Metabase: Object;
The Metabase property returns repository data.
This property is relevant on determining a separate attribute-based access control structure.
To execute the example, add links to the ABAC and Metabase system assemblies.
Sub UserProc;
Var
Engine: IABACEngine;
PolicyObject: IABACRootPolicyObject;
PolicySet: IABACPolicySet;
Policy: IABACPolicy;
Res: ABACEvaluateResult;
MB: IMetabase;
User, ObjDescr, Env: IABACAttributeInstances;
Begin
MB := MetabaseClass.Active;
// Create a separate attribute-based access control structure
PolicyObject := New ABACRootPolicyObject.Create;
PolicyObject.Metabase := MB;
PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Create a policies set
PolicySet := PolicyObject.Policies.Add;
PolicySet.Name(LocaleCodeID.None) := "Test policies set";
PolicySet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Create a policy
Policy := PolicySet.Policies.Add;
Policy.Name(LocaleCodeID.None) := "Test policy";
Policy.Target.AttributeId := "OPERATION";
Policy.Target.Operation := ABACTargetOperation.Equal;
Policy.Target.AttributeValue := 2;
Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
// Get attributes of the first user, the second object and environment attributes
User := MB.Security.Users.Item(0).Attributes;
ObjDescr := MB.Root.Children.Item(1).Attributes;
Env := MB.Security.EnvironmentAttributes;
// Display name of obtained user or object in the console
Debug.WriteLine("User: " + MB.Security.Users.Item(0).Name);
Debug.WriteLine("Object: " + MB.Root.Children.Item(1).Name);
// Set calculator of user access to object
Engine := New ABACEngine.Create;
Engine.SetEnvironment(Env);
Engine.SetParams(User, ObjDescr);
Engine.SetPolicy(PolicyObject); // created attribute-based access control structure
// Check access to read object
Res := Engine.Evaluate(2);
Select Case Res As Integer
Case 0: Debug.WriteLine("Access is not determined");
Case 1: Debug.WriteLine("Rule cannot be applied");
Case 2: Debug.WriteLine("Access is allowed");
Case 3: Debug.WriteLine("Access denied");
End Select;
End Sub UserProc;
After executing the example the separate attribute-based access control structure is used to calculate access to read object.
The console displays the access result:
User: ADMIN
Object: System objects
Access is allowed
See also: