Attribute-based access control method allows for setting access permissions for specific elements of table MDM dictionary.
The attribute element is set as OBJECT.ELEMENT.<attribute identifier>. Attribute identifiers are contained on the Attributes tab on opening dictionary for edit.
NOTE. An element attribute is set only in additional condition of the rule.
Operations with MDM dictionary elements are contained in the DictionarySpecificRights enumeration.
For details see the Access Permissions for MDM Repository Objects section.
Consider an example of denying user access to read the table MDM dictionary element with the 1 key.
Executing the example requires the following conditions to be satisfied:
The security manager contains the USER user.
The repository root contains a table MDM dictionary with the DICTIONARY identifier and objects that are included into the dictionary:
Database with the 60 identifier.
Table with the TABLE identifier.
The Elements have Attribute-Based Access Permissions checkbox is selected in the table MDM dictionary.
Add links to the ABAC, Metabase, ForeSystem (for the Fore.NET example) system assemblies.
Sub UserProc;
Var
PolicyObject: IABACRootPolicyObject;
PolicySet: IABACPolicySet;
Policy: IABACPolicy;
Rules: IABACRules;
Rule: IABACRule;
MB: IMetabase;
MS: IMetabaseSecurity;
Lic: Object;
Begin
MB := MetabaseClass.Active;
//Get license to work with security manager
Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
MS := MB.Security;
// Activate attribute-based access control
MS.Policy.AttributeBasedAccessControl := True;
// Get attribute-based access control structure
PolicyObject := MB.Security.Policy.ABACRules;
// Clear attribute-based access control structure and set a new one
PolicyObject.Policies.Clear;
// Set algorithm of root policy of attribute-based access control - allow overriding
PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a policies set
PolicySet := PolicyObject.Policies.Add;
PolicySet.Name(MB.CurrentLocale) := "Policies set for the USER user";
PolicySet.Target.AttributeId := "SUBJECT.NAME";
PolicySet.Target.Operation := ABACTargetOperation.Equal;
PolicySet.Target.AttributeValue := "USER";
PolicySet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a policy to access database with the 60 key
Policy := PolicySet.Policies.Add;
Policy.Name(MB.CurrentLocale) := "Allow access to database";
Policy.Target.AttributeId := "OBJECT.KEY";
Policy.Target.Operation := ABACTargetOperation.Equal;
Policy.Target.AttributeValue := 60;
Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add rules to read object data and metadata
Rules := Policy.Rules;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Data read access";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.IN_;
Rule.Target.AttributeValue := 2;
Rule.Effect := ABACRuleEffect.Permit;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Metadata read access";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.Equal;
Rule.Target.AttributeValue := 4096;
Rule.Effect := ABACRuleEffect.Permit;
// Add a policy to access table with the TABLE identifier used by table MDM dictionary
Policy := PolicySet.Policies.Add;
Policy.Name(MB.CurrentLocale) := "Allow access to table";
Policy.Target.AttributeId := "OBJECT.ID";
Policy.Target.Operation := ABACTargetOperation.Equal;
Policy.Target.AttributeValue := "TABLE";
Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a rule for full access to table
Rules := Policy.Rules;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Full access to table";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.IN_;
Rule.Target.AttributeValue := 1;
Rule.Effect := ABACRuleEffect.Permit;
// Add a policy to access table MDM dictionary with the DICTIONARY identifier
Policy := PolicySet.Policies.Add;
Policy.Name(MB.CurrentLocale) := "Allow access to MDM dictionary";
Policy.Target.AttributeId := "OBJECT.ID";
Policy.Target.Operation := ABACTargetOperation.Equal;
Policy.Target.AttributeValue := "DICTIONARY";
Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a rule for full access to table MDM dictionary
Rules := Policy.Rules;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Full access to MDM dictionary";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.IN_;
Rule.Target.AttributeValue := 1;
Rule.Effect := ABACRuleEffect.Permit;
// Add a rule to deny access element of MDM dictionary with the 1 key
Rules := Policy.Rules;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Access to MDM dictionary element";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.Equal;
Rule.Target.AttributeValue := 1048576;
Rule.Condition.AsString := "OBJECT.ELEMENT.KEY = 1";
Rule.Effect := ABACRuleEffect.Deny;
// Apply changes in security manager
MS.Apply;
// Check in license
Lic := Null;
End Sub UserProc;
Imports Prognoz.Platform.Interop.ABAC;
Imports Prognoz.Platform.Interop.Metabase;
Imports Prognoz.Platform.Interop.ForeSystem;
…
Public Shared Sub Main(Params: StartParams);
Var
PolicyObject: IABACRootPolicyObject;
PolicySet: IABACPolicySet;
Policy: IABACPolicy;
Rules: IABACRules;
Rule: IABACRule;
MB: IMetabase;
MS: IMetabaseSecurity;
Lic: Object;
Begin
MB := Params.Metabase;
//Get license to work with security manager
Lic := MB.RequestLicense(UiLicenseFeatureType.lftAdm);
MS := MB.Security;
// Activate attribute-based access control
MS.Policy.AttributeBasedAccessControl := True;
// Get attribute-based access control structure
PolicyObject := MB.Security.Policy.ABACRules;
// Clear attribute-based access control structure and set a new one
PolicyObject.Policies.Clear;
// Set algorithm of root policy of attribute-based access control - allow overriding
PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
// Add a policies set
PolicySet := PolicyObject.Policies.Add();
PolicySet.Name[MB.CurrentLocale] := "Policies set for the USER user";
PolicySet.Target.AttributeId := "SUBJECT.NAME";
PolicySet.Target.Operation := ABACTargetOperation.abactoEqual;
PolicySet.Target.AttributeValue := "USER";
PolicySet.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
// Add a policy to access database with the 60 key
Policy := PolicySet.Policies.Add();
Policy.Name[MB.CurrentLocale] := "Allow access to database";
Policy.Target.AttributeId := "OBJECT.KEY";
Policy.Target.Operation := ABACTargetOperation.abactoEqual;
Policy.Target.AttributeValue := 60;
Policy.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
// Add rules to read object data and metadata
Rules := Policy.Rules;
Rule := Rules.Add();
Rule.Name[MB.CurrentLocale] := "Data read access";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.abactoIN;
Rule.Target.AttributeValue := 2;
Rule.Effect := ABACRuleEffect.abacrePermit;
Rule := Rules.Add();
Rule.Name[MB.CurrentLocale] := "Metadata read access";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.abactoEqual;
Rule.Target.AttributeValue := 4096;
Rule.Effect := ABACRuleEffect.abacrePermit;
// Add a policy to access table with the TABLE identifier used by table MDM dictionary
Policy := PolicySet.Policies.Add();
Policy.Name[MB.CurrentLocale] := "Allow access to table";
Policy.Target.AttributeId := "OBJECT.ID";
Policy.Target.Operation := ABACTargetOperation.abactoEqual;
Policy.Target.AttributeValue := "TABLE";
Policy.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
// Add a rule for full access to table
Rules := Policy.Rules;
Rule := Rules.Add();
Rule.Name[MB.CurrentLocale] := "Full access to table";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.abactoIN;
Rule.Target.AttributeValue := 1;
Rule.Effect := ABACRuleEffect.abacrePermit;
// Add a policy to access table MDM dictionary with the DICTIONARY identifier
Policy := PolicySet.Policies.Add();
Policy.Name[MB.CurrentLocale] := "Allow access to MDM dictionary";
Policy.Target.AttributeId := "OBJECT.ID";
Policy.Target.Operation := ABACTargetOperation.abactoEqual;
Policy.Target.AttributeValue := "DICTIONARY";
Policy.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
// Add a rule for full access to table MDM dictionary
Rules := Policy.Rules;
Rule := Rules.Add();
Rule.Name[MB.CurrentLocale] := "Full access to MDM dictionary";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.abactoIN;
Rule.Target.AttributeValue := 1;
Rule.Effect := ABACRuleEffect.abacrePermit;
// Add a rule to deny access element of MDM dictionary with the 1 key
Rules := Policy.Rules;
Rule := Rules.Add();
Rule.Name[MB.CurrentLocale] := "Access to MDM dictionary element";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.abactoEqual;
Rule.Target.AttributeValue := 1048576;
Rule.Condition.AsString := "OBJECT.ELEMENT.KEY = 1";
Rule.Effect := ABACRuleEffect.abacreDeny;
// Apply changes in security manager
MS.Apply();
// Check in license
Lic := Null;
End Sub;
After executing the example attribute-based access control is activated in the security manager, and the specified attribute-based access control structure is added with denial of user access to read the MDM dictionary element with the 1 key:
When the attribute-based access control is implemented in the object navigator, the MDM dictionary element with the 1 key is not displayed for the USER user.
See also:
Examples | Access Permissions for MDM Repository Objects | Basic Dictionary Settings