IABACRootPolicyObject.Metabase

Syntax

Metabase: Object;

Description

The Metabase property determines the repository with which the attribute-based access control structure works.

Comments

This property is used when a separate attribute-based access control structure is set up.

Example

To execute the example, add links to the ABAC and Metabase system assemblies.

Sub UserProc;
Var
    Engine: IABACEngine;
    PolicyObject: IABACRootPolicyObject;
    PolicySet: IABACPolicySet;
    Policy: IABACPolicy;
    Res: ABACEvaluateResult;
    MB: IMetabase;
    User, ObjDescr, Env: IABACAttributeInstances;
Begin
    MB := MetabaseClass.Active;
    // Create a separate attribute-based access control structure
    PolicyObject := New ABACRootPolicyObject.Create;
    PolicyObject.Metabase := MB;
    PolicyObject.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Create a policies set
    PolicySet := PolicyObject.Policies.Add;
    PolicySet.Name(LocaleCodeID.None) := "Test policies set";
    PolicySet.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Create a policy
    Policy := PolicySet.Policies.Add;
    Policy.Name(LocaleCodeID.None) := "Test policy";
    Policy.Target.AttributeId := "OPERATION";
    Policy.Target.Operation := ABACTargetOperation.Equal;
    Policy.Target.AttributeValue := 2;
    Policy.CombineAlgorithm := ABACCombineAlgorithm.PermitOverride;
    // Get attributes of the first user, the second object and environment attributes
    User := MB.Security.Users.Item(0).Attributes;
    ObjDescr := MB.Root.Children.Item(1).Attributes;
    Env := MB.Security.EnvironmentAttributes;
    // Display name of obtained user or object in the console
    Debug.WriteLine("User: " + MB.Security.Users.Item(0).Name);
    Debug.WriteLine("Object: " + MB.Root.Children.Item(1).Name);
    // Set calculator of user access to object
    Engine := New ABACEngine.Create;
    Engine.SetEnvironment(Env);
    Engine.SetParams(User, ObjDescr);
    Engine.SetPolicy(PolicyObject); // created attribute-based access control structure
    // Check access to read object
    Res := Engine.Evaluate(2);
    Select Case Res As Integer
        Case 0: Debug.WriteLine("Access is not determined");
        Case 1: Debug.WriteLine("Rule cannot be applied");
        Case 2: Debug.WriteLine("Access is allowed");
        Case 3: Debug.WriteLine("Access denied");
    End Select;
End Sub UserProc;

After executing the example, the separate attribute-based access control structure is used to calculate access to read the object.

The console displays the access result:

User: ADMIN
Object: System objects
Access is allowed
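The example above shows only the outcome for the ADMIN user reading an object that matches the policy target. The following Python model, added here as an illustration and not part of the platform's ABAC assembly or Fore code, reproduces the shape of that structure (root object, policy set, policy with a target OPERATION = 2) so that the other three result codes can be exercised as well: a request for an operation the target does not cover, a request that lacks the targeted attribute entirely, and a conflicting permit/deny outcome. The result codes 0 to 3 are those decoded by the page's Select Case; the PermitOverride semantics, the rule conditions, the attribute names (USER.IsAdmin, OBJECT.Restricted) and the sample attribute values are assumptions constructed for the model, following simplified XACML permit-overrides behaviour rather than anything documented on this page.

```python
# Added illustrative model of ABAC evaluation; not Fore code and not the platform's ABAC assembly.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Optional

# Result codes exactly as decoded by the page's Select Case over Engine.Evaluate.
NOT_DETERMINED = 0
NOT_APPLICABLE = 1
PERMIT = 2
DENY = 3

Attrs = Dict[str, Any]  # merged user + object + environment attributes


@dataclass
class Target:
    """Mirrors Policy.Target with Operation = Equal: AttributeId and AttributeValue."""
    attribute_id: str
    value: Any

    def matches(self, attrs: Attrs) -> Optional[bool]:
        # A target over an attribute the request does not carry cannot be decided
        # either way; that surfaces as the "not determined" outcome.
        if self.attribute_id not in attrs:
            return None
        return attrs[self.attribute_id] == self.value


@dataclass
class Rule:
    """A rule yields its effect when its condition holds, otherwise Not applicable."""
    effect: int
    condition: Callable[[Attrs], bool]

    def evaluate(self, attrs: Attrs) -> int:
        try:
            return self.effect if self.condition(attrs) else NOT_APPLICABLE
        except KeyError:
            return NOT_DETERMINED  # the condition referenced an attribute the request lacks


def permit_override(results: Iterable[int]) -> int:
    """Assumed PermitOverride semantics (simplified XACML permit-overrides): any Permit
    wins; an undecidable child outranks Deny because it might have permitted; Deny
    beats Not applicable; only an all-Not-applicable set is Not applicable."""
    seen = set(results)
    for outcome in (PERMIT, NOT_DETERMINED, DENY):
        if outcome in seen:
            return outcome
    return NOT_APPLICABLE


@dataclass
class Policy:
    """Serves as root object, policy set and policy alike: children are Rules or Policies."""
    name: str
    target: Optional[Target]
    children: List

    def evaluate(self, attrs: Attrs) -> int:
        if self.target is not None:
            hit = self.target.matches(attrs)
            if hit is None:
                return NOT_DETERMINED
            if not hit:
                return NOT_APPLICABLE
        return permit_override(child.evaluate(attrs) for child in self.children)


def build_root_policy() -> Policy:
    """Constructed structure shaped like the page's example: root -> set -> policy whose
    target is OPERATION == 2. The two rules are assumptions added for illustration."""
    read_policy = Policy(
        name="Test policy",
        target=Target("OPERATION", 2),
        children=[
            Rule(PERMIT, lambda a: a["USER.IsAdmin"] is True),
            Rule(DENY, lambda a: a["OBJECT.Restricted"] is True),
        ],
    )
    policy_set = Policy(name="Test policies set", target=None, children=[read_policy])
    return Policy(name="root", target=None, children=[policy_set])


def evaluate_access(user: Attrs, obj: Attrs, env: Attrs, operation: Optional[int]) -> int:
    """Counterpart of SetParams/SetEnvironment/Evaluate: merge the three attribute
    instances under prefixes and expose the requested operation as an attribute."""
    attrs: Attrs = {}
    attrs.update({f"USER.{k}": v for k, v in user.items()})
    attrs.update({f"OBJECT.{k}": v for k, v in obj.items()})
    attrs.update({f"ENV.{k}": v for k, v in env.items()})
    if operation is not None:
        attrs["OPERATION"] = operation
    return build_root_policy().evaluate(attrs)


MESSAGES = {NOT_DETERMINED: "Access is not determined", NOT_APPLICABLE: "Rule cannot be applied",
            PERMIT: "Access is allowed", DENY: "Access denied"}

if __name__ == "__main__":
    admin = {"Name": "ADMIN", "IsAdmin": True}                     # constructed sample attributes
    system_objects = {"Name": "System objects", "Restricted": False}
    env = {"Hour": 10}
    print("User: " + admin["Name"])
    print("Object: " + system_objects["Name"])
    print(MESSAGES[evaluate_access(admin, system_objects, env, 2)])
```

The ordering inside permit_override is the part worth checking against a real policy engine before relying on it: a child that could not be evaluated (missing attribute) is deliberately not collapsed into a deny, so an incomplete request is reported as "not determined" rather than silently refused or, worse, silently permitted.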

See also:

IABACRootPolicyObject