AddAce(Type: AceType; Sid: ISid; AccessMask: Integer): IAccessControlEntry;
Type. Type of the access control element that is created.
Sid. Identifier of a security subject.
AccessMask. Access mask that will be set.
The AddAce method adds an access control element.
The mask value is a 4-byte binary number converted to decimal form. To form the mask value, use values of the MetabaseObjectPredefinedRights enumeration. This enumeration contains the basic and additional operations for which permissions can be granted and access audit can be executed. Specific operations are available only for certain classes of objects. To use specific operations, depending on the object class, include values of the following enumerations in the mask:
CalculatedCubeSpecificRights - specific operations available for calculated cubes.
CubeLoaderSpecificRights - specific operations available for cube data loader.
CubeSpecificRights - specific operations available for various types of cubes.
CustomObjectSpecificRights - specific operations available for custom class objects.
DataBaseSpecificRights - specific operations available for the Database repository object.
DictionarySpecificRights - specific operations available for the MDM Dictionary and Composite MDM Dictionary repository objects.
MDCalcSpecificRights - specific operations available for the Multidimensional Calculation on DB Server repository object.
ProblemSpecificRights - specific operations available for the Modeling Problem modeling container object.
ProcedureSpecificRights - specific operations available for the Procedure repository object.
ScenarioDimensionSpecificRights - specific operations available for the Modeling Scenario repository object.
TableSpecificRights - specific operations available for the following repository objects - Table, View, Log, External Table.
ValidationSpecificRights - specific operations available for the Validation Rule and Validation Group repository objects.
Basic, additional and specific operations available for specified object types are shown in the Types of Events section.
Executing the example requires that the repository contains a table with the TABLE identifier. The TestUser user must be among the security subjects created in the security manager of the current repository.
Add a link to the Metabase system assembly.
Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    User: ISecuritySubject;
    Acl: IAccessControlList;
    Entry, AllowedEntry, DeniedEntry: IAccessControlEntry;
    AccessAllowed, AccessDenied: Integer;
Begin
    MB := MetabaseClass.Active;
    // Table named in the example requirements
    MDesc := MB.ItemById("TABLE");
    // Object security descriptor
    SecDesc := MDesc.SecurityDescriptor;
    // User whose access permissions are changed
    User := MB.Security.ResolveName("TestUser");
    SecDesc.Edit;
    // Access control list of the object
    Acl := SecDesc.Acl;
    // Form the allowing and prohibiting masks:
    // Basic operations that are allowed
    AccessAllowed := MetabaseObjectPredefinedRights.Read;
    // Specific operations that are allowed
    AccessAllowed := AccessAllowed Or
        TableSpecificRights.SelectRows Or
        TableSpecificRights.UpdateRows;
    // Basic operations that are prohibited
    AccessDenied := MetabaseObjectPredefinedRights.WritePars Or
        MetabaseObjectPredefinedRights.WriteDescr;
    // Specific operations that are prohibited
    AccessDenied := AccessDenied Or
        TableSpecificRights.InsertRows Or
        TableSpecificRights.DeleteRows;
    // Search for the access control element
    // that allows operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessAllowed) Then
            AllowedEntry := Entry;
        End If;
    End For;
    // If the element exists, set the formed mask in it,
    // otherwise create a new access control element
    If AllowedEntry <> Null Then
        AllowedEntry.AccessMask := AccessAllowed;
    Else
        Acl.AddAce(AceType.AccessAllowed, User.Sid, AccessAllowed);
    End If;
    // Search for the access control element
    // that prohibits operations for the specified user
    For Each Entry In Acl Do
        If (Entry.Sid.AsString = User.Sid.AsString) And (Entry.Type = AceType.AccessDenied) Then
            DeniedEntry := Entry;
        End If;
    End For;
    // If the element exists, set the formed mask in it,
    // otherwise create a new access control element
    If DeniedEntry <> Null Then
        DeniedEntry.AccessMask := AccessDenied;
    Else
        Acl.AddAce(AceType.AccessDenied, User.Sid, AccessDenied);
    End If;
    SecDesc.Apply(True);
End Sub UserProc;
After executing the example, the access control elements of the specified object are changed. If the object already has access control elements that determine access permissions for the TestUser user, they are changed. If no such elements exist, they are created. The allowing and prohibiting access masks are formed in the AccessAllowed and AccessDenied variables respectively.
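Because the example assigns the formed masks over any existing ones, it helps to review them before they are applied. The following function is an added example, not part of the original page or the platform's own code: CheckMasks is a hypothetical helper that reports operations present in both masks and shows which existing masks of the subject will be replaced. It assumes that And on Integer values is bitwise, as Or is in UserProc, and that Integer values provide ToString.

```fore
// Added example (hypothetical helper, not from the original page).
// Returns False when the same operation is set in both the allowing
// and the prohibiting mask formed for one security subject.
// Assumption: And on Integer values is bitwise, like Or in UserProc.
Function CheckMasks(Acl: IAccessControlList; Sid: ISid; Allowed: Integer; Denied: Integer): Boolean;
Var
    Entry: IAccessControlEntry;
    Overlap: Integer;
    Ok: Boolean;
Begin
    Ok := True;
    // The same operation must not be both allowed and prohibited
    Overlap := Allowed And Denied;
    If Overlap <> 0 Then
        Debug.WriteLine("Operations set in both masks (decimal): " + Overlap.ToString);
        Ok := False;
    End If;
    // Report the existing masks of the subject that will be replaced
    For Each Entry In Acl Do
        If Entry.Sid.AsString = Sid.AsString Then
            If Entry.Type = AceType.AccessAllowed Then
                Debug.WriteLine("Allowing mask: " + Entry.AccessMask.ToString + " -> " + Allowed.ToString);
            End If;
            If Entry.Type = AceType.AccessDenied Then
                Debug.WriteLine("Prohibiting mask: " + Entry.AccessMask.ToString + " -> " + Denied.ToString);
            End If;
        End If;
    End For;
    Return Ok;
End Function CheckMasks;
```

In UserProc it can be called as CheckMasks(Acl, User.Sid, AccessAllowed, AccessDenied) after the masks are formed and before the access control elements are modified.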