You are designing the access control policies for a Web-based retail store. Customers access the store via the Web, browse product information, input their address and payment information, and purchase products. Suppliers can add new products, update product information, and receive orders. The store owner sets the retail prices, makes tailored offers to customers based on their purchasing profiles, and provides marketing services. You have to deal with three actors: StoreAdministrator, Supplier, and Customer. Design an access control policy for all three actors. Customers can be created via the Web, whereas Suppliers are created by the StoreAdministrator.

What will be an ideal response?


An access control policy is represented with a matrix. The columns represent the objects whose access is controlled, the rows represent the actors accessing the objects, and the cells contain the operations that an actor is allowed to invoke on a specific object. In this exercise, there are four objects under access control: the product (including product information and price), the customer information, the supplier information, and the order. There are four actors that should be taken into account: the three actors mentioned in the exercise and the unregistered web user, who can browse the product catalog and create a new customer (as indicated in the last sentence of the exercise). Table 7-1 depicts a possible access matrix for the text above. The names of the operations may differ from one solution to another. The instructor may consider correct solutions that merge the unregistered user row with the customer row.
[Image: Table 7-1, access matrix]
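A deny-by-default encoding of such an access matrix, as an added example that is not part of the original answer and does not reproduce Table 7-1. The operation names, the `own`/`any` scope attached to each cell, and the specific grants are assumptions derived from the exercise text.

```python
# Added example: operation names, scopes and grants are assumptions taken
# from the exercise text, not the contents of Table 7-1.
OWN, ANY = "own", "any"   # OWN: cell applies only to the actor's own records

# Rows are actors, columns are objects, cells map operation -> scope.
MATRIX = {
    "UnregisteredUser": {
        "Product": {"browse": ANY},
        "CustomerInfo": {"create": ANY},          # self-registration via the Web
    },
    "Customer": {
        "Product": {"browse": ANY},
        "CustomerInfo": {"view": OWN, "update": OWN},
        "Order": {"create": OWN, "view": OWN},
    },
    "Supplier": {
        "Product": {"browse": ANY, "create": OWN, "updateInfo": OWN},
        "SupplierInfo": {"view": OWN, "update": OWN},
        "Order": {"view": OWN},                   # receives orders for its products
    },
    "StoreAdministrator": {
        "Product": {"browse": ANY, "setPrice": ANY},
        "CustomerInfo": {"view": ANY},            # purchasing profiles for offers
        "SupplierInfo": {"create": ANY, "view": ANY, "update": ANY},
        "Order": {"view": ANY},
    },
}

def is_allowed(role, actor_id, obj, operation, owner_id=None):
    """Deny by default: only an explicit cell grants access."""
    scope = MATRIX.get(role, {}).get(obj, {}).get(operation)
    if scope is None:
        return False                              # empty cell, unknown role or object
    if scope == OWN:
        return owner_id is not None and owner_id == actor_id
    return True

def holders(obj, operation):
    """Column audit: which roles may invoke an operation on an object."""
    return sorted(r for r, row in MATRIX.items() if operation in row.get(obj, {}))
```

Auditing a column with `holders` is a quick way to confirm that sensitive operations, such as creating suppliers or setting prices, appear in exactly one row.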

Computer Science & Information Technology
