AllowCreateUserGrant: Boolean;
The AllowCreateUserGrant property allows for creating two roles while maintaining the security policy:
The first role includes the Create User and Drop User system privileges.
The second role includes the Alter User system privilege.
The property is not set by default. It becomes available when the roles of the application administrator and the information security administrator (ISA) are separated.
The information security administrator is included in the created roles. Only the administrator can change the property value. When AllowCreateUserGrant is set to False, roles will differ.
When a user is updated, the user is either added to the role or removed from it, depending on the user's privileges.
The property is available only for repositories created on the basis of Oracle DBMS.
To execute the example, make sure that the repository is created on the basis of Oracle DBMS.
Add a link to the Metabase system assembly.
Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Isa: IMetabaseUser;
    Policy: IMetabasePolicy;
    Lic: Object;
Begin
    MB := MetabaseClass.Active;
    // Check out license to work with security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    // Get the information security administrator (ISA) account
    Isa := MS.ResolveName(MB.Id + "_ISA") As IMetabaseUser;
    Policy := MS.Policy;
    // Enable role separation between the ISA and the application administrator
    Policy.PromoteToIsaMode(Isa, IsaModePromoteOptions.RestrictAdminAccess Or IsaModePromoteOptions.RestrictIsaAccess);
    // Create two roles
    Policy.AllowCreateUserGrant := True;
    // Save changes
    MS.Apply;
    // Check in license
    Lic := Null;
End Sub UserProc;
After executing the example, the mode of role separation between the ISA and the application administrator is enabled. Two roles are created for the ISA, which are used for user administration.
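To check the result on the Oracle side, the following added example (not part of the original documentation) lists the roles that hold the Create User, Drop User and Alter User system privileges and the accounts that receive them. It assumes the session can read the DBA_* data dictionary views; the platform's role names are not given on this page, so the roles are found by privilege, and Oracle's built-in roles that hold the same privileges will also appear in the output.

```sql
-- Added example: audit of user-management privileges after role separation.
-- Assumption: run by an account with SELECT access to the DBA_* dictionary views.

-- 1. Roles holding CREATE USER / DROP USER / ALTER USER, and the members of each role.
--    Expected after the example above: one role with CREATE USER and DROP USER,
--    a second role with ALTER USER, and the ISA account as a member of both.
SELECT sp.grantee      AS role_name,
       sp.privilege    AS system_privilege,
       sp.admin_option AS priv_admin_option,
       rp.grantee      AS role_member,
       rp.admin_option AS role_admin_option
FROM   dba_sys_privs sp
       JOIN dba_roles r
         ON r.role = sp.grantee
       LEFT JOIN dba_role_privs rp
         ON rp.granted_role = sp.grantee
WHERE  sp.privilege IN ('CREATE USER', 'DROP USER', 'ALTER USER')
ORDER  BY sp.grantee, sp.privilege, rp.grantee;

-- 2. The same privileges granted directly to user accounts rather than through a role.
--    Direct grants are not controlled by role membership, so review each row.
SELECT sp.grantee      AS user_name,
       sp.privilege    AS system_privilege,
       sp.admin_option AS priv_admin_option
FROM   dba_sys_privs sp
       JOIN dba_users u
         ON u.username = sp.grantee
WHERE  sp.privilege IN ('CREATE USER', 'DROP USER', 'ALTER USER')
ORDER  BY sp.grantee, sp.privilege;
```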