Setting up custom execute ACL for huge number of services

Hi All,

Here in our project we have thousands of existing services where we have the below execute ACL:

  • (Inherited).

Now as part of best practices we need to set it as below:

  • For services which are being called by external services we need to set a custom ACL.
  • For others as (Inherited) as Execute ACL.

Now the task is uphill due to thousands of services, do we have any way to do it simultaneously for all the services instead of editing one by one?

Please suggest the most efficient solution here.

Regards,
Sanket

Hi Sanket,

this will depend on how many different custom ACLs you will have and if there are some patterns (or regex) to determine which custom ACL should go to which service.

Make sure that you have created the custom ACLs on the IS and have them equipped with the correct groups/roles.
This is necessary to assign the ACLs to the services.

Inherited means that the ACL for this service has not been explicitly set, but has been set somewhere above in the package structure of this service and applies for this one too.
When changing this from “Default (Inherited)” to “Internal”, it will be no longer an inherited one as long as the place above is not changed accordingly.

Can you specify the service names/service types which are to be changed from Default to Internal?

Regards,
Holger

Thanks a lot Holger…!!!

I am not sure of the number of ACLs as of now, but I am afraid it can be as big as 100 or maybe even less. As I told before, we have around 4500 services in two different layers (servers); out of those 4500 we have to set the custom execute ACLs for around 100 services. For the remaining ones where the execute ACL is Default (Inherited), that needs to be changed to Internal (Inherited).

Further, we have no pattern in terms of services, rather we have set of inboxes which has services. Usually we have parent services which are being called by external asset (where we need to set the custom execute ACL) and for several child services (where we need to set the internal execute ACL) which are being called by these parent services.

Most of them are flow services.

Please let me know if you need more information on this.

Regards,
Sanket

Hi Sanket,

if the ACL is changed it will be no longer an inherited one.

Are these normal Services or WebServices?

If these are WebServices, it is sufficient to change the ACL for the WSD-node.

Regards,
Holger

Thanks again Holger,

The services which are being used by external assets, are shared as WSDL i.e. we are the provider. Further, we need to change the execute custom ACL for these services alone. For our internal services which are being called by the exposed services we need to make it internal (inherited).

I see that whenever we create any service, by default the execute ACL is Internal (Inherited); I am not sure how come we have it as Default (Inherited) for existing services.

Let me know if I need to share any other specific information.

Thanks,

Sanket

Hi Sanket,

when the ACL changed from “Internal (Inherited)” to “Default (Inherited)”, this means that somewhere above in the folder tree of this service the ACL was changed from “Internal” to “Default” explicitly and got propagated (inherited) down to the service.

If you change the Execute ACL for the WSD provider this will apply to all methods/operations inside this WSD provider. This means, when there are several operations in one WSD provider you will only have to modify one node (the WSD provider) instead of modifying each operation service.

Regards,
Holger

Thanks again Holger…!!!

So if I may reiterate what you said, if we change the anonymous or default ACL to the custom execute ACL for the provider parent service, would it change the execute ACL of child services to Internal (Inherited) from Default (Inherited)?

Please correct me if I am wrong in my understanding.

Sorry for being repetitive.

Regards,
Sanket

Hi Sanket,

the Execute ACL of the child services (the operations as of the WSDL) would not change, but the WebService handler will only allow the members of the custom ACL to execute these as WSD Provider is the only object which should be exposed to the outside. The other services are meant to be internal.

When there are changes to the WebService you will only have to re-apply the Execute ACL to the recreated WSD-node.
Remember to back up the implementation for the child services before the recreation and re-apply it afterwards.

Regards,
Holger

Hi Holger,

Thanks a lot… again…!!!

For another scenario, where we have 80+ services, where we have shared URL e.g. https://hostname:portname/invoke/folder.subfolder:serviceName, with the external system who is calling it.
Is there any way to change it to custom execute ACL in one shot, i.e. using any inbuilt service and looping over the services where we need to change the execute ACL to some custom ACL?

And then how would we change the execute ACL of the child services (which are again in 1000s) from Default to Internal? Would it be taken care of if we change the parent execute ACLs?

Regards,
Sanket

You can use com.wm.app.b2b.server.ACLManager.setAclGroup(node, ACL) to set the ACL.

Thanks Venkata…!!!

Could you please throw more light on usage of com.wm.app.b2b.server.ACLManager.setAclGroup?

Where to find it and how to implement it? Is it an API?

Regards,
Sanket

You can write a Java service in webMethods with the following code:

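	// Inputs: "element" is the namespace node (e.g. folder.subfolder:serviceName),
	// "group" is the name of the ACL to assign
	IDataCursor pipelineCursor = pipeline.getCursor();
	String	element = IDataUtil.getString(pipelineCursor, "element");
	String	group = IDataUtil.getString(pipelineCursor, "group");
	pipelineCursor.destroy();
	
	// Assign the ACL to the node
	com.wm.app.b2b.server.ACLManager.setAclGroup(element, group);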
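A bulk variant of the Java service above, for the "80+ services in one shot" case raised earlier in the thread. This is an added example, not code from any poster: the class name, the pipeline fields `nodes`, `acl`, `dryRun`, `accepted` and `rejected`, and the name-format check are assumptions; only `ACLManager.setAclGroup` comes from the thread.

```java
import com.wm.app.b2b.server.ACLManager;
import com.wm.app.b2b.server.ServiceException;
import com.wm.data.IData;
import com.wm.data.IDataCursor;
import com.wm.data.IDataUtil;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class BulkExecuteAcl {
    // Accept only folder.subfolder:serviceName, the form used in the /invoke/ URL
    // quoted above. Folder-only nodes are rejected on purpose (assumed policy).
    private static final Pattern NODE = Pattern.compile("[\\w.]+:\\w+");

    // Inputs (hypothetical names): nodes (String[]), acl (String), dryRun (String)
    // Outputs (hypothetical names): accepted (String[]), rejected (String[])
    public static final void setExecuteAclBulk(IData pipeline) throws ServiceException {
        IDataCursor c = pipeline.getCursor();
        String[] nodes = IDataUtil.getStringArray(c, "nodes");
        String acl = IDataUtil.getString(c, "acl");
        // Dry run is the default: nothing changes unless dryRun is exactly "false"
        boolean dryRun = !"false".equalsIgnoreCase(IDataUtil.getString(c, "dryRun"));

        if (nodes == null || acl == null || acl.trim().isEmpty()) {
            c.destroy();
            throw new ServiceException("nodes and acl are required");
        }
        List<String> accepted = new ArrayList<String>();
        List<String> rejected = new ArrayList<String>();
        for (String raw : nodes) {
            String node = raw == null ? "" : raw.trim();
            if (!NODE.matcher(node).matches()) {
                rejected.add(node + " (not folder:service)");
                continue;
            }
            try {
                if (!dryRun) {
                    ACLManager.setAclGroup(node, acl); // call taken from the thread
                }
                accepted.add(node);
            } catch (Exception e) {
                // Keep going so one bad node does not abort the whole batch
                rejected.add(node + " (" + e.getMessage() + ")");
            }
        }
        IDataUtil.put(c, "accepted", accepted.toArray(new String[0]));
        IDataUtil.put(c, "rejected", rejected.toArray(new String[0]));
        c.destroy();
    }
}
```

Because this service rewrites access control for whatever node names it is given, restrict its own Execute ACL to administrators and review the `accepted` list from a dry run before running it with `dryRun` set to `false`.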

Thanks a ton Venkata …It worked like anything …!!!

Regards,
Sanket

Hi Venkata,

Where did you find the utility? Can we get something similar to change the List, Read and Write ACLs?

Thanks,

Sanket

Dear Sanket,

If you have very few packages where these child services are present, you can change the execute ACL on the specific package or folder; it will then take effect as inherited if it was not set manually before.

You can use one service, wm.server.services:serviceinfoSet, to set any ACL in a list of many servers.

Create a flow service for this to set.