Access Permissions for MDM Dictionary Elements

Attribute-based access control method allows for setting access permissions for specific elements of MDM dictionary. Access permissions for MDM dictionary elements are separated on:

The attribute element is set as OBJECT.ELEMENT.<attribute identifier>. Attribute identifiers are contained on the Attributes tab on opening dictionary for edit.

NOTE. An element attribute is set only in additional condition of the rule. On creating an additional condition, take into account features of attribute use.

Operations with MDM dictionary elements are contained in the DictionarySpecificRights enumeration.

For details about separating access permissions for MDM dictionary elements, see the Access Permissions for MDM Dictionary Objects section.

Consider an example of denying user access to read the MDM dictionary element with the 1 key on simultaneous use of attribute-based access control method and discretionary access control method.

Example

Executing the example requires the following conditions to be satisfied:

Discretionary access control permissions are set up for each object on the Discretionary Access Control tab in the Access Control Settings dialog box.

Add links to the ABAC, Metabase, and Rds system assemblies.

Sub UserProc;
Var
    PolicyObject: IABACRootPolicyObject;
    PolicySet: IABACPolicySet;
    Policy: IABACPolicy;
    Rules: IABACRules;
    Rule: IABACRule;
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Lic: Object;
    DimObj: IMetabaseObject;
    Dim: IRdsDictionary;
Begin
    MB := MetabaseClass.Active;
    //Get license to work with the security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    // Set the Elements Have Attribute Access Permissions attribute for MDM dictionary
    DimObj := MB.ItemById("DICTIONARY").Edit;
    Dim := DimObj As IRdsDictionary;
    Dim.AbacSecured := True;
    DimObj.Save;
    // Get attribute-based access control
    PolicyObject := MB.Security.Policy.ABACRules;
    // Clear attribute-based access control structure and set new one
    PolicyObject.Policies.Clear;        
    // Set algorithm of root attribute-based access policy - Allow overriding
    PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Add a policies set
    PolicySet := PolicyObject.Policies.Add;
    PolicySet.Name(MB.CurrentLocale) := "Policies set for the USER user";
    PolicySet.Target.AttributeId := "SUBJECT.NAME";
    PolicySet.Target.Operation := ABACTargetOperation.Equal;
    PolicySet.Target.AttributeValue := "USER";
    PolicySet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Add a policy to access an MDM dictionary with the DICTIONARY identifier
    Policy := PolicySet.Policies.Add;
    Policy.Name(MB.CurrentLocale) := "Allow access to MDM dictionary";
    Policy.Target.AttributeId := "OBJECT.ID";
    Policy.Target.Operation := ABACTargetOperation.Equal;
    Policy.Target.AttributeValue := "DICTIONARY";
    Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Add a rule to deny access to MDM dictionary element with the 1 key
    Rules := Policy.Rules;
    Rule := Rules.Add;
    Rule.Name(LocaleCodeID.Russian) := "Deny access to MDM dictionary element";
    Rule.Target.AttributeId := "OPERATION";
    Rule.Target.Operation := ABACTargetOperation.Equal;
    Rule.Target.AttributeValue := 1048576;
    Rule.Condition.AsString := "OBJECT.ELEMENT.KEY = 1";
    Rule.Effect := ABACRuleEffect.Deny;
    // Apply changes in security manager
    MS.Apply;
    // Check in license
    Lic := Null;
End Sub UserProc;

After executing the example:

When the attribute-based access control is implemented in the object navigator, the MDM dictionary element with the 1 key is not displayed for the USER user.

See also:

Examples | Access Permissions for MDM Repository Objects | Basic Dictionary Settings