When table or calculated dictionaries are used in cubes or other repository objects, read and write access to data can be restricted at the level of individual dictionary elements. To do this, set up safety labels and access permission attributes for the dictionary; the attribute values determine whether a particular repository user can read and change data. Each setup stage is considered separately below.
The ISecurityLabels interface is used to work with safety labels. Safety label parameters can be obtained using the ISecurityDescriptor.LabelSecurity property. Safety labels form a security bit mask, according to which access to read or change data by the selected elements is granted or denied. Each bit in the mask corresponds to a selected security subject. By default, the first two bits in the mask correspond to the repository administrator and the group of administrators respectively. If required, this bit mapping can be changed.
Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    SecLab: ISecurityLabels;
    Bit: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Dim_1");
    // Security descriptor of the dictionary
    SecDesc := MDesc.SecurityDescriptor;
    SecDesc.Edit;
    // Safety labels of the dictionary
    SecLab := SecDesc.LabelSecurity;
    // Find the first bit of the security mask that is not mapped
    // to any security subject.
    // All following bits are assumed to be unmapped as well.
    For Bit := 0 To SecLab.BitCount - 1 Do
        If SecLab.Mapping(Bit) = Null Then
            Break;
        End If;
    End For;
    Debug.WriteLine(Bit);
    // Map security subjects to the free bits of the access mask
    SecLab.Mapping(Bit) := MB.Security.ResolveName("TESTUSER1");
    SecLab.Mapping(Bit + 1) := MB.Security.ResolveName("TESTUSER2");
    SecDesc.Apply(False);
End Sub UserProc;
This example obtains the safety label parameters of the dictionary and determines the first free bit of the mask. This bit and the next bit are mapped to two security subjects, TESTUSER1 and TESTUSER2. These subjects should be created in the security manager.
After the safety labels are set up, the dictionary attributes can be set. The Read Access and Write Access attributes control access permissions in the dictionary. If permissions are separated for no more than 32 security subjects, these attributes can have the integer data type (DbDataType.Integer in the example below) or the string data type. To define these attributes in the dictionary, use the following properties: in a table dictionary, the IStandardDimAttributes.ReadAccess and IStandardDimAttributes.WriteAccess properties; in a calculated dictionary, the IUserDimAttributes.ReadAccess and IUserDimAttributes.WriteAccess properties. These attributes should be linked to the corresponding fields of the data source.
Sub UserProc;
Var
    MB: IMetabase;
    StdDim: IStandardDimension;
    StdAttrs: IStandardDimAttributes;
    StdAttr: IStandardDimAttribute;
    DimBlock: IStandardDimBlock;
    DataSet: IDatasetModel;
    DataSetId: String;
Begin
    MB := MetabaseClass.Active;
    StdDim := MB.ItemById("Dim_1").Edit As IStandardDimension;
    StdAttrs := StdDim.Attributes;
    // Create the attribute that limits read permissions
    StdAttr := StdAttrs.Add;
    StdAttr.DataType := DbDataType.Integer;
    StdAttr.Id := "READ_ACCESS";
    StdAttr.Name := "Read permissions";
    StdAttrs.ReadAccess := StdAttr;
    // Create the attribute that limits write permissions
    StdAttr := StdAttrs.Add;
    StdAttr.DataType := DbDataType.Integer;
    StdAttr.Id := "WRITE_ACCESS";
    StdAttr.Name := "Write permissions";
    StdAttrs.WriteAccess := StdAttr;
    // Bind the attributes to data source fields in the first dictionary block
    // Get block parameters
    DimBlock := StdDim.Blocks.Item(0);
    // Get data source parameters
    // The data source is assumed to contain fields with the identifiers
    // READ_ACCESS and WRITE_ACCESS
    DataSet := DimBlock.Dataset;
    DataSetId := (DataSet As IMetabaseObject).Id;
    // Bind dictionary attributes to data source fields
    DimBlock.Binding(StdAttrs.ReadAccess).AsString := DataSetId + ".READ_ACCESS";
    DimBlock.Binding(StdAttrs.WriteAccess).AsString := DataSetId + ".WRITE_ACCESS";
    (StdDim As IMetabaseObject).Save;
End Sub UserProc;
To enable permissions separation, specify the access mask value in the corresponding data source fields. The mask value can be obtained using the ISecurityLabels.Value property (if permissions are separated for no more than 32 security subjects) or the ISecurityLabels.ValueStr property.
Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    Sec: IMetabaseSecurity;
    SecDesc: ISecurityDescriptor;
    SecLab: ISecurityLabels;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Dim_1");
    Sec := MB.Security;
    SecDesc := MDesc.SecurityDescriptor;
    SecLab := SecDesc.LabelSecurity;
    // Output the access mask value of each security subject
    Debug.WriteLine(SecLab.Value(Sec.ResolveName("TESTUSER1")));
    Debug.WriteLine(SecLab.Value(Sec.ResolveName("TESTUSER2")));
End Sub UserProc;
If several users are required to have permissions, the field value is the sum of the property values for every user. The IDimElements.ReadAccess and IDimElements.WriteAccess properties check permissions in the elements collection.
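The mask arithmetic described above, as an added Python model that is not part of the platform or its API. It assumes that the value returned for a subject is 1 shifted left by its bit index; the names ADMIN and ADMINISTRATORS, the data source rows, and all class and function names are constructed for illustration.

```python
# Assumption: a subject's mask value is 1 << (its bit index in the label mask).
INT_MASK_BITS = 32  # per the page, an integer mask covers at most 32 subjects

class LabelMask:
    """Constructed model of the label mask: one bit per security subject."""
    def __init__(self, bit_count=INT_MASK_BITS):
        self.mapping = [None] * bit_count  # bit index -> subject name

    def map_subject(self, subject):
        """Map a subject to the first free bit; handles gaps and a full mask."""
        if subject in self.mapping:
            raise ValueError(f"{subject} is already mapped")
        if None not in self.mapping:
            raise ValueError("no free bit left in the mask")
        bit = self.mapping.index(None)
        self.mapping[bit] = subject
        return bit

    def value(self, subject):
        """Integer mask value of one subject (assumed to be 1 << bit)."""
        bit = self.mapping.index(subject)  # ValueError if the subject is unmapped
        if bit >= INT_MASK_BITS:
            raise OverflowError("bit does not fit an integer mask; use the string form")
        return 1 << bit

    def mask_for(self, subjects):
        """Field value for several subjects: OR over distinct subjects equals the sum."""
        mask = 0
        for subject in set(subjects):  # a subject listed twice must not be added twice
            mask |= self.value(subject)
        return mask

    def allowed(self, subject, field_mask):
        return bool(field_mask & self.value(subject))

def build_demo():
    labels = LabelMask()
    for name in ("ADMIN", "ADMINISTRATORS", "TESTUSER1", "TESTUSER2"):
        labels.map_subject(name)  # bits 0..3; the first two names are constructed
    rows = [  # constructed data source rows with the two access fields
        {"ID": "E1", "READ_ACCESS": labels.mask_for(["TESTUSER1", "TESTUSER2"]),
         "WRITE_ACCESS": labels.mask_for(["TESTUSER1"])},
        {"ID": "E2", "READ_ACCESS": labels.mask_for(["TESTUSER2"]), "WRITE_ACCESS": 0},
    ]
    return labels, rows

def elements_for(labels, rows, subject, field):
    """IDs of the elements whose access field has the subject's bit set."""
    return [r["ID"] for r in rows if labels.allowed(subject, r[field])]
```

With these constructed rows, TESTUSER1 can read and write only E1, while TESTUSER2 can read both elements and write neither.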