IABACRootPolicyObject.Policies

Syntax

Policies: IABACPolicySets;

Policies: Prognoz.Platform.Interop.ABAC.IABACPolicySets;

Description

The Policies property returns the collection of policy sets.

Comments

This property is used when the attribute-based access control structure is defined.

Example

To execute the example, make sure that the repository contains the USERS group and an object with the key 52.

Add links to the ABAC, Metabase, Dal, ForeSystem (for the Fore.NET example) system assemblies.

Sub UserProc;
Var
    Repo: IMetabase;
    SecMgr: IMetabaseSecurity;
    AdmLicense: Object;
    RootPolicy: IABACRootPolicyObject;
    PolSet: IABACPolicySet;
    Pol: IABACPolicy;
    NewRule: IABACRule;
Begin
    Repo := MetabaseClass.Active;
    // Working with the security manager requires the administration license;
    // it is held in AdmLicense until the reference is dropped at the end
    AdmLicense := Repo.RequestLicense(UiLicenseFeatureType.Adm);
    SecMgr := Repo.Security;
    // Switch attribute-based access control on in the security policy
    SecMgr.Policy.AttributeBasedAccessControl := True;
    RootPolicy := SecMgr.Policy.ABACRules;
    // Root combining algorithm: permit-override
    RootPolicy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Clear removes every policy set already present in the repository,
    // so run this example against a test repository only
    RootPolicy.Policies.Clear;
    // New policy set; its name is stored for the current locale, whereas the
    // policy and rule below store their names for the Russian locale only
    PolSet := RootPolicy.Policies.Add;
    PolSet.Name(Repo.CurrentLocale) := "Test policies set";
    PolSet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // New policy; its target limits it to SUBJECT.NAME equal to USERS
    Pol := PolSet.Policies.Add;
    Pol.Active := True;
    Pol.Name(LocaleCodeID.Russian) := "Test policy";
    Pol.Id := "POLICY";
    Pol.Description(LocaleCodeID.Russian) := "Policy contains rule for access to read object";
    Pol.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    Pol.Target.AttributeId := "SUBJECT.NAME";
    Pol.Target.Operation := ABACTargetOperation.Equal;
    Pol.Target.AttributeValue := "USERS";
    // New rule: matches OPERATION equal to 2 on the object with key 52 and permits it.
    // The page describes this as a read rule, so 2 presumably denotes the read
    // operation -- confirm against the platform's operation codes
    NewRule := Pol.Rules.Add;
    NewRule.Active := True;
    NewRule.Name(LocaleCodeID.Russian) := "Test rule";
    NewRule.Id := "RULE";
    NewRule.Description(LocaleCodeID.Russian) := "Read rule for the USERS group";
    NewRule.Target.AttributeId := "OPERATION";
    NewRule.Target.Operation := ABACTargetOperation.Equal;
    NewRule.Target.AttributeValue := 2;
    NewRule.Condition.AsString := "OBJECT.KEY = 52";
    NewRule.Effect := ABACRuleEffect.Permit;
    Debug.WriteLine("Rule key: " + NewRule.Key.ToString);
    // Commit the changes to the security manager
    SecMgr.Apply;
    // Dropping the reference checks the license in
    AdmLicense := Null;
End Sub UserProc;

Imports Prognoz.Platform.Interop.ABAC;
Imports Prognoz.Platform.Interop.Metabase;
Imports Prognoz.Platform.Interop.ForeSystem;

Public Shared Sub Main(Params: StartParams);
Var
    Repo: IMetabase;
    SecMgr: IMetabaseSecurity;
    AdmLicense: Object;
    RootPolicy: IABACRootPolicyObject;
    PolSet: IABACPolicySet;
    Pol: IABACPolicy;
    NewRule: IABACRule;
Begin
    Repo := Params.Metabase;
    // Working with the security manager requires the administration license;
    // it is held in AdmLicense until the reference is dropped at the end
    AdmLicense := Repo.RequestLicense(UiLicenseFeatureType.lftAdm);
    SecMgr := Repo.Security;
    // Switch attribute-based access control on in the security policy
    SecMgr.Policy.AttributeBasedAccessControl := True;
    RootPolicy := SecMgr.Policy.ABACRules;
    // Root combining algorithm: permit-override
    RootPolicy.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
    // Clear removes every policy set already present in the repository,
    // so run this example against a test repository only
    RootPolicy.Policies.Clear();
    // New policy set; its name is stored for the current locale, whereas the
    // policy and rule below store their names for the Russian locale only
    PolSet := RootPolicy.Policies.Add();
    PolSet.Name(Repo.CurrentLocale) := "Test policies set";
    PolSet.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
    // New policy; its target limits it to SUBJECT.NAME equal to USERS
    Pol := PolSet.Policies.Add();
    Pol.Active := True;
    Pol.Name[LocaleCodeID.lcidRussian] := "Test policy";
    Pol.Id := "POLICY";
    Pol.Description[LocaleCodeID.lcidRussian] := "Policy contains rule for access to read object";
    Pol.CombineAlgorithm := ABACCombineAlgorithm.abacrcaPermitOverride;
    Pol.Target.AttributeId := "SUBJECT.NAME";
    Pol.Target.Operation := ABACTargetOperation.abactoEqual;
    Pol.Target.AttributeValue := "USERS";
    // New rule: matches OPERATION equal to 2 on the object with key 52 and permits it.
    // The page describes this as a read rule, so 2 presumably denotes the read
    // operation -- confirm against the platform's operation codes
    NewRule := Pol.Rules.Add();
    NewRule.Active := True;
    NewRule.Name[LocaleCodeID.lcidRussian] := "Test rule";
    NewRule.Id := "RULE";
    NewRule.Description[LocaleCodeID.lcidRussian] := "Read rule for the USERS group";
    NewRule.Target.AttributeId := "OPERATION";
    NewRule.Target.Operation := ABACTargetOperation.abactoEqual;
    NewRule.Target.AttributeValue := 2;
    NewRule.Condition.AsString := "OBJECT.KEY = 52";
    NewRule.Effect := ABACRuleEffect.abacrePermit;
    System.Diagnostics.Debug.WriteLine("Rule key: " + NewRule.Key.ToString());
    // Commit the changes to the security manager
    SecMgr.Apply();
    // Dropping the reference checks the license in
    AdmLicense := Null;
End Sub;

After the example is executed, the security manager enables attribute-based access control, the specified access control structure with its rules is created, and a rule granting the USERS group read access to the object is added:

The console displays the key of the new rule:

Rule key: 36

See also:

IABACRootPolicyObject