Setting Up Permissions to Access Dictionary Elements

When table or calculated dictionaries are used in cubes or other repository objects, read or write access to data can be limited by particular elements. To do this, set up safety labels and access permission attributes for the dictionary; their values determine whether a particular repository user can read and change data. Each setup stage is considered separately below.

Setting up Safety Labels

The ISecurityLabels interface is used to work with safety labels. Safety label parameters can be obtained using the ISecurityDescriptor.LabelSecurity property. Safety labels form a security bit mask, according to which read or write access to data by the selected elements is granted or denied. Each bit in the mask corresponds to a particular security subject. By default, the first two bits of the mask correspond to the repository administrator and the administrators group respectively. If required, this bit mapping can be changed.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    SecLab: ISecurityLabels;
    Bit: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Dim_1");
    //Security descriptor of the dictionary
    SecDesc := MDesc.SecurityDescriptor;
    SecDesc.Edit;
    //Safety labels of the dictionary
    SecLab := SecDesc.LabelSecurity;
    //Find the first bit of the security mask that is not mapped
    //to any security subject.
    //All the following bits are assumed to be unmapped as well,
    //and at least two free bits are assumed to remain
    For Bit := 0 To SecLab.BitCount - 1 Do
        If SecLab.Mapping(Bit) = Null Then
            Break;
        End If;
    End For;
    Debug.WriteLine(Bit);
    //Map security subjects to the free bits of the access mask
    SecLab.Mapping(Bit) := MB.Security.ResolveName("TESTUSER1");
    SecLab.Mapping(Bit + 1) := MB.Security.ResolveName("TESTUSER2");
    SecDesc.Apply(False);
End Sub UserProc;

This example obtains the parameters of the dictionary safety labels and determines the first free bit of the mask. This bit and the next one are mapped to two security subjects, TESTUSER1 and TESTUSER2. These subjects must be created in the security manager.

Setting up Attributes of Access Permissions

After the safety labels are set up, the dictionary attributes can be set. The Read Access and Write Access attributes are used to control access permissions in the dictionary. If permissions are separated for no more than 32 security subjects, these attributes are attributes with the integer data type (DbDataType.Integer in the example below) or attributes with the string data type. To determine these attributes in the dictionary, the following properties are used:

In the table dictionary: the IStandardDimAttributes.ReadAccess and IStandardDimAttributes.WriteAccess properties.
In the calculated dictionary: the IUserDimAttributes.ReadAccess and IUserDimAttributes.WriteAccess properties.

These attributes should be linked to the corresponding fields of the data source.

Sub UserProc;
Var
    MB: IMetabase;
    StdDim: IStandardDimension;
    StdAttrs: IStandardDimAttributes;
    StdAttr: IStandardDimAttribute;
    DimBlock: IStandardDimBlock;
    DataSet: IDatasetModel;
    DataSetId: String;
Begin
    MB := MetabaseClass.Active;
    StdDim := MB.ItemById("Dim_1").Edit As IStandardDimension;
    StdAttrs := StdDim.Attributes;
    //Create the attribute that limits read permissions
    StdAttr := StdAttrs.Add;
    StdAttr.DataType := DbDataType.Integer;
    StdAttr.Id := "READ_ACCESS";
    StdAttr.Name := "Read permissions";
    StdAttrs.ReadAccess := StdAttr;
    //Create the attribute that limits write permissions
    StdAttr := StdAttrs.Add;
    StdAttr.DataType := DbDataType.Integer;
    StdAttr.Id := "WRITE_ACCESS";
    StdAttr.Name := "Write permissions";
    StdAttrs.WriteAccess := StdAttr;
    //Bind the attributes to data source fields in the first dictionary block
    //Get block parameters
    DimBlock := StdDim.Blocks.Item(0);
    //Get data source parameters
    //The data source is assumed to contain fields with the identifiers
    //READ_ACCESS and WRITE_ACCESS
    DataSet := DimBlock.Dataset;
    DataSetId := (DataSet As IMetabaseObject).Id;
    //Bind dictionary attributes to data source fields
    DimBlock.Binding(StdAttrs.ReadAccess).AsString := DataSetId + ".READ_ACCESS";
    DimBlock.Binding(StdAttrs.WriteAccess).AsString := DataSetId + ".WRITE_ACCESS";
    (StdDim As IMetabaseObject).Save;
End Sub UserProc;

To enable permission separation, specify the access mask value in the corresponding data source fields. The mask value can be obtained using the ISecurityLabels.Value property (if permissions are separated for no more than 32 security subjects) or the ISecurityLabels.ValueStr property.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    Sec: IMetabaseSecurity;
    SecDesc: ISecurityDescriptor;
    SecLab: ISecurityLabels;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Dim_1");
    Sec := MB.Security;
    SecDesc := MDesc.SecurityDescriptor;
    SecLab := SecDesc.LabelSecurity;
    //Output the mask value of each security subject
    Debug.WriteLine(SecLab.Value(Sec.ResolveName("TESTUSER1")));
    Debug.WriteLine(SecLab.Value(Sec.ResolveName("TESTUSER2")));
End Sub UserProc;

If several users need permissions, the value is the sum of the property values for each user. The IDimElements.ReadAccess and IDimElements.WriteAccess properties are used to check permissions in the elements collection.
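
The mask arithmetic described above, modeled in Python as an added example (it is not Fore or platform code and not part of the original page). It assumes that the subject mapped to bit n contributes the value 1 << n and that a set bit grants the permission; the subject names ADMIN and ADMINISTRATORS, the element identifiers and the rows are constructed. Under this model it also reports mask bits that no subject is mapped to, because a subject later mapped to the first free bit would pick up those permissions.

```python
# Added illustration: a model of the label bit mask, not Fore / platform code.
# Assumption: the subject mapped to bit n contributes the value 1 << n.
# Constructed mapping: bits 0 and 1 stand for the default administrator bits,
# bits 2 and 3 for the subjects mapped in the page's example.
MAPPING = {0: "ADMIN", 1: "ADMINISTRATORS", 2: "TESTUSER1", 3: "TESTUSER2"}
BIT_COUNT = 32  # integer attributes cover at most 32 security subjects

def first_free_bit(mapping, bit_count=BIT_COUNT):
    """Return the lowest unmapped bit, or raise if the mask is full."""
    for bit in range(bit_count):
        if bit not in mapping:
            return bit
    raise ValueError("no free bit left in the mask")

def mask_for(subjects, mapping):
    """Value to store in READ_ACCESS / WRITE_ACCESS for a set of subjects."""
    bit_of = {name: bit for bit, name in mapping.items()}
    mask = 0
    for name in subjects:
        if name not in bit_of:
            raise KeyError(f"{name} has no bit in the label mapping")
        mask |= 1 << bit_of[name]  # equals the sum, since the bits are distinct
    return mask

def audit(rows, mapping, bit_count=BIT_COUNT):
    """Decode each row's masks and report set bits that map to no subject."""
    report = []
    for element, read_mask, write_mask in rows:
        entry = {"element": element, "read": [], "write": [], "unmapped": []}
        for bit in range(bit_count):
            for kind, mask in (("read", read_mask), ("write", write_mask)):
                if (mask >> bit) & 1:
                    if bit in mapping:
                        entry[kind].append(mapping[bit])
                    elif bit not in entry["unmapped"]:
                        entry["unmapped"].append(bit)
        report.append(entry)
    return report

# Constructed data source rows: (element, READ_ACCESS, WRITE_ACCESS)
ROWS = [
    ("EL_1", mask_for(["TESTUSER1", "TESTUSER2"], MAPPING),
     mask_for(["TESTUSER1"], MAPPING)),
    ("EL_2", 0b10100, 0),  # bit 4 is set but not mapped to any subject
]
REPORT = audit(ROWS, MAPPING)
```

For EL_2 the unmapped bit is 4, which is also the value first_free_bit returns for this mapping, so clearing such bits before mapping a new subject keeps that subject from receiving read access unintentionally.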
