Executing the example requires an MDM repository with the NSI_1 identifier that contains an MDM dictionary with the Dict_1 identifier. The option for access permissions of elements is enabled for the dictionary. Besides the basic Admin user and the Administrators group, the list of access subjects includes two users, to which security labels 2 and 3 are mapped. These users are not members of the administrators group.
Sub UserProc;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    Dict: IRdsDictionary;
    Attrs: IRdsAttributes;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    Data: IRdsDictionaryElementData;
    SecLab: ISecurityLabels;
    User, User1, User2: ISecuritySubject;
Begin
    MB := MetabaseClass.Active;
    //Get MDM dictionary
    MObj := MB.ItemByIdNamespace("Dict_1", MB.GetObjectKeyById("NSI_1")).Bind;
    Dict := MObj As IRdsDictionary;
    //Get attributes' list
    Attrs := Dict.Attributes;
    //Open dictionary
    DictInst := Dict.Open(Null);
    Elements := DictInst.Elements;
    //Get the first element for which the permissions are given
    Element := Elements.Item(1);
    Data := Element.Data;
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    User := SecLab.Mapping(0); //Admin
    User1 := SecLab.Mapping(2); //The first additional user
    User2 := SecLab.Mapping(3); //The second additional user
    //Grant permissions
    Data.AccessAttribute(Attrs.AccessAccess.Key) := SecLab.ValueStr(User);
    Data.AccessAttribute(Attrs.DeleteAccess.Key) := SecLab.ValueStr(User1);
    Data.AccessAttribute(Attrs.ReadAccess.Key) := (SecLab.Value(User) + SecLab.Value(User1) + SecLab.Value(User2)).ToString;
    Data.AccessAttribute(Attrs.WriteAccess.Key) := (SecLab.Value(User1) + SecLab.Value(User2)).ToString;
    //Update element information
    Element.Update(Data);
End Sub UserProc;
After executing the example, access permissions for the first element of the MDM dictionary are changed. All users have permission to view the element. The first additional user has permission to delete it. Both additional users have permission to edit it. The Admin user has permission to change permissions.
To check the access permissions, convert the mask to binary form and check which security subjects the bits with the value 1 are associated with. Bits with the value 0 either correspond to security subjects that are not allowed to perform the operation or are not associated with any security subject. To convert the mask to binary form, use the DecToBin procedure, whose code is given in the Working with Access Mask example.
Sub CheckMask;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    SecLab: ISecurityLabels;
    AccessMask: Integer;
    BinMask: String;
    c: Char;
    i: Integer;
Begin
    MB := MetabaseClass.Active;
    //Get MDM dictionary
    MObj := MB.ItemByIdNamespace("Dict_1", MB.GetObjectKeyById("NSI_1")).Bind;
    //Open dictionary
    DictInst := MObj.Open(Null) As IRdsDictionaryInstance;
    Elements := DictInst.Elements;
    //Get the first element for which access permissions are set
    Element := Elements.Item(1);
    //Get parameters of security labels
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    //Permissions to edit data of the first element
    AccessMask := Element.Access(RdsAccessAttribute.WriteAccess);
    BinMask := DecToBin(AccessMask);
    For i := BinMask.Length To 1 Step - 1 Do
        //Get bit from character string and check its value
        c := BinMask.Chars(i - 1);
        //If value of the current bit is 1, get the user associated with this bit
        If c = '1' Then
            //Bits are numerated from right to left. To get the bit number, subtract
            //the current position from general length.
            Debug.WriteLine(SecLab.Mapping(BinMask.Length - i).Name);
        End If;
    End For;
End Sub CheckMask;
After executing the example, the console window displays the names of the security subjects that have permission to edit data of the first element of the MDM dictionary.
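The bit arithmetic behind both procedures, modelled in Python as an added example (it is not Fore code and not part of the platform's own examples). It assumes each label's value is 2 raised to its bit number, as the right-to-left bit numbering in CheckMask implies; the names User1 and User2 and the drifted mask are constructed placeholders.

```python
# Constructed model of the label mapping: bit number -> subject name.
# Bit 0 = Admin and bits 2, 3 = the two additional users follow the example;
# the names "User1" and "User2" are placeholders.
MAPPING = {0: "Admin", 2: "User1", 3: "User2"}

def build_mask(bits):
    """Combine label bits into a mask. OR is used instead of the example's '+'
    so that listing the same label twice cannot carry into another bit."""
    mask = 0
    for bit in bits:
        mask |= 1 << bit  # assumption: a label's value is 2**bit
    return mask

def decode_mask(mask, mapping=MAPPING):
    """Return (subject names, unmapped bit numbers) for every bit set to 1."""
    if mask < 0:
        raise ValueError("access mask must be non-negative")
    names, unmapped, bit = [], [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            if bit in mapping:
                names.append(mapping[bit])
            else:
                unmapped.append(bit)  # set bit with no subject behind it
        bit += 1
    return names, unmapped

def audit(masks, policy, mapping=MAPPING):
    """Compare each permission mask with the intended subjects and return
    only the permissions that deviate from the policy."""
    findings = {}
    for perm, expected in policy.items():
        names, unmapped = decode_mask(masks.get(perm, 0), mapping)
        extra = sorted(set(names) - set(expected))
        missing = sorted(set(expected) - set(names))
        if extra or missing or unmapped:
            findings[perm] = {"extra": extra, "missing": missing, "unmapped": unmapped}
    return findings

# Intended policy and the masks that UserProc sets, rebuilt from label bits.
POLICY = {"Read": ["Admin", "User1", "User2"], "Write": ["User1", "User2"],
          "Delete": ["User1"], "Access": ["Admin"]}
MASKS = {"Read": build_mask([0, 2, 3]), "Write": build_mask([2, 3]),
         "Delete": build_mask([2]), "Access": build_mask([0])}

if __name__ == "__main__":
    print(MASKS)
    print(audit(MASKS, POLICY))
    drifted = dict(MASKS, Write=29)  # constructed: bits 0, 2, 3 and 4 set
    print(audit(drifted, POLICY))
```
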