RestrictUserDeletion: Boolean;
The RestrictUserDeletion property determines whether the application administrator is prohibited from deleting users who have any access permissions on repository objects.
The property is relevant when roles are separated between the information security administrator (ISA) and the application administrator (AA).
The property is set to False by default. If the value is True, the application administrator cannot delete a user who has any permissions on repository objects. On an attempt to delete such a user, a corresponding message is displayed. To delete such a user, all of the user's access permissions must be removed first.
To change the property value, the user who executes the setup should have the Changing Security Label and Access Control List of Any Object privilege.
To execute the example, activate the roles separation mode between ISA and AA in the security manager.
Add a link to the Metabase system assembly.
Sub UserProc;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Policy: IMetabasePolicy;
    Lic: Object;
Begin
    MB := MetabaseClass.Active;
    // Check out license to work with security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    Policy := MS.Policy;
    // Prohibit the application administrator from deleting users
    Policy.RestrictUserDeletion := True;
    // Save changes
    MS.Apply;
    // Check in license
    Lic := Null;
End Sub UserProc;
After executing the example, if the AA tries to delete a user who has any access permissions on repository objects, a corresponding message is displayed.