ISecurityDescriptor.GetEffectiveRightsAuditLabel

Syntax

GetEffectiveRightsAuditLabel(
    Subject: ISecuritySubject;
    DesiredAccess: Integer;
    Var Access: Integer;
    Var Audit: Integer;
    Var Label: ISecurityDocumentLabel);

Parameters

Subject. Security subject for which effective access permissions are calculated.

DesiredAccess. Desired access permissions, relative to which effective access permissions are calculated.

Access. Integer variable that receives the value corresponding to the effective access permissions of the user to the object.

Audit. Integer variable that receives the value corresponding to the access audit of the user to the object.

Label. Variable that receives the security label parameters. The security label is calculated if mandatory access control to objects is active.

Description

The GetEffectiveRightsAuditLabel method calculates the effective access permissions and access auditing of the user, as well as the parameters of the security label that is used when printing and exporting repository objects.

Comments

Effective permissions are calculated according to the selected access control methods. If discretionary access control is used, permissions by classes are additionally calculated for the specific object type.

An access mask is used to specify the necessary access permissions. After calculation, access masks are also contained in the variables specified in the Access and Audit parameters. A mask value is a 4-byte binary number converted to decimal form. Use the values of the MetabaseObjectPredefinedRights enumeration to form the mask of the necessary access permissions and to check the received values. This enumeration contains the main and additional operations for which rights can be granted. Specific operations are available for particular classes of objects. Values of the following enumerations can be used to check specific operations depending on the object class:

Basic, additional and specific operations available for the specified object types are shown in the Types of Events section.

To analyze a mask value, implement a custom function that compares separate mask bits with the relevant enumeration values. An example of working with an access mask is shown in the Examples: Working with Access Mask section.

Effective rights returned in the variable specified in the Access parameter are formed on the basis of the necessary access permissions. If any operations depend on the main and additional operations, they are also included in the effective permissions.

To obtain the value that corresponds to the access auditing of the user to the object, first calculate the maximum auditing value available for objects of this class. Then add the value of the variable specified in the Audit parameter to the obtained value. If the resulting value is not zero, the operations specified in the necessary rights are audited for the current user.

Example

Executing the example requires that the repository contains an object with the Obj_1 identifier and that the TestUser user is among the security subjects created in the security manager of the current repository.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Access, Audit: Integer;
    Lab: ISecurityDocumentLabel;
Begin
    MB := MetabaseClass.Active;
    // Security subject for which permissions are calculated
    Subj := MB.Security.ResolveName("TestUser");
    // Security descriptor of the checked object
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    // Calculate effective permissions, auditing and security label
    SecDesc.GetEffectiveRightsAuditLabel(Subj,
        MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access,
        Access, Audit, Lab);
    // Display security label parameters if the label is enabled
    If Lab.IsON Then
        Debug.WriteLine(Lab.Label);
        Debug.WriteLine(Lab.LabelDescription);
        Debug.WriteLine(Lab.TreatSectionAsDocument);
        Debug.WriteLine(Lab.User.Name);
    End If;
End Sub UserProc;

After executing this example, the Access and Audit variables contain values that correspond to the effective access permissions and access auditing of the specified user. The effective rights and the auditing are calculated relative to the Removal and Rights change operations. If mandatory access control is activated in the repository and a level that requires marking of objects on export and print is specified for the object, the Lab variable contains the parameters of the security label that is used for marking. These parameters are displayed in the development environment console.
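
The Comments section says a custom function is needed to compare mask bits with enumeration values. The following is an added example, not part of the original documentation, that checks the returned Access mask for the two operations requested above. The HasRight function and the CheckDeleteAndAccess procedure are hypothetical names, and the code assumes that And is applied bitwise to Integer operands in the same way as Or in the example above.

```fore
// Added example, not from the original documentation.
// Assumption: And is bitwise for Integer operands, as Or is in the call below.
Function HasRight(Mask: Integer; Flag: Integer): Boolean;
Begin
    // The operation is permitted only if all of its bits are set in the mask
    Return (Mask And Flag) = Flag;
End Function HasRight;

Sub CheckDeleteAndAccess;
Var
    MB: IMetabase;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Desired, Access, Audit: Integer;
    Lab: ISecurityDocumentLabel;
Begin
    MB := MetabaseClass.Active;
    Subj := MB.Security.ResolveName("TestUser");
    SecDesc := MB.ItemById("Obj_1").SecurityDescriptor;
    // Mask of the necessary access permissions
    Desired := MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access;
    SecDesc.GetEffectiveRightsAuditLabel(Subj, Desired, Access, Audit, Lab);
    // Check each requested operation separately
    If HasRight(Access, MetabaseObjectPredefinedRights.Delete) Then
        Debug.WriteLine("Delete: permitted");
    Else
        Debug.WriteLine("Delete: not permitted");
    End If;
    If HasRight(Access, MetabaseObjectPredefinedRights.Access) Then
        Debug.WriteLine("Change rights: permitted");
    Else
        Debug.WriteLine("Change rights: not permitted");
    End If;
    // Fail closed: proceed only if every requested bit is present.
    // Access may also contain dependent operations, so test for
    // inclusion of Desired rather than equality with it.
    If HasRight(Access, Desired) Then
        Debug.WriteLine("All requested operations are permitted");
    Else
        Debug.WriteLine("At least one requested operation is not permitted");
    End If;
End Sub CheckDeleteAndAccess;
```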

See also:

ISecurityDescriptor