Attribute-based access control method allows for setting access permissions for specific elements of MDM dictionary. Access permissions for MDM dictionary elements are separated on:
Simultaneous use of attribute-based access control and discretionary access control methods.
On the use of only attribute-based access control method.
The attribute element is set as OBJECT.ELEMENT.<attribute identifier>. Attribute identifiers are contained on the Attributes tab on opening dictionary for edit.
NOTE. An element attribute is set only in additional condition of the rule. On creating an additional condition, take into account features of attribute use.
Operations with MDM dictionary elements are contained in the DictionarySpecificRights enumeration.
For details about separating access permissions for MDM dictionary elements, see the Access Permissions for MDM Dictionary Objects section.
Consider an example of denying user access to read the MDM dictionary element with the 1 key on simultaneous use of attribute-based access control method and discretionary access control method.
Executing the example requires the following conditions to be satisfied:
The repository root contains an MDM dictionary with the DICTIONARY identifier. The dictionary must contain at least two elements.
The security manager contains the USER user.
The Policies Editor section of the security manager has the Use Attribute-Based Access Control and Use Discretionary Access Control checkboxes selected, and the OR access permissions combination algorithm is selected.
All operations with objects are allowed in the parameters of discretionary access control for a specific user:
Folder containing MDM dictionary. If MDM dictionary is not located in the repository root, but in the folder or folder hierarchy, each folder must not have forbidden operations.
Database that stores MDM dictionary data.
Internal MDM dictionary table.
Discretionary access control permissions are set up for each object on the Discretionary Access Control tab in the Access Control Settings dialog box.
Add links to the ABAC, Metabase, and Rds system assemblies.
Sub UserProc;
Var
PolicyObject: IABACRootPolicyObject;
PolicySet: IABACPolicySet;
Policy: IABACPolicy;
Rules: IABACRules;
Rule: IABACRule;
MB: IMetabase;
MS: IMetabaseSecurity;
Lic: Object;
DimObj: IMetabaseObject;
Dim: IRdsDictionary;
Begin
MB := MetabaseClass.Active;
//Get license to work with the security manager
Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
MS := MB.Security;
// Set the Elements Have Attribute Access Permissions attribute for MDM dictionary
DimObj := MB.ItemById("DICTIONARY").Edit;
Dim := DimObj As IRdsDictionary;
Dim.AbacSecured := True;
DimObj.Save;
// Get attribute-based access control
PolicyObject := MB.Security.Policy.ABACRules;
// Clear attribute-based access control structure and set new one
PolicyObject.Policies.Clear;
// Set algorithm of root attribute-based access policy - Allow overriding
PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a policies set
PolicySet := PolicyObject.Policies.Add;
PolicySet.Name(MB.CurrentLocale) := "Policies set for the USER user";
PolicySet.Target.AttributeId := "SUBJECT.NAME";
PolicySet.Target.Operation := ABACTargetOperation.Equal;
PolicySet.Target.AttributeValue := "USER";
PolicySet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a policy to access an MDM dictionary with the DICTIONARY identifier
Policy := PolicySet.Policies.Add;
Policy.Name(MB.CurrentLocale) := "Allow access to MDM dictionary";
Policy.Target.AttributeId := "OBJECT.ID";
Policy.Target.Operation := ABACTargetOperation.Equal;
Policy.Target.AttributeValue := "DICTIONARY";
Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Add a rule to deny access to MDM dictionary element with the 1 key
Rules := Policy.Rules;
Rule := Rules.Add;
Rule.Name(LocaleCodeID.Russian) := "Deny access to MDM dictionary element";
Rule.Target.AttributeId := "OPERATION";
Rule.Target.Operation := ABACTargetOperation.Equal;
Rule.Target.AttributeValue := 1048576;
Rule.Condition.AsString := "OBJECT.ELEMENT.KEY = 1";
Rule.Effect := ABACRuleEffect.Deny;
// Apply changes in security manager
MS.Apply;
// Check in license
Lic := Null;
End Sub UserProc;
After executing the example:
In basic settings of MDM dictionary the Elements have Attribute-Based Access Permissions checkbox will be selected.
In the Attribute-Based Access Control section of the security manager the specified attribute-based access control structure is added with denial of user access to read the MDM dictionary element with the 1 key:
When the attribute-based access control is implemented in the object navigator, the MDM dictionary element with the 1 key is not displayed for the USER user.
See also:
Examples | Access Permissions for MDM Repository Objects | Basic Dictionary Settings