IAccessControlList.AddAce

Syntax

AddAce(Type: AceType; Sid: ISid; AccessMask: Integer): IAccessControlEntry;

Parameters

Type. Type of a created parameter.

Sid. Identifier of a security subject.

AccessMask. Access mask that will be set.

Description

The AddAce method adds an access control element.

Comment

Mask value is a 4-byte binary number converted to decimal form. It is necessary to use values of the MetabaseObjectPredefinedRights enumeration type to form mask value. This enumeration contains basic and additional operations, on which permissions can be granted and access audit can be executed. The specific operations are available for defined classes of objects. To use specific operations, depending on the object class, one can use values of the following enumerations in the mask:

Basic, additional and specific operations available for specified objects types are shown in the Types of Events section.

Example

Executing the example requires that the repository contains a table with the TABLE identifier. There is the TestUser user among the security subjects that were created in the security manager of the current repository.

Add a link to the Metabase system assembly.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    User: ISecuritySubject;
    Acl: IAccessControlList;
    Entry, AllowedEntry, DeniedEntry: IAccessControlEntry;
    AccessAllowed, AccessDenied: Integer;
Begin
    MB := MetabaseClass.Active;
    MDesc := MB.ItemById("Table_1");
    //Object security descriptor
    SecDesc := MDesc.SecurityDescriptor;
    //User, for which it is necessary to change access permissions
    User := MB.Security.ResolveName("TestUser");
    SecDesc.Edit;
    //Additional security parameters
    Acl := SecDesc.Acl;
    //Form allowing and prohibiting mask:
    //Basic operations that are allowed
    AccessAllowed := MetabaseObjectPredefinedRights.Read;
    //Specific operations that are allowed
    AccessAllowed := AccessAllowed Or
        TableSpecificRights.SelectRows Or
        TableSpecificRights.UpdateRows;
    //Basic operations that are prohibited
    AccessDenied := MetabaseObjectPredefinedRights.WritePars Or
        MetabaseObjectPredefinedRights.WriteDescr;
    //Specific operations that are prohibited
    AccessDenied := AccessDenied Or
        TableSpecificRights.InsertRows Or
        TableSpecificRights.DeleteRows;
    //Search additional security parameter
    //that enables the user to execute operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
            AllowedEntry := Entry;
        End If;
    End For;
    //If parameter exists, set in it formed mask
    //otherwise create a new additional security parameter
    If AllowedEntry <> Null Then
        AllowedEntry.AccessMask := AccessAllowed;
    Else
        Acl.AddAce(AceType.AccessAllowed, User.Sid, AccessAllowed);
    End If;
    //Search for additional security parameter
    //that prohibits operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
            DeniedEntry := Entry;
        End If;
    End For;
    //If parameter exists, set in it formed mask
    //otherwise create a new additional security parameter
    If DeniedEntry <> Null Then
        DeniedEntry.AccessMask := AccessDenied;
    Else
        Acl.AddAce(AceType.AccessDenied, User.Sid, AccessDenied);
    End If;
    SecDesc.Apply(True);
End Sub UserProc;

After executing the example, access control elements of the specified object are changed. If object access control elements have parameters that determine access permissions for the TestUser user, they will be changed. If relevant parameters do not exist, they will be created. Allowing and prohibiting access masks are formed in the AccessAllowed and AccessDenied variables respectively.

See also:

IAccessControlList