ISecurityDescriptor.GetEffectiveRightsAudit

Syntax

GetEffectiveRightsAudit(Subject: ISecuritySubject; DesiredAccess: Integer; Var Access: Integer; Var Audit: Integer);

Parameters

Subject. The security subject for which effective access permissions are calculated.

DesiredAccess. The desired access permissions against which effective access permissions are calculated.

Access. Variable that receives the decimal value corresponding to the user's effective access permissions for the object.

Audit. Variable that receives the value corresponding to the access auditing of the user for the object.

Description

The GetEffectiveRightsAudit method calculates the user's effective access permissions and access auditing for a repository object, based on the required permissions.

Comments

When effective permissions are calculated, the selected access control methods are taken into account. If discretionary access control is used, class-level permissions are additionally calculated for the specific object type.

An access mask is used to specify the required access permissions. After the calculation, the variables specified in the Access and Audit parameters also contain access masks. A mask value is a 4-byte binary number converted to decimal form. Use the values of the MetabaseObjectPredefinedRights enumeration to form the mask of required access permissions and to check the returned values. This enumeration contains the main and additional operations for which rights can be granted. Specific operations are available for particular object classes. Values of the following enumerations can be used to check specific operations depending on the object class:

The basic, additional and specific operations available for particular object types are listed in the Types of Events section.

To analyze a mask value, implement a custom function that compares individual mask bits with the relevant enumeration values. An example of working with an access mask is given in the Working with Access Mask section.

The effective permissions returned in the variable specified in the Access parameter are formed based on the required access permissions. If any operations depend on the main and additional operations, they are also included in the effective permissions.

To obtain the value that corresponds to the access auditing of the user for the object, first calculate the maximum auditing value available for objects of this class. Then add the value of the variable specified in the Audit parameter to the obtained value. If the result is not zero, the operations specified in the required permissions are audited for the current user.

Example

Executing the example requires that the repository contains an object with the Obj_1 identifier and that the security subjects created in the security manager of the current repository include the TestUser user.

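Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Access, Audit: Integer;
Begin
    MB := MetabaseClass.Active;
    // Security subject whose permissions are checked
    Subj := MB.Security.ResolveName("TestUser");
    // Object whose security descriptor is evaluated
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    // The desired access mask combines two operations with a bitwise Or;
    // the results are returned in the Access and Audit variables
    SecDesc.GetEffectiveRightsAudit(Subj,
        MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access,
        Access, Audit);
End Sub UserProc;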

After executing the example, the Access and Audit variables contain values that correspond to the effective access permissions and access auditing of the specified user. The effective rights and the auditing are calculated relative to the Removal and Rights change operations.
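
The bit comparison described in Comments, applied to the result of the same call. This is an added example, not part of the original documentation; HasRights, ReportRight and CheckUserRights are hypothetical names, and it assumes that And on Integer operands is bitwise, like the Or used above.

```fore
// Added example, not part of the original documentation.
// Assumption: And on Integer operands is bitwise, like Or in the example above.

// True only if every bit set in Rights is also set in Mask.
Function HasRights(Mask: Integer; Rights: Integer): Boolean;
Begin
    Return (Mask And Rights) = Rights;
End Function HasRights;

// Prints whether one operation is present in the effective permissions mask.
Sub ReportRight(Title: String; Op: Integer; Access: Integer);
Begin
    If HasRights(Access, Op) Then
        Debug.WriteLine(Title + ": allowed");
    Else
        Debug.WriteLine(Title + ": not allowed");
    End If;
End Sub ReportRight;

Sub CheckUserRights;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Desired, Access, Audit, Granted, Missing, Extra: Integer;
Begin
    MB := MetabaseClass.Active;
    Subj := MB.Security.ResolveName("TestUser");
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    Desired := MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access;
    SecDesc.GetEffectiveRightsAudit(Subj, Desired, Access, Audit);
    // Check each requested operation separately.
    ReportRight("Delete", MetabaseObjectPredefinedRights.Delete, Access);
    ReportRight("Access", MetabaseObjectPredefinedRights.Access, Access);
    // Split the result into requested bits that were granted, requested bits
    // that are missing, and bits added for dependent operations.
    Granted := Access And Desired;
    Missing := Desired - Granted;
    Extra := Access - Granted;
    Debug.WriteLine("Granted mask: " + Granted.ToString);
    Debug.WriteLine("Missing mask: " + Missing.ToString);
    Debug.WriteLine("Dependent operations mask: " + Extra.ToString);
    // Audit is printed as returned; interpret it as described in Comments.
    Debug.WriteLine("Audit value: " + Audit.ToString);
End Sub CheckUserRights;
```

A non-zero Missing mask means at least one of the requested operations is not allowed for the user, so code that gates an action on this call should compare against the full desired mask rather than test Access for a non-zero value.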

See also:

ISecurityDescriptor