an action group


Problem 2: No Command-level policy for command

• A controller command was added without an accompanying access control policy
• Execute action will match several policies, but no resource groups will match

  PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001 ...
  PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001 ...
  PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001 ...
  PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything ...
  PolicyManagerImpl.evaluatePolicy Normal User Group does not match ...
  PolicyManagerImpl.isAllowed PASSED? =false

• How to fix:
  • Define the command as a resource in your policy
  • Allow the ‘Execute’ action on this newly defined resource


Problem 3: No Resource-level policy for command

• A controller command was extended without adding the resource-level access control directives for the new command
• However, the base command implements getResources()
• A resource-level failure would look similar to:

  PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002 ...
  PolicyManagerImpl.isAllowed PASSED? =false

• How to fix:
  • Define the command as an action, and the resource category.
  • Associate the command as a ResourceAction for the particular resource.


Problem 4: Wrong class implementation

• If you get a command-level access control failure, one cause could be that the command implements the wrong interface, e.g.

  public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
      static final String defaultCommandClassName = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
  }

  // Implements MyOrderProcessCmd rather than MyOrderStatusUpdateCmd (the wrong interface)
  public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl implements MyOrderProcessCmd {
      private static final String CLASSNAME = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
      // ...
  }

• Checks if MyOrderStatusUpdateCmd, which is the resource, is an instance of MyOrderProcessCmd
• The check passes if you have access control set up for MyOrderProcessCmd, and that command is executed instead of the one you expect
• If no access control is set up and you have, for instance, a typo in the command name, you may see a command-level check fail
• How to fix:
  • Ensure that the interface is using the properly defined implementation


Problem 5: No Policy group subscription

• Policy appears in the trace but is not applied, with messages:
  • No organizations subscribe to a policy group with this policy
  • Policy does not apply to the resource's applicable organizations
• How to fix:
  1. Ensure that the resource owner is subscribing to the correct policy groups.

     <PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
       <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews"
                          PolicyOwnerID="RootOrganization"/>
       <PolicyGroupSubscription OrganizationID="RootOrganization"/>
     </PolicyGroup>

  2. Check the policy subscriptions and the organizational hierarchy to ensure expected policy inheritance is in place
     • i.e. if an organization subscribes to at least one of its own policy groups, it will no longer inherit any from its ancestors
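
An added Python example (not IBM tooling and not from the presentation) that checks a policy XML document for the conditions behind Problems 1 and 5: references to undefined groups or actions, and policies that no subscribed policy group contains. It assumes all definitions are in a single document; the `<Policies>` root element and the sample names are constructed for the example.

```python
# Added illustration: static checks on an access control policy XML document.
# Assumes every definition lives in the one document; the <Policies> root
# element and all sample names are constructed for this example.
import xml.etree.ElementTree as ET

REFERENCES = (("UserGroup", "UserGroup"),
              ("ActionGroupName", "ActionGroup"),
              ("ResourceGroupName", "ResourceGroup"))


def lint_policies(xml_text):
    root = ET.fromstring(xml_text)
    names = {tag: {e.get("Name") for e in root.iter(tag)}
             for tag in ("Action", "ActionGroup", "ResourceGroup", "UserGroup", "Policy")}
    findings = []

    # A policy must reference groups that exist.
    for pol in root.iter("Policy"):
        for attr, tag in REFERENCES:
            ref = pol.get(attr)
            if ref is not None and ref not in names[tag]:
                findings.append(f"{pol.get('Name')}: {attr} '{ref}' is not defined")

    # An action group can only contain actions that were defined.
    for grp in root.iter("ActionGroup"):
        for member in grp.iter("ActionGroupAction"):
            if member.get("Name") not in names["Action"]:
                findings.append(f"{grp.get('Name')}: action '{member.get('Name')}' is not defined")

    # A policy takes effect only through a policy group that has a subscriber.
    in_group, subscribed = set(), set()
    for pg in root.iter("PolicyGroup"):
        members = {p.get("Name") for p in pg.iter("PolicyGroupPolicy")}
        in_group |= members
        if pg.find("PolicyGroupSubscription") is not None:
            subscribed |= members
    for name in sorted(names["Policy"]):
        if name not in in_group:
            findings.append(f"{name}: not in any policy group")
        elif name not in subscribed:
            findings.append(f"{name}: no organization subscribes to its policy group")
    return findings


# Constructed sample with one defect of each kind.
SAMPLE = """
<Policies>
  <Action Name="MyNewView" CommandName="MyNewView"/>
  <ActionGroup Name="MyViews" OwnerID="RootOrganization">
    <ActionGroupAction Name="MyNewView"/>
    <ActionGroupAction Name="MyOtherView"/>
  </ActionGroup>
  <ResourceGroup Name="ViewCommandResourceGroup" OwnerID="RootOrganization"/>
  <UserGroup Name="AllUsers" OwnerID="RootOrganization"/>
  <Policy Name="AllUsersExecuteMyViews" OwnerID="RootOrganization" UserGroup="AllUsers"
          ActionGroupName="MyViews" ResourceGroupName="ViewCommandResourceGroup"
          PolicyType="groupableStandard"/>
  <Policy Name="SellersExecuteMyViews" OwnerID="RootOrganization" UserGroup="Sellers"
          ActionGroupName="MyViews" ResourceGroupName="ViewCommandResourceGroup"
          PolicyType="groupableStandard"/>
  <PolicyGroup Name="MyPolicyGroup" OwnerID="RootOrganization">
    <PolicyGroupPolicy Name="AllUsersExecuteMyViews" PolicyOwnerID="RootOrganization"/>
  </PolicyGroup>
</Policies>
"""

if __name__ == "__main__":
    for finding in lint_policies(SAMPLE):
        print(finding)
```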


Problem 6: CSR cannot impersonate customer

• The command is to be run by a CSR-type user, acting on behalf of a registered customer, but it fails with an error similar to:

  isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".

• The BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup policy is a special policy that allows certain admin users to run specified commands on behalf of other users
• How to fix:
  • Add the CSR commands into this policy (by adding the action into the BecomeUserActionGroup action group)


Problem 7: Commands fail when storeID not set

• Users receive a blank page when trying to access the Storefront, with an error similar to the following:

  AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".

• How to fix:
  • This usually happens when the store ID is wrong for the command being called
  • For instance, calling commands with storeID=0, with a value that does not exist, or with the storeID missing altogether
  • Make sure to call the URL with the proper storeID


Problem 8: Improper cookie domain

• After adding to cart, the redirect to the shopping cart page results in an access control error, with the trace showing failures on chained commands with different user IDs:

  isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
  isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051

• How to fix:
  • Verify that wc-server.xml is set up to accept cookies from the proper domain

    <cookie domain=mydomain.com

  • If your current domain is, for instance, host.mydomain.com, you will see this problem
  • File must be changed to reflect the current domain or must be left blank


Problem 9: Authorized user cannot invoke command

• A user with the correct authority cannot run a command, i.e. the access control check passes:

  PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true

• Yet the user still gets the message ‘The user does not have the authority to run this command’ and cannot execute the command
• How to fix:
  • Custom command must override the isGeneric() method of the superclass.
  • This method allows a command to be run by a generic user (userid -1002)


Problem 10: PolicyManager does not initialize

• Starting the server after loading in new policies, you get:

  [2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
  [2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry.
  java.lang.NullPointerException
      at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))

• Having other actions in the DoEverything action group will cause this; only the '*' action should be in that group
• There is no need to explicitly list all actions in this group; the wildcard matches all actions during policy evaluation
• How to fix:
  • Remove the additional action from the DoEverything group, by definition, and put it in another group if necessary


Problem 11: Sporadic resource-level failures

• Sporadically receive errors relating to resource-level checks, such as this:

  isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".

• The problem may be that an action is to be performed on a resource, but the resource is no longer in the proper state, e.g. for classname = com.ibm.commerce.order.objects.Order

  <ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
    <ResourceCondition>….
      <simpleCondition>
        <variable name="Status"/>
        <operator name="="/>
        <value data="P"/>
      </simpleCondition>


Summary

• Access control policy:
  • Member, action, resource groups, relation
• Potentially two levels of checking done per action
  • Command-level and resource-level
• Access control failures are a result of:
  • Improper policies
  • Improper subscriptions
  • Various other runtime aspects, not directly related to the policy configurations


Additional Access Control Resources

• Understanding Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
• Evaluating Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
• Troubleshooting Access Control
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
• Access Control Data Model
  http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm


Additional WebSphere Product Resources

• Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
• Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html
• Join the Global WebSphere User Group Community: http://www.websphere.org
• Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
• View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
• Sign up to receive weekly technical My support emails: http://www.ibm.com/software/support/einfo.html


Questions and Answers