Controlling Access Permissions to Elements

Executing the example requires an MDM dictionary with the RDS_DICT identifier. The option of access permissions to elements must be enabled for the dictionary. In addition to the basic Admin user and the Administrators group, the list of access subjects includes two users, who are mapped to security labels 2 and 3. These users are not members of the administrators group.

Example

Add links to the Metabase and Rds system assemblies.

Sub UserProc;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    Dict: IRdsDictionary;
    Attrs: IRdsAttributes;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    Data: IRdsDictionaryElementData;
    SecLab: ISecurityLabels;
    User, User1, User2: ISecuritySubject;
Begin
    MB := MetabaseClass.Active;
    // Get MDM dictionary
    MObj := MB.ItemById("RDS_DICT").Bind;
    Dict := MObj As IRdsDictionary;
    // Get list of attributes
    Attrs := Dict.Attributes;
    // Open dictionary
    DictInst := Dict.Open(Null);
    Elements := DictInst.Elements;
    // Get the first element, for which permissions will be granted
    Element := Elements.Item(1);
    Data := Element.Data;
    // Security subjects
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    User := SecLab.Mapping(0); // Admin
    User1 := SecLab.Mapping(2); // The first additional user
    User2 := SecLab.Mapping(3); // The second additional user
    // Grant permissions
    Data.AccessAttribute(Attrs.AccessAccess.Key) := SecLab.ValueStr(User);
    Data.AccessAttribute(Attrs.DeleteAccess.Key) := (SecLab.Value(User) + SecLab.Value(User1)).ToString;
    Data.AccessAttribute(Attrs.ReadAccess.Key) := (SecLab.Value(User) + SecLab.Value(User1) + SecLab.Value(User2)).ToString;
    Data.AccessAttribute(Attrs.WriteAccess.Key) := (SecLab.Value(User) + SecLab.Value(User2)).ToString;
    // Update information about element
    Element.Update(Data);
End Sub UserProc;

After executing the example, access permissions for the first element of the MDM dictionary are changed. All users have permission to view the element. The first additional user has permission to delete it, and the second additional user has permission to edit it. The Admin user has full permissions.

To check the access permissions, convert the mask to binary form and check which security objects the bits with the value 1 are associated with. Bits with the value 0 either correspond to security objects that are forbidden to perform the operation or are not associated with any security object. To convert the mask to binary form, use the DecToBin procedure, whose code is given in the Working with Access Mask example.

Sub CheckMask;
Var
    MB: IMetabase;
    MObj: IMetabaseObject;
    DictInst: IRdsDictionaryInstance;
    Elements: IRdsDictionaryElements;
    Element: IRdsDictionaryElement;
    SecLab: ISecurityLabels;
    AccessMask: Integer;
    BinMask: String;
    c: Char;
    i: Integer;
Begin
    MB := MetabaseClass.Active;
    // Get MDM dictionary
    MObj := MB.ItemById("RDS_DICT").Bind;
    // Open dictionary
    DictInst := MObj.Open(Null) As IRdsDictionaryInstance;
    Elements := DictInst.Elements;
    // Get the first element, for which access permissions are determined
    Element := Elements.Item(1);
    // Get security label parameters
    SecLab := MObj.SecurityDescriptor.LabelSecurity;
    // Permissions to change data of the first element
    AccessMask := Element.Access(RdsAccessAttribute.WriteAccess);
    BinMask := DecToBin(AccessMask);
    For i := BinMask.Length To 1 Step - 1 Do
        // Get bit from character string and check its value
        c := BinMask.Chars(i - 1);
        // If value of the current bit is 1, then get the user matched with this bit
        If c = '1' Then
            // Bits are numbered from right to left. To get the bit number, subtract
            // the current position from the total length.
            Debug.WriteLine(SecLab.Mapping(BinMask.Length - i).Name);
        End If;
    End For;
End Sub CheckMask;

On executing the example, the console window displays the names of the security objects that have permission to edit data of the first element of the MDM dictionary.
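
The mask arithmetic used by UserProc and CheckMask, modelled in Python as an added example; it is not part of the original page and is not Fore code. It assumes that each label value is the single bit 1 << label number, as the bit-by-bit check above implies; the names User1 and User2 and the POLICY table are constructed. It goes one step beyond the page by auditing the masks against the intended policy, which catches bits set for unintended or unmapped subjects, for example when the same subject's value is added twice and the sum carries into another subject's bit.

```python
# Added example: plain-Python model of the element access masks described above.
# Assumption: a subject's label value is the single bit 1 << label number.
LABELS = {0: "Admin", 2: "User1", 3: "User2"}  # constructed subject names
# Intended policy from the page: access attribute -> label numbers that hold it.
POLICY = {"AccessAccess": [0], "DeleteAccess": [0, 2],
          "ReadAccess": [0, 2, 3], "WriteAccess": [0, 3]}


def build_mask(indexes):
    """OR the label bits together; unlike '+', a repeated subject cannot carry."""
    mask = 0
    for index in indexes:
        mask |= 1 << index
    return mask


def decode_mask(mask, labels=LABELS):
    """Return (names of mapped subjects, bit numbers set but mapped to nobody)."""
    names, unmapped = [], []
    for bit in range(mask.bit_length()):  # bit 0 is the rightmost bit
        if (mask >> bit) & 1:
            if bit in labels:
                names.append(labels[bit])
            else:
                unmapped.append(bit)
    return names, unmapped


def audit(masks, policy=POLICY, labels=LABELS):
    """Compare decoded masks with the policy; return (attribute, extra, missing, unmapped)."""
    findings = []
    for right, mask in masks.items():
        names, unmapped = decode_mask(mask, labels)
        want = {labels[i] for i in policy[right]}
        extra = sorted(set(names) - want)
        missing = sorted(want - set(names))
        if extra or missing or unmapped:
            findings.append((right, extra, missing, unmapped))
    return findings


# Masks equivalent to the ones UserProc assigns to the first element.
MASKS = {right: build_mask(ix) for right, ix in POLICY.items()}

if __name__ == "__main__":
    print(audit(MASKS))  # masks match the policy
    # User1's value added twice: 1 + 4 + 4 = 9, which is Admin + User2.
    print(audit(dict(MASKS, DeleteAccess=1 + 4 + 4)))
```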
