Acp policies
IBM Software Group
WebSphere® Support Technical Exchange
Understanding WebSphere Commerce Access Control
Mike Callaghan and Sidy Doumbia
Agenda
What is Access Control
Access Control Policies and Components
Policy Manager
Resource-level versus Command-level check
Troubleshooting: How to read the trace
Basic and Complex Problems
Questions and Answers
What is Access Control?
The process of restricting access to specific individuals within specific organizations.
Access control can be defined as security guidelines that:
• Allow or deny a user of a system access to the resources managed by the system
• Specify what actions the user can perform on each resource
If the access control criteria are met, the user is granted authority and the action is invoked.
Otherwise, the user does not have the authority, access is denied, and the action is not invoked.
Access Control Policies
A policy authorizes a group of users to perform a group of actions on a group of resources, and consists of four main parts:
Member (access/user) group (e.g. Registered Customers)
• The group of users to which the policy applies (implicit and explicit grouping of users)
Action group (e.g. the group must contain OrderItemAddCmd)
• A group of actions performed by the user on resources
Resource group (e.g. the target resource of the command, such as OrderBean)
• Objects like an order, or a set of related commands such as all the commands that users of a particular role can perform
Relationship (e.g. the user must be the creator of the OrderBean)
• The relationship between the user and the resource
Access Control Policy - Components
Diagram: a Policy is composed of a MemberGroup, an ActionGroup, a ResourceGroup and a Relation.
<Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDatabeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>
Access Control Policy – Member Group
Diagram: the MemberGroup component of the Policy, with its membership condition (MemberGroupCond).
<UserGroup Name="RegisteredCustomers"
           OwnerID="RootOrganization"
           Description="Users with Registered Customer role"
           MemberGroupID="-197">
  <UserCondition>
    <![CDATA[
    <profile>
      <orListCondition>
        <simpleCondition>
          <variable name="role"/>
          <operator name="="/>
          <value data="Registered Customer"/>
        </simpleCondition>
      </orListCondition>
    </profile>
    ]]>
  </UserCondition>
</UserGroup>
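An added example, not code from the deck or from WebSphere Commerce: a small Python evaluator for the UserCondition grammar shown above (profile, orListCondition, simpleCondition), extended with andListCondition nesting, which is assumed to follow the same shape. The condition XML and the user profiles it is tested against are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the RegisteredCustomers condition from the slide, extended
# with an andListCondition branch (nesting is assumed to follow the same grammar).
USER_CONDITION_XML = """
<profile>
  <orListCondition>
    <simpleCondition>
      <variable name="role"/>
      <operator name="="/>
      <value data="Registered Customer"/>
    </simpleCondition>
    <andListCondition>
      <simpleCondition>
        <variable name="role"/>
        <operator name="="/>
        <value data="Buyer Administrator"/>
      </simpleCondition>
      <simpleCondition>
        <variable name="org"/>
        <operator name="="/>
        <value data="Jewelry Org"/>
      </simpleCondition>
    </andListCondition>
  </orListCondition>
</profile>
"""


def eval_simple(node, profile):
    """simpleCondition: compare one profile variable against the target value.
    A variable may carry several values (a user plays many roles), so '='
    holds if any of them equals the target."""
    var = node.find("variable").get("name")
    op = node.find("operator").get("name")
    target = node.find("value").get("data")
    actual = profile.get(var, ())
    if isinstance(actual, str):
        actual = (actual,)
    if op == "=":
        return target in actual
    if op == "!=":
        return target not in actual
    raise ValueError(f"unsupported operator {op!r}")


def eval_condition(node, profile):
    """Recursive walk over profile / orListCondition / andListCondition / simpleCondition."""
    if node.tag in ("profile", "andListCondition"):
        return all(eval_condition(child, profile) for child in node)
    if node.tag == "orListCondition":
        return any(eval_condition(child, profile) for child in node)
    if node.tag == "simpleCondition":
        return eval_simple(node, profile)
    raise ValueError(f"unknown condition element <{node.tag}>")


def is_member(condition_xml, profile):
    """True if the user described by `profile` satisfies the member-group condition."""
    return eval_condition(ET.fromstring(condition_xml), profile)
```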
Access Control Policy – Action Group
Diagram: the ActionGroup component of the Policy, containing Action1 and Action2.
<Action Name="DisplayDatabean"
        CommandName="Display">
</Action>
<ActionGroup Name="DisplayDatabeanActionGroup"
             OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayDatabean"/>
</ActionGroup>
Access Control Policy – Resource Group
Diagram: the ResourceGroup component of the Policy, containing Resource1 and Resource2.
<ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
  <ResourceAction Name="DisplayDatabean"/>
</ResourceCategory>
<ResourceGroup Name="OrderDatabeanResourceGroup"
               OwnerID="RootOrganization">
  <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>
Access Control Policy – Resource Group (2)
Diagram: the ResourceGroup component of the Policy, containing Resource1 and Resource2.
<ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                  PrimaryResourceTable="users"
                  PrimaryResourceOwnerTable="users"
                  PrimaryResourceOwnerColumn="users_id">
  <ResourceAction Name="DisplayDatabean"/>
  <ResourceRelation Name="owner"
                    RelationTable="users"
                    RelationKeyColumn="users_id"
                    RelationMemberColumn="users_id"/>
</ResourceCategory>
Access Control Policy - Relationship
Diagram: the Relation component of the Policy.
<Relation Name="owner"/>
<Relation Name="creator"/>
<Relation Name="sameOrganizationalEntityAsCreator"/>
<Relation Name="owner of RFQ"/>
<Relation Name="Approver"/>
<Relation Name="Submitter"/>
Access Control Policy: Subscriptions
Org A subscribes to Policy Group 1 (Policies 1, 2 and 3 apply to it)
Org B subscribes to Policy Group 2 (Policies 3, 4 and 5 apply to it)
Org C has no direct subscriptions; therefore it inherits the subscriptions of its parent, Org A: Policy Group 1 (Policies 1, 2, 3)
Diagram: Org A subscribes to the Org A Policy Group (Policy 1, Policy 2, Policy 3); Org B subscribes to the Org B Policy Group (Policy 3, Policy 4, Policy 5); Org C is a child of Org A.
Access Control Policy - PolicyType
Two types of access control policies:
• Groupable standard policies (policy type -2)
• Groupable template policies (policy type -3)
Both types of policies must belong to a policy group in order to be applied in the system.
Groupable standard policies:
• Applied once, at organizations that subscribe to a policy group that contains the policy
Groupable template policies:
• Dynamic in nature: their access group is scoped to the organization that owns the resource
• E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors
Access Control Policy – Standard example
Access groups: Policy 1 (Approvers for Jewelry), Policy 2 (Approvers for Clothing)
User_A and User_B play the approver role in their respective organizations, Jewelry Org and Clothing Org (they approve orders for those orgs)
Root Organization subscription contains both Policy 1 and Policy 2
User_A can approve all Jewelry orders; User_B can approve all Clothing orders
Minimal access control complexity is achieved with a minimum of two policies, two policy groups (J_Org Policy group and C_Org Policy group) and direct subscriptions from the orgs owning the stores
Diagram: Root Org with child orgs Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); J_Org Policy group holds Policy 1 and C_Org Policy group holds Policy 2, each subscribed to by the corresponding org.
Access Control Policy – Template example
Access groups: Policy 3 (Approvers for Orgs)
User_A and User_B play the approver role in their respective organizations, Jewelry Org and Clothing Org (they approve orders for those orgs)
Roles are the same for User_A and User_B, but the access group is parameterized (the user executing the action is only checked against the org that owns the resource, or its ancestors)
Root Organization subscription contains only Policy 3
User_A can only approve Jewelry orders; User_B can only approve Clothing orders
The same access control restrictions are achieved with one less policy than the standard approach
Diagram: Root Org subscribes to the Root Org Policy group (Policy 3); its child orgs are Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C).
Policy Manager
When a user attempts to perform an action on a resource, an access control check is done to make sure that the user is authorized.
The Policy Manager looks for all the access control policies that match the combination of the user, the action, and the target resource.
From those policies, it finds all policies that apply to the organization that owns the resource.
If there is at least one such policy, the Policy Manager grants access; otherwise, access is denied.
Policy Manager: Example
The PolicyManager cycles through each policy until it finds one that applies:
Policy1: User group does not match, -1002 not in AccessGroup_X
Policy2: Action group does not match, Execute not in ActionGroup_X
Policy3: Resource group does not match, MyCmdImpl not in ResourceGroup_X
Policy4: Applies, passed?= true
isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
Policy_1 [AccessGroup_X, ActionGroup_A, ResourceGroup_A] - Fail
Policy_2 [AccessGroup_X, ActionGroup_X, ResourceGroup_A] - Fail
Policy_3 [AccessGroup_A, ActionGroup_A, ResourceGroup_X] - Fail
Policy_4 [AccessGroup_A, ActionGroup_A, ResourceGroup_A] - Success!
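An added example, not code from the deck or from WebSphere Commerce: a small Python model of the evaluation order the two Policy Manager slides describe (action and resource group match, then the resource owner's applicable subscriptions, then the member group), emitting trace lines in the deck's wording. The policies, user ids, organization tree and subscriptions are constructed to mirror the Policy_1..Policy_4 walk-through; relations are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    owner: str                 # organization that owns the policy
    access_group: frozenset    # member (access) group, as user ids
    action_group: frozenset    # action names; "*" matches every action
    resource_group: frozenset  # resource class names


# Constructed data mirroring the slide's Policy_1..Policy_4 walk-through.
ACCESS_A, ACCESS_X = frozenset({-1002, 510}), frozenset({132004})
ACTIONS_A, ACTIONS_X = frozenset({"Execute", "Display"}), frozenset({"becomeUser"})
RES_A, RES_X = frozenset({"MyCmdImpl"}), frozenset({"OtherCmdImpl"})
POLICIES = [
    Policy("Policy_1", "-2001", ACCESS_X, ACTIONS_A, RES_A),
    Policy("Policy_2", "-2001", ACCESS_X, ACTIONS_X, RES_A),
    Policy("Policy_3", "-2001", ACCESS_A, ACTIONS_A, RES_X),
    Policy("Policy_4", "-2001", ACCESS_A, ACTIONS_A, RES_A),
]
# Org hierarchy (child -> parent) and direct policy-group subscriptions
# (org -> names of the policies in the groups it subscribes to).
PARENT = {"7001": "-2001", "7002": "7001"}
SUBSCRIPTIONS = {"-2001": {"Policy_1", "Policy_2", "Policy_3", "Policy_4"}}


def applicable_orgs(owner):
    """Walk up from the resource owner; the first org with a direct subscription
    is the applicable org, since a subscribing org no longer inherits (Problem 5)."""
    org = owner
    while org is not None:
        if SUBSCRIPTIONS.get(org):
            return [org]
        org = PARENT.get(org)
    return []


def is_allowed(user, action, resource, owner, policies=POLICIES):
    """Return (passed, trace) in the order the deck's trace lines show: action and
    resource group match ("Found PolicyName"), then applicable organizations,
    then member-group evaluation. Relations are not modelled."""
    orgs = applicable_orgs(owner)
    trace = [f"isAllowed? User={user}; Action={action}; Resource={resource}; "
             f"Owner={owner}; Resource Applicable Orgs={','.join(orgs)}"]
    for p in policies:
        if action not in p.action_group and "*" not in p.action_group:
            trace.append(f"{p.name}: Action group does not match")
            continue
        if resource not in p.resource_group:
            trace.append(f"{p.name}: Resource group does not match")
            continue
        trace.append(f"Found PolicyName: {p.name}; PolicyOwner: {p.owner}")
        if not any(p.name in SUBSCRIPTIONS.get(o, ()) for o in orgs):
            trace.append(f"{p.name}: Policy does not apply to the resource's applicable organizations")
            continue
        trace.append(f"Evaluating PolicyName: {p.name}")
        if user not in p.access_group:
            trace.append(f"{p.name}: Normal User Group does not match")
            continue
        trace.append("PASSED? =true")
        return True, trace
    trace.append("PASSED? =false")
    return False, trace
```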
Policy Manager: Command-level check
Checks who can do what in the current store
Also known as 'role-based' access control, for example: all sellers can execute seller commands
Command-level check on controller commands:
• A policy allows the Execute action on the command resource (interface)
• Generally targets a single role (e.g. Sellers)
Command-level check on views:
• Done if the view is called directly from a URL or via a redirect from a command
• The action is the view name
Policy Manager: Resource-level check
Checks who can execute what command on which resources in the current store, for example:
• Only display data from an Order which you created
• Only modify promotions in an organization in which you play a role
Resource-level check is done on a command if:
1. The command implements getResources()
2. The command's performExecute calls checkIsAllowed()
Resource-level check is done on beans:
• If the bean is invoked by the Databean Manager's activate()
• Ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource
Troubleshooting: How to read the trace
How to find out if it is Access Control:
[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
Turn on Access Control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
Starting from the end of the file, perform a backward search for '=false' to find the access control check that failed:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
To determine what was being checked, perform another backward search for the string isAllowed?
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource= com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
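An added example (not from the deck): the backward search just described, automated in Python over a constructed trace excerpt with the same line shapes. It locates the last '=false', then the preceding 'isAllowed?' line, and returns the User/Action/Resource/Owner fields of that check together with the policies that were 'Found' for it.

```python
import re

# Constructed trace excerpt in the shape of the WC_ACCESSCONTROL lines quoted above.
TRACE = """\
[8/30/06 13:44:27:101 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=Execute; Resource=com.myco.SomeOtherCmdImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
[8/30/06 13:44:27:120 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =true
[8/30/06 13:44:27:130 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource= com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
[8/30/06 13:44:27:135 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
[8/30/06 13:44:27:140 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
"""

FAIL_RE = re.compile(r"PASSED\?\s*=\s*false")
CHECK_RE = re.compile(r"isAllowed\?\s*(.*)$")
FOUND_RE = re.compile(r"Found PolicyName:\s*([^;]+)")


def last_failed_check(trace):
    """The slide's procedure, automated: search backward from the end for
    '=false', then backward again for 'isAllowed?' to see what was being
    checked. Returns the check's fields (User, Action, Resource, Owner, ...)
    plus the policies that were 'Found' for it, or None if no check failed."""
    lines = trace.splitlines()
    fail_idx = next((i for i in range(len(lines) - 1, -1, -1)
                     if FAIL_RE.search(lines[i])), None)
    if fail_idx is None:
        return None
    found = []
    for i in range(fail_idx, -1, -1):
        m = FOUND_RE.search(lines[i])
        if m:
            found.append(m.group(1).strip())
        m = CHECK_RE.search(lines[i])
        if m:
            fields = {}
            for part in m.group(1).split(";"):
                key, sep, value = part.partition("=")
                if sep:
                    fields[key.strip()] = value.strip()
            fields["FoundPolicies"] = found[::-1]  # restore file order
            return fields
    return None
```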
Problem 1: Missing policy for a new view
A new view was added without an accompanying policy, and only the SiteAdministratorsCanDoEverything policy shows in the trace:
PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED?=false
How to fix:
The trace shows only policies with both the correct action group (i.e. the action is in that group) and the correct resource group (i.e. the resource is in that group).
Here, no policy has an action group which includes your view as an action.
For a brand new view, the view needs to be defined as an action, and then associated with an action group.
Problem 2: No Command-level policy for command
A controller command was added without an accompanying access control policy.
The Execute action will match several policies, but no resource group will match:
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001 ...
PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001 ...
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001 ...
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything ...
PolicyManagerImpl.evaluatePolicy Normal User Group does not match ...
PolicyManagerImpl.isAllowed PASSED? =false
How to fix:
Define the command as a resource in your policy.
Allow the 'Execute' action on this newly defined resource.
Problem 3: No Resource-level policy for command
A controller command was extended without adding the resource-level access control directives for the new command.
However, the base command implements getResources().
The resource-level failure would look similar to:
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002 ...
PolicyManagerImpl.isAllowed PASSED? =false
How to fix:
Define the command as an action, and define the resource category.
Associate the command as a ResourceAction for the particular resource.
Problem 4: Wrong class implementation
If you get a command-level access control failure, one cause could be that the command implements the wrong interface, e.g.:
public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
    static final String defaultCommandClassName =
        "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}
public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl
        implements MyOrderProcessCmd {
    private static final String CLASSNAME =
        "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}
The check tests whether MyOrderStatusUpdateCmd, which is the resource, is an instance of MyOrderProcessCmd.
The check passes if you have access control set up for MyOrderProcessCmd, and that command is executed instead of the one you expect.
If no access control is set up and you have, for instance, a typo in the command name, you may see a command-level check fail.
How to fix:
Ensure that the interface is using a properly defined implementation.
Problem 5: No Policy group subscription
The policy appears in the trace, however it is not applied, with messages such as:
No organizations subscribe to a policy group with this policy
Policy does not apply to the resource's applicable organizations
How to fix:
1. Ensure that the resource owner is subscribing to the correct policy groups.
<PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
  <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews"
                     PolicyOwnerID="RootOrganization"/>
  <PolicyGroupSubscription OrganizationID="RootOrganization"/>
</PolicyGroup>
2. Check the policy subscriptions and the organizational hierarchy to ensure the expected policy inheritance is in place.
E.g. if an organization subscribes to at least one of its own policy groups, it will no longer inherit any from its ancestors.
Problem 6: CSR cannot impersonate customer
A command is to be run by a CSR-type user, acting on behalf of a registered customer, however it fails similar to:
isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".
The BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup policy is a special policy that allows certain admin users to run specified commands on behalf of other users.
How to fix:
Add the CSR commands into this policy (by adding the action into the BecomeUserActionGroup action group).
Problem 7: Commands fail when storeID not set
Users receive a blank page when trying to access the Storefront, with an error similar to the following:
AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".
How to fix:
This usually happens when the store ID is wrong for the command being called, for instance calling commands with storeID=0, a value that does not exist, or when the storeID is missing altogether.
Make sure to call the URL with the proper storeID.
Problem 8: Improper cookie domain
After adding to the cart, the redirect to the shopping cart page results in an access control error, with the trace showing failures on chained commands with different user IDs:
isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051
How to fix:
Verify that wc-server.xml is set up to accept cookies from the proper domain:
<cookie domain="mydomain.com" ...
If your current domain is, for instance, host.mydomain.com, you will see this problem.
The file must be changed to reflect the current domain, or the domain must be left blank.
Problem 9: Authorized user cannot invoke command
A user with the correct authority cannot run a command, i.e. the access control check passes:
PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true
Yet the user still gets the message 'The user does not have the authority to run this command' and cannot execute the command.
How to fix:
The custom command must override the isGeneric() method of the superclass.
This method allows a command to be run by a generic user (userid -1002).
Problem 10: PolicyManager does not initialize
Starting the server after loading in new policies, you get:
[2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
[2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry.java.lang.NullPointerException
at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))
Having other actions in the DoEverything action group will cause this; only the '*' action should be in that group.
There is no need to explicitly list all actions in this group: the wildcard matches all actions during policy evaluation.
How to fix:
Remove the additional actions from the DoEverything group (which by definition holds only the wildcard) and put them in another group if necessary.
Problem 11: Sporadic resource-level failures
Sporadically receiving errors relating to resource-level checks, such as this:
isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".
The problem may be that an action is to be performed on a resource, but the resource is no longer in the proper state, e.g. for classname = com.ibm.commerce.order.objects.Order:
<ResourceGroup Name="OrderResourceGroupwithPEStatus"
               OwnerID="RootOrganization">
  <ResourceCondition>….
    <simpleCondition>
      <variable name="Status"/>
      <operator name="="/>
      <value data="P"/>
    </simpleCondition>
Summary
Access control policy:
• Member, action and resource groups, plus a relation
Potentially two levels of checking done per action:
• Command-level and resource-level
Access control failures are a result of:
• Improper policies
• Improper subscriptions
• Various other runtime aspects, not directly related to the policy configuration
Additional Access Control Resources
Understanding Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
Evaluating Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
Troubleshooting Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
Access Control Data Model
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm
Additional WebSphere Product Resources
Discover the latest trends in WebSphere technology and implementation, and participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html
Join the Global WebSphere User Group Community: http://www.websphere.org
Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
Sign up to receive weekly technical My Support emails: http://www.ibm.com/software/support/einfo.html