ISecurityDescriptor.GetEffectiveRightsAudit

Syntax

GetEffectiveRightsAudit(Subject: ISecuritySubject; DesiredAccess: Integer; Var Access: Integer; Var Audit: Integer);

Parameters

Subject. Security subject for which effective access permissions are calculated.

DesiredAccess. Desired access permissions relative to which effective access permissions are calculated.

Access. Variable that receives the decimal value corresponding to the effective access permissions of the user to the object.

Audit. Variable that receives the value corresponding to access auditing of the user to the object.

Description

The GetEffectiveRightsAudit method calculates effective access permissions and access auditing of the user to the repository object on the basis of the necessary permissions.

Comments

When effective permissions are calculated, the selected access control methods are taken into account. If discretionary access control is used, permissions by classes are additionally calculated for the specific object type.

An access mask is used to specify the necessary access permissions. After calculation, the variables specified in the Access and Audit parameters also contain access masks. A mask value is a 4-byte binary number converted to decimal form. Use the values of the MetabaseObjectPredefinedRights enumeration to form a mask of the necessary access permissions and to check the received values. This enumeration contains the main and additional operations for which permissions can be granted. Specific operations are available for particular object classes. Values of the following enumerations can be used to check specific operations depending on the object class:

Basic, additional and specific operations available for the specified object types are shown in the Types of Events section.

To analyze a mask value, implement a custom function that compares separate mask bits with the relevant enumeration values. An example of working with an access mask is given in the Working with Access Mask section.

Effective permissions returned in the variable specified in the Access parameter are formed on the basis of the necessary access permissions. If there are any operations that depend on the main and additional operations, they will also be included in the effective permissions.

To obtain the value that corresponds to access auditing of the user to the object, first calculate the maximum auditing value available for objects of this class. Then add the value of the variable specified in the Audit parameter to that value. If the result is not zero, auditing of the operations specified in the necessary permissions is applied for the current user.

Example

Executing the example requires that the repository contains an object with the Obj_1 identifier. The security subjects created in the security manager of the current repository must include the TestUser user.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Access, Audit: Integer;
Begin
    MB := MetabaseClass.Active;
    // Security subject whose permissions are evaluated
    Subj := MB.Security.ResolveName("TestUser");
    // Repository object and its security descriptor
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    // Desired access mask: two operations combined with Or
    SecDesc.GetEffectiveRightsAudit(Subj,
        MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access,
        Access, Audit);
    // Access and Audit now hold the calculated masks
End Sub UserProc;

After executing the example the Access and Audit variables contain values that correspond to the effective access permissions and access auditing of the specified user. The effective permissions and auditing are calculated relative to the Remove and Change Permissions operations.
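
The following added example (not part of the original documentation) sketches the custom mask check recommended in the Comments section. It tests containment rather than equality, because the effective permissions may also include dependent operations. HasRight, ReportRight and CheckRights are hypothetical names, and the code assumes that And works bitwise on integers in the same way as the Or used above.

```fore
// Added example; HasRight, ReportRight and CheckRights are hypothetical names.

// True when every bit of Right is set in Mask.
// Assumption: And is bitwise for integer operands, like Or in the example above.
Function HasRight(Mask: Integer; Right: Integer): Boolean;
Begin
    Return (Mask And Right) = Right;
End Function HasRight;

// Writes the result for one operation to the development environment console.
Sub ReportRight(Name: String; Mask: Integer; Right: Integer);
Begin
    If HasRight(Mask, Right) Then
        Debug.WriteLine(Name + ": granted");
    Else
        Debug.WriteLine(Name + ": not granted");
    End If;
End Sub ReportRight;

Sub CheckRights;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Desired, Access, Audit: Integer;
Begin
    MB := MetabaseClass.Active;
    Subj := MB.Security.ResolveName("TestUser");
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    // Same desired mask as in the example above
    Desired := MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access;
    SecDesc.GetEffectiveRightsAudit(Subj, Desired, Access, Audit);
    // Check each requested operation separately
    ReportRight("Delete", Access, MetabaseObjectPredefinedRights.Delete);
    ReportRight("Change permissions", Access, MetabaseObjectPredefinedRights.Access);
    // Access may carry dependent operations too, so Access = Desired can fail
    // even when everything requested is permitted; test containment instead.
    If HasRight(Access, Desired) Then
        Debug.WriteLine("All requested operations are permitted");
    Else
        Debug.WriteLine("At least one requested operation is not permitted");
    End If;
End Sub CheckRights;
```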

See also:

ISecurityDescriptor