To enforce permissions on the network, we will define some access control for participants over assets with the following rules:
- Only factories can create FoodBoxes:

```
rule FoodBoxFactoryCreation {
    description: "Factories can create FoodBoxes"
    participant: "com.packtpublishing.businessnetwork.foodsafety.FoodFactory"
    operation: CREATE
    resource: "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    action: ALLOW
}
```
- Since a food factory must also be able to see its own FoodBoxes and transfer them to a transporter, we use a conditional rule that binds the participant (`p`) and the resource (`b`) and restricts the grant to boxes the factory owns:

```
rule FoodBoxFactoryUpdateAndRead {
    description: "Factories can update and read owned FoodBoxes"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.FoodFactory"
    operation: UPDATE, READ
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    // b.owner is a relationship, so compare identifiers rather than objects
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}
```
- The next rules cover Transporters, which can read and update the FoodBoxes they own. We do the same for FoodBoxPallets:

```
rule FoodBoxTransportersUpdateAndRead {
    description: "Transporters can update and read owned FoodBoxes"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.Transporter"
    operation: UPDATE, READ
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}

rule FoodBoxPalletTransportersUpdateAndRead {
    description: "Transporters can update and read owned FoodBoxPallets"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.Transporter"
    operation: UPDATE, READ
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBoxPallet"
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}
```
- Warehouses can also read and update their own FoodBoxes, as well as create, update, and read FoodBoxPallets:

```
rule FoodBoxPalletWarehouseCreate {
    description: "Warehouses can create FoodBoxPallets"
    participant: "com.packtpublishing.businessnetwork.foodsafety.Warehouse"
    operation: CREATE
    resource: "com.packtpublishing.businessnetwork.foodsafety.FoodBoxPallet"
    action: ALLOW
}

rule FoodBoxWarehouseUpdateAndRead {
    description: "Warehouses can update and read owned FoodBoxes"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.Warehouse"
    operation: UPDATE, READ
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}

rule FoodBoxPalletWarehouseUpdateAndRead {
    description: "Warehouses can update and read owned FoodBoxPallets"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.Warehouse"
    operation: UPDATE, READ
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBoxPallet"
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}
```
- Finally, stores can read only the FoodBoxes they own, while consumers can read all FoodBoxes (no rule grants them UPDATE, so they cannot modify anything):

```
// Store Rules
rule StoreCanReadFoodBoxes {
    description: "Stores can read owned FoodBoxes"
    participant(p): "com.packtpublishing.businessnetwork.foodsafety.Store"
    operation: READ
    // the resource is the FoodBox itself, not the pallet
    resource(b): "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    condition: (p.getIdentifier() === b.owner.getIdentifier())
    action: ALLOW
}

// Consumer Rules
rule ConsumersCanReadFoodBoxes {
    description: "Consumers can read all FoodBoxes"
    participant: "com.packtpublishing.businessnetwork.foodsafety.Consumer"
    operation: READ
    resource: "com.packtpublishing.businessnetwork.foodsafety.FoodBox"
    action: ALLOW
}
```
After applying these rules, the network is ready to be tested.
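Before testing on the network itself, it helps to check what the rule set actually permits. The following is an added Python model of Composer's evaluation (example code, not the book's or Hyperledger Composer's; the `Participant`, `Asset` and `Rule` classes and the `owned_by` helper are constructed stand-ins). It encodes the rules above as data and applies the implicit deny Composer uses when no rule matches, so gaps such as a missing DELETE grant or a store trying to UPDATE become visible before deployment.

```python
from dataclasses import dataclass
from typing import Callable, Optional

NS = "com.packtpublishing.businessnetwork.foodsafety"

@dataclass
class Participant:          # constructed stand-in for a Composer participant
    type: str
    id: str

@dataclass
class Asset:                # constructed stand-in for a FoodBox / FoodBoxPallet
    type: str
    id: str
    owner: Optional[str] = None   # identifier of the owning participant

@dataclass
class Rule:                 # one ALLOW rule from the permissions.acl above
    participant: str
    operations: tuple
    resource: str
    condition: Optional[Callable[[Participant, Asset], bool]] = None

def owned_by(p: Participant, b: Asset) -> bool:
    # Mirrors the ACL condition: compare identifiers, not object references.
    return b.owner == p.id

RULES = [
    Rule(f"{NS}.FoodFactory", ("CREATE",), f"{NS}.FoodBox"),
    Rule(f"{NS}.FoodFactory", ("UPDATE", "READ"), f"{NS}.FoodBox", owned_by),
    Rule(f"{NS}.Transporter", ("UPDATE", "READ"), f"{NS}.FoodBox", owned_by),
    Rule(f"{NS}.Transporter", ("UPDATE", "READ"), f"{NS}.FoodBoxPallet", owned_by),
    Rule(f"{NS}.Warehouse", ("CREATE",), f"{NS}.FoodBoxPallet"),
    Rule(f"{NS}.Warehouse", ("UPDATE", "READ"), f"{NS}.FoodBox", owned_by),
    Rule(f"{NS}.Warehouse", ("UPDATE", "READ"), f"{NS}.FoodBoxPallet", owned_by),
    Rule(f"{NS}.Store", ("READ",), f"{NS}.FoodBox", owned_by),
    Rule(f"{NS}.Consumer", ("READ",), f"{NS}.FoodBox"),
]

def is_allowed(p: Participant, op: str, asset: Asset, rules=RULES) -> bool:
    """Allowed only if some ALLOW rule matches participant type, operation and
    resource type and its condition holds; anything else is denied by default."""
    for r in rules:
        if r.participant == p.type and op in r.operations and r.resource == asset.type:
            if r.condition is None or r.condition(p, asset):
                return True
    return False

def permitted_ops(p: Participant, asset: Asset, rules=RULES) -> set:
    # Audit helper: the full set of operations this participant gets on this asset.
    return {op for op in ("CREATE", "READ", "UPDATE", "DELETE") if is_allowed(p, op, asset, rules)}
```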