The ATG Control Center (ACC) allows users to create, edit, and delete price lists. When a user attempts to view or edit a price list, the security system checks the security information associated with the object and grants or denies access accordingly. For example, if a user does not have write access to a particular item, the ACC displays that item in gray. Some objects might not be visible to certain users at all. The ACC checks this security information for every item contained in the price list repository.

While the ability to specify security information for each item is a very powerful concept, it places a burden both on the system and on the administrator who enters the security information. To alleviate this burden, policies can be created that group logically related items together. With such a policy, users need to enter security data only for a few items, and the other items derive their security information from those few. This spares an administrator from having to enter security information for every object in the repository. This section outlines the policy that ATG Commerce implements.

Note: You can also plug in a different security policy if your business needs are not met by the policy described in this section.

For more information, see the discussion on security measures for deployment in the ATG Installation and Configuration Guide.

The default security policy returns the ACL information stored on each repository item. The price list security policy instead “walks” up the tree from an item until it finds the priceList to which that item belongs, and then retrieves the security information from that price list item.

In the price list security policy, all security information flows from a priceList downward. This means that if a group of price and complexPrice items belong to a priceList, those objects have the same security information as the priceList. Therefore, if only users in the admin group can edit a particular price list, those same users are the only ones who can edit the price entries in that price list.

In the following example, all objects under Price List A would share the same security information.

Price List A
    Price Entry for SKU A
    Price Entry for SKU B
    Complex Price

The PriceListSecurityPolicy Class

The PriceListSecurityPolicy class is located in the atg.commerce.security package. The class has the following signatures:

package atg.commerce.security;

public class PriceListSecurityPolicy
  extends SecuredRepositorySecurityPolicy
{
  // Overridden method from the superclass. This is the method
  // that performs the special logic to get ACLs for a repository
  // item that lives in the PriceList repository. It should
  // figure out whether the repository item type is "interesting"
  // (price or complexPrice) and then dispatch to the appropriate
  // method. The methods it can dispatch to are below.
  public AccessControlList getEffectiveAccessControlList(Object pObject);

  // Get the ACL for a price repository item.
  protected AccessControlList getACLForPrice(SecuredRepositoryItem pItem);

  // Get the ACL for a complexPrice repository item.
  protected AccessControlList getACLForComplexPrice(SecuredRepositoryItem pItem);
}
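To make the walk-up behaviour concrete, here is a stand-alone Python model of the policy described above, with the same dispatch shape as the PriceListSecurityPolicy class: an "interesting" item (price or complexPrice) gets the ACL of the priceList it belongs to, everything else falls back to the default policy of returning the item's own ACL. This is an added example, not code from ATG Commerce or its API; the AccessControlList and Item classes, the parent links, the principal names and the sample items are constructed stand-ins, not atg.commerce.security or atg.repository types. It also shows the caveat a practitioner should know: under this policy an ACL stored on a price entry itself is ignored, and a price entry with no owning price list resolves to no ACL at all (deny).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class AccessControlList:
    """Stand-in for an ACL (constructed): principal name -> set of granted rights."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, principal: str, right: str) -> bool:
        return right in self.grants.get(principal, set())


@dataclass
class Item:
    """Stand-in for a secured repository item in the price list repository (constructed)."""
    item_type: str                      # "priceList", "price" or "complexPrice"
    name: str
    own_acl: Optional[AccessControlList] = None
    parent: Optional["Item"] = None     # link to the containing item, if any


Policy = Callable[[Item], Optional[AccessControlList]]


def default_policy(item: Item) -> Optional[AccessControlList]:
    """Default policy: return the ACL stored on the item itself."""
    return item.own_acl


def owning_price_list(item: Item) -> Optional[Item]:
    """Walk up the parent links until a priceList is found.

    A malformed parent chain that loops would otherwise spin forever, so
    visited nodes are tracked and a cycle raises instead of hanging.
    """
    seen = set()
    node: Optional[Item] = item
    while node is not None:
        if id(node) in seen:
            raise ValueError(f"cycle in parent chain at {node.name!r}")
        seen.add(id(node))
        if node.item_type == "priceList":
            return node
        node = node.parent
    return None


def acl_for_price(item: Item) -> Optional[AccessControlList]:
    """ACL for a price item: inherited from its price list. An orphan gets no ACL (deny)."""
    price_list = owning_price_list(item)
    return price_list.own_acl if price_list is not None else None


def acl_for_complex_price(item: Item) -> Optional[AccessControlList]:
    """ACL for a complexPrice item: same rule, inherited from the owning price list."""
    return acl_for_price(item)


def price_list_policy(item: Item) -> Optional[AccessControlList]:
    """Dispatch on item type; uninteresting types use the default policy."""
    if item.item_type == "price":
        return acl_for_price(item)
    if item.item_type == "complexPrice":
        return acl_for_complex_price(item)
    return default_policy(item)


def is_allowed(policy: Policy, principal: str, item: Item, right: str) -> bool:
    """Resolve the effective ACL with the given policy and check one right. No ACL means deny."""
    acl = policy(item)
    return acl is not None and acl.allows(principal, right)


def build_sample() -> Dict[str, Item]:
    """Constructed sample tree mirroring 'Price List A' from the text."""
    price_list_a = Item("priceList", "Price List A",
                        AccessControlList({"admin": {"read", "write"}, "guest": {"read"}}))
    # This entry carries its own ACL granting a merchandiser write access;
    # the price list policy ignores it, the default policy honours it.
    sku_a = Item("price", "Price Entry for SKU A",
                 AccessControlList({"merchandiser": {"read", "write"}}), parent=price_list_a)
    sku_b = Item("price", "Price Entry for SKU B", None, parent=price_list_a)
    complex_price = Item("complexPrice", "Complex Price", None, parent=price_list_a)
    # A price entry with no owning price list: nothing to inherit from.
    orphan = Item("price", "Orphan Price Entry",
                  AccessControlList({"admin": {"read", "write"}}), parent=None)
    return {"price_list_a": price_list_a, "sku_a": sku_a, "sku_b": sku_b,
            "complex": complex_price, "orphan": orphan}


if __name__ == "__main__":
    s = build_sample()
    for who, right in (("admin", "write"), ("merchandiser", "write"), ("guest", "read")):
        print(f"{who:12} {right:5} on {s['sku_a'].name}: "
              f"price-list policy={is_allowed(price_list_policy, who, s['sku_a'], right)} "
              f"default policy={is_allowed(default_policy, who, s['sku_a'], right)}")
```

The difference between the two policies on "Price Entry for SKU A" is the point to take away: a grant placed directly on a price entry has no effect once the price list policy is plugged in, so reviewing who can edit prices means reviewing the ACLs on the price lists, not on the entries.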

Configuring the Price List Security Policy

Follow these steps to implement the security policy used by the SecuredPriceList repository:

Note: These configuration steps should be performed at the Commerce configuration layer.
