The Order Owner Security Policy extends the Standard Security Policy, which provides the base functionality for interpreting Access Control Lists (ACLs). ACLs grant or deny access to secure objects. The atg.security.StandardSecurityPolicy class is provided as part of the Oracle Commerce Core Platform. For more information on the Standard Security Policy, see the Managing Access Control chapter of the Platform Programming Guide.

The Order Owner Security Policy extends the ACL returned by the Standard Security Policy with additional ACLs that either grant or deny access to specific personas. Personas can be users, roles, or organizations. The Order Owner Security Policy appends the persona of the order owner to the ACL. The order object is an incoming parameter of the method being secured.

The orderParameterNames property of the /atg/commerce/security/orderOwnerSecurityPolicy component lets you configure the parameter names that can represent the order. By default, orderParameterNames is set to look for an order parameter with one of the following names: Order, Orderobj, orderId, or order (checked in that order). If the method being secured uses a different name for the parameter that represents the order, reconfigure the orderParameterNames property to include that name.
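The following properties file is an added example, not taken from the Oracle documentation, showing one way to include an extra parameter name by overriding the component in a configuration layer. It assumes orderParameterNames is a multi-valued property that accepts the Nucleus `+=` append syntax; the layer directory and the parameter name `cartOrder` are hypothetical.

```properties
# localconfig/atg/commerce/security/orderOwnerSecurityPolicy.properties
# Override file for the /atg/commerce/security/orderOwnerSecurityPolicy component.
# The "localconfig" layer directory is an assumption; use whichever
# configuration layer your installation applies last.

# Option 1: append to the default list, so the default names
# (Order, Orderobj, orderId, order) are still checked first.
# "cartOrder" is a hypothetical parameter name used for illustration.
orderParameterNames+=cartOrder

# Option 2: replace the list outright. Restate the defaults here,
# otherwise methods that rely on them are no longer matched.
# orderParameterNames=Order,Orderobj,orderId,order,cartOrder
```

Use only one of the two options in a given layer, and confirm the resulting value of orderParameterNames on the running component after deployment.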


Copyright © 1997, 2015 Oracle and/or its affiliates. All rights reserved.