Controlling Access Permissions to Elements

Executing the example requires the MDM repository NSI_1 that contains an MDM dictionary with the Dict_1 identifier.Access permissions option of elements is enabled for the dictionary. Two users are included in the list of access subjects except for the basic user Admin and the Administrators group. Security labels 2 and 3 are correlated to them. These users are not included in the group of administrators.

Sub UserProc;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    Dict: IRdsDictionary;
    Attrs: IRdsAttributes;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    Data: IRdsDictionaryElementData;
    SecLab: ISecurityLabels;
    User, User1, User2: ISecuritySubject;
Begin
    MB := MetabaseClass.Active;
    //Get MDM dictionary
    MObj := MB.ItemByIdNamespace("Dict_1", MB.GetObjectKeyById("NSI_1")).Bind;
    Dict := MObj As IRdsDictionary;
    //Get attributes' list
    Attrs := Dict.Attributes;
    //Open dictionary
    DictInst := Dict.Open(Null);
    Elements := DictInst.Elements;
    //Get the first element for which the permissions are given
    Element := Elements.Item(1);
    Data := Element.Data;
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    User := SecLab.Mapping(0); //Admin
    User1 := SecLab.Mapping(2); //The first additional user
    User2 := SecLab.Mapping(3); //The second additional user
    //Grant permissions
    Data.AccessAttribute(Attrs.AccessAccess.Key) := SecLab.ValueStr(User);
    Data.AccessAttribute(Attrs.DeleteAccess.Key) := SecLab.ValueStr(User1);
    Data.AccessAttribute(Attrs.ReadAccess.Key) := (SecLab.Value(User) + SecLab.Value(User1) + SecLab.Value(User2)).ToString;
    Data.AccessAttribute(Attrs.WriteAccess.Key) := (SecLab.Value(User1) + SecLab.Value(User2)).ToString;
    //Update element information
    Element.Update(Data);
End Sub UserProc;

After executing the example access permissions for the first element of the MDM dictionary are changed. All users have permission to view the element. The first additional user has permission to remove. Two additional users have permission to edit. The Admin user has permission to change permissions.

To check the access permissions, it is necessary to cast the mask to binary mode and check, with whom the bits having the value 1 are associated. The bits having the value 0 correspond to security objects, which are forbidden to act, or the bits are not associated with any security objects. To cast the mask to binary mode, run the DecToBin procedure, which code is given in the Working with Access Mask example.

Sub CheckMask;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    SecLab: ISecurityLabels;
    AccessMask: Integer;
    BinMask: String;
    c: Char;
    i: Integer;
Begin
    MB := MetabaseClass.Active;
    //Get MDM dictionary
    MObj := MB.ItemByIdNamespace("Dict_1", MB.GetObjectKeyById("NSI_1")).Bind;
    //Open dictionary
    DictInst := MObj.Open(NullAs IRdsDictionaryInstance;
    Elements := DictInst.Elements;
    //Get the first element for which access permissions are set
    Element := Elements.Item(1);
    //Get parameters of security labels
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    //Permissions to edit data of the first element
    AccessMask := Element.Access(RdsAccessAttribute.WriteAccess);
    BinMask := DecToBin(AccessMask);
    For i := BinMask.Length To 1 Step - 1 Do
        //Get bit from character string and check its value
        c := BinMask.Chars(i - 1);
        //If value of the current bit is 1, get the user associated with this bit
        If c = '1' Then
            //Bits are numerated from right to left. To get the bit number, subtract
            //the current position from general length.
            Debug.WriteLine(SecLab.Mapping(BinMask.Length - i).Name);
        End If;
    End For;
End Sub CheckMask;

On executing the example the console window displays names of the security objects, which have permissions to edit data of the first element of the MDM dictionary.

See also:

Examples