The /atg/userprofiling/security/ProfileAsXMLOwnerPolicy component (class atg.userprofiling.security.ProfileAsXMLOwnerPolicy) is a security policy that is provided with the Personalization layer. It is similar to the ProfileOwnerPolicy, but it expects a method argument that contains a profile in Repo2Xml form. It examines this Repo2Xml item to check that the profile associated with the current session matches the profile in the method argument.

The behavior provided by this policy can be useful for the UpdateUser service, where you may want to ensure that only the owner of a given profile is allowed to update it. For example, if a user whose ID is 700 attempts to call the updateUser method with a Repo2Xml item that represents a profile with ID 900, the ProfileAsXMLOwnerPolicy prevents the method from being called. Specifically, the ProfileAsXMLOwnerPolicy looks for method arguments named pProfileAsXML and ProfileAsXML in that order. If either of those arguments is present, it uses the value for that argument to determine if the method caller has permission to execute the method.

By default, the ProfileAsXMLOwnerPolicy looks for profile objects named pProfileAsXML, ProfileAsXML, and profileAsXML, in that order, and uses the first corresponding object that it finds. You can change these names by editing the value of the profileParameterNames property in the ProfileAsXMLOwnerPolicy component.
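The owner check described above, modeled in Python as an added example; it is not Oracle's code and calls no ATG API. Assumptions: the Repo2Xml item carries the profile ID in the root element's `ID` attribute, the sample XML is constructed, and a call with no recognized profile argument is denied (the page does not say what the real policy does in that case).

```python
import xml.etree.ElementTree as ET

# Default lookup order stated on the page (the profileParameterNames property).
DEFAULT_PARAMETER_NAMES = ("pProfileAsXML", "ProfileAsXML", "profileAsXML")


def profile_id_from_xml(profile_xml):
    """Return the profile ID from a Repo2Xml-style item, or None.

    Assumption: the ID is the root element's "ID" attribute.
    """
    if not isinstance(profile_xml, str) or "<!DOCTYPE" in profile_xml:
        return None  # refuse non-strings and DTDs (entity expansion risk)
    try:
        root = ET.fromstring(profile_xml)
    except ET.ParseError:
        return None  # malformed XML never grants access
    return root.get("ID")


def owner_may_call(session_profile_id, method_args,
                   parameter_names=DEFAULT_PARAMETER_NAMES):
    """Allow the call only if the first profile argument found, in the
    configured order, names the session's own profile."""
    for name in parameter_names:
        if name in method_args:
            target = profile_id_from_xml(method_args[name])
            # Only the first matching name is consulted; later ones are ignored.
            return target is not None and target == session_profile_id
    return False  # assumption: no profile argument present means deny


# Constructed sample input (simplified; not taken from Oracle's documentation).
SAMPLE_900 = '<user ID="900"><firstName>Pat</firstName></user>'
SAMPLE_700 = '<user ID="700"><firstName>Sam</firstName></user>'

if __name__ == "__main__":
    # User 700 updating profile 900 is blocked; updating profile 700 is allowed.
    print(owner_may_call("700", {"pProfileAsXML": SAMPLE_900}))
    print(owner_may_call("700", {"pProfileAsXML": SAMPLE_700}))
```

When a service names its profile argument differently, the model makes the consequence of a stale `profileParameterNames` value visible: the argument is never inspected, so the ownership comparison never runs against it.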


Copyright © 1997, 2014 Oracle and/or its affiliates. All rights reserved.