The /atg/userprofiling/security/RelativeRoleByProfileOrgPolicy component (class atg.userprofiling.security.RelativeRoleByProfileOrgPolicy) is a security policy implementation that extends the abstract class atg.userprofiling.security.RelativeRoleByOrganizationPolicy (see ATG Platform API Reference for more information). It allows you to grant access to users with specific relative roles (also called organizational roles – for more information, see Working with the Dynamo User Directory). The roles allowed access are those assigned to the parent organization of the profile supplied in the input argument.

This policy takes a method argument containing a profile object of type String or RepositoryItem.

By default, the RelativeRoleByProfileOrgPolicy looks for profile objects named pProfileId, Profile, profileId, and profile, in that order, and uses the first corresponding object that it finds. You can change these names by editing the value of the profileParameterNames property in the RelativeRoleByProfileOrgPolicy component.

Assume you have a Web service that you want to be used exclusively by supervisors. You create a security policy for it called SupervisorsOnly that is an implementation of RelativeRoleByProfileOrgPolicy.

You configure the SupervisorsOnly component with its roleFunctionNames property set to a single value:

roleFunctionNames=supervisor

When a user calls the Web service, the security policy creates an ACL that grants access to the supervisor role in the user’s parent organization:

$Profile:role:supervisorRoleId

The security sub-system grants access if the calling user has an assigned relative role with the ID supervisorRoleId; otherwise access is denied.
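The following sketch is an added illustration, not Oracle's code and not part of the ATG API. It models the decision described above: the first matching profile parameter name wins, the allowed roles come from that profile's parent organization, and the caller must hold one of them. The class name, the sample profiles, organizations and role IDs are constructed, and denying a call that carries no recognizable profile argument is an assumption.

```java
import java.util.*;
/** Simplified model of the policy decision (illustration only, not ATG code; Java 9+). */
public class RelativeRolePolicyModel {
    // Default lookup order of profileParameterNames, as documented above.
    static final List<String> PROFILE_PARAMETER_NAMES =
            List.of("pProfileId", "Profile", "profileId", "profile");
    // Constructed sample data: profile ID -> parent organization ID.
    static final Map<String, String> PARENT_ORG = Map.of("alice", "orgA", "bob", "orgB");
    // Constructed sample data: organization ID -> (role function name -> relative role ID).
    static final Map<String, Map<String, String>> ORG_ROLES = Map.of(
            "orgA", Map.of("supervisor", "orgA-supervisorRoleId"),
            "orgB", Map.of("supervisor", "orgB-supervisorRoleId"));

    /** The first configured parameter name present in the call supplies the profile. */
    static Optional<String> resolveProfileId(Map<String, String> methodArgs) {
        return PROFILE_PARAMETER_NAMES.stream()
                .filter(methodArgs::containsKey).map(methodArgs::get).findFirst();
    }

    /** Role IDs granted access: the named role functions in the profile's parent organization. */
    static Set<String> allowedRoleIds(String profileId, List<String> roleFunctionNames) {
        Set<String> ids = new TreeSet<>();
        String org = PARENT_ORG.get(profileId);
        if (org == null) return ids;               // unknown profile: nothing is granted
        Map<String, String> roles = ORG_ROLES.getOrDefault(org, Map.of());
        for (String fn : roleFunctionNames)
            if (roles.containsKey(fn)) ids.add(roles.get(fn));
        return ids;
    }

    /** Access is granted only if the caller holds one of the allowed relative roles. */
    static boolean hasAccess(Set<String> callerRoleIds, Map<String, String> args, List<String> fns) {
        // Assumption: a call with no recognizable profile argument is denied.
        return resolveProfileId(args)
                .map(p -> !Collections.disjoint(callerRoleIds, allowedRoleIds(p, fns)))
                .orElse(false);
    }

    public static void main(String[] argv) {
        List<String> fns = List.of("supervisor");             // roleFunctionNames=supervisor
        Set<String> caller = Set.of("orgA-supervisorRoleId"); // caller supervises orgA only
        // Profile in the caller's own organization.
        System.out.println(hasAccess(caller, Map.of("profileId", "alice"), fns));
        // Profile in another organization.
        System.out.println(hasAccess(caller, Map.of("profileId", "bob"), fns));
        // Two profile arguments: pProfileId precedes profileId in the lookup order.
        System.out.println(hasAccess(caller, Map.of("profileId", "alice", "pProfileId", "bob"), fns));
    }
}
```

When reviewing a service protected by this policy, check which of its method arguments match profileParameterNames, because the earliest match in that list is the profile whose parent organization drives the ACL.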


Copyright © 1997, 2014 Oracle and/or its affiliates. All rights reserved.