Secure > Authorization > Customize default access control policies > Examples: Customizing access control policies using the Organization Administration Console
Example: Allowing RMA approvers to approve all RMAs
By default, return merchandise authorization (RMA) approvers for a store are only permitted to approve RMAs for their own stores. In some cases, you may want to allow RMA approvers to approve RMAs for any store. This might be desirable if several stores are owned by the same organization or if the same person handles the RMA approvals for multiple stores.
In this example, we will create a new access group and use it in a new resource-level policy.
To allow RMA approvers to approve RMAs against any store, do the following:
- Determine the resource-level policy that permits RMA approvers for an organization to approve RMAs for their organization.
- Note the name of the resource group and action group used in the policy.
- View the policy's access group, RMAApproversForOrg, and note the roles it includes. The access group is defined using both organizations and roles as selection criteria.
To give users authority to perform an action across multiple organizations, the access group must be defined without organizational criteria.
- Create a new access group, RMAApprovers, that uses the same roles but does not include the organizational criteria.
- Create a new policy using:
- The new access group, RMAApprovers
- The action group from the existing policy
- The resource group from the existing policy
Identify the action group and resource group to use in defining the new policy
- Determine the resource-level policy that authorizes RMAApproversForOrg to approve RMAs for their stores. The policy is: RMAApproversForOrgExecuteRMAApproveCommandsOnRMAResource
- From the Organization Administration Console, click Access Management > Policies.
- For View, select Root Organization to display the policies that it owns.
- Locate the policy in the list.
- Note the name of the policy's action group--RMAApproveCommands. This is the action group we will use in defining the new policy.
- Note the name of the resource group--RMADataResourceGroup, This is the resource group we will use in defining the new policy.
- Note the name of the access group--RMAApproversForOrg. View this access group to see the roles to include in the new access group.
Identify the roles to be used in the new access group
- Click Access Management > Access Groups.
- From the list of access groups, select RMAApproversForOrg.
- Click Change.
- Select Criteria to display the Criteria page.
- Under Selected Roles and Organizations, note the roles used in the access group:
- Customer Service Supervisor
- Seller
- Sales Manager
- Operations Manager
- Click Cancel to return to the list of access groups.
Define the new access group
- Click New to display the Details page for the new access group.
- For Name, specify RMAApprovers.
- For Description, specify a description of the access group.
- For Parent Organization, select Root Organization.
- Click Next to display the Criteria page for the new access group.
- Click Criteria based on organizations and roles.
- From the list of roles, select the following roles:
- Customer Service Supervisor
- Seller
- Sales Manager
- Operations Manager
- Click Finish.
Define the new policy
- Click Access Management > Policies.
- Click New to display the New Policy page.
- For Name, specify: RMAApproversExecuteRMAApproveCommandsOnRMAResource
- For Display Name, specify a short description of the policy in the local language.
- For Description, specify a longer description of what the policy does, in the local language.
- For User Group, click Find and select RMAApprovers.
- Click OK.
- For Resource Group, select RMADataResourceGroup.
- For Action Group, select RMAApproveCommands.
- Click OK.
Update the access control policy registry with the changes
- Open the Administration Console.
- Click Configuration > Registry.
- From the list of registries, select Access Control Policies.
- Click Update.