IBM Software Group
WebSphere® Support Technical Exchange
Understanding WebSphere Commerce
Access Control
Mike Callaghan and Sidy Doumbia
Agenda
What is Access Control
Access Control Policies and Components
Policy Manager
Resource-level versus Command-level check
Troubleshooting: How to read the trace
Basic and Complex Problems
Questions and Answers
What is Access Control?
The process of restricting access to specific individuals within specific organizations
Access control can be defined as security guidelines that:
Allow or deny a user of a system access to the resources managed by the system
Specify what actions the user can perform on each resource
If the access control criteria are met, the user is granted authority and the action is invoked
Otherwise the user does not have the authority, access is denied and the action is not invoked
Access Control Policies
Authorize a group of users to perform a group of actions on a group of resources. A policy consists of four main parts:
Member (access/user) group (e.g. Registered Customers)
• The group of users to which the policy applies; users can be grouped implicitly (by a condition such as the role they play) or explicitly (by listing them)
Action group (e.g. a group that contains OrderItemAddCmd)
• A group of actions performed by the user on resources
Resource group (e.g. the target resource of a command, such as OrderBean)
• Objects like an order, or a set of related commands such as all the commands that users of a particular role can perform
Relationship (e.g. the user must be the creator of the OrderBean)
• The relationship between the user and the resource; not every policy has one, but when present it must hold for the policy to grant access
Access Control Policy - Components
(Diagram: a Policy is made up of a MemberGroup, an ActionGroup, a ResourceGroup and a Relation)
<Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDatabeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>
Access Control Policy – Member Group
(Diagram: the MemberGroup component of the policy, with its MemberGroupCond)
<UserGroup Name="RegisteredCustomers"
           OwnerID="RootOrganization"
           Description="Users with Registered Customer role"
           MemberGroupID="-197">
  <UserCondition>
    <![CDATA[
    <profile>
      <orListCondition>
        <simpleCondition>
          <variable name="role"/>
          <operator name="="/>
          <value data="Registered Customer"/>
        </simpleCondition>
      </orListCondition>
    </profile>
    ]]>
  </UserCondition>
</UserGroup>
Access Control Policy – Action Group
(Diagram: the ActionGroup component of the policy, containing Action1, Action2, ...)
<Action Name="DisplayDatabean" CommandName="Display">
</Action>
<ActionGroup Name="DisplayDatabeanActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayDatabean"/>
</ActionGroup>
Access Control Policy – Resource Group
(Diagram: the ResourceGroup component of the policy, containing Resource1, Resource2, ...)
<ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
  <ResourceAction Name="DisplayDatabean"/>
</ResourceCategory>
<ResourceGroup Name="OrderDatabeanResourceGroup" OwnerID="RootOrganization">
  <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>
Access Control Policy – Resource Group (2)
(Diagram: the ResourceGroup component again; this resource category also declares the owner relation)
<ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                  ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                  PrimaryResourceTable="users"
                  PrimaryResourceOwnerTable="users"
                  PrimaryResourceOwnerColumn="users_id">
  <ResourceAction Name="DisplayDatabean"/>
  <ResourceRelation Name="owner"
                    RelationTable="users"
                    RelationKeyColumn="users_id"
                    RelationMemberColumn="users_id"/>
</ResourceCategory>
Access Control Policy - Relationship
(Diagram: the Relation component of the policy)
<Relation Name="owner"/>
<Relation Name="creator"/>
<Relation Name="sameOrganizationalEntityAsCreator"/>
<Relation Name="owner of RFQ"/>
<Relation Name="Approver"/>
<Relation Name="Submitter"/>
Access Control Policy: Subscriptions
Org A subscribes to Policy Group 1 (Policies 1, 2 and 3 apply to it)
Org B subscribes to Policy Group 2 (Policies 3, 4 and 5 apply to it)
Org C has no direct subscriptions, so it inherits the subscriptions of its parent, Org A: Policy Group 1 (Policies 1, 2 and 3)
(Diagram: Org A subscribes to the Org A policy group holding Policies 1, 2 and 3; Org B subscribes to the Org B policy group holding Policies 3, 4 and 5; Org C is a child of Org A)
Access Control Policy - PolicyType
Two types of access control policies:
Groupable standard policies (policy type -2)
Groupable template policies (policy type -3)
Both types of policies must belong to a policy group in order to be applied in the system
Groupable standard policies:
Applied once, at the organizations that subscribe to a policy group containing the policy
Groupable template policies:
Dynamic in nature: the access group is scoped to the organization that owns the resource
E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors
Access Control Policy – Standard example
Access groups:
Policy 1 (Approvers for Jewelry)
Policy 2 (Approvers for Clothing)
User_A and User_B play the Approver role in the Jewelry Org and the Clothing Org respectively (they approve orders for those orgs)
The Root Organization subscription contains both Policy 1 and Policy 2
User_A can approve all Jewelry orders, User_B can approve all Clothing orders
Minimal access control complexity is achieved with a minimum of two policies, two policy groups (the J_Org policy group holding Policy 1 and the C_Org policy group holding Policy 2) and direct subscriptions from the orgs owning the stores
(Diagram: Root Org with child orgs Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); Jewelry Org subscribes to the J_Org policy group and Clothing Org subscribes to the C_Org policy group)
Access Control Policy – Template example
Access groups:
Policy 3 (Approvers for Orgs)
User_A and User_B play the Approver role in the Jewelry Org and the Clothing Org respectively (they approve orders for those orgs)
The roles are the same for User_A and User_B, but the access group is parameterized: the user executing the action is only checked against the org that owns the resource, or its ancestors
The Root Organization subscription contains only Policy 3
User_A can only approve Jewelry orders, User_B can only approve Clothing orders
The same access control restrictions are achieved with one less policy than in the standard example
(Diagram: Root Org with child orgs Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); only Root Org subscribes, to the Root Org policy group holding Policy 3)
Access Control Policy - Tables
Example: the policy AllUsersExecuteAllSiteUsersViews as stored in the access control tables (rows as shown on the slide)

ACPOLICY
  Policy Name=AllUsersExecuteAllSiteUsersViews  MBRGRP_ID=-2  ACACTGRP_ID=10199  ACRESGRP_ID=10021  ACREL_ID=(none)

MBRGRP
  MBRGRP_ID=-2  MBRGRPNAME=AllUsers
MBRGRPCOND
  MBRGRP_ID=-2  Condition=<profile><trueCondition/></profile>

ACACTGRP
  ACACTGRP_ID=10199  GROUPNAME=AllSiteUsersViews
ACACTACTGP
  ACACTGRP_ID=10199  ACACTION_ID=10000
ACACTION
  ACACTION_ID=10000  ACTION=AlertDialogView

ACRESGRP
  ACRESGRP_ID=10021  GROUPNAME=ViewCommandResourceGroup
ACRESGPRES
  ACRESGRP_ID=10021  ACRESCGRY_ID=10000
ACRESCGRY
  ACRESCGRY_ID=10079  ResClassname=com.ibm.commerce.command.ViewCommand
  ...

ACRELATION
  ACRELATION_ID=10001  RELATIONNAME=Owner
  ACRELATION_ID=10002  RELATIONNAME=Creator

Tables involved: MBRGROUP, MBRGROUPCOND, ACACTGRP, ACACTACTGP, ACACTION, ACRESGRP, ACRESGPRES, ACRESCGRY, ACRELATION, ACPOLICY
Policy Manager
When a user attempts to perform an action on a resource, an access control check is done to make sure that the user is authorized
The Policy Manager looks for all the access control policies that match the combination of the user, the action and the target resource
From those policies, it keeps the ones that apply to the organization that owns the resource (through that organization's policy group subscriptions, or the subscriptions it inherits from an ancestor)
If there is at least one such policy, the Policy Manager grants access; otherwise access is denied
Policy Manager: Example
isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl ;
Policy_1 [AccessGroup_X , ActionGroup_A, ResourceGroup_A] - Fail
Policy_2 [AccessGroup_X , ActionGroup_X, ResourceGroup_A] - Fail
Policy_3 [AccessGroup_A , ActionGroup_A, ResourceGroup_X] - Fail
Policy_4 [AccessGroup_A , ActionGroup_A, ResourceGroup_A] – Success!
The PolicyManager cycles through each policy until it finds one that applies:
Policy_1: user group does not match, -1002 is not in AccessGroup_X
Policy_2: action group does not match, Execute is not in ActionGroup_X
Policy_3: resource group does not match, MyCmdImpl is not in ResourceGroup_X
Policy_4: applies, passed? = true
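The evaluation loop on the two Policy Manager slides, the subscription and inheritance rules from the Subscriptions slide, and the owner-org scoping of a groupable template policy, as an added Python model. This is example code written for this page, not IBM's Policy Manager: the organization ids 7001, 7002 and 7003, the policy ApproversApproveOrders, the policy group names and the user ids are constructed; -2001 is the Root Organization id that appears in the traces later in the deck, and AllUsersDisplayOrderDatabeanResourceGroup is the policy from the Components slide. The trace strings only mimic the wording of the real trace.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed organization tree (only -2001, the Root Organization, is a real id from the deck).
ROOT, JEWELRY, CLOTHING, STORE_J = -2001, 7001, 7003, 7002
ORG_PARENT: Dict[int, Optional[int]] = {ROOT: None, JEWELRY: ROOT, CLOTHING: ROOT, STORE_J: JEWELRY}

# Constructed policy groups and direct subscriptions. Clothing Org subscribes on its own,
# so it no longer inherits Root's group (the rule stated under Problem 5 later in the deck).
POLICY_GROUPS: Dict[str, Set[str]] = {
    "RootOrgPolicyGroup": {"AllUsersDisplayOrderDatabeanResourceGroup", "ApproversApproveOrders"},
    "ClothingPolicyGroup": {"ApproversApproveOrders"},
}
SUBSCRIPTIONS: Dict[int, Set[str]] = {ROOT: {"RootOrgPolicyGroup"}, CLOTHING: {"ClothingPolicyGroup"}}


@dataclass
class User:
    id: int
    roles: Dict[int, Set[str]] = field(default_factory=dict)   # org id -> roles played for that org


@dataclass
class Resource:
    class_name: str                 # the protectable's class, as printed after Resource= in the trace
    owner_org: int                  # organization that owns the resource
    creator: Optional[int] = None
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    member_group: Callable[[User, Resource], bool]     # access group; template policies look at the resource
    actions: Set[str]                                  # action group
    resource_classes: Set[str]                         # resource group
    relation: Optional[Callable[[User, Resource], bool]] = None   # optional relationship
    resource_cond: Optional[Callable[[Resource], bool]] = None    # optional resource condition


def ancestor_orgs(org: int) -> List[int]:
    """Owner org first, then its parents up to Root (the trace's Resource Ancestor Orgs)."""
    chain: List[int] = []
    current: Optional[int] = org
    while current is not None:
        chain.append(current)
        current = ORG_PARENT[current]
    return chain


def applicable_orgs(owner_org: int) -> List[int]:
    """Nearest org in the chain that has its own subscription (the trace's Resource Applicable Orgs)."""
    for org in ancestor_orgs(owner_org):
        if SUBSCRIPTIONS.get(org):
            return [org]
    return []


def subscribed_policies(orgs: List[int]) -> Set[str]:
    names: Set[str] = set()
    for org in orgs:
        for group in SUBSCRIPTIONS.get(org, set()):
            names |= POLICY_GROUPS[group]
    return names


def role_for_owner_org(role: str) -> Callable[[User, Resource], bool]:
    """Groupable template access group: the role must be played for the resource's owner org
    or one of its ancestors, not for just any organization."""
    return lambda user, res: any(role in user.roles.get(org, set()) for org in ancestor_orgs(res.owner_org))


POLICIES: List[Policy] = [
    Policy("AllUsersDisplayOrderDatabeanResourceGroup",            # the policy from the Components slide
           member_group=lambda user, res: True,                     # UserGroup="AllUsers"
           actions={"DisplayDatabean"},
           resource_classes={"com.ibm.commerce.order.beans.OrderDataBean"},
           relation=lambda user, res: res.creator == user.id),      # RelationName="creator"
    Policy("ApproversApproveOrders",                                # constructed, in the spirit of Policy 3
           member_group=role_for_owner_org("Approver"),
           actions={"Approve"},
           resource_classes={"com.ibm.commerce.order.objects.Order"},
           resource_cond=lambda res: res.attrs.get("Status") == "P"),   # an order-status resource condition
]


def is_allowed(user: User, action: str, resource: Resource, trace: List[str]) -> bool:
    """The Policy Manager loop: policies whose action and resource groups match are found,
    those the applicable org subscribes to are evaluated, and one passing policy grants."""
    applicable = applicable_orgs(resource.owner_org)
    trace.append(f"isAllowed? User={user.id}; Action={action}; Resource={resource.class_name}; "
                 f"Owner={resource.owner_org}; Resource Ancestor Orgs={ancestor_orgs(resource.owner_org)}; "
                 f"Resource Applicable Orgs={applicable}")
    in_scope = subscribed_policies(applicable)
    for policy in POLICIES:
        if action not in policy.actions or resource.class_name not in policy.resource_classes:
            continue                                   # only policies matching both groups reach the trace
        trace.append(f"Found PolicyName: {policy.name}")
        if policy.name not in in_scope:
            trace.append("Policy does not apply to the resource's applicable organizations")
        elif not policy.member_group(user, resource):
            trace.append("User Group does not match")
        elif policy.resource_cond and not policy.resource_cond(resource):
            trace.append("Resource condition does not match")
        elif policy.relation and not policy.relation(user, resource):
            trace.append("Relationship does not match")
        else:
            trace.append("PASSED? =true")
            return True
    trace.append("PASSED? =false")
    return False
```

Calling is_allowed for User 1001 (Approver in Jewelry Org) on an Order owned by Store J grants through Root's subscription, while the same user displaying an OrderDataBean owned by Clothing Org is denied even though they created it, because Clothing Org's own subscription cut off inheritance of the display policy; that second case is the subscription failure the troubleshooting slides come back to.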
Policy Manager: Command-level check
Checks who can do what in the current store
Also known as 'role-based' access control, for example: all sellers can execute seller commands
Command-level check on controller commands:
A policy allows the Execute action on the command resource (the command interface)
Generally targets a single role (e.g. Sellers)
Command-level check on views:
Done if the view is called directly from a URL or through a redirect from a command
The action is the view name
Policy Manager: Resource-level check
Checks who can execute what command on which resources in the current store, for example:
Only display data from an Order which you created
Only modify a promotion in an organization in which you play a role
A resource-level check is done on a command if:
1. The command implements getResources()
2. The command's performExecute calls checkIsAllowed()
A resource-level check is done on data beans:
If the bean is invoked through the DataBean Manager's activate()
It ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource
Troubleshooting: How to read the trace
How to find out whether it is access control: the log shows a CMN1501E message, e.g.
[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
Turn on access control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
Starting from the end of the trace file, search backward for '=false' to find the access control check that failed:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
To determine what was being checked, search backward again for the string isAllowed?
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
The lines between those two are the policies the Policy Manager found for that action and resource, and why each one was rejected
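The two backward searches above can be scripted. The following is an added Python example, not an IBM tool, that runs them over a trace excerpt and summarizes what the failed check was about. The excerpt SAMPLE_TRACE is constructed to match the line shapes quoted on these slides (invented timestamps and thread id), and the diagnosis rules are a heuristic that maps what the trace shows onto the problem types covered on the following slides.

```python
import re
from typing import Dict, List, Optional

# Constructed trace excerpt: one check that passed, then the failed check for a new view,
# followed by the CMN1501E error that the log shows for it.
SAMPLE_TRACE = """\
[8/30/06 13:44:27:100 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=123; Action=DisplayDatabean; Resource=com.ibm.commerce.order.beans.OrderDataBean; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
[8/30/06 13:44:27:101 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =true
[8/30/06 13:44:27:130 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
[8/30/06 13:44:27:131 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
[8/30/06 13:44:27:132 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
[8/30/06 13:44:27:133 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
[8/30/06 13:44:27:134 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.evaluatePolicy Normal User Group does not match
[8/30/06 13:44:27:135 CDT] 6a36e74e WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 123 does not have the authority to perform action "MyNewView" on resource "com.ibm.commerce.command.HttpForwardViewCommandImpl"
"""

FAILED_RE = re.compile(r"PASSED\?\s*=\s*false")
FIELD_RE = re.compile(r"(User|Action|Resource|Owner|Resource Ancestor Orgs|Resource Applicable Orgs)=\s*([^;]+)")
FOUND_RE = re.compile(r"Found PolicyName:\s*([^;]+)")
MESSAGE_RE = re.compile(r"PolicyManagerImpl\.\w+\s+(.*)")     # text after the method name
REASON_MARKERS = ("does not match", "subscribe", "does not apply")


def last_failed_check(trace: str) -> Optional[Dict[str, object]]:
    """The slide's procedure: find the last 'PASSED? =false', then the 'isAllowed?' line
    above it that opened that check, and collect everything in between."""
    lines = trace.splitlines()
    fail = next((i for i in range(len(lines) - 1, -1, -1) if FAILED_RE.search(lines[i])), None)
    if fail is None:
        return None
    start = next(i for i in range(fail, -1, -1) if "isAllowed?" in lines[i])
    fields = {key: value.strip() for key, value in FIELD_RE.findall(lines[start])}
    found: List[str] = []
    reasons: List[str] = []
    for line in lines[start:fail]:
        hit = FOUND_RE.search(line)
        if hit:
            found.append(hit.group(1).strip())
        msg = MESSAGE_RE.search(line)
        if msg and any(marker in msg.group(1) for marker in REASON_MARKERS):
            reasons.append(msg.group(1).strip())
    return {"fields": fields, "found": found, "reasons": reasons,
            "diagnosis": diagnose(fields, found, reasons)}


def diagnose(fields: Dict[str, str], found: List[str], reasons: List[str]) -> str:
    """Heuristic mapping of the trace contents onto the problem types on these slides."""
    action, resource = fields.get("Action", "?"), fields.get("Resource", "?")
    if any("subscribe" in r or "does not apply" in r for r in reasons):
        return ("subscription: a matching policy exists but the resource's applicable org does not "
                "subscribe to a policy group containing it (Problem 5)")
    specific = [p for p in found if "DoEverything" not in p]   # the '*' admin policy matches every action
    if not specific:
        if action == "Execute":
            return f"resource-group: no policy's resource group contains the command {resource} (Problem 2)"
        return f"action-group: no policy's action group contains the action {action} (Problems 1 and 3)"
    if any("User Group does not match" in r for r in reasons):
        return f"member-group: user {fields.get('User', '?')} is not in the access group of {', '.join(specific)}"
    return f"relationship or resource condition of {', '.join(specific)} not satisfied (Problem 11)"
```

Run it against a real WC_ACCESSCONTROL trace by reading the file into last_failed_check; only the fields, policy names and reason messages are parsed, so other trace components interleaved in the same file are ignored.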
Problem 1: Missing policy for a new view
A new view was added without an accompanying policy; only the SiteAdministratorsCanDoEverything policy shows in the trace:
PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner:-2001
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
PolicyManagerImpl.isAllowed PASSED?=false
How to fix:
The trace shows only policies with both the correct action group (the action is in that group) and the correct resource group (the resource is in that group)
Here no policy has an action group which includes your view as an action; the site administrator policy appears only because its '*' action matches every action
For a brand new view, the view must be defined as an action and then associated with an action group
Problem 2: No Command-level policy for command
A controller command was added without an accompanying access control policy
The Execute action matches several policies, but no resource group contains the new command:
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001 ...
PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001 ...
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001 ...
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything ...
PolicyManagerImpl.evaluatePolicy Normal User Group does not match ...
PolicyManagerImpl.isAllowed PASSED? =false
How to fix:
Define the command (its interface) as a resource in your policy: a resource category that is placed in a resource group
Allow the 'Execute' action on this newly defined resource
Problem 3: No Resource-level policy for command
A controller command was extended without adding the resource-level access control directives for the new command; however, the base command implements getResources(), so the resource-level check still runs
A resource-level failure looks similar to:
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002 ...
PolicyManagerImpl.isAllowed PASSED? =false
Note that at resource level the action is the command interface name and the resource is the protected object (here the Order), whereas at command level the action is Execute and the resource is the command
How to fix:
Define the command as an action, and define the resource category
Associate the command as a ResourceAction for that resource
Problem 4: Wrong class implementation
A command-level access control failure can also be caused by the command implementation implementing the wrong interface, e.g.
public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
    static final String defaultCommandClassName =
        "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}
public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl
        implements MyOrderProcessCmd {   // wrong: should implement MyOrderStatusUpdateCmd
    private static final String CLASSNAME =
        "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
}
The command-level check tests whether the command object is an instance of the interface named as the resource; here the object is an instance of MyOrderProcessCmd, not of MyOrderStatusUpdateCmd
The check passes if you have access control set up for MyOrderProcessCmd, and then that command's authorization is used instead of the one you expect
If no access control is set up for it, or you have for instance a typo in the command name, you will see a command-level check fail
How to fix:
Ensure that the interface is paired with a properly defined implementation, i.e. the implementation class implements the interface it is registered for
Problem 5: No Policy group subscription
The policy appears in the trace but is not applied, with messages such as:
No organizations subscribe to a policy group with this policy
Policy does not apply to the resource's applicable organizations
How to fix:
1. Ensure that the resource owner subscribes to the correct policy groups:
<PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
  <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews" PolicyOwnerID="RootOrganization"/>
  <PolicyGroupSubscription OrganizationID="RootOrganization"/>
</PolicyGroup>
2. Check the policy subscriptions and the organizational hierarchy to ensure the expected policy inheritance is in place
e.g. if an organization subscribes to at least one of its own policy groups, it no longer inherits any from its ancestors; the trace's Resource Applicable Orgs then names that organization rather than the ancestor holding the policy
Problem 6: CSR cannot impersonate customer
A command is to be run by a CSR-type user acting on behalf of a registered customer, but it fails similar to:
isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".
BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup is a special policy that allows certain admin users to run specified commands on behalf of other users
How to fix:
Add the CSR commands to this policy (by adding the command as an action in the BecomeUserActionGroup action group)
Problem 7: Commands fail when storeID not set
Users receive a blank page when trying to access the storefront, with an error similar to the following:
AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".
How to fix:
This usually happens when the store ID is wrong for the command being called, for instance calling commands with storeId=0, with a value that does not exist, or with the storeId missing altogether (note that the denied user is -1002, the generic user, on a command generic users can normally run)
Make sure to call the URL with the proper storeId
Problem 8: Improper cookie domain
After adding to the cart, the redirect to the shopping cart page results in an access control error, and the trace shows the failure on chained commands running under different user IDs (consecutive requests are not carrying the same session cookie, so each runs as a different user):
isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051
How to fix:
Verify that wc-server.xml is set up to accept cookies from the proper domain:
<cookie domain=mydomain.com
If your current domain is for instance host.mydomain.com, you will see this problem
The file must be changed to reflect the current domain, or the domain must be left blank
Problem 9: Authorized user cannot invoke command
A user with the correct authority cannot run a command even though the access control check passes:
PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true
Yet the user still gets the message 'The user does not have the authority to run this command' and cannot execute the command
How to fix:
The custom command must override the isGeneric() method of the superclass so that it returns true
This method indicates whether a command may be run by the generic user (user id -1002); the denial here comes from that check, not from policy evaluation, which is why the trace shows PASSED? =true
Problem 10: PolicyManager does not initialize
Starting the server after loading new policies, you get:
[2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
[2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry.java.lang.NullPointerException
at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))
Having other actions in the DoEverything action group causes this; only the '*' action should be in that group
There is no need to list actions explicitly in this group: the wildcard matches all actions during policy evaluation
How to fix:
Remove the additional actions from the DoEverything group and, if they are needed, put them in another action group
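Problems 1, 2 and 10 are all visible in the policy XML before it is loaded. The following added Python example (not part of the presentation or of WebSphere Commerce) parses a policy definition file written in the element vocabulary shown on the earlier slides and reports dangling group references, undefined actions or resource categories, and an action group that mixes '*' with other actions; a second function lists the policies whose action group covers a given view or command name, which is empty in the Problem 1 and Problem 2 situations. SAMPLE_POLICY_XML is constructed for the example and deliberately contains the mistakes the checks look for.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed policy file: the first policy is the one from the Components slide, the
# second references groups that were never defined, and the DoEverything group has an
# extra action next to '*' (the Problem 10 mistake).
SAMPLE_POLICY_XML = """\
<Policies>
  <Action Name="DisplayDatabean" CommandName="Display"/>
  <Action Name="MyNewView" CommandName="MyNewView"/>
  <ActionGroup Name="DisplayDatabeanActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="DisplayDatabean"/>
  </ActionGroup>
  <ActionGroup Name="DoEverything" OwnerID="RootOrganization">
    <ActionGroupAction Name="*"/>
    <ActionGroupAction Name="MyNewView"/>
  </ActionGroup>
  <ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                    ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
    <ResourceAction Name="DisplayDatabean"/>
  </ResourceCategory>
  <ResourceGroup Name="OrderDatabeanResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
  </ResourceGroup>
  <UserGroup Name="AllUsers" OwnerID="RootOrganization"/>
  <Policy Name="AllUsersDisplayOrderDatabeanResourceGroup" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="DisplayDatabeanActionGroup"
          ResourceGroupName="OrderDatabeanResourceGroup" RelationName="creator"
          PolicyType="groupableStandard"/>
  <Policy Name="AllUsersExecuteMyOrderItemAddCmd" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="ExecuteCommandActionGroup"
          ResourceGroupName="MyOrderItemAddCmdResourceGroup" PolicyType="groupableStandard"/>
</Policies>
"""

WILDCARD = "*"


def _members(root: ET.Element, group_tag: str, member_tag: str) -> Dict[str, List[str]]:
    """Map each group element's Name to the Names of its member child elements."""
    return {g.get("Name", ""): [m.get("Name", "") for m in g.findall(member_tag)]
            for g in root.iter(group_tag)}


def lint_policies(xml_text: str) -> List[str]:
    """Static checks for the definition-level causes of Problems 1, 2 and 10."""
    root = ET.fromstring(xml_text)
    actions: Set[str] = {a.get("Name", "") for a in root.iter("Action")} | {WILDCARD}
    categories: Set[str] = {c.get("Name", "") for c in root.iter("ResourceCategory")}
    user_groups: Set[str] = {u.get("Name", "") for u in root.iter("UserGroup")}
    action_groups = _members(root, "ActionGroup", "ActionGroupAction")
    resource_groups = _members(root, "ResourceGroup", "ResourceGroupResource")
    findings: List[str] = []
    for name, members in action_groups.items():
        for m in members:
            if m not in actions:
                findings.append(f"ActionGroup {name}: references undefined Action {m}")
        if WILDCARD in members and len(members) > 1:      # Problem 10: '*' must stand alone
            extra = sorted(set(members) - {WILDCARD})
            findings.append(f"ActionGroup {name}: holds '*' together with {extra}; "
                            "a DoEverything group must contain only '*' (Problem 10)")
    for name, members in resource_groups.items():
        for m in members:
            if m not in categories:
                findings.append(f"ResourceGroup {name}: references undefined ResourceCategory {m}")
    for p in root.iter("Policy"):
        name = p.get("Name", "")
        if p.get("UserGroup") not in user_groups:
            findings.append(f"Policy {name}: UserGroup {p.get('UserGroup')} is not defined")
        if p.get("ActionGroupName") not in action_groups:
            findings.append(f"Policy {name}: ActionGroupName {p.get('ActionGroupName')} is not defined")
        if p.get("ResourceGroupName") not in resource_groups:
            findings.append(f"Policy {name}: ResourceGroupName {p.get('ResourceGroupName')} is not defined")
    return findings


def policies_granting(xml_text: str, action_name: str) -> List[str]:
    """Policies whose action group contains the action (or '*'). An empty list for a new
    view or command is the Problem 1 / Problem 2 situation: nothing can ever grant it."""
    root = ET.fromstring(xml_text)
    action_groups = _members(root, "ActionGroup", "ActionGroupAction")
    result: List[str] = []
    for p in root.iter("Policy"):
        members = action_groups.get(p.get("ActionGroupName", ""), [])
        if action_name in members or WILDCARD in members:
            result.append(p.get("Name", ""))
    return result
```

On the sample file, lint_policies reports the DoEverything group and the two dangling group references of the second policy, and policies_granting finds no policy for MyNewView even though the action is defined, because the only group holding it is not used by any policy.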
Problem 11: Sporadic resource-level failures
Sporadically receiving errors relating to resource-level checks, such as:
isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".
The problem may be that the action is to be performed on a resource which is no longer in the state required by the resource group's condition, for instance when OrderProcess is submitted again for an order that has already left status P. E.g. for classname = com.ibm.commerce.order.objects.Order:
<ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
  <ResourceCondition>
    ...
    <simpleCondition>
      <variable name="Status"/>
      <operator name="="/>
      <value data="P"/>
    </simpleCondition>
    ...
Summary
Access control policy:
Member, action, resource groups, relation
Potentially two levels of checking done per action
Command-level and resource-level
Access control failures are a result of:
Improper policies
Improper Subscriptions
Various other runtime aspects, not directly related to the
policy configurations
Additional Access Control Resources
Understanding Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
Evaluating Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
Troubleshooting Access Control
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
Access Control Data Model
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm
Additional WebSphere Product Resources
Discover the latest trends in WebSphere Technology and implementation, participate in
technically-focused briefings, webcasts and podcasts at:
http://www.ibm.com/developerworks/websphere/community/
Learn about other upcoming webcasts, conferences and events:
http://www.ibm.com/software/websphere/events_1.html
Join the Global WebSphere User Group Community: http://www.websphere.org
Access key product show-me demos and tutorials by visiting IBM Education Assistant:
http://www.ibm.com/software/info/education/assistant
View a Flash replay with step-by-step instructions for using the Electronic Service
Request (ESR) tool for submitting problems electronically:
http://www.ibm.com/software/websphere/support/d2w.html
Sign up to receive weekly technical My support emails:
http://www.ibm.com/software/support/einfo.html
Questions and Answers

 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Acp policies

  • 1. IBM Software Group ® WebSphere® Support Technical Exchange
       Understanding WebSphere Commerce Access Control
       Mike Callaghan and Sidy Doumbia
  • 2. Agenda
       - What is Access Control
       - Access Control Policies and Components
       - Policy Manager
       - Resource-level versus Command-level check
       - Troubleshooting: How to read the trace
       - Basic and Complex Problems
       - Questions and Answers
  • 3. What is Access Control?
       - The process of restricting access to specific individuals within specific organizations
       - Access control can be defined as security guidelines that:
         - Allow or deny a user of a system access to the resources managed by the system
         - Specify what actions the user can perform on each resource
       - If the access control criteria are met, the user is granted authority and the action is invoked
       - Otherwise the user does not have the authority, access is denied and the action is not invoked
  • 4. Access Control Policies
       A policy authorizes a group of users to perform a group of actions on a group of resources, and consists of four main parts:
       - Member (access/user) group (e.g. Registered Customers)
         • The group of users to which the policy applies (implicit and explicit grouping of users)
       - Action group (e.g. the group must contain OrderItemAddCmd)
         • A group of actions performed by the user on resources
       - Resource group (e.g. the target resource of a command, such as OrderBean)
         • Objects like an order, or a set of related commands such as all the commands that users of a particular role can perform
       - Relationship (e.g. the user must be the creator of the OrderBean)
         • The relationship between the user and the resource
  • 5. Access Control Policy - Components
       Policy = MemberGroup + ActionGroup + ResourceGroup + Relation
       <Policy Name="AllUsersDisplayOrderDatabeanResourceGroup"
               OwnerID="RootOrganization"
               UserGroup="AllUsers"
               ActionGroupName="DisplayDatabeanActionGroup"
               ResourceGroupName="OrderDatabeanResourceGroup"
               RelationName="creator"
               PolicyType="groupableStandard">
       </Policy>
  • 6. Access Control Policy – Member Group
       Policy = MemberGroup (+ MemberGroupCond) + ActionGroup + ResourceGroup + Relation
       <UserGroup Name="RegisteredCustomers" OwnerID="RootOrganization"
                  Description="Users with Registered Customer role" MemberGroupID="-197">
         <UserCondition>
           <![CDATA[
           <profile>
             <orListCondition>
               <simpleCondition>
                 <variable name="role"/>
                 <operator name="="/>
                 <value data="Registered Customer"/>
               </simpleCondition>
             </orListCondition>
           </profile>
           ]]>
         </UserCondition>
       </UserGroup>
  • 7. Access Control Policy – Action Group
       Policy = MemberGroup + ActionGroup (Action1, Action2, ...) + ResourceGroup + Relation
       <Action Name="DisplayDatabean" CommandName="Display">
       </Action>
       <ActionGroup Name="DisplayDatabeanActionGroup" OwnerID="RootOrganization">
         <ActionGroupAction Name="DisplayDatabean"/>
       </ActionGroup>
  • 8. Access Control Policy – Resource Group
       Policy = MemberGroup + ActionGroup + ResourceGroup (Resource1, Resource2, ...) + Relation
       <ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                         ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
         <ResourceAction Name="DisplayDatabean"/>
       </ResourceCategory>
       <ResourceGroup Name="OrderDatabeanResourceGroup" OwnerID="RootOrganization">
         <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
       </ResourceGroup>
  • 9. Access Control Policy – Resource Group (2)
       A resource category can also declare the tables and columns used to find the resource's owner and to evaluate relations:
       <ResourceCategory Name="com.ibm.commerce.user.beans.UserDataBeanResourceCategory"
                         ResourceBeanClass="com.ibm.commerce.user.beans.UserDataBean"
                         PrimaryResourceTable="users"
                         PrimaryResourceOwnerTable="users"
                         PrimaryResourceOwnerColumn="users_id">
         <ResourceAction Name="DisplayDatabean"/>
         <ResourceRelation Name="owner"
                           RelationTable="users"
                           RelationKeyColumn="users_id"
                           RelationMemberColumn="users_id"/>
       </ResourceCategory>
  • 10. Access Control Policy - Relationship
       Policy = MemberGroup + ActionGroup + ResourceGroup + Relation
       <Relation Name="owner"/>
       <Relation Name="creator"/>
       <Relation Name="sameOrganizationalEntityAsCreator"/>
       <Relation Name="owner of RFQ"/>
       <Relation Name="Approver"/>
       <Relation Name="Submitter"/>
  • 11. Access Control Policy: Subscriptions
       - Org A subscribes to Policy Group 1, so Policies 1, 2 and 3 apply to it
       - Org B subscribes to Policy Group 2, so Policies 3, 4 and 5 apply to it
       - Org C has no direct subscriptions, therefore it inherits the subscriptions of its parent (Org A): Policy Group 1 (Policies 1, 2, 3)
       Diagram: Org A Policy Group = {Policy 1, Policy 2, Policy 3}; Org B Policy Group = {Policy 3, Policy 4, Policy 5}; Org A and Org B each subscribe to their own group; Org C is a child of Org A
  • 12. Access Control Policy - PolicyType
       Two types of access control policies:
       - Groupable standard policies (policy type -2)
       - Groupable template policies (policy type -3)
       Both types must belong to a policy group in order to be applied in the system.
       - Groupable standard policies: applied once, at the organizations that subscribe to a policy group containing the policy
       - Groupable template policies: dynamic in nature; their access group is scoped to the organization that owns the resource
         E.g. when the policy is applied to a resource owned by Org XYZ, it checks whether the user plays one of the specified roles for Org XYZ or any of its ancestors
  • 13. Access Control Policy – Standard example
       Access groups: Policy 1 (Approvers for Jewelry), Policy 2 (Approvers for Clothing)
       - User_A and User_B play the approver role in the respective orgs Jewelry and Clothing (they approve orders for those orgs)
       - The Root Organization subscription contains both Policy 1 and Policy 2
       - User A can approve all Jewelry orders, User B can approve all Clothing orders
       - Minimal access control complexity is achieved with a minimum of two policies, two policy groups and direct subscriptions from the orgs owning the stores
       Diagram: Root Org above Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); J_Org Policy group = {Policy 1}, C_Org Policy group = {Policy 2}; each org subscribes to its own group
  • 14. Access Control Policy – Template example
       Access group: Policy 3 (Approvers for Orgs)
       - User_A and User_B play the approver role in the respective orgs Jewelry and Clothing (they approve orders for those orgs)
       - The roles are the same for User_A and User_B, but the access group is parameterized: the user executing the action is only checked against the org owning the resource or its ancestors
       - The Root Organization subscription contains only Policy 3
       - User A can only approve Jewelry orders, User B can only approve Clothing orders
       - Achieves the same access control restrictions with one less policy compared to the standard example
       Diagram: Root Org above Jewelry Org (User_A, Store J) and Clothing Org (User_B, Store C); Root Org Policy group = {Policy 3}; Root Org subscribes
  • 15. Access Control Policy - Tables
       ACPOLICY
         Policy Name                        MBRGRP_ID  ACACTGRP_ID  ACRESGRP_ID  ACREL_ID
         AllUsersExecuteAllSiteUsersViews   -2         10199        10021        (none)
       MBRGROUP
         MBRGRP_ID  MBRGRPNAME
         -2         AllUsers
       MBRGROUPCOND
         MBRGRP_ID  Condition
         -2         <profile> <trueCondition> </trueCondition> </profile>
       ACACTGRP
         ACACTGRP_ID  GROUPNAME
         10199        AllSiteUsersViews
       ACACTACTGP
         ACACTGRP_ID  ACACTION_ID
         10199        10000
       ACACTION
         ACACTION_ID  Action
         10000        AlertDialogView
       ACRESGRP
         ACRESGRP_ID  GROUPNAME
         10021        ViewCommandResourceGroup
       ACRESGPRES
         ACRESGRP_ID  ACRESCGRY_ID
         10021        10000
       ACRESCGRY
         ACRESCGRY_ID  ResClassname
         10079         com.ibm.commerce.command.ViewCommand
         ...
       ACRELATION
         ACRELATION_ID  RELATIONNAME
         10001          Owner
         10002          Creator
  • 16. Policy Manager
       - When a user attempts to perform an action on a resource, an access control check is done to make sure that the user is authorized
       - The Policy Manager looks for all the access control policies that match the combination of the user, the action and the target resource
       - From those policies, it finds all policies that apply to the organization that owns the resource
       - If there is at least one such policy, the Policy Manager grants access; otherwise access is denied
  • 17. Policy Manager: Example
       The Policy Manager cycles through each policy until it finds one that applies:
         isAllowed? User = -1002 ; Action = Execute ; Resource = MyCmdImpl
         Policy_1 [AccessGroup_X, ActionGroup_A, ResourceGroup_A] - Fail: user group does not match, -1002 is not in AccessGroup_X
         Policy_2 [AccessGroup_X, ActionGroup_X, ResourceGroup_A] - Fail: action group does not match, Execute is not in ActionGroup_X
         Policy_3 [AccessGroup_A, ActionGroup_A, ResourceGroup_X] - Fail: resource group does not match, MyCmdImpl is not in ResourceGroup_X
         Policy_4 [AccessGroup_A, ActionGroup_A, ResourceGroup_A] - Success! The policy applies, PASSED? = true
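The decision procedure of slides 16-17, combined with the subscription inheritance of slides 11 and 25 and the standard-versus-template scoping of slides 12-14, as an added Python model. It is not IBM's code (the product is Java) and not part of the presentation; the class names, the RootPolicyGroup, the role triples and the order resources are assumptions made for illustration, and the status condition stands in for the ResourceCondition shown on slide 31.

```python
"""Model of the Policy Manager decision on slides 16-17 with the subscription rules of
slides 11 and 25 and the standard-versus-template scoping of slides 12-14.  Added
illustration only: not IBM's code, and every name here is the author's simplification."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

ROOT = "RootOrganization"

@dataclass
class Org:
    name: str
    parent: Optional[str]                                 # None for the root
    subscriptions: Set[str] = field(default_factory=set)  # policy group names

@dataclass
class Resource:
    cls: str                             # resource category (bean or command class)
    owner_org: str                       # organization that owns the resource
    creator: str = ""                    # user id tested by the "creator" relation
    attrs: Dict[str, str] = field(default_factory=dict)  # columns a ResourceCondition tests

@dataclass
class Policy:
    name: str
    roles: Set[str]                      # member group; "*" stands for AllUsers
    actions: Set[str]                    # action group; "*" stands for DoEverything
    resources: Callable[[Resource], bool]  # resource group plus any ResourceCondition
    template: bool = False               # template: roles are checked against the owner org
    relation: Optional[str] = None       # e.g. "creator"

class PolicyManager:
    def __init__(self, orgs, policy_groups, role_assignments, policies):
        self.orgs = {o.name: o for o in orgs}          # name -> Org
        self.policy_groups = policy_groups             # group name -> set of policy names
        self.roles = role_assignments                  # set of (user, role, org)
        self.policies = {p.name: p for p in policies}
    def ancestors(self, org: Optional[str]) -> List[str]:
        """Owner org first, then its parents: the trace's 'Resource Ancestor Orgs'."""
        chain = []
        while org is not None:
            chain.append(org)
            org = self.orgs[org].parent
        return chain
    def applicable_policies(self, org: str) -> Set[str]:
        """An org with its own subscriptions uses only those; otherwise it inherits the
        nearest subscribing ancestor's (slides 11 and 25)."""
        for o in self.ancestors(org):
            groups = self.orgs[o].subscriptions
            if groups:
                return set().union(*(self.policy_groups[g] for g in groups))
        return set()
    def user_roles(self, user: str, scope: Optional[List[str]] = None) -> Set[str]:
        return {r for (u, r, o) in self.roles if u == user and (scope is None or o in scope)}
    def is_allowed(self, user: str, action: str, res: Resource) -> Tuple[bool, Optional[str]]:
        """Cycle through the applicable policies; the first whose member group, action group,
        resource group and relation all match grants access (slide 17)."""
        chain = self.ancestors(res.owner_org)
        for name in sorted(self.applicable_policies(res.owner_org)):
            p = self.policies[name]
            if action not in p.actions and "*" not in p.actions:
                continue                                   # action group does not match
            if not p.resources(res):
                continue                                   # resource group does not match
            scope = chain if p.template else None          # template: owner org or its ancestors
            if "*" not in p.roles and not (self.user_roles(user, scope) & p.roles):
                continue                                   # member group does not match
            if p.relation == "creator" and res.creator != user:
                continue                                   # relationship does not match
            return True, name
        return False, None

def demo() -> Dict[str, bool]:
    """Slides 13-14 (Root above Jewelry and Clothing; User_A and User_B are approvers) plus
    a status-conditioned resource group as on slide 31.  All data is constructed."""
    orgs = [Org(ROOT, None, {"RootPolicyGroup"}), Org("Jewelry", ROOT), Org("Clothing", ROOT)]
    roles = {("User_A", "Approver", "Jewelry"), ("User_B", "Approver", "Clothing")}
    is_order = lambda r: r.cls == "Order"
    pending_order = lambda r: r.cls == "Order" and r.attrs.get("Status") == "P"
    policies = [
        # standard policy: any approver, anywhere, may approve any order
        Policy("ApproversApproveOrders_Std", {"Approver"}, {"OrderApprove"}, is_order),
        # template policy: only approvers of the org owning the order, and only while it is pending
        Policy("ApproversProcessOrders_Tpl", {"Approver"}, {"OrderProcess"}, pending_order, template=True),
        # creator relation, as in the AllUsersDisplayOrderDatabean policy on slide 5
        Policy("AllUsersDisplayOwnOrder", {"*"}, {"Display"}, is_order, relation="creator"),
    ]
    pm = PolicyManager(orgs, {"RootPolicyGroup": {p.name for p in policies}}, roles, policies)
    order_j = Resource("Order", "Jewelry", creator="User_A", attrs={"Status": "P"})
    order_c = Resource("Order", "Clothing", creator="User_B", attrs={"Status": "P"})
    shipped_c = Resource("Order", "Clothing", creator="User_B", attrs={"Status": "S"})
    return {
        "std_A_approves_clothing": pm.is_allowed("User_A", "OrderApprove", order_c)[0],    # True
        "tpl_A_processes_jewelry": pm.is_allowed("User_A", "OrderProcess", order_j)[0],    # True
        "tpl_A_processes_clothing": pm.is_allowed("User_A", "OrderProcess", order_c)[0],   # False
        "tpl_B_processes_clothing": pm.is_allowed("User_B", "OrderProcess", order_c)[0],   # True
        "tpl_B_processes_shipped": pm.is_allowed("User_B", "OrderProcess", shipped_c)[0],  # False
        "creator_displays_own": pm.is_allowed("User_A", "Display", order_j)[0],            # True
        "other_displays_jewelry": pm.is_allowed("User_B", "Display", order_j)[0],          # False
    }
```

demo() reproduces both slide scenarios: under the standard policy User_A, an approver in Jewelry, can approve a Clothing order, whereas the template policy limits each approver to orders owned by the org (or an ancestor) in which the role is held. The status condition shows why a resource-level check that passed earlier can fail later once the order leaves status P, which is the sporadic failure described on slide 31.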
  • 18. Policy Manager: Command-level check
       - Checks who can do what in the current store
       - Also known as 'role-based' access control, for example: all sellers can execute seller commands
       - Command-level check on controller commands:
         - The policy allows the Execute action on the command resource (the command interface)
         - Generally targets a single role (e.g. Sellers)
       - Command-level check on views:
         - Done if the view is called directly from a URL or by a redirect from a command
         - The action is the view name
  • 19. Policy Manager: Resource-level check
       - Checks who can execute what command on which resources in the current store, for example:
         - Only display data from an Order which you created
         - Only modify a promotion in an organization in which you play a role
       - A resource-level check is done on a command if:
         1. The command implements getResources()
         2. The command's performExecute calls checkIsAllowed()
       - A resource-level check is done on beans if the bean is invoked by the DataBean Manager's activate()
         - Ensures there is a policy which grants the user authority to perform the Display action on the primary data bean resource
  • 20. Troubleshooting: How to read the trace
       How to find out if it is Access Control:
         [8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 408002 does not have the authority to perform action "MyNewView" on resource "com.myco.HttpForwardViewCommandImpl"
       - Turn on Access Control component tracing: com.ibm.websphere.commerce.WC_ACCESSCONTROL
       - Starting from the end of the file, perform a backward search for '=false' to find the access control check that failed:
         WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
       - To determine what was being checked, perform another backward search for the string isAllowed?:
         WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=408002; Action=MyNewView; Resource=com.myco.HttpForwardViewCommandImpl; Owner=7001; Resource Ancestor Orgs=7001,-2001; Resource Applicable Orgs=7001
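The two backward searches on this slide, automated in Python as an added example (not from the presentation and not an IBM tool). The lines in SAMPLE_TRACE are constructed to follow the layout the slides show for WC_ACCESSCONTROL output; the diagnosis strings, and the assumption that the site-wide wildcard policy carries "DoEverything" in its name as on the next slide, are the author's.

```python
"""Triage of a WC_ACCESSCONTROL trace the way slide 20 describes: walk back from each
'PASSED? =false' to the nearest preceding 'isAllowed?' line, then report what was
checked and which policies the Policy Manager found and evaluated in between.
Added example; SAMPLE_TRACE is constructed in the style of the slides, not a real trace."""
import re
from typing import Dict, List

SAMPLE_TRACE = [
    "[8/30/06 13:44:27:001 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed isAllowed? "
    "User=123; Action=Execute; Resource=com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl; "
    "Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001",
    "[8/30/06 13:44:27:002 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed Found PolicyName: "
    "AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001",
    "[8/30/06 13:44:27:003 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed PASSED? =true",
    "[8/30/06 13:44:27:101 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed isAllowed? "
    "User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; "
    "Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001",
    "[8/30/06 13:44:27:102 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed Found PolicyName: "
    "SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001",
    "[8/30/06 13:44:27:103 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.getPolicyApplicableOrgs "
    "Policy Applicable Orgs=-2001",
    "[8/30/06 13:44:27:104 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.evaluatePolicy "
    "Evaluating PolicyName: SiteAdministratorsCanDoEverything",
    "[8/30/06 13:44:27:105 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.evaluatePolicy "
    "Normal User Group does not match",
    "[8/30/06 13:44:27:106 CDT] 6a36e74e WC_ACCESSCONT 3 PolicyManagerImpl.isAllowed PASSED? =false",
    "[8/30/06 13:44:27:141 CDT] 6a36e74e CommerceSrvr E AccManager isAllowed CMN1501E: User 123 does "
    "not have the authority to perform action \"MyNewView\" on resource "
    "\"com.ibm.commerce.command.HttpForwardViewCommandImpl\"",
]

CONTEXT_RE = re.compile(r"isAllowed\?\s*(.*)$")
FOUND_RE = re.compile(r"Found PolicyName:\s*([^;]+);")
EVAL_RE = re.compile(r"Evaluating PolicyName:\s*(\S+)")
MESSAGE_RE = re.compile(r"PolicyManagerImpl\.\w+\s+(.*)$")
# phrases the slides show when a found policy is rejected (Problems 2 and 5)
REJECTIONS = ("does not match", "No organizations subscribe", "does not apply")

def parse_context(line: str) -> Dict[str, str]:
    """'User=123; Action=Execute; Resource=...' -> {'User': '123', 'Action': 'Execute', ...}"""
    ctx: Dict[str, str] = {}
    m = CONTEXT_RE.search(line)
    if m:
        for part in m.group(1).split(";"):
            key, sep, value = part.partition("=")
            if sep:
                ctx[key.strip()] = value.strip()
    return ctx

def message(line: str) -> str:
    """The text after the PolicyManagerImpl method name, or the whole line if absent."""
    m = MESSAGE_RE.search(line)
    return (m.group(1) if m else line).strip()

def find_failed_checks(lines: List[str]) -> List[dict]:
    """Automate the two backward searches from slide 20 for every failed check in the file."""
    checks = []
    for end, line in enumerate(lines):
        if "PASSED?" not in line or "=false" not in line.replace(" ", ""):
            continue
        start = end
        while start >= 0 and "isAllowed?" not in lines[start]:
            start -= 1
        if start < 0:
            continue                        # failure without a context line: nothing to report
        window = lines[start + 1:end]       # everything between isAllowed? and PASSED? =false
        checks.append({
            "context": parse_context(lines[start]),
            "found": [m.group(1).strip() for l in window for m in [FOUND_RE.search(l)] if m],
            "evaluated": [m.group(1) for l in window for m in [EVAL_RE.search(l)] if m],
            "rejections": [message(l) for l in window if any(r in l for r in REJECTIONS)],
        })
    return checks

def diagnose(check: dict) -> str:
    """Map the trace window to the 'how to fix' hints of Problems 1, 2 and 5.  The assumption
    that the site-wide wildcard policy has 'DoEverything' in its name follows Problem 1."""
    ctx = check["context"]
    resource = ctx.get("Resource") or ctx.get("Protectable", "?")
    specific = [p for p in check["found"] if "DoEverything" not in p]
    if not specific:
        return ("only the wildcard DoEverything policy matched: no policy has both action %r in its "
                "action group and %r in its resource group (Problems 1-3)" % (ctx.get("Action"), resource))
    if any("subscribe" in r or "does not apply" in r for r in check["rejections"]):
        return "policy found but not subscribed for the resource owner's applicable orgs (Problem 5)"
    if any("User Group does not match" in r for r in check["rejections"]):
        return "matching policies exist but user %s is in none of their member groups (Problem 2)" % ctx.get("User")
    return "policy evaluated and rejected; check the relation and any resource condition (Problem 11)"

if __name__ == "__main__":
    for c in find_failed_checks(SAMPLE_TRACE):
        print(c["context"].get("User"), c["context"].get("Action"), "->", diagnose(c))
```

Point find_failed_checks at the lines of a real trace file: each failed check comes back with its isAllowed? context (user, action, resource, owner and applicable orgs), the policies the Policy Manager found and evaluated, and the rejection messages between the two lines, which is exactly the slice of the trace that the problems on the following slides reason about. A file with several failures yields one entry per failure rather than only the last one that a manual backward search finds.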
  • 21. Problem 1: Missing policy for a new view
       A new view was added without an accompanying policy, and only the SiteAdministratorsCanDoEverything policy shows in the trace:
         PolicyManagerImpl.isAllowed isAllowed? User=123; Action=MyNewView; Resource=com.ibm.commerce.command.HttpForwardViewCommandImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
         PolicyManagerImpl.isAllowed Found PolicyName: SiteAdministratorsCanDoEverything; PolicyType: 2; PolicyOwner: -2001
         PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
         PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
         WC_ACCESSCONT d PolicyManagerImpl.isAllowed PASSED? =false
       How to fix:
       - The trace shows only policies whose action group contains the action and whose resource group contains the resource
       - Here, no policy has an action group which includes your view as an action
       - For a brand new view, the view needs to be defined as an action and then associated with an action group
  • 22. Problem 2: No command-level policy for a command
       A controller command was added without an accompanying access control policy. The Execute action matches several policies, but no resource group matches:
         PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Resource=com.xyz.MyOrderItemAddCmdImpl; Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
         ...
         PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteAllSiteUserCmd; PolicyType: 2; PolicyOwner: -2001
         ...
         PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
         ...
         PolicyManagerImpl.evaluatePolicy Evaluating PolicyName: SiteAdministratorsCanDoEverything
         ...
         PolicyManagerImpl.evaluatePolicy Normal User Group does not match
         ...
         PolicyManagerImpl.isAllowed PASSED? =false
       How to fix:
       - Define the command as a resource in your policy
       - Allow the 'Execute' action on this newly defined resource
  • 23. Problem 3: No resource-level policy for a command
       A controller command was extended without adding the resource-level access control directives for the new command; however, the base command implements getResources(). The resource-level failure looks similar to:
         PolicyManagerImpl.isAllowed isAllowed? User=510; Action=com.xyz.MyOrderItemAddCmd; Resource=com.ibm.commerce.order.objects._Order_Stub; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002
         ...
         PolicyManagerImpl.isAllowed PASSED? =false
       How to fix:
       - Define the command as an action, and define the resource category
       - Associate the command as a ResourceAction for the particular resource
  • 24. Problem 4: Wrong class implementation
       If you get a command-level access control failure, one cause could be that the command implements the wrong interface, e.g.:
         public interface MyOrderStatusUpdateCmd extends ToolsControllerCommand {
             static final String defaultCommandClassName = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
         }
         public class MyOrderStatusUpdateCmdImpl extends ToolsControllerCommandImpl implements MyOrderProcessCmd {
             private static final String CLASSNAME = "com.mytools.commands.MyOrderStatusUpdateCmdImpl";
       - The check tests whether MyOrderStatusUpdateCmd, which is the resource, is an instance of MyOrderProcessCmd
       - The check passes if access control is set up for MyOrderProcessCmd, and that command is executed instead of the one you expect
       - If no access control is set up, or you have for instance a typo in the command name, you may see a command-level check fail
       How to fix:
       - Ensure that the interface is implemented by the properly defined implementation class
  • 25. Problem 5: No policy group subscription
       The policy appears in the trace but is not applied, with messages such as:
         No organizations subscribe to a policy group with this policy
         Policy does not apply to the resource's applicable organizations
       How to fix:
       1. Ensure that the resource owner subscribes to the correct policy groups:
         <PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization">
           <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews" PolicyOwnerID="RootOrganization"/>
           <PolicyGroupSubscription OrganizationID="RootOrganization"/>
         </PolicyGroup>
       2. Check the policy subscriptions and the organizational hierarchy to ensure the expected policy inheritance is in place, i.e. if an organization subscribes to at least one of its own policy groups, it no longer inherits any from its ancestors
  • 26. Problem 6: CSR cannot impersonate customer
       A command is to be run by a CSR-type user acting on behalf of a registered customer; however it fails similar to:
         isAllowed CMN1501E: User 132004 does not have the authority to perform action "becomeUser" on resource "com.xyz.customerservice.commands.CSROrderPlaceCmdImpl" for command "CSROrderPlaceCmd".
       - The BecomeUserCustomerServiceGroupExecutesBecomeUserCmdsResourceGroup policy is a special policy that allows certain admin users to run specified commands on behalf of other users
       How to fix:
       - Add the CSR commands to this policy (by adding the action to the BecomeUserActionGroup action group)
  • 27. Problem 7: Commands fail when storeId is not set
       Users receive a blank page when trying to access the storefront, with an error similar to:
         AccManager isAllowed CMN1501E: User -1002 does not have the authority to perform action "Execute" on resource "com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl" for command "ProductDisplay".
       How to fix:
       - This usually happens when the store ID is wrong for the command being called, for instance calling commands with storeId=0, with a value that does not exist, or with the storeId missing altogether
       - Make sure to call the URL with the proper storeId
  • 28. Problem 8: Improper cookie domain
       After adding to cart, the redirect to the shopping cart page results in an access control error, with the trace showing chained commands failing with different user IDs:
         isAllowed? User=201921192; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemAddCmdImpl; Owner=7000000000000000051
         isAllowed? User=201921193; Action=Execute; Protectable=com.ibm.commerce.orderitems.commands.OrderItemDisplayCmdImpl; Owner=7000000000000000051
       How to fix:
       - Verify that wc-server.xml is set up to accept cookies from the proper domain:
         <cookie domain="mydomain.com" ...
       - If your current domain is for instance host.mydomain.com, you will see this problem
       - The file must be changed to reflect the current domain, or the domain must be left blank
  • 29. Problem 9: Authorized user cannot invoke command
       A user with the correct authority cannot run a command, i.e. the access control check passes:
         PolicyManagerImpl.isAllowed org=IBM prod=WebSphere Commerce component=WC_ACCESSCONTROL PASSED? =true
       yet the user still gets the message 'The user does not have the authority to run this command' and cannot execute the command.
       How to fix:
       - The custom command must override the isGeneric() method of the superclass; this method determines whether the command may be run by a generic user (user ID -1002)
  • 30. Problem 10: PolicyManager does not initialize
       Starting the server after loading new policies, you get:
         [2/11/08 19:05:30:680 IST] 396222fe CommerceSrvr A RequestServlet initPolicyManager CMN0007S: Initialization has started for "Policy Manager".
         [2/11/08 19:05:39:695 IST] 396222fe CommerceSrvr E PolicyRegistry loadCache CMN0103E: Could not obtain the key from the registry.java.lang.NullPointerException
           at com.ibm.commerce.accesscontrol.policymanager.Policy.equals(Policy.java(Compiled Code))
       - Having other actions in the DoEverything action group causes this; only the '*' action should be in that group
       - There is no need to explicitly list all actions in this group: the wildcard matches all actions during policy evaluation
       How to fix:
       - Remove the additional actions from the DoEverything group and, if necessary, put them in another group
  • 31. Problem 11: Sporadic resource-level failures
       Errors relating to resource-level checks are received sporadically, such as:
         isAllowed CMN1501E: User 16077287 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderProcessCmd" on resource "com.ibm.commerce.order.objects._Order_Stub" for command "OrderProcess".
       The problem may be that an action is to be performed on a resource, but the resource is no longer in the proper state, e.g. for classname com.ibm.commerce.order.objects.Order:
         <ResourceGroup Name="OrderResourceGroupwithPEStatus" OwnerID="RootOrganization">
           <ResourceCondition> ....
               <simpleCondition>
                 <variable name="Status"/>
                 <operator name="="/>
                 <value data="P"/>
               </simpleCondition>
  • 32. Summary
       - Access control policy: member group, action group, resource group, relation
       - Potentially two levels of checking are done per action: command-level and resource-level
       - Access control failures are a result of:
         - Improper policies
         - Improper subscriptions
         - Various other runtime aspects not directly related to the policy configuration
  • 33. Additional Access Control Resources
       - Understanding Access Control
         http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/concepts/caxunderstandaccessmain.htm
       - Evaluating Access Control
         http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/concepts/caxevaluate.htm
       - Troubleshooting Access Control
         http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/raxtroubleshooting.htm
       - Access Control Data Model
         http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmaccess.htm
  • 34. Additional WebSphere Product Resources
       - Discover the latest trends in WebSphere technology and implementation, and participate in technically focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
       - Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html
       - Join the Global WebSphere User Group Community: http://www.websphere.org
       - Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
       - View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
       - Sign up to receive weekly technical My Support emails: http://www.ibm.com/software/support/einfo.html
  • 35. Questions and Answers