Configuring access control policies

WebSphere® Service Registry and Repository (WSRR) provides fine grained access controls that can be mapped onto the Access Control Roles defined for WSRR.

WSRR Access Control is based on the use of Permissions that are attributed to appropriate Roles. Each named permission defines the action that can be performed and the target (and thus objects) to which it applies expressed as an XPath expression.

By assigning a Permission to a Role the access control will allow users in that role to perform that action on objects that match the target BUT deny access to users in any other Roles for that action and target. Effectively the permission defines a set of objects (defined by the target) and an action that are in the "CHECKED" security domain. This means that whenever the action is requested on those objects the user MUST have an explicit permission to undertake the action otherwise it will fail.

If an object is in the "CHECKED" domain, a user can be granted access to perform the action provided that any assigned permission target matches the object for the action being requested. This means that care must be taken in defining the XPath target in a permission to ensure that protection provided by one permission is not overridden by another. In general, administrators might consider a narrow target scope for what needs to have restricted access, rather than denying access to users with a broad scope and then trying to grant permissions to those users that need access.

Care must be taken not to set up permissions that might cause unusual behavior in the web UI. For example, if a role has create permission but not retrieve permission.

To publish documents to WSRR using the Load Documents facility in the web UI, a user must have permission to create a Generic Object of type DocumentGroup, which is used as a container for the documents that are loaded in a single load operation. This Generic Object, named UIPreviewCollection, is used as a container for the documents that are loaded in a single load operation. It is classified with the following URI:

http://www.ibm.com/xmlns/prod/serviceregistry/6/0/core#DocumentGroup

Therefore, to permit a user to load documents in the web UI, but without affecting any other Generic Object based permissions, use the following XPath expression to define the permission target:

/WSRR/GenericObject[exactlyClassifiedByAllOf
  ('http://www.ibm.com/xmlns/prod/serviceregistry/6/0/core#DocumentGroup')]

There is an MBean method, getRolesWithPermissions(), to query the existing roles and permissions. See the Javadoc topic, ServiceRegistryRepository MBean for details.

Configuring access control policies is described in the following subtopics: