Evaluate(Operation: Integer): ABACEvaluateResult;
Evaluate(System.Int32): Prognoz.Platform.Interop.ABAC.ABACEvaluateResult;
Operation. The code of the main or specific operation on an object. The lists of specific operation codes are contained in enumerations of the Metabase assembly.
NOTE. If the objective has the OPERATION environment attribute set with the IN condition, the parameter can take the value of a child operation. For example, if the 2 - Read operation is set in the attribute-based access control objective, the method parameter can take the value 256 - Read descriptor.
The Evaluate method returns the result of checking the subject's access to the object.
If the objective has the OPERATION environment attribute set with the IN condition, then before calling the Evaluate method either pass the operations to check with the IABACEngine.SetOperations method, or set the Operation parameter to exactly the value specified in the attribute-based access control objective.
Executing the example requires the following conditions to be satisfied:
The security manager contains at least one user.
An attribute with the ATTR1 identifier and the Integer data type is defined for users.
The repository contains an object with the 12254 key.
The attribute-based access control structure contains a rule:
Objective: OPERATION IN 2.
Condition: SUBJECT.ATTR1 = 123.
Effect: Allow.
The whole attribute-based access control structure uses allow overrides: if at least one of the calculation results returns permission, the user is allowed to execute the operation with the object.
Add links to the ABAC and Metabase system assemblies.
Public Class Callback: Object, IABACEvaluateCallback
    // Typed variant: not used by this example, the raw variant below supplies the value
    Public Function AttrValue(Id: String; Var Success: Boolean): Object;
    Begin
        Success := False;
        Return Null;
    End Function AttrValue;

    // Returns the value of the ATTR1 attribute when the calculator cannot find it itself
    Public Function AttrValueRaw(Id: String; Var Result: Variant): Boolean;
    Var
        Success: Boolean;
    Begin
        If Id = "ATTR1" Then
            Result := 123;
            Success := True;
        Else
            Success := False;
        End If;
        Return Success;
    End Function AttrValueRaw;
End Class Callback;
Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Calb: Callback;
    Engine: IABACEngine;
    Res: ABACEvaluateResult;
    User, Obj, Env: IABACAttributeInstances;
Begin
    MB := MetabaseClass.Active;
    MS := MB.Security;
    // Get environment attributes
    Env := MS.EnvironmentAttributes;
    // Get attributes of the first user and of the object with the 12254 key
    User := MS.Users.Item(0).Attributes;
    Obj := MB.Root.Children.FindByKey(12254).Attributes;
    // Display names of the obtained user and object in the console
    Debug.WriteLine("User: " + MS.Users.Item(0).Name);
    Debug.WriteLine("Object: " + MB.Root.Children.FindByKey(12254).Name);
    // Create the callback that supplies attribute values the calculator cannot find
    Calb := New Callback.Create;
    // Set up the engine that calculates user access to the object
    Engine := New ABACEngine.Create;
    Engine.SetEnvironment(Env);
    Engine.SetParams(User, Obj);
    Engine.SetCallback(Calb);
    Engine.SetOperations(2, 4, 1);
    // Set the attribute-based access control structure that is contained in the security manager
    Engine.SetPolicy(MB.Security.Policy.ABACRules);
    // Check access to read the object descriptor and display the result in the console
    Res := Engine.Evaluate(256);
    Select Case Res As Integer
        Case 0: Debug.WriteLine("Access is not determined");
        Case 1: Debug.WriteLine("Rule cannot be applied");
        Case 2: Debug.WriteLine("Access is allowed");
        Case 3: Debug.WriteLine("Access is denied");
    End Select;
End Sub UserProc;
Imports Prognoz.Platform.Interop.ABAC;
Imports Prognoz.Platform.Interop.Metabase;
…
Public Class Callback: Object, IABACEvaluateCallback
    // Raw variant: returns the value of the ATTR1 attribute through an IntPtr
    Public Function AttrValueRaw(Id: String; Result: IntPtr): SByte;
    Var
        Success: SByte;
    Begin
        If Id = "ATTR1" Then
            Result := 123 As IntPtr;
            Success := 1;
        Else
            Success := 0;
            Result := Null As IntPtr;
        End If;
        Return Success;
    End Function AttrValueRaw;

    // Typed variant: returns the value of the ATTR1 attribute as an object
    Public Function AttrValue(Id: String; Var Success: Boolean): Object;
    Var
        Result: Object;
    Begin
        If Id = "ATTR1" Then
            Result := 123 As Object;
            Success := True;
        Else
            Success := False;
            Result := 0;
        End If;
        Return Result;
    End Function AttrValue;
End Class Callback;

Public Class Program
    [STAThread]
    Public Shared Sub Main(Params: StartParams);
    Var
        MB: IMetabase;
        MS: IMetabaseSecurity;
        Calb: Callback;
        Engine: IABACEngine;
        Res: ABACEvaluateResult;
        User, Obj, Env: IABACAttributeInstances;
    Begin
        MB := Params.Metabase;
        MS := MB.Security;
        // Get environment attributes
        Env := MS.EnvironmentAttributes;
        // Get attributes of the first user and of the object with the 12254 key
        User := MS.Users.Item[0].Attributes;
        Obj := MB.Root.Children.FindByKey(12254).Attributes;
        // Display names of the obtained user and object in the console
        System.Diagnostics.Debug.WriteLine("User: " + MS.Users.Item[0].Name);
        System.Diagnostics.Debug.WriteLine("Object: " + MB.Root.Children.FindByKey(12254).Name);
        // Create the callback that supplies attribute values the calculator cannot find
        Calb := New Callback();
        // Set up the engine that calculates user access to the object
        Engine := New ABACEngine.Create();
        Engine.SetEnvironment(Env);
        Engine.SetParams(User, Obj);
        Engine.SetCallback(Calb);
        Engine.SetOperations(2, 4, 1);
        // Set the attribute-based access control structure that is contained in the security manager
        Engine.SetPolicy(MB.Security.Policy.ABACRules);
        // Check access to read the object descriptor and display the result in the console
        Res := Engine.Evaluate(256);
        Select Case Res As Integer
            Case 0: System.Diagnostics.Debug.WriteLine("Access is not determined");
            Case 1: System.Diagnostics.Debug.WriteLine("Rule cannot be applied");
            Case 2: System.Diagnostics.Debug.WriteLine("Access is allowed");
            Case 3: System.Diagnostics.Debug.WriteLine("Access is denied");
        End Select;
    End Sub;
End Class;
After executing the example:
When the attribute-based access control objective is checked, the ATTR1 attribute is found, but it has no value set.
The calculator calls the AttrValue function of the callback to obtain the attribute value 123.
The condition is checked after the objective has been satisfied. The condition is satisfied because the ATTR1 attribute with the value 123 is found.
The user can read the object descriptor.
The console displays the access result:
User: ADMIN
Object: System objects
Access is allowed
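The decision flow described above, as an added, constructed Python model (not the platform's ABACEngine): an objective on the OPERATION environment attribute, a condition on a subject attribute that is resolved through a callback when the attribute has no value, and allow-overrides combining. The result codes follow the Select Case in the examples; the rule and engine classes are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Result codes as used in the page's Select Case
NOT_DETERMINED, NOT_APPLICABLE, ALLOW, DENY = 0, 1, 2, 3

@dataclass
class Rule:                     # constructed model of one ABAC rule
    objective_ops: set          # objective: OPERATION IN {...}
    cond_attr: str              # condition: SUBJECT.<cond_attr> = cond_value
    cond_value: object
    effect: int                 # ALLOW or DENY

@dataclass
class Engine:                   # constructed model of the calculator
    rules: list
    subject_attrs: dict                  # attribute id -> value (None = attribute has no value)
    callback: Callable[[str], tuple]     # AttrValueRaw-style: id -> (value, success)
    operations: Optional[set] = None     # set by set_operations(); None = use the Evaluate argument

    def set_operations(self, *ops):
        self.operations = set(ops)

    def _attr(self, attr_id):
        # Attribute found without a value: ask the callback, as the page describes
        if self.subject_attrs.get(attr_id) is None:
            value, ok = self.callback(attr_id)
            return value if ok else None
        return self.subject_attrs[attr_id]

    def _eval_rule(self, rule, operation):
        ops = self.operations if self.operations is not None else {operation}
        if not (ops & rule.objective_ops):
            return NOT_APPLICABLE            # objective not met
        value = self._attr(rule.cond_attr)
        if value is None:
            return NOT_DETERMINED            # attribute could not be resolved
        return rule.effect if value == rule.cond_value else NOT_APPLICABLE

    def evaluate(self, operation):
        # Allow overrides: a single permitting result grants access
        results = [self._eval_rule(r, operation) for r in self.rules]
        for outcome in (ALLOW, DENY, NOT_DETERMINED):
            if outcome in results:
                return outcome
        return NOT_APPLICABLE

def attr_callback(attr_id):
    # Mirrors the page's AttrValueRaw: only ATTR1 is known, with value 123
    return (123, True) if attr_id == "ATTR1" else (None, False)

def demo():
    engine = Engine(rules=[Rule({2}, "ATTR1", 123, ALLOW)],
                    subject_attrs={"ATTR1": None}, callback=attr_callback)
    engine.set_operations(2, 4, 1)
    return engine.evaluate(256)   # Read descriptor: allowed through SetOperations
```

Without the set_operations call the same evaluate(256) yields 1 (rule cannot be applied), which is the situation the note about the IN condition warns about.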