IAccessControlEntry.AccessMask

Syntax

AccessMask: Integer;

Description

The AccessMask property determines the access permission mask for an object.

Comments

The mask value is a 4-byte binary number presented in decimal form. Depending on the type of the additional security parameter, this property returns different values:

To form and check a mask value, use values of the MetabaseObjectPredefinedRights enumeration. This enumeration contains the basic and additional operations for which permissions can be granted and access audit can be performed. Specific operations are available only for certain object classes. To include specific operations in a mask, depending on the object class, use values of the following enumerations:

Basic, additional and specific operations available for specific object types are shown in the Types of Events section.

To analyze a mask value, implement a custom function that compares individual mask bits with the relevant enumeration values. An example of working with an access mask is given in the Examples: Working with Access Mask section.

Example

Executing the example requires that the repository contains a table with the Table_1 identifier, and that the security subjects created in the security manager of the current repository include the TestUser user.

Sub Main;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    User: ISecuritySubject;
    Acl: IAccessControlList;
    Entry, AllowedEntry, DeniedEntry: IAccessControlEntry;
    AccessAllowed, AccessDenied: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Table_1");
    //Object security descriptor
    SecDesc := MDesc.SecurityDescriptor;
    //User whose access permissions are to be changed
    User := MB.Security.ResolveName("TestUser");
    SecDesc.Edit;
    //Additional security parameters
    Acl := SecDesc.Acl;
    //Form the allowing and denying masks:
    //Basic operations that are allowed
    AccessAllowed := MetabaseObjectPredefinedRights.Read;
    //Specific operations that are allowed
    AccessAllowed := AccessAllowed Or
        TableSpecificRights.SelectRows Or
        TableSpecificRights.UpdateRows;
    //Basic operations that are prohibited
    AccessDenied := MetabaseObjectPredefinedRights.WritePars Or
        MetabaseObjectPredefinedRights.WriteDescr;
    //Specific operations that are prohibited
    AccessDenied := AccessDenied Or
        TableSpecificRights.InsertRows Or
        TableSpecificRights.DeleteRows;
    //Search for the additional security parameter
    //that allows operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
            AllowedEntry := Entry;
        End If;
    End For;
    //If the parameter exists, set the formed mask in it,
    //otherwise create a new additional security parameter
    If AllowedEntry <> Null Then
        AllowedEntry.AccessMask := AccessAllowed;
    Else
        Acl.AddAce(AceType.AccessAllowed, User.Sid, AccessAllowed);
    End If;
    //Search for the additional security parameter
    //that denies operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
            DeniedEntry := Entry;
        End If;
    End For;
    //If the parameter exists, set the formed mask in it,
    //otherwise create a new additional security parameter
    If DeniedEntry <> Null Then
        DeniedEntry.AccessMask := AccessDenied;
    Else
        Acl.AddAce(AceType.AccessDenied, User.Sid, AccessDenied);
    End If;
    SecDesc.Apply(True);
End Sub Main;

After executing the example, the additional security parameters of the specified object are changed. If the object already has additional security parameters that determine access permissions for the TestUser user, they are updated; if not, they are created. The allowing and denying access masks are formed in the AccessAllowed and AccessDenied variables respectively.
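As an added example that is not part of the original page, the following Fore code implements the custom mask-analysis function mentioned in the Comments section and uses it to list the allowing and denying entries of the Table_1 table that the example above configures. The names HasRight, DescribeMask and AuditTableAcl are chosen here, and the code assumes that the Table_1 table exists in the repository.

```fore
// Added example (not from the original page): decode an access mask into the
// operation names it grants and list every ACE on the Table_1 table (assumed to exist).
Function HasRight(Mask: Integer; Right: Integer): Boolean;
Begin
    // A right is present only when all of its bits are set in the mask
    Return (Mask And Right) = Right;
End Function HasRight;

Function DescribeMask(Mask: Integer): String;
Var
    S: String;
Begin
    S := "";
    // Basic operations (MetabaseObjectPredefinedRights)
    If HasRight(Mask, MetabaseObjectPredefinedRights.Read) Then S := S + "Read "; End If;
    If HasRight(Mask, MetabaseObjectPredefinedRights.WritePars) Then S := S + "WritePars "; End If;
    If HasRight(Mask, MetabaseObjectPredefinedRights.WriteDescr) Then S := S + "WriteDescr "; End If;
    // Specific operations of tables (TableSpecificRights)
    If HasRight(Mask, TableSpecificRights.SelectRows) Then S := S + "SelectRows "; End If;
    If HasRight(Mask, TableSpecificRights.InsertRows) Then S := S + "InsertRows "; End If;
    If HasRight(Mask, TableSpecificRights.UpdateRows) Then S := S + "UpdateRows "; End If;
    If HasRight(Mask, TableSpecificRights.DeleteRows) Then S := S + "DeleteRows "; End If;
    If S = "" Then S := "(none of the listed operations)"; End If;
    Return S;
End Function DescribeMask;

Sub AuditTableAcl;
Var
    MB: IMetabase;
    SecDesc: ISecurityDescriptor;
    Entry: IAccessControlEntry;
    Kind: String;
Begin
    MB := MetabaseClass.Active;
    SecDesc := MB.ItemById("Table_1").SecurityDescriptor;
    // Walk every additional security parameter; denying entries are listed
    // alongside allowing ones so that a review sees both sides of the ACL
    For Each Entry In SecDesc.Acl Do
        If Entry.Type = AceType.AccessAllowed Then
            Kind := "ALLOW";
        Elseif Entry.Type = AceType.AccessDenied Then
            Kind := "DENY ";
        Else
            Kind := "OTHER";
        End If;
        Debug.WriteLine(Kind + " " + Entry.Sid.AsString + ": " + DescribeMask(Entry.AccessMask));
    End For;
End Sub AuditTableAcl;
```

Run AuditTableAcl after the example above: the TestUser entries should show Read, SelectRows and UpdateRows as allowed, and WritePars, WriteDescr, InsertRows and DeleteRows as denied.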

See also:

IAccessControlEntry