Evaluate(Operation: Integer): ABACEvaluateResult;
Operation. The code of the main or specific operation on an object.
The Evaluate method returns the result of evaluating the subject's access to the object.
Lists of specific operation codes for the Operation parameter are contained in the enumerations of the Metabase assembly.
NOTE. If the objective has the OPERATION environment attribute set with the IN condition, the parameter can take the value of a child operation. For example, if the 2 - Read operation is set in the attribute-based access control objective, the method parameter can take the value 256 - Read descriptor.
If the objective has the OPERATION environment attribute set with the IN condition, then for IABACEngine.Evaluate to be calculated either call the IABACEngine.SetOperations method beforehand, or set the Operation value to the same value as in the attribute-based access control objective.
Executing the example requires the following conditions to be satisfied:
The security manager contains at least one user.
An attribute with the ATTR1 identifier and the Integer data type is set for users.
The repository contains an object with the 12254 key.
The attribute-based access control structure contains a rule:
Objective: OPERATION IN 2.
Condition: SUBJECT.ATTR1 = 123.
Effect: Allow.
The whole attribute-based access control structure is set to allow by overriding: if at least one of the calculation results returns permission, the user is allowed to execute the operation on the object.
Add links to the ABAC and Metabase system assemblies.
Public Class Callback: Object, IABACEvaluateCallback
    // Called by the engine when an attribute referenced by a rule has no value
    // on the subject or object. Success reports whether a value was supplied
    Public Function AttrValue(Id: String; Var Success: Boolean): Object;
    Begin
        Success := False;
        Return Null;
    End Function AttrValue;

    // Alternative form of the callback: writes the value to Result
    // and returns True if the attribute is known
    Public Function AttrValueRaw(Id: String; Var Result: Variant): Boolean;
    Var
        Success: Boolean;
    Begin
        If Id = "ATTR1" Then
            // Supply the value expected by the rule condition SUBJECT.ATTR1 = 123
            Result := 123;
            Success := True;
        Else
            Success := False;
        End If;
        Return Success;
    End Function AttrValueRaw;
End Class Callback;

Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Calb: Callback;
    Engine: IABACEngine;
    Res: ABACEvaluateResult;
    User, Obj, Env: IABACAttributeInstances;
Begin
    MB := MetabaseClass.Active;
    MS := MB.Security;
    // Get environment attributes
    Env := MS.EnvironmentAttributes;
    // Get attributes of the first user and of the object with the 12254 key
    User := MS.Users.Item(0).Attributes;
    Obj := MB.Root.Children.FindByKey(12254).Attributes;
    // Display the names of the obtained user and object in the console
    Debug.WriteLine("User: " + MS.Users.Item(0).Name);
    Debug.WriteLine("Object: " + MB.Root.Children.FindByKey(12254).Name);
    // Create the callback that supplies attribute values missing from the subject or object
    Calb := New Callback.Create;
    // Set up the engine that calculates user access to the object
    Engine := New ABACEngine.Create;
    Engine.SetEnvironment(Env);
    Engine.SetParams(User, Obj);
    Engine.SetCallback(Calb);
    // The objective uses OPERATION IN, so the operations must be set
    // before a child operation is evaluated
    Engine.SetOperations(2, 4, 1);
    // Set the attribute-based access control structure that is contained in the security manager
    Engine.SetPolicy(MB.Security.Policy.ABACRules);
    // Check access to read the object descriptor and display the result in the console
    Res := Engine.Evaluate(256);
    Select Case Res As Integer
        Case 0: Debug.WriteLine("Access is not determined");
        Case 1: Debug.WriteLine("Rule cannot be applied");
        Case 2: Debug.WriteLine("Access is allowed");
        Case 3: Debug.WriteLine("Access is denied");
    End Select;
End Sub UserProc;
After executing the example:
When the attribute-based access control objective is checked, the ATTR1 attribute is found without a specified value.
The calculator calls the AttrValue function of the callback to obtain the attribute value 123.
The condition is checked after the objective is satisfied. The condition is satisfied if the ATTR1 attribute with the value 123 is found.
The user can read the object descriptor.
The console displays the access result:
User: ADMIN
Object: System objects
Access is allowed