The /atg/userprofiling/security/RelativeRoleByProfileOrgPolicy component (class atg.userprofiling.security.RelativeRoleByProfileOrgPolicy) is a security policy implementation that extends the abstract class atg.userprofiling.security.RelativeRoleByOrganizationPolicy (see ATG Platform API Reference for more information). It allows you to grant access to users with specific relative roles (also called organizational roles – for more information, see Working with the Dynamo User Directory). The roles allowed access are those assigned to the parent organization of the profile supplied in the input argument.
This policy takes a method argument containing a profile object of type String or RepositoryItem.
By default, the RelativeRoleByProfileOrgPolicy looks for profile objects named pProfileId, Profile, profileId, and profile, in that order, and uses the first corresponding object that it finds. You can change these names by editing the value of the profileParameterNames property in the RelativeRoleByProfileOrgPolicy component.
Assume you have a Web service that you want to be used exclusively by supervisors. You create a security policy for it called SupervisorsOnly that is an implementation of RelativeRoleByProfileOrgPolicy.
You configure the SupervisorsOnly component with a roleFunctionNames property set to a single value:
roleFunctionNames=supervisor
When a user calls the Web service, the security policy creates an ACL that grants access to the supervisor role in the user’s parent organization:
$Profile:role:supervisorRoleId
The security sub-system grants access if the calling user has an assigned relative role with the ID supervisorRoleId; otherwise access is denied.
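The decision described above can be traced with a small model. This is an added example, not ATG code: the organizations, profiles, role IDs, the function names and the deny-when-no-profile-argument behavior are all assumptions made for illustration.

```python
# Simplified model of the access decision described above; not ATG code.
# Every identifier and all data below are constructed for illustration.
PROFILE_PARAMETER_NAMES = ["pProfileId", "Profile", "profileId", "profile"]
ROLE_FUNCTION_NAMES = ["supervisor"]

# organization id -> {role function name -> relative role id}
ORG_ROLES = {
    "org-east": {"supervisor": "east-sup", "agent": "east-agent"},
    "org-west": {"supervisor": "west-sup"},
}
# profile id -> parent organization and assigned relative role ids
PROFILES = {
    "alice": {"parentOrganization": "org-east", "roles": {"east-sup"}},
    "bob": {"parentOrganization": "org-east", "roles": {"east-agent"}},
    "carol": {"parentOrganization": "org-west", "roles": {"west-sup"}},
}


def resolve_profile(method_args, names=PROFILE_PARAMETER_NAMES):
    """Return the profile id from the first configured name present in the call."""
    for name in names:
        if name in method_args:
            value = method_args[name]
            # The argument may be a String id or a RepositoryItem (a dict here).
            return value["id"] if isinstance(value, dict) else value
    return None


def build_acl(method_args):
    """ACL entries for the configured role functions in the profile's parent org."""
    profile = PROFILES.get(resolve_profile(method_args))
    if profile is None:
        return []  # assumption of this model: no usable profile grants nothing
    org_roles = ORG_ROLES.get(profile["parentOrganization"], {})
    return ["$Profile:role:" + org_roles[f]
            for f in ROLE_FUNCTION_NAMES if f in org_roles]


def has_access(caller_id, method_args):
    """Grant only if the caller holds a relative role named in the ACL."""
    caller_roles = PROFILES.get(caller_id, {}).get("roles", set())
    return any(entry.rsplit(":", 1)[1] in caller_roles
               for entry in build_acl(method_args))
```

Because the first matching parameter name wins, a Web service method that carries more than one profile-like argument should have profileParameterNames narrowed to the one argument that is meant to select the organization.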