
Secured Repository

Secured Repositories


The Oracle ATG Web Commerce secured repository system works in conjunction with the Oracle ATG Web Commerce Security System to provide fine-grained access control to repository item descriptors, individual repository items, and individual properties through Access Control List (ACL) settings.

Features:
•    Control access to repository item descriptors: Control who can create, add, remove, and query items defined by an item descriptor; similar to controlling access to a whole database table.
•    Control access to individual repository items: Control who can read, write, destroy, and query a repository item; similar to controlling access to a single database row.
•    Control access to properties of all repository items in a repository item descriptor: Control who can read or write a property in any repository item defined by an item descriptor; similar to controlling access to a database table column.
•    Control access to properties of an individual repository item: Control who can read or write a particular property in a repository item; similar to controlling the field of a database table row.
•    Limit query results: Control who can receive repository items that are returned by a repository query.
•    Set ownership of a repository item: At creation time, the current user is assigned as the owner of the new repository item. The owner can query a repository item and modify its ACL; otherwise ownership is simply an association of an identity with an item.
•    Automatically generate ACLs for new repository items: When a repository item is created, it is assigned an ACL that is constructed from an ACL fragment plus a template applied to the owner (creator) and to each group the owner belongs to.

Creating a Secured Repository
1.    Modify the Underlying Repository:
Add the owner and ACL properties to the repository definition as follows:

<item-descriptor name="my" ……………. >
….
<property name="item_owner" column-names="item_owner" data-type="string"/>
<property name="item_acl" column-names="item_acl" data-type="string"/>
<property name="secured_property_acl" column-names="secured_property_acl" data-type="string"/>
</item-descriptor>

2.    Configure the Secured Repository Adapter Component:

File name: SecuredMyRepository.properties
# SecuredMyRepository.properties
$class=atg.adapter.secure.GenericSecuredMutableRepository
$scope=global
name=My repository for the secured repository implementation
repositoryName=SecuredMyRepository
# the repository that we're wrapping
repository=MyRepository
# The template file that configures the repository
configurationFile=secured-My-repository.xml
# The security configuration component used by the repository
securityConfiguration=/atg/dynamo/security/SecuredRepositorySecurityConfiguration
# Various Dynamo services we need
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager


3.    Register the Secured Repository Adapter Component:
In the /atg/registry/ContentRepositories component, add both repositories to initialRepositories:

initialRepositories+=/MyRepository,/SecuredMyRepository

4.    Create the Secured Repository Definition File:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- secured-My-repository.xml -->
<!DOCTYPE secured-repository-template
 PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
 "http://www.atg.com/dtds/security/secured_repository_template_1.1.dtd">
<secured-repository-template>
 <item-descriptor name="my">

   <!-- The ACL that applies to the item view/descriptor -->
   <descriptor-acl value="Admin$role$administrators-group:
     read,write,create,delete;Admin$role$everyone-group:read"/>

   <!-- The property where the ownership is stored -->
   <owner-property name="item_owner"/>

   <!-- The property where ACL is stored in -->
   <acl-property name="item_acl"/>

   <!-- An ACL fragment that is assigned to all new items -->
   <creation-base-acl value="Admin$role$administrators-group:
      read,write,list,destroy,read_owner,write_owner,read_acl,write_acl;
      Admin$role$everyone-group:read,list"/>

   <!-- Access rights assigned to the owner when an item is created -->
   <creation-owner-acl-template value="$:read,write,list,destroy"/>

   <!-- Access rights assigned to all owner groups when an item is created. 
        WARNING: This feature can be dangerous. -->
   <creation-group-acl-template value="$:read,list"/>

   <property name="secured_property">
     <!-- The ACL that applies to this property across all repository items -->
     <descriptor-acl value="Admin$role$administrators-group:
        read,write;Admin$role$everyone-group:read"/>

     <!-- The name of the item property where this property's ACL is stored. -->
     <acl-property name="secured_property_acl"/>

     <!-- An ACL fragment assigned to this property when an item is created. -->
     <creation-base-acl value="Admin$role$administrators-group:read,write"/>

     <!-- Access rights assigned to the owner when an item is created -->
     <creation-owner-acl-template value="$:read,write"/>

     <!-- Access rights assigned to all owner groups when an item is created. 
          WARNING: This feature can be dangerous. -->
     <creation-group-acl-template value="$:read,write"/>

   </property>
 </item-descriptor>
</secured-repository-template>

5.    Modify the SQL for the Repository Data Store:
Add the following columns to the table:
item_owner varchar,
item_acl varchar,
secured_property_acl varchar

6.    Rebuild your EAR.

7.    Modify the Repository Mapping in Admin/Console to map SecuredMyRepository to both MyRepository_staging and MyRepository_production.
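
The creation-* settings in step 4 decide which rights every new item starts with. As an added example (not from the original post or from Oracle's code), this Python script expands those settings for a new item and reports any mutating right handed to the owner's groups, the case the template's WARNING comments point at. It assumes `$` in a template stands for the owner or group identity; the owner and group names used with it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the creation-* entries of the "my" item descriptor from step 4.
TEMPLATE = """<item-descriptor name="my">
  <creation-base-acl value="Admin$role$administrators-group:
      read,write,list,destroy,read_owner,write_owner,read_acl,write_acl;Admin$role$everyone-group:read,list"/>
  <creation-owner-acl-template value="$:read,write,list,destroy"/>
  <creation-group-acl-template value="$:read,list"/>
  <property name="secured_property">
    <creation-base-acl value="Admin$role$administrators-group:read,write"/>
    <creation-owner-acl-template value="$:read,write"/>
    <creation-group-acl-template value="$:read,write"/>
  </property>
</item-descriptor>"""

MUTATING = {"write", "destroy", "write_owner", "write_acl"}

def parse_acl(value):
    """Split 'identity:right,right;identity:right' into {identity: set(rights)}."""
    acl = {}
    for entry in "".join(value.split()).split(";"):   # drop line breaks and indentation
        if entry:
            identity, _, rights = entry.rpartition(":")
            acl.setdefault(identity, set()).update(r for r in rights.split(",") if r)
    return acl

def creation_acl(node, owner, groups):
    """Base fragment + owner template + group template once per owner group.
    Assumption: '$' in a template is a placeholder for the owner/group identity."""
    def val(tag):
        el = node.find(tag)                            # direct children only
        return el.get("value") if el is not None else ""
    acl = parse_acl(val("creation-base-acl"))
    for ident, tmpl in [(owner, val("creation-owner-acl-template")),
                        *((g, val("creation-group-acl-template")) for g in groups)]:
        for rights in parse_acl(tmpl).values():        # the key here is the "$" placeholder
            acl.setdefault(ident, set()).update(rights)
    return acl

def group_write_grants(xml_text, owner, groups):
    """Return {scope: {group: mutating rights}} that a new item gives the owner's groups."""
    root = ET.fromstring(xml_text)
    scopes = {"item": root}
    scopes.update({"property:" + p.get("name"): p for p in root.findall("property")})
    report = {}
    for scope, node in scopes.items():
        acl = creation_acl(node, owner, groups)
        hits = {g: sorted(acl[g] & MUTATING) for g in groups if acl.get(g, set()) & MUTATING}
        if hits:
            report[scope] = hits
    return report
```

With the template above, the item-level group template grants only read and list, but the one on secured_property gives write to every group the creator belongs to.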