AccessMask: Integer;
The AccessMask property determines an object access mask.
Mask value is a 4-byte binary number converted to decimal form. Depending on the type of additional parameter this property returns different values:
Allowing parameter - property returns a value that corresponds with a list of explicit assigned allowances on operations.
Prohibiting parameter - property returns a value that corresponds with a list of explicit assigned prohibitions on operations.
Operation audit on an object - property returns value that corresponds with a list of operations, for which access audit is executed.
To form and check mask value, use a value of the MetabaseObjectPredefinedRights enumeration type. This enumeration contains basic and additional operations, on which permissions can be granted and access audit can be executed. The specific operations are available for defined classes of objects. To use specific operations depending on the object class in a mask there is a possibility to use values of the following enumerations:
CalculatedCubeSpecificRights - specific operations available for calculated cubes.
CubeLoaderSpecificRights - specific operations available for cube data loader.
CubeSpecificRights - specific operations available for various types of cubes.
CustomObjectSpecificRights - specific operations available for custom class objects.
DataBaseSpecificRights - specific operations available for the Database repository object.
DictionarySpecificRights - specific operations available for the MDM Dictionary and Composite MDM Dictionary repository objects.
MDCalcSpecificRights - specific operations available for the Multidimensional Calculation on DB Server repository object.
ProblemSpecificRights - specific operations available for the Modeling Problem modeling container object.
ProcedureSpecificRights - specific operations available for the Procedure repository object.
ScenarioDimensionSpecificRights - specific operations available for the Modeling Scenario repository object.
TableSpecificRights - specific operations available for the following repository objects - Table, View, Log, External Table.
ValidationSpecificRights - specific operations available for the Validation Rule and Validation Group repository objects.
Basic, additional and specific operations available for specified objects types are shown in the Types of Events section.
To analyze a mask value, implement a custom function that enables the user to compare separate mask bits with relevant enumerations values. The example of work with access mask is displayed in the Examples: Working with Access Mask section.
Executing the example requires that the repository contains a table with the TABLE identifier. There is the TestUser user among the security subjects that were created in the security manager of the current repository.
Sub Main;
Var
MB: IMetabase;
MDesc: IMetabaseObjectDescriptor;
SecDesc: ISecurityDescriptor;
User: ISecuritySubject;
Acl: IAccessControlList;
Entry, AllowedEntry, DeniedEntry: IAccessControlEntry;
AccessAllowed, AccessDenied: Integer;
Begin
MB := MetabaseClass.Active;
MDesc := MB.ItemById("TABLE");
//Object security descriptor
SecDesc := MDesc.SecurityDescriptor;
//User, for which it is necessary to change access permissions
User := MB.Security.ResolveName("TestUser");
SecDesc.Edit;
//Additional security parameters
Acl := SecDesc.Acl;
//Form allowing and prohibiting mask:
//Basic operations that are allowed
AccessAllowed := MetabaseObjectPredefinedRights.Read;
//Specific operations that are allowed
AccessAllowed := AccessAllowed Or
TableSpecificRights.SelectRows Or
TableSpecificRights.UpdateRows;
//Basic operations that are prohibited
AccessDenied := MetabaseObjectPredefinedRights.WritePars Or
MetabaseObjectPredefinedRights.WriteDescr;
//Specific operations that are prohibited
AccessDenied := AccessDenied Or
TableSpecificRights.InsertRows Or
TableSpecificRights.DeleteRows;
//Search additional security parameter
//that enables the user to execute operations for specified user
For Each Entry In Acl Do
If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
AllowedEntry := Entry;
End If;
End For;
//If parameter exists, set in it formed mask
//otherwise create a new additional security parameter
If AllowedEntry <> Null Then
AllowedEntry.AccessMask := AccessAllowed;
Else
Acl.AddAce(AceType.AccessAllowed, User.Sid, AccessAllowed);
End If;
//Search for additional security parameter
//that prohibits operations for specified user
For Each Entry In Acl Do
If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
DeniedEntry := Entry;
End If;
End For;
//If parameter exists, set in it formed mask
//otherwise create a new additional security parameter
If DeniedEntry <> Null Then
DeniedEntry.AccessMask := AccessDenied;
Else
Acl.AddAce(AceType.AccessDenied, User.Sid, AccessDenied);
End If;
SecDesc.Apply(True);
End Sub Main;
After executing the example, access control elements of the specified object are changed. If access control elements contain parameters that determine access permissions for the TestUser user, they will be changed. If relevant parameters do not exist, they will be created. Allowing and prohibiting access masks are formed in the AccessAllowed and AccessDenied variables respectively.
See also: