IABACEngine.Evaluate

Syntax

Evaluate(Operation: Integer): ABACEvaluateResult;

Parameters

Operation. The code of the main or specific operation to be performed with the object.

Description

The Evaluate method checks whether the subject (user) may perform the specified operation with the object and returns the result of that check.

Comments

The codes of specific operations that can be passed in the Operation parameter are defined in enumerations of the Metabase assembly.

NOTE. If the objective has the OPERATION environment attribute set with the IN condition, the parameter can take the value of a child operation. For example, if the 2 - Read operation is set in the attribute-based access control objective, the method parameter can take the value 256 - Read descriptor.

If the objective has the OPERATION environment attribute set with the IN condition, then before calling IABACEngine.Evaluate either pass the operations set in the objective to the IABACEngine.SetOperations method, or pass in the Operation parameter the same value that is set in the attribute-based access control objective.
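The following is an added example, not code from the original page or from the platform's own documentation. It wraps Evaluate in a fail-closed check for the IN-condition case described above: the operation set in the objective (2 - Read) is registered with SetOperations, the child operation (256 - Read descriptor) is then evaluated, and access is granted only when the result is 2 - access allowed; results 0 (not determined), 1 (rule cannot be applied) and 3 (denied) all deny. The object key 12254, the operation codes and the callback returning 123 for ATTR1 are taken from the example on this page; the function name IsOperationAllowed and the class name FailClosedCallback are hypothetical.

```fore
// Added example: fail-closed wrapper around IABACEngine.Evaluate.
// Callback that supplies the ATTR1 attribute value, as in the page's example.
Public Class FailClosedCallback: Object, IABACEvaluateCallback
    Public Function AttrValue(Id: String; Var Success: Boolean): Object;
    Begin
        Success := False;
        Return Null;
    End Function AttrValue;

    Public Function AttrValueRaw(Id: String; Var Result: Variant): Boolean;
    Begin
        If Id = "ATTR1" Then
            Result := 123;
            Return True;
        End If;
        Return False;
    End Function AttrValueRaw;
End Class FailClosedCallback;

// ParentOperation: the operation set in the objective (for example 2 - Read).
// ChildOperation: the operation actually being checked (for example 256 - Read descriptor).
// Only ABACEvaluateResult = 2 (access allowed) grants access; every other
// result, including "not determined" and "rule cannot be applied", denies.
Function IsOperationAllowed(Engine: IABACEngine; ParentOperation: Integer; ChildOperation: Integer): Boolean;
Var
    Res: ABACEvaluateResult;
Begin
    // Register the operation the objective was written for, so the IN condition matches
    Engine.SetOperations(ParentOperation);
    Res := Engine.Evaluate(ChildOperation);
    If (Res As Integer) = 2 Then
        Return True;
    End If;
    Return False;
End Function IsOperationAllowed;

Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Obj: IMetabaseObjectDescriptor;
    Calb: FailClosedCallback;
    Engine: IABACEngine;
Begin
    MB := MetabaseClass.Active;
    MS := MB.Security;
    // Object key 12254 is assumed, as in the page's example
    Obj := MB.Root.Children.FindByKey(12254);
    Calb := New FailClosedCallback.Create;
    Engine := New ABACEngine.Create;
    Engine.SetEnvironment(MS.EnvironmentAttributes);
    Engine.SetParams(MS.Users.Item(0).Attributes, Obj.Attributes);
    Engine.SetCallback(Calb);
    Engine.SetPolicy(MS.Policy.ABACRules);
    // Objective is set for 2 - Read; check the child operation 256 - Read descriptor
    If IsOperationAllowed(Engine, 2, 256) Then
        Debug.WriteLine("Read descriptor: access is allowed");
    Else
        Debug.WriteLine("Read descriptor: access is denied (fail closed)");
    End If;
End Sub UserProc;
```

Treating "access is not determined" and "rule cannot be applied" as a denial matters in practice: both are returned when the engine could not match a rule, for example because SetOperations was not called for an IN-condition objective, and neither is a positive authorization decision.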

Example

Executing the example requires the following conditions to be satisfied:

Add links to the ABAC and Metabase system assemblies.

Public Class Callback: Object, IABACEvaluateCallback
    // Called for attributes the engine cannot resolve itself; this example resolves nothing here
    Public Function AttrValue(Id: String; Var Success: Boolean): Object;
    Begin
        Success := False;
        Return Null;
    End Function AttrValue;

    // Supplies raw attribute values; only ATTR1 is known and its value is 123
    Public Function AttrValueRaw(Id: String; Var Result: Variant): Boolean;
    Var
        Success: Boolean;
    Begin
        If Id = "ATTR1" Then
            Result := 123;
            Success := True;
        Else
            Success := False;
        End If;
        Return Success;
    End Function AttrValueRaw;
End Class Callback;

Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Calb: Callback;
    Engine: IABACEngine;
    Res: ABACEvaluateResult;
    User, Obj, Env: IABACAttributeInstances;
Begin
    MB := MetabaseClass.Active;
    MS := MB.Security;
    // Get environment attributes
    Env := MS.EnvironmentAttributes;
    // Get attributes of the first user and of the object with the key 12254
    User := MS.Users.Item(0).Attributes;
    Obj := MB.Root.Children.FindByKey(12254).Attributes;
    // Display names of the obtained user and object in the console
    Debug.WriteLine("User: " + MS.Users.Item(0).Name);
    Debug.WriteLine("Object: " + MB.Root.Children.FindByKey(12254).Name);
    // Create the callback that supplies attribute values to the engine
    Calb := New Callback.Create;
    // Set up the engine that calculates user access to the object
    Engine := New ABACEngine.Create;
    Engine.SetEnvironment(Env);
    Engine.SetParams(User, Obj);
    Engine.SetCallback(Calb);
    // Register the operations set in the objective so that child operations are matched
    Engine.SetOperations(2, 4, 1);
    // Set the attribute-based access control rules that are contained in the security manager
    Engine.SetPolicy(MB.Security.Policy.ABACRules);
    // Check access to read the object descriptor and display the result in the console
    Res := Engine.Evaluate(256);
    Select Case Res As Integer
        Case 0: Debug.WriteLine("Access is not determined");
        Case 1: Debug.WriteLine("Rule cannot be applied");
        Case 2: Debug.WriteLine("Access is allowed");
        Case 3: Debug.WriteLine("Access is denied");
    End Select;
End Sub UserProc;

After executing the example:

  1. When the attribute-based access control objective is checked, the ATTR1 attribute is found, but no value is specified for it.

  2. The calculator calls the callback (its AttrValueRaw method) to get the value of the ATTR1 attribute; the callback returns 123.

  3. After the objective is processed successfully, its condition is checked. The condition is satisfied because the ATTR1 attribute with the value 123 is found.

  4. The user can read the object descriptor.

The console displays the access result:

User: ADMIN

Object: System objects

Access is allowed

See also:

IABACEngine