AccessMask: Integer;
The AccessMask property determines the mask of access permissions to an object.
The mask value is a 4-byte binary number presented in decimal form. Depending on the type of the additional security parameter, the property returns different values:
Allowing parameter - the property returns a value that corresponds to the list of explicitly assigned allowances on operations.
Prohibiting parameter - the property returns a value that corresponds to the list of explicitly assigned prohibitions on operations.
Operation audit on an object - the property returns a value that corresponds to the list of operations for which access audit is performed.
To form and check a mask value, use values of the MetabaseObjectPredefinedRights enumeration. This enumeration contains the basic and additional operations for which permissions can be given and access audit can be performed. Specific operations are available for certain classes of objects. To include specific operations in a mask, depending on the object class, use values of the following enumerations:
CalculatedCubeSpecificRights are specific operations available for calculated cubes.
CubeLoaderSpecificRights are specific operations available for loading data in a cube.
CubeSpecificRights are specific operations available for different types of cubes.
CustomObjectSpecificRights are specific operations available for objects of custom classes.
DataBaseSpecificRights are specific operations available for repository object - Database.
DictionarySpecificRights are specific operations available for repository objects - MDM Dictionary and Composite MDM dictionary.
MDCalcSpecificRights are specific operations available for repository object - Multidimensional calculation on DB server.
ProblemSpecificRights are specific operations available for an object of modeling container - Modeling task.
ProcedureSpecificRights are specific operations available for repository object - Procedure.
ScenarioDimensionSpecificRights are specific operations available for the repository object - Modeling Scenario.
TableSpecificRights are specific operations available for the following repository objects - Table, View, Log, External table.
ValidationSpecificRights are specific operations available for repository object - Validation rule and Validation group.
Basic, additional and specific operations available for specified object types are shown in the Types of Events section.
To analyze a mask value, it is necessary to implement a custom function that compares separate mask bits with the relevant enumeration values. An example of working with an access mask is shown in the Examples: Working with access mask section.
Executing the example requires that the repository contains a table with the Table_1 identifier. The TestUser user must be among the security subjects created in the security manager of the current repository.
Sub Main;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    User: ISecuritySubject;
    Acl: IAccessControlList;
    Entry, AllowedEntry, DeniedEntry: IAccessControlEntry;
    AccessAllowed, AccessDenied: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Table_1");
    // Object security descriptor
    SecDesc := MDesc.SecurityDescriptor;
    // User whose access permissions are to be changed
    User := MB.Security.ResolveName("TestUser");
    SecDesc.Edit;
    // Additional security parameters
    Acl := SecDesc.Acl;
    // Form the allowing and prohibiting masks:
    // Basic operations that are allowed
    AccessAllowed := MetabaseObjectPredefinedRights.Read;
    // Specific operations that are allowed
    AccessAllowed := AccessAllowed Or
        TableSpecificRights.SelectRows Or
        TableSpecificRights.UpdateRows;
    // Basic operations that are prohibited
    AccessDenied := MetabaseObjectPredefinedRights.WritePars Or
        MetabaseObjectPredefinedRights.WriteDescr;
    // Specific operations that are prohibited
    AccessDenied := AccessDenied Or
        TableSpecificRights.InsertRows Or
        TableSpecificRights.DeleteRows;
    // Search for the additional security parameter
    // that allows operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
            AllowedEntry := Entry;
        End If;
    End For;
    // If the parameter exists, set the formed mask in it;
    // otherwise create a new additional security parameter
    If AllowedEntry <> Null Then
        AllowedEntry.AccessMask := AccessAllowed;
    Else
        Acl.AddAce(AceType.AccessAllowed, User.Sid, AccessAllowed);
    End If;
    // Search for the additional security parameter
    // that prohibits operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
            DeniedEntry := Entry;
        End If;
    End For;
    // If the parameter exists, set the formed mask in it;
    // otherwise create a new additional security parameter
    If DeniedEntry <> Null Then
        DeniedEntry.AccessMask := AccessDenied;
    Else
        Acl.AddAce(AceType.AccessDenied, User.Sid, AccessDenied);
    End If;
    // Save the changes made to the security descriptor
    SecDesc.Apply(True);
End Sub Main;
After executing this example, the additional security parameters of the specified object are changed. If the object's additional security parameters already include parameters that determine access permissions for the TestUser user, they are changed. If the relevant parameters do not exist, they are created. The allowing and prohibiting access masks are formed in the AccessAllowed and AccessDenied variables respectively.
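The mask analysis mentioned above, as an added example that is not part of the original documentation: it reads back the additional security parameters of TestUser on Table_1 and reports which operations are explicitly allowed, prohibited, or present in both masks. The names AddName, DescribeMask and AuditTable are hypothetical, only the enumeration values used in the example above are checked, and it is assumed that enumeration values can be passed to Integer parameters in the same way the example above assigns them to Integer variables.

```fore
// Appends Title to Names when every bit of Bits is set in Mask
Function AddName(Names: String; Mask: Integer; Bits: Integer; Title: String): String;
Begin
    If (Mask And Bits) = Bits Then
        Return Names + Title + " ";
    End If;
    Return Names;
End Function AddName;
// Lists the operations used in the page's example that are present in Mask
Function DescribeMask(Mask: Integer): String;
Var
    s: String;
Begin
    s := AddName("", Mask, MetabaseObjectPredefinedRights.Read, "Read");
    s := AddName(s, Mask, MetabaseObjectPredefinedRights.WritePars, "WritePars");
    s := AddName(s, Mask, MetabaseObjectPredefinedRights.WriteDescr, "WriteDescr");
    s := AddName(s, Mask, TableSpecificRights.SelectRows, "SelectRows");
    s := AddName(s, Mask, TableSpecificRights.UpdateRows, "UpdateRows");
    s := AddName(s, Mask, TableSpecificRights.InsertRows, "InsertRows");
    s := AddName(s, Mask, TableSpecificRights.DeleteRows, "DeleteRows");
    Return s;
End Function DescribeMask;
// Reports explicit allowances and prohibitions of TestUser on Table_1
Sub AuditTable;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    User: ISecuritySubject;
    Entry: IAccessControlEntry;
    Allowed, Denied: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Table_1");
    User := MB.Security.ResolveName("TestUser");
    Allowed := 0;
    Denied := 0;
    // Collect the masks of all allowing and prohibiting parameters of the user
    For Each Entry In MDesc.SecurityDescriptor.Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
            Allowed := Allowed Or Entry.AccessMask;
        End If;
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
            Denied := Denied Or Entry.AccessMask;
        End If;
    End For;
    Debug.WriteLine("Allowed: " + DescribeMask(Allowed));
    Debug.WriteLine("Denied: " + DescribeMask(Denied));
    // An operation present in both masks indicates a conflicting assignment
    Debug.WriteLine("In both masks: " + DescribeMask(Allowed And Denied));
End Sub AuditTable;
```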