AllowCreateUserGrant: Boolean;
AllowCreateUserGrant: System.Boolean;
The AllowCreateUserGrant property enables creating two roles while maintaining the security policy:
The first role includes the "Create user" and "Drop user" system privileges.
The second role includes the "Alter user" system privilege.
By default, this property is deselected. It becomes available only after the roles of the application administrator and the information security administrator (ISA) are separated.
The information security administrator is included in the created roles. Only the administrator can change the property value. If AllowCreateUserGrant is set to False, the roles are deleted.
When a user is updated, the user is either added to the role or removed from it, depending on the user's privileges.
The property is available only for repositories created on the basis of Oracle DBMS.
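To execute the example, make sure that the repository is based on Oracle DBMS. The example looks up the information security administrator by name, so the repository must also contain a user named <repository identifier>_ISA.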
Add links to the Metabase, ForeSystem (for the Fore.NET example) system assemblies.
Sub UserProc;
// Separates the ISA and application administrator roles in the active
// repository, then turns on AllowCreateUserGrant so that the two
// user-administration roles are created.
Var
    Repo: IMetabase;
    SecMgr: IMetabaseSecurity;
    IsaName: String;
    IsaUser: IMetabaseUser;
    SecPolicy: IMetabasePolicy;
    AdmLicense: Object;
Begin
    Repo := MetabaseClass.Active;
    // Hold the administration license while the security manager is in use
    AdmLicense := Repo.RequestLicense(UiLicenseFeatureType.Adm);
    SecMgr := Repo.Security;
    // The ISA account is found by name: repository identifier + "_ISA"
    // NOTE(review): ResolveName presumably fails or yields Null when no such user exists - confirm
    IsaName := Repo.Id + "_ISA";
    IsaUser := SecMgr.ResolveName(IsaName) As IMetabaseUser;
    SecPolicy := SecMgr.Policy;
    // Separate the ISA and application administrator roles first:
    // AllowCreateUserGrant becomes available only once the roles are separated
    SecPolicy.PromoteToIsaMode(IsaUser, IsaModePromoteOptions.RestrictAdminAccess Or IsaModePromoteOptions.RestrictIsaAccess);
    // Create the two roles: "Create user"/"Drop user" and "Alter user"
    SecPolicy.AllowCreateUserGrant := True;
    // Nothing above takes effect until the security changes are saved
    SecMgr.Apply;
    // Release the license
    AdmLicense := Null;
End Sub UserProc;
Imports Prognoz.Platform.Interop.Metabase;
Imports Prognoz.Platform.Interop.ForeSystem;
…
Public Shared Sub Main(Params : StartParams);
// Separates the ISA and application administrator roles in the repository
// passed in Params, then turns on AllowCreateUserGrant so that the two
// user-administration roles are created.
Var
    Repo: IMetabase;
    SecMgr: IMetabaseSecurity;
    IsaUser: IMetabaseUser;
    SecPolicy: IMetabasePolicy;
    AdmLicense: Object;
Begin
    Repo := Params.Metabase;
    // Hold the administration license while the security manager is in use
    AdmLicense := Repo.RequestLicense(UiLicenseFeatureType.lftAdm);
    SecMgr := Repo.Security;
    // The ISA account is found by name: repository identifier + "_ISA"
    // NOTE(review): ResolveName presumably fails or yields Null when no such user exists - confirm
    IsaUser := SecMgr.ResolveName(Repo.Id + "_ISA") As IMetabaseUser;
    SecPolicy := SecMgr.Policy;
    // Separate the ISA and application administrator roles first:
    // AllowCreateUserGrant becomes available only once the roles are separated
    SecPolicy.PromoteToIsaMode(IsaUser, IsaModePromoteOptions.ismopropRestrictAdminAccess Or IsaModePromoteOptions.ismopropRestrictIsaAccess);
    // Create the two roles: "Create user"/"Drop user" and "Alter user"
    SecPolicy.AllowCreateUserGrant := True;
    // Nothing above takes effect until the security changes are saved
    SecMgr.Apply();
    // Release the license
    AdmLicense := Null;
End Sub;
After executing the example, the mode that separates the roles of the information security administrator (ISA) and the application administrator is enabled. Two roles are created for the ISA; these roles are used for user administration.
See also: