Acp policies

Perform ACCESS CONTROL POLICIES

Transcript

  • 1. IBM Software Group ® WebSphere® Support Technical Exchange
    Understanding WebSphere Commerce Access Control
    Mike Callaghan and Sidy Doumbia
  • 2. Agenda
    - What is Access Control
    - Access Control Policies and Components
    - Policy Manager
    - Resource-level versus Command-level check
    - Troubleshooting: How to read the trace
    - Basic and Complex Problems
    - Questions and Answers
  • 3. What is Access Control?
    The process of restricting access to specific individuals within specific organizations.
    Access control can be defined as security guidelines that:
    - Allow or deny a user of a system access to the resources managed by the system
    - Specify what actions the user can perform on each resource
    If the access control criteria are met, the user is granted authority and the action is invoked; otherwise the user does not have the authority, access is denied and the action is not invoked.
  • 4. Access Control Policies
    A policy authorizes a group of users to perform a group of actions on a group of resources, and consists of four main parts:
    - Member (access/user) group (e.g. Registered Customers): the group of users to which the policy applies (implicit and explicit grouping of users)
    - Action group (e.g. a group that contains OrderItemAddCmd): a group of actions performed by the user on resources
    - Resource group (e.g. the target resource of a command, OrderBean): objects like an order, or a set of related commands such as all the commands that users of a particular role can perform
    - Relationship (e.g. the user must be the creator of the OrderBean): the relationship between the user and the resource; a policy need not specify one
  • 5. Access Control Policy - Components
    A Policy ties together a MemberGroup, an ActionGroup, a ResourceGroup and a Relation:
    <Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
            OwnerID="RootOrganization"
            UserGroup="AllUsers"
            ActionGroupName="DisplayDatabeanActionGroup"
            ResourceGroupName="OrderDatabeanResourceGroup"
            RelationName="creator"
            PolicyType="groupableStandard">
    </Policy>
  • 6. Access Control Policy – Member Group
    The member group (MemberGroup plus its MemberGroupCond) defines who the policy applies to, here by role:
    <UserGroup Name="RegisteredCustomers" OwnerID="RootOrganization"
               Description="Users with Registered Customer role" MemberGroupID="-197">
      <UserCondition>
        <![CDATA[
          <profile>
            <orListCondition>
              <simpleCondition>
                <variable name="role"/>
                <operator name="="/>
                <value data="Registered Customer"/>
              </simpleCondition>
            </orListCondition>
          </profile>
        ]]>
      </UserCondition>
    </UserGroup>
  • 7. Access Control Policy – Action Group
    An ActionGroup collects one or more Actions:
    <Action Name="DisplayDatabean" CommandName="Display">
    </Action>
    <ActionGroup Name="DisplayDatabeanActionGroup" OwnerID="RootOrganization">
      <ActionGroupAction Name="DisplayDatabean"/>
    </ActionGroup>
  • 8. Access Control Policy – Resource Group
    A ResourceGroup collects ResourceCategories; each category names the protected bean class and the actions that can be checked on it:
    <ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                      ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
      <ResourceAction Name="DisplayDatabean"/>
    </ResourceCategory>
    <ResourceGroup Name="OrderDatabeanResourceGroup" OwnerID="RootOrganization">
      <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
    </ResourceGroup>
  • 9. Access Control Policy – Resource Group (2)
    A ResourceCategory can also declare how the resource's owner and relationships are resolved from the database:
    <ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                      ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                      PrimaryResourceTable="users"
                      PrimaryResourceOwnerTable="users"
                      PrimaryResourceOwnerColumn="users_id">
      <ResourceAction Name="DisplayDatabean"/>
      <ResourceRelation Name="owner" RelationTable="users"
                        RelationKeyColumn="users_id" RelationMemberColumn="users_id"/>
    </ResourceCategory>
  • 10. Access Control Policy - Relationship
    Relations describe the relationship between the user and the resource, for example:
    <Relation Name="owner"/>
    <Relation Name="creator"/>
    <Relation Name="sameOrganizationalEntityAsCreator"/>
    <Relation Name="owner of RFQ"/>
    <Relation Name="Approver"/>
    <Relation Name="Submitter"/>
  • 11. Access Control Policy: Subscriptions
    Policies are collected into policy groups, and organizations subscribe to policy groups:
    - Org A subscribes to Policy Group 1, so Policies 1, 2 and 3 apply to it
    - Org B subscribes to Policy Group 2, so Policies 3, 4 and 5 apply to it
    - Org C has no direct subscriptions, so it inherits the subscriptions of its parent (Org A): Policy Group 1 (Policies 1, 2, 3)
  • 12. Access Control Policy - PolicyType
    Two types of access control policies:
    - Groupable standard policies (policy type -2)
    - Groupable template policies (policy type -3)
    Both types must belong to a policy group in order to be applied in the system.
    Groupable standard policies are applied once, at organizations that subscribe to a policy group that contains the policy.
    Groupable template policies are dynamic in nature: their access group is scoped to the organization that owns the resource. E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors.
  • 13. Access Control Policy – Standard example
    Org hierarchy: Root Org, with Jewelry Org (Store J, User_A) and Clothing Org (Store C, User_B) beneath it.
    - Policy 1 has access group "Approvers for Jewelry", Policy 2 has access group "Approvers for Clothing"
    - User_A and User_B play the approver role in Jewelry Org and Clothing Org respectively (they approve orders for those orgs)
    - Policy 1 is in the J_Org Policy group and Policy 2 in the C_Org Policy group, each subscribed to by the org owning the store; the Root Organization subscription contains both Policy 1 and 2
    - User_A can approve all Jewelry orders, User_B can approve all Clothing orders
    With standard policies, minimal access control complexity needs at least two policies, two policy groups and direct subscriptions from the orgs owning the stores.
  • 14. Access Control Policy – Template example
    Same org hierarchy: Root Org, with Jewelry Org (Store J, User_A) and Clothing Org (Store C, User_B) beneath it.
    - Policy 3 has access group "Approvers for Orgs" and sits in the Root Org Policy group
    - User_A and User_B play the approver role in Jewelry Org and Clothing Org respectively (they approve orders for those orgs)
    - The roles are the same for User_A and User_B, but the access group is parameterized: the user executing the action is only checked against the org that owns the resource, or its ancestors
    - The Root Organization subscription contains only Policy 3
    - User_A can only approve Jewelry orders, User_B can only approve Clothing orders
    The same access control restrictions are achieved with one less policy than the standard version.
  • 15. Access Control Policy - Tables
    How the policy AllUsersExecuteAllSiteUsersViews is stored across the access control tables:

    ACPOLICY
      POLICYNAME                         MBRGRP_ID  ACACTGRP_ID  ACRESGRP_ID  ACREL_ID
      AllUsersExecuteAllSiteUsersViews   -2         10199        10021        (none)

    MBRGROUP
      MBRGRP_ID  MBRGRPNAME
      -2         AllUsers

    MBRGROUPCOND
      MBRGRP_ID  CONDITION
      -2         <profile><trueCondition></trueCondition></profile>

    ACACTGRP
      ACACTGRP_ID  GROUPNAME
      10199        AllSiteUsersViews

    ACACTACTGP
      ACACTGRP_ID  ACACTION_ID
      10199        10000

    ACACTION
      ACACTION_ID  ACTION
      10000        AlertDialogView

    ACRESGRP
      ACRESGRP_ID  GROUPNAME
      10021        ViewCommandResourceGroup

    ACRESGPRES
      ACRESGRP_ID  ACRESCGRY_ID
      10021        10000

    ACRESCGRY
      ACRESCGRY_ID  RESCLASSNAME
      10079         com.ibm.commerce.command.ViewCommand
      ...           ...

    ACRELATION
      ACRELATION_ID  RELATIONNAME
      10001          Owner
      10002          Creator
  • 16. Policy Manager
    When a user attempts to perform an action on a resource, an access control check is done to make sure that the user is authorized:
    - The Policy Manager looks for all the access control policies that match the combination of the user, the action and the target resource
    - From those policies, it finds all policies that apply to the organization that owns the resource
    - If there is at least one such policy, the Policy Manager grants access; otherwise, access is denied
  • 17. Policy Manager: Example
    The PolicyManager cycles through each policy until it finds one that applies.
    isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl
    - Policy_1 [AccessGroup_X, ActionGroup_A, ResourceGroup_A] - Fail: user group does not match, -1002 not in AccessGroup_X
    - Policy_2 [AccessGroup_X, ActionGroup_X, ResourceGroup_A] - Fail: action group does not match, Execute not in ActionGroup_X
    - Policy_3 [AccessGroup_A, ActionGroup_A, ResourceGroup_X] - Fail: resource group does not match, MyCmdImpl not in ResourceGroup_X
    - Policy_4 [AccessGroup_A, ActionGroup_A, ResourceGroup_A] - Success! Applies, PASSED? = true
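The decision procedure of slides 11, 16 and 17 (match user, action and resource, then require that the policy applies to the resource owner's applicable organization, then the relationship) as a toy model. This is an added example, not IBM code: the org tree, policy groups, subscriptions and the four Policy_1 to Policy_4 entries are constructed, member groups are explicit user-id sets rather than role conditions, and the trace strings only imitate the shape of the product's trace.

```python
"""Toy model of the Policy Manager decision (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    member_group: frozenset          # user ids in the access group (simplification)
    action_group: frozenset          # action names
    resource_group: frozenset        # resource class names
    relation: Optional[str] = None   # e.g. "creator"; None means no relationship required


# Constructed org hierarchy (child -> parent) and subscriptions, after slide 11.
ORG_PARENT = {"OrgC": "OrgA", "OrgA": "Root", "OrgB": "Root", "Root": None}
POLICY_GROUPS = {
    "PolicyGroup1": {"Policy_1", "Policy_2", "Policy_3", "Policy_4"},
    "PolicyGroup2": {"Policy_3", "Policy_5"},
}
SUBSCRIPTIONS = {"OrgA": {"PolicyGroup1"}, "OrgB": {"PolicyGroup2"}}  # OrgC and Root: none


def ancestor_orgs(org):
    """The org and its ancestors, nearest first (the trace's 'Resource Ancestor Orgs')."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def applicable_org(owner):
    """Nearest org in the owner's chain that has its own subscriptions (the trace's
    'Resource Applicable Orgs'): an org that subscribes directly no longer inherits
    from its ancestors (slide 25)."""
    for org in ancestor_orgs(owner):
        if SUBSCRIPTIONS.get(org):
            return org
    return None


def applicable_policy_names(owner):
    org = applicable_org(owner)
    if org is None:
        return set()
    return set().union(*(POLICY_GROUPS[g] for g in SUBSCRIPTIONS[org]))


def is_allowed(user, action, resource, owner, policies, relations=frozenset()):
    """Cycle through the policies like PolicyManagerImpl.isAllowed and stop at the
    first one that applies. `relations` holds the relationship names the caller has
    established between the user and this resource (e.g. {"creator"})."""
    trace = [f"isAllowed? User={user}; Action={action}; Resource={resource}; Owner={owner}; "
             f"Resource Ancestor Orgs={','.join(ancestor_orgs(owner))}; "
             f"Resource Applicable Orgs={applicable_org(owner)}"]
    applicable = applicable_policy_names(owner)
    for p in policies:
        # Action and resource groups are tested first: the real trace only reports
        # 'Found PolicyName' for policies whose action and resource groups match (slide 21).
        if action not in p.action_group:
            reason = f"Action group does not match, {action} not in action group"
        elif resource not in p.resource_group:
            reason = f"Resource group does not match, {resource} not in resource group"
        elif user not in p.member_group:
            reason = f"User group does not match, {user} not in member group"
        elif p.name not in applicable:
            reason = "Policy does not apply to the resource's applicable organizations"
        elif p.relation and p.relation not in relations:
            reason = f"Relationship {p.relation} does not hold"
        else:
            trace.append(f"{p.name}: applies")
            trace.append("PASSED? =true")
            return True, trace
        trace.append(f"{p.name}: {reason}")
    trace.append("PASSED? =false")
    return False, trace


# Constructed policies reproducing the slide 17 walk-through.
ACCESS_GROUP_A, ACCESS_GROUP_X = frozenset({"-1002"}), frozenset({"510"})
ACTION_GROUP_A, ACTION_GROUP_X = frozenset({"Execute"}), frozenset({"Display"})
RESOURCE_GROUP_A, RESOURCE_GROUP_X = frozenset({"MyCmdImpl"}), frozenset({"OtherCmdImpl"})
SLIDE17_POLICIES = [
    Policy("Policy_1", ACCESS_GROUP_X, ACTION_GROUP_A, RESOURCE_GROUP_A),
    Policy("Policy_2", ACCESS_GROUP_X, ACTION_GROUP_X, RESOURCE_GROUP_A),
    Policy("Policy_3", ACCESS_GROUP_A, ACTION_GROUP_A, RESOURCE_GROUP_X),
    Policy("Policy_4", ACCESS_GROUP_A, ACTION_GROUP_A, RESOURCE_GROUP_A),
]

if __name__ == "__main__":
    # OrgC inherits OrgA's subscription, so Policy_4 applies; OrgB subscribes to
    # PolicyGroup2, which does not contain Policy_4, so the same user is denied there.
    for owner in ("OrgC", "OrgB"):
        ok, lines = is_allowed("-1002", "Execute", "MyCmdImpl", owner, SLIDE17_POLICIES)
        print("\n".join(lines), "\n")
```

Running it shows the same resource and user being granted for a resource owned by OrgC (inherited subscription) and denied for one owned by OrgB, which is the subscription failure of Problem 5 before any member-group question arises.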
  • 18. Policy Manager: Command-level check
    Checks who can do what in the current store. Also known as 'role-based' access control, for example: all sellers can execute seller commands.
    Command-level check on controller commands:
    - The policy allows the Execute action on the command resource (the command interface)
    - Generally targets a single role (e.g. Sellers)
    Command-level check on views:
    - Done if the view is called directly from a URL or via a redirect from a command
    - The action is the view name
  • 19. Policy Manager: Resource-level check
    Checks who can execute what command on which resources in the current store, for example:
    - Only display data from an Order which you created
    - Only modify promotions in an organization in which you play a role
    A resource-level check is done on a command if:
    1. The command implements getResources()
    2. The command's performExecute calls checkIsAllowed()
    A resource-level check is done on beans if the bean is invoked by the Databean Manager's activate(): it ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource.
  • 20. Troubleshooting: How to read the trace
    How to find out if the failure is access control: look for CMN1501E in the log, e.g.
    [8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
    Turn on Access Control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
    Starting from the end of the file, perform a backward search for '=false' to find the access control check that failed:
    WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
    To determine what was being checked, perform another backward search for the string isAllowed?
    WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
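The two backward searches from slide 20, scripted: find the last "PASSED? =false", walk back to the "isAllowed?" line that opened that check, pull out its fields and the policies the Policy Manager reported in between. This is an added example, not an IBM tool; the trace text is constructed from the line shapes on slides 20 to 22, and diagnose() is the author's heuristic reading of Problems 1 to 5, including the assumption that a policy whose name contains "DoEverything" matches only via the '*' wildcard.

```python
"""Backward-search triage of a WC_ACCESSCONTROL trace (added example, not IBM tooling)."""
import re

# Constructed trace: a passing check followed by the failing one from slide 20/21.
SAMPLE_TRACE = """\
[8/30/06 13:44:26:900 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=Execute; Resource=com.myco.MyCmdImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
[8/30/06 13:44:26:910 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001
[8/30/06 13:44:26:920 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =true
[8/30/06 13:44:27:100 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
[8/30/06 13:44:27:110 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001
[8/30/06 13:44:27:120 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
[8/30/06 13:44:27:130 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Normal User Group does not match
[8/30/06 13:44:27:141 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
"""

FAIL_MARKER = "PASSED? =false"
CHECK_RE = re.compile(r"isAllowed\? (?P<fields>.+)$")
FOUND_RE = re.compile(r"Found PolicyName: (?P<name>[^;]+)")


def parse_fields(text):
    """'User=1; Action=X; Resource Ancestor Orgs=1,2' -> dict; the org fields become lists."""
    fields = {}
    for part in text.split(";"):
        if "=" not in part:
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        fields[key] = value.split(",") if key.endswith("Orgs") else value
    return fields


def last_failed_check(trace_text):
    """Search backwards for the last '=false', then backwards again for the
    'isAllowed?' line that opened that check; return its fields plus the policies
    the Policy Manager found in between. None when no check failed."""
    lines = trace_text.splitlines()
    fail_idx = next((i for i in range(len(lines) - 1, -1, -1) if FAIL_MARKER in lines[i]), None)
    if fail_idx is None:
        return None
    for i in range(fail_idx, -1, -1):
        match = CHECK_RE.search(lines[i])
        if match:
            info = parse_fields(match.group("fields"))
            info["policies_found"] = [m.group("name").strip()
                                      for m in map(FOUND_RE.search, lines[i:fail_idx]) if m]
            return info
    return None


def diagnose(info):
    """Map the failed check onto the problem classes of slides 21 to 25 (heuristic)."""
    if "." in info["Action"]:
        # Resource-level checks use the command interface name as the action (slide 23).
        return ("resource-level check: the action is a command name and the resource is the "
                "protected object; add the command as a ResourceAction on that resource category (Problem 3)")
    # DoEverything matches every action through '*' (slide 30), so it is not evidence that
    # a real policy covers the action or resource. Name-based match is an assumption.
    real = [p for p in info["policies_found"] if "DoEverything" not in p]
    if not real:
        return ("no policy has both an action group containing the action and a resource group "
                "containing the resource; define the action/resource and add it to a group (Problems 1 and 2)")
    return ("candidate policies exist; check the user's member group, the relationship and the "
            "owner org's policy group subscriptions (Problem 5)")


if __name__ == "__main__":
    failed = last_failed_check(SAMPLE_TRACE)
    print(failed)
    print(diagnose(failed))
```

Because the search starts from the end, the earlier passing check is ignored, exactly as the slide's manual procedure intends; run it over a real trace file with last_failed_check(open(path).read()).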
  • 21. Problem 1: Missing policy for a new view
    A new view was added without an accompanying policy, and only the SiteAdministratorsCanDoEverything policy shows in the trace:
    PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
    PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001
    PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
    PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
    WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
    How to fix:
    - The trace shows only policies with both the correct action group (i.e. the action is in that group) and the correct resource group (i.e. the resource is in that group); the DoEverything policy appears because its '*' action matches every action
    - Here, no other policy has an action group which includes your view as an action
    - For a brand new view, the view needs to be defined as an action, and then associated to an action group
  • 22. Problem 2: No command-level policy for command
    A controller command was added without an accompanying access control policy. The Execute action will match several policies, but no resource group will match:
    PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
    ...
    PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001
    ...
    PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
    ...
    PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
    ...
    PolicyManagerImpl.evaluatePolicy Normal User Group does not match
    ...
    PolicyManagerImpl.isAllowed PASSED? =false
    How to fix:
    - Define the command as a resource in your policy
    - Allow the 'Execute' action on this newly defined resource
  • 23. Problem 3: No resource-level policy for command
    A controller command was extended without adding the resource-level access control directives for the new command; however, the base command implements getResources(). The resource-level failure looks similar to:
    PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002
    ...
    PolicyManagerImpl.isAllowed PASSED? =false
    Note the difference from a command-level check: the action is the command interface name and the resource is the protected object (here the Order), not the command.
    How to fix:
    - Define the command as an action, and define the resource category
    - Associate the command as a ResourceAction for the particular resource
  • 24. Problem 4: Wrong class implementation
    If you get a command-level access control failure, one cause could be that the command implementation implements the wrong interface, e.g.
    public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
        static final String defaultCommandClassName = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
    }
    public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl implements MyOrderProcessCmd {
        private static final String CLASSNAME = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
        ...
    The command-level check tests whether the command being run is an instance of the interface named as the resource; here the resource is expected to be MyOrderStatusUpdateCmd, but the implementation declares MyOrderProcessCmd.
    - The check passes if you have access control set up for MyOrderProcessCmd, and then that command is executed instead of the one you expect
    - If no access control is set up for it, or you have for instance a typo in the command name, you will see a command-level check fail
    How to fix: ensure that the implementation class named in the interface's defaultCommandClassName implements that same interface.
  • 25. Problem 5: No policy group subscription
    The policy appears in the trace but is not applied, with messages such as:
    - No organizations subscribe to a policy group with this policy
    - Policy does not apply to the resource's applicable organizations
    How to fix:
    1. Ensure that the resource owner subscribes to the correct policy groups:
    <PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
      <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews" PolicyOwnerID="RootOrganization"/>
      <PolicyGroupSubscription OrganizationID="RootOrganization"/>
    </PolicyGroup>
    2. Check the policy subscriptions and the organizational hierarchy to ensure the expected policy inheritance is in place, i.e. if an organization subscribes to at least one policy group of its own, it no longer inherits any from its ancestors
  • 26. Problem 6: CSR cannot impersonate customer
    A command is to be run by a CSR-type user acting on behalf of a registered customer, but it fails similar to:
    isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".
    BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup is a special policy that allows certain admin users to run specified commands on behalf of other users.
    How to fix: add the CSR commands into this policy (by adding the action into the BecomeUserActionGroup action group).
  • 27. Problem 7: Commands fail when storeID not set
    Users receive a blank page when trying to access the storefront, with an error similar to:
    AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".
    How to fix: this usually happens when the store ID is wrong for the command being called, for instance calling commands with storeID=0, a value that does not exist, or with the storeID missing altogether. Make sure to call the URL with the proper storeID.
  • 28. Problem 8: Improper cookie domain
    After adding to cart, the redirect to the shopping cart page results in an access control error, with the trace showing the failure on chained commands running under different user IDs:
    isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
    isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051
    The browser does not send the session cookie back for the redirected request, so the second command runs as a different (new) user than the one who added the item.
    How to fix: verify that wc-server.xml is set up to accept cookies from the proper domain, i.e. the <cookie domain="mydomain.com" ...> setting. If your current domain is for instance host.mydomain.com, you will see this problem; the file must be changed to reflect the current domain, or the domain must be left blank.
  • 29. Problem 9: Authorized user cannot invoke command
    A user with the correct authority cannot run a command, i.e. the access control check passes:
    PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true
    yet the user still gets the message 'The user does not have the authority to run this command' and cannot execute the command.
    How to fix: the custom command must override the isGeneric() method of the superclass. This method allows a command to be run by a generic user (userid -1002).
  • 30. Problem 10: PolicyManager does not initialize
    Starting the server after loading new policies, you get:
    [2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
    [2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry. java.lang.NullPointerException at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))
    Having other actions in the DoEverything action group causes this: only the '*' action should be in that group. There is no need to explicitly list all actions in this group, since the wildcard matches all actions during policy evaluation.
    How to fix: remove the additional actions from the DoEverything group and put them in another group if necessary.
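Most of Problems 1, 2, 5 and 10 are visible in the policy XML before it is ever loaded, so a pre-load lint pays for itself. The checker below is an added example, not an IBM tool: the XML is constructed from the element shapes on slides 5 to 8 and 25, and the four rules encode slide 12 (a policy must belong to a policy group), slide 21 (actions must be defined), slide 25 (a policy group needs a subscription) and slide 30 (a '*' action group must contain nothing else).

```python
"""Static checks on an access control policy XML file (added example, not IBM code)."""
import xml.etree.ElementTree as ET

# Constructed policy file with one deliberate instance of each defect.
SAMPLE_POLICY_XML = """\
<Policies>
  <Action Name="DisplayDatabean" CommandName="Display"/>
  <Action Name="MyNewView" CommandName="MyNewView"/>
  <ActionGroup Name="DoEverything" OwnerID="RootOrganization">
    <ActionGroupAction Name="*"/>
    <ActionGroupAction Name="MyNewView"/>
  </ActionGroup>
  <ActionGroup Name="DisplayDatabeanActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayDatabean"/>
  </ActionGroup>
  <ResourceGroup Name="OrderDatabeanResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
  </ResourceGroup>
  <Policy Name="AllUsersDisplayOrderDatabeanResourceGroup" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="DisplayDatabeanActionGroup"
          ResourceGroupName="OrderDatabeanResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="BrokenPolicy" OwnerID="RootOrganization" UserGroup="AllUsers"
          ActionGroupName="NoSuchActionGroup" ResourceGroupName="OrderDatabeanResourceGroup"
          PolicyType="groupableStandard"/>
  <Policy Name="UngroupedPolicy" OwnerID="RootOrganization" UserGroup="AllUsers"
          ActionGroupName="DisplayDatabeanActionGroup" ResourceGroupName="OrderDatabeanResourceGroup"
          PolicyType="groupableStandard"/>
  <PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
    <PolicyGroupPolicy Name="AllUsersDisplayOrderDatabeanResourceGroup" PolicyOwnerID="RootOrganization"/>
    <PolicyGroupSubscription OrganizationID="RootOrganization"/>
  </PolicyGroup>
  <PolicyGroup Name="OrphanPolicyGroup" OwnerID="RootOrganization">
    <PolicyGroupPolicy Name="BrokenPolicy" PolicyOwnerID="RootOrganization"/>
  </PolicyGroup>
</Policies>
"""


def lint_policies(xml_text):
    """Return a list of human-readable findings; an empty list means the file passed."""
    root = ET.fromstring(xml_text)
    findings = []
    actions = {a.get("Name") for a in root.iter("Action")}
    action_groups = {g.get("Name"): [m.get("Name") for m in g.findall("ActionGroupAction")]
                     for g in root.iter("ActionGroup")}
    resource_groups = {g.get("Name") for g in root.iter("ResourceGroup")}
    policies = {p.get("Name") for p in root.iter("Policy")}

    for name, members in action_groups.items():
        extra = sorted(m for m in members if m != "*")
        if "*" in members and extra:   # slide 30: Policy Manager fails to initialize
            findings.append(f"action group {name}: '*' must be the only action, found also {extra}")
        for m in extra:
            if m not in actions:       # slide 21: the view/command was never defined as an action
                findings.append(f"action group {name}: references undefined action {m}")

    for p in root.iter("Policy"):
        if p.get("ActionGroupName") not in action_groups:
            findings.append(f"policy {p.get('Name')}: undefined action group {p.get('ActionGroupName')}")
        if p.get("ResourceGroupName") not in resource_groups:
            findings.append(f"policy {p.get('Name')}: undefined resource group {p.get('ResourceGroupName')}")

    grouped = set()
    for g in root.iter("PolicyGroup"):
        names = [x.get("Name") for x in g.findall("PolicyGroupPolicy")]
        grouped.update(names)
        for n in names:
            if n not in policies:
                findings.append(f"policy group {g.get('Name')}: references undefined policy {n}")
        if not g.findall("PolicyGroupSubscription"):   # slide 25: nobody subscribes
            findings.append(f"policy group {g.get('Name')}: no organization subscribes to it")
    for n in sorted(policies - grouped):               # slide 12: both policy types need a group
        findings.append(f"policy {n}: not in any policy group, so it is never applied")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_POLICY_XML):
        print("WARN", finding)
```

The subscription rule only sees subscriptions declared in the same file; an organization that subscribes elsewhere (or inherits from an ancestor that does) will still be flagged, so treat that finding as a prompt to check the hierarchy, as slide 25 advises.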
  • 31. Problem 11: Sporadic resource-level failures
    Errors relating to resource-level checks are received sporadically, such as:
    isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".
    The problem may be that an action is to be performed on a resource, but the resource is no longer in the proper state, i.e. the resource group carries a condition on the resource's attributes. For classname = com.ibm.commerce.order.objects.Order:
    <ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
      <ResourceCondition>....
        <simpleCondition>
          <variable name="Status"/>
          <operator name="="/>
          <value data="P"/>
        </simpleCondition>
    An order whose Status is no longer P falls outside this resource group, so no policy matches and the check fails for that order only.
  • 32. Summary
    - Access control policy: member group, action group, resource group, relation
    - Potentially two levels of checking are done per action: command-level and resource-level
    - Access control failures are a result of improper policies, improper subscriptions, or various other runtime aspects not directly related to the policy configuration
  • 33. Additional Access Control Resources
    Understanding Access Control
    http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
    Evaluating Access Control
    http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
    Troubleshooting Access Control
    http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
    Access Control Data Model
    http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm
  • 34. Additional WebSphere Product Resources
    - Discover the latest trends in WebSphere technology and implementation, and participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
    - Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html
    - Join the Global WebSphere User Group Community: http://www.websphere.org
    - Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
    - View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
    - Sign up to receive weekly technical My support emails: http://www.ibm.com/software/support/einfo.html
  • 35. Questions and Answers