ISecurityDescriptor.GetEffectiveRightsAuditLabel

Syntax

GetEffectiveRightsAuditLabel(
    Subject: ISecuritySubject;
    DesiredAccess: Integer;
    Var Access: Integer;
    Var Audit: Integer;
    Var Label: ISecurityDocumentLabel);

Parameters

Subject. Security subject for which effective access permissions are calculated.

DesiredAccess. Desired access permissions, relative to which effective access permissions are calculated.

Access. Integer variable that receives the value corresponding to the user's effective access permissions for the object.

Audit. Integer variable that receives the value corresponding to access auditing of the user for the object.

Label. Variable that receives the security label parameters. The security label is calculated if mandatory access control for objects is enabled.

Description

The GetEffectiveRightsAuditLabel method calculates the user's effective access permissions and access auditing, and also the parameters of the security label that is used when printing and exporting repository objects.

Comments

When effective permissions are calculated, the selected access control methods are taken into account. If discretionary access control is used, permissions by classes are additionally calculated for the specific object type.

An access mask is used to specify the necessary access permissions. After calculation, an access mask is also contained in the variables specified in the Access and Audit parameters. The mask value is a 4-byte binary number converted to decimal form. Use the values of the MetabaseObjectPredefinedRights enumeration type to form a mask of the necessary access permissions and to check the received values. This enumeration contains the main and additional operations for which permissions can be given. Specific operations are available for defined object classes. Values of the following enumerations can be used to check specific operations depending on the object class:

Basic, additional and specific operations available for specified object types are shown in the Types of Events section.

To analyze a mask value, implement a custom function that compares separate mask bits with the relevant enumeration values. An example of working with an access mask is given in the Examples: Working with Access Mask section.

Effective permissions returned in the variable specified in the Access parameter are formed on the basis of the necessary access permissions. If there are any operations that depend on the main and additional operations, they will also be included in the effective permissions.

To obtain the value that corresponds to the user's access auditing for the object, first calculate the maximum auditing value that is available to objects of this class. Then add the value of the variable specified in the Audit parameter to the received value. If the output value is not zero, the operations specified in the necessary permissions are audited for the current user.

Example

Executing the example requires that the repository contains an object with the Obj_1 identifier. The security subjects created in the security manager of the current repository must include the TestUser user.

Sub UserProc;
Var
    MB: IMetabase;
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Access, Audit: Integer;
    Lab: ISecurityDocumentLabel;
Begin
    MB := MetabaseClass.Active;
    // Security subject whose permissions are calculated
    Subj := MB.Security.ResolveName("TestUser");
    // Object whose security descriptor is queried
    MDesc := MB.ItemById("Obj_1");
    SecDesc := MDesc.SecurityDescriptor;
    // The desired access mask combines the Delete and Access operations
    SecDesc.GetEffectiveRightsAuditLabel(Subj,
        MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access,
        Access, Audit, Lab);
    // Display the security label parameters if the label is enabled
    If Lab.IsON Then
        Debug.WriteLine(Lab.Label);
        Debug.WriteLine(Lab.LabelDescription);
        Debug.WriteLine(Lab.TreatSectionAsDocument);
        Debug.WriteLine(Lab.User.Name);
    End If;
End Sub UserProc;

After executing the example, the Access and Audit variables contain values that correspond to the effective access permissions and access auditing of the specified user. The effective permissions and auditing are calculated relative to the Remove and Change Permissions operations. If mandatory access control is enabled in the repository and the object is assigned a level for which objects are marked when exporting and printing, the Lab variable contains the parameters of the security label used for marking. These parameters are displayed in the development environment console.
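
The mask comparison described in the Comments section, as an added example that is not part of the original documentation: it splits the requested mask into granted and denied operations and isolates the dependent operations that were added to the effective permissions. It reuses the Obj_1 object and the TestUser subject from the example above; the HasRight and CheckRequestedRights names are hypothetical, and the code assumes that And applied to integer operands is bitwise, as Or is in the call above.

```fore
// Added example: HasRight and CheckRequestedRights are hypothetical names.
// Assumption: And on Integer operands is bitwise, like Or in the mask below.
Function HasRight(Mask: Integer; Operation: Integer): Boolean;
Begin
    // The operation is present only if all of its bits are set in the mask
    Return (Mask And Operation) = Operation;
End Function HasRight;

Sub CheckRequestedRights;
Var
    MB: IMetabase;
    SecDesc: ISecurityDescriptor;
    Subj: ISecuritySubject;
    Desired, Access, Audit: Integer;
    Granted, Denied, Dependent: Integer;
    Lab: ISecurityDocumentLabel;
Begin
    MB := MetabaseClass.Active;
    Subj := MB.Security.ResolveName("TestUser");
    SecDesc := MB.ItemById("Obj_1").SecurityDescriptor;
    // Mask of the operations to check
    Desired := MetabaseObjectPredefinedRights.Delete Or
        MetabaseObjectPredefinedRights.Access;
    SecDesc.GetEffectiveRightsAuditLabel(Subj, Desired, Access, Audit, Lab);
    // Requested operations that are effectively allowed
    Granted := Access And Desired;
    // Requested operations that are not allowed. Granted is a subset of
    // Desired, so subtraction clears exactly the granted bits.
    Denied := Desired - Granted;
    // Operations included only because they depend on the requested ones
    Dependent := Access - Granted;
    Debug.WriteLine("Delete allowed:");
    Debug.WriteLine(HasRight(Granted, MetabaseObjectPredefinedRights.Delete));
    Debug.WriteLine("Change permissions allowed:");
    Debug.WriteLine(HasRight(Granted, MetabaseObjectPredefinedRights.Access));
    If Denied <> 0 Then
        Debug.WriteLine("Mask of requested operations that are denied:");
        Debug.WriteLine(Denied);
    End If;
    If Dependent <> 0 Then
        Debug.WriteLine("Mask of dependent operations that were added:");
        Debug.WriteLine(Dependent);
    End If;
End Sub CheckRequestedRights;
```

A non-zero Denied value means that the subject lacks at least one requested operation, which is the case to treat as a refusal before performing the operation on the object.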

See also:

ISecurityDescriptor