IMetabasePolicy.AllowCreateUserGrant

Syntax

AllowCreateUserGrant: Boolean;

Description

The AllowCreateUserGrant property allows for creating two roles while maintaining the security policy:

Comments

The property is not set by default. It becomes available when roles of the application administrator and the ISA are separated.

The information security administrator will be included into the created roles. Only the administrator can change the property value. When AllowCreateUserGrant is set to False, roles will differ.

During the user update depending on the privileges, the user is either added to the role, or removed from the role.

The property is available only for repositories created on the basis of Oracle DBMS.

Example

To execute the example make sure that the repository is created on the basis of Oracle DBMS.

Add a link to the Metabase system assembly.

Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Isa: IMetabaseUser;
    Policy: IMetabasePolicy;
    Lic: Object;     
Begin
    MB := MetabaseClass.Active;
    
// Check out license to work with security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    Isa := MS.ResolveName(MB.Id + 
"_ISA"As IMetabaseUser;
    Policy := MS.Policy;
    
// Enable role distribution between AIS and application administrator
    Policy.PromoteToIsaMode(Isa, IsaModePromoteOptions.RestrictAdminAccess Or IsaModePromoteOptions.RestrictIsaAccess);
    
// Create two roles
    Policy.AllowCreateUserGrant := True;
    
// Save changes
    MS.Apply;
    
// Check in license
    Lic := Null;
End Sub UserProc;

After executing the example the mode of roles separation between the AIS and the application administrator is enabled. Two roles will be created for the ISA, which will be used on user administration.

See also:

IMetabasePolicy