8.3.3. Authorization

8.3.3.1. Policy settings on the Authorization Setting Screen take effect immediately.

  • Policy settings (permitted, not permitted) made on the authorization setting screen take effect immediately.

8.3.3.2. Notes on adding, updating, and deleting authorization subjects.

  • Authorization subjects are shared across all functions.
    Be aware that adding, updating, or deleting an authorization subject affects each of the following setting screens.
    • Authorization Setting Screen

    • Authorization Setting Screen for Company

    • Authorization Setting Screen for Menu Group

    • Access Right Setting Screen for Portlet
      <*> Subjects are filtered only for portlets.
      • Displayed: Authentication, User, Role
      • Not displayed: Department, Post, Public Group
    • TableMaintenance Table Access Right Setting

    • Event Navigator Access Right Setting

    • IMBox Operations Authority Setting

    Before updating or deleting a subject, make sure it is not used in other functions.
    Take special care when deleting a subject.
    If a subject is deleted, its related policy settings are deleted too.
    Therefore, deleting a subject also deletes the policies that were set for it by other functions.

8.3.3.3. The validity check of authorization for router paths is not performed for dynamic routing.

  • In the unit test environment, the router checks at initialization time whether different authorization settings have been made for a path.
    This check is not performed for dynamic routing.
    The following kinds of routing are considered dynamic routing.
    • routing which uses PathVariables
    • routing by folder-mapping of jssp-routing
    • routing by application-mapping of service-routing

8.3.3.4. The authorization setting for “/home” is defined as a separate resource. Take care when changing the authorization.

  • At present, /home does not represent any particular application.
    In the initial settings, accessing /home displays the portal (/imart/portal/desktop).
    This is achieved by making both paths in the routing table point to the same page.
    Because the two paths are defined as separate resources for authorization purposes, be careful when you change their authorities.
    Portal Resource:  Screen/Process > Portal > Portal Display > Portal
    /home Resource:   Screen/Process > Tenant > Default Home
    In the default state shown above, even if you disable authorization for the portal resource only,
    /home can still be accessed and the portal viewed unless you also disable the authorization for Default Home.
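
    The audit below is an added example, not intra-mart code. It models the routing table and the policies as plain records (field names, resource identifiers, the subject "guest", and the deny-by-default rule are assumptions made for the illustration) and reports pages that a subject can still reach through another path after one resource has been denied.

```python
from collections import defaultdict

# Constructed routing table: two paths resolve to the same page but are
# guarded by different authorization resources (identifiers are hypothetical).
ROUTES = [
    {"path": "/home", "page": "portal/desktop",
     "resource": "tenant/default-home"},
    {"path": "/imart/portal/desktop", "page": "portal/desktop",
     "resource": "portal/portal-display/portal"},
    {"path": "/sample/report", "page": "sample/report",
     "resource": "sample/report"},
]

# Constructed policy: resource -> {subject: permitted?}
POLICY = {
    "tenant/default-home": {"guest": True},
    "portal/portal-display/portal": {"guest": False},  # only this one was disabled
    "sample/report": {"guest": False},
}


def permitted(policy, resource, subject):
    """Model assumption: a subject with no policy on a resource is denied."""
    return policy.get(resource, {}).get(subject, False)


def residual_access(routes, policy, subject):
    """Return {page: [paths still permitted]} for every page where the
    subject is denied on at least one path but permitted on another."""
    by_page = defaultdict(list)
    for route in routes:
        by_page[route["page"]].append(route)

    findings = {}
    for page, page_routes in by_page.items():
        allowed = sorted(r["path"] for r in page_routes
                         if permitted(policy, r["resource"], subject))
        denied = [r["path"] for r in page_routes
                  if not permitted(policy, r["resource"], subject)]
        if allowed and denied:
            findings[page] = allowed
    return findings


if __name__ == "__main__":
    # Reports the portal page as still reachable through /home.
    print(residual_access(ROUTES, POLICY, "guest"))
```
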

8.3.3.5. The latest authorization settings may not always be in effect.

  • If network trouble occurs between clusters in a distributed environment,
    the cache on the affected node may not be cleared, and iAP may operate with old authorization settings.
    The following alternatives avoid this situation.
    • Do not change authorization settings in the Operation Phase (= operate in a way that does not cause the cache to be cleared).
    • Identify the node where the trouble occurred, and reboot it or take similar action.
    • Do not cache authorization settings.
    • Make the cache validity time for authorization settings short.
    If an authorization setting is changed while a node is separated from the cluster because of network trouble or other causes,
    the cache on the separated node is not cleared.
    When the node rejoins the cluster,
    the authorization settings that were cached before it left the cluster are applied for access control.
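
    The simulation below is an added example, not intra-mart code. It reproduces the separated-node case with a toy cluster and shows how a cache validity time bounds how long a revoked permission keeps being honoured. The class names, the 60-second validity time, and the subject and resource names are assumptions made for the illustration.

```python
class Node:
    """One application node with a local cache of authorization decisions."""

    def __init__(self, name, ttl=None):
        self.name = name
        self.ttl = ttl          # cache validity time in seconds; None = no expiry
        self.connected = True
        self.cache = {}         # (subject, resource) -> (decision, cached_at)

    def decide(self, store, subject, resource, now):
        key = (subject, resource)
        hit = self.cache.get(key)
        if hit is not None:
            decision, cached_at = hit
            if self.ttl is None or now - cached_at < self.ttl:
                return decision              # served from cache, may be stale
        decision = store.get(key, False)     # re-read the current setting
        self.cache[key] = (decision, now)
        return decision


class Cluster:
    def __init__(self, nodes):
        self.nodes = nodes
        self.store = {}         # authoritative authorization settings

    def set_policy(self, subject, resource, permitted):
        self.store[(subject, resource)] = permitted
        for node in self.nodes:
            if node.connected:  # the cache clear reaches connected nodes only
                node.cache.clear()


def run_scenario(ttl):
    """Revoke a permission while node b is separated, then let b rejoin."""
    a, b = Node("a", ttl), Node("b", ttl)
    cluster = Cluster([a, b])
    key = ("guest", "report")   # constructed subject and resource
    cluster.set_policy(*key, True)
    a.decide(cluster.store, *key, now=0)
    b.decide(cluster.store, *key, now=0)     # both nodes cache "permitted"
    b.connected = False
    cluster.set_policy(*key, False)          # change made during the separation
    b.connected = True
    return {
        "a_after_change": a.decide(cluster.store, *key, now=10),
        "b_after_rejoin": b.decide(cluster.store, *key, now=10),
        "b_after_validity": b.decide(cluster.store, *key, now=120),
    }
```
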

8.3.3.6. Adding or deleting access/control authorization for a menu group category in the authorization settings does not affect what the menu setting screen displays.

  • If you open the authorization setting screen and select [Menu Setting] as the resource type, the list of menu group categories and menu group resources is displayed.
    In the initial state, no access/control authority is set for a menu group category (example: [Global Navigation (for PC)]).
    Even if you set access/control authority for a menu group category on this screen, the contents displayed for category selection on the menu setting screen do not change (all menu group categories are always displayed regardless of the authority setting).

    This is because the menu group categories displayed on the authorization setting screen are registered only for grouping the menu groups and do not represent the menu group categories themselves.
    Therefore, even if you set authority for a menu group category, the setting is only inherited by the subordinate menu groups, and no authority is set on the menu group category itself.

8.3.3.7. If the authorized resource of a page registered in the menu is deleted, a system error occurs when the screen is accessed.

  • If the authorized resource of a menu is deleted without deleting the corresponding menu,
    the following error occurs, because the authorized resource cannot be found when a menu such as the global navigation is displayed.

    jp.co.intra_mart.foundation.authz.services.ResourceNotFoundException: [E.IWP.AUTHZ.DECISION.10007] Resource group is not registered. URI = service://test/test
    
    Because every screen that displays the menu raises this system error, most screens cannot be displayed.

    Do not delete the authorized resource of a menu without deleting the corresponding menu.
    (Do not delete authorized resources during the Operation Phase.)

    If you have deleted the resource, register the authorized resource again using the following steps.
    1. Search the routing settings below for the target screen URL, delete it or comment it out, and reboot the server.

      %CONTEXT_PATH%/WEB-INF/conf/routing-xxx-config/***.xml
    2. Delete the corresponding menu item from the menu setting screen.

    3. Restore the original routing setting, and reboot the server.

    4. Register the target authorized resource on the authorization setting screen.

    For reference, a backup function for the deletion of authorized resources was added in the intra-mart Accel Platform 2013 Summer version.
    If unexpected behavior occurs because an authorized resource was deleted,
    the backup files can be restored through a job net, returning the authorized resource to its state before deletion.
    For details, refer to the [Backup when deleting resource] chapter of [Authorization Specifications].

8.3.3.8. Authorized resources provided by intra-mart Accel Platform should not be deleted.

  • If an authorized resource provided by intra-mart Accel Platform is deleted, tenant environment setup may not work properly.
    For example, suppose an authorized resource provided by [8.0.0] or [8.0.1] has been deleted.
    If you then try to set up the tenant environment by deploying a WAR file for which product version [8.0.2] or later is selected,
    the tenant environment setup will fail.

8.3.3.9. On the authorization setting screen, resources and conditions are filtered by the display name in the log-in user's locale.

  • The search function on the authorization setting screen does not match resources and conditions that have no display name in the log-in user's locale.

8.3.3.10. Target user conditions for IM-Authz (Authorization) only handle default department sets.

  • Specifically, the following searches are applicable.
    • User Search
    • Company Department Search
    • Post Search