Discretionary Access Control Method

How this method works is described in the Setting Up Discretionary Access Control Method subsection.

The discretionary access control method is used in repositories by default. To enable or disable discretionary access control, use the IMetabasePolicy.DiscretionaryAccessControl property.

Sub EnableDiscrAccessControl;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Use discretionary access control method
    MbSec.Policy.DiscretionaryAccessControl := True;
    // Apply changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub EnableDiscrAccessControl;

To set up object access permissions, execute the following operations:

  1. Using properties and methods of the IMetabaseSecurity interface, get the security subject for which object access permissions will be set up.

  2. Using the IMetabaseObjectDescriptor.SecurityDescriptor property, get the access control parameters of the repository object. Use the Edit method to open the parameters for editing.

  3. Get the list of additional security parameters using the ISecurityDescriptor.Acl property.

  4. Using the IAccessControlList.AddAce method, add security elements that allow or deny the user specific operations with the object. The list of basic operations is available in the MetabaseObjectPredefinedRights enumeration. If specific operations can be executed with the object, for example, work with formulas, dictionary elements, and so on, these operations can be obtained using additional enumerations. The enumerations are listed in the description of the IAccessControlList.AddAce method.

  5. Apply changes using the ISecurityDescriptor.Apply or ISecurityDescriptor.ApplyO method.

The permissions and prohibitions that have been set take effect right after the repository contents are updated using the IMetabase.Refresh method.

Sub DiscretionaryAccessControl;
Var
    Mb: IMetabase;
    ObjDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    AcessCL: IAccessControlList;
    Subject: ISecuritySubject;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Get the user, for whom permissions will be set up
    Subject := Mb.Security.ResolveName("USER");
    // Get the object, for which access permissions are set up
    ObjDesc := Mb.ItemById("REPORT");
    SecDesc := ObjDesc.SecurityDescriptor;
    SecDesc.Edit;
    // Additional security parameters
    AcessCL := SecDesc.Acl;
    // Set permissions
    AcessCL.AddAce(AceType.AccessAllowed, Subject.Sid, MetabaseObjectPredefinedRights.Read Or MetabaseObjectPredefinedRights.Write);
    // Set prohibitions
    AcessCL.AddAce(AceType.AccessDenied, Subject.Sid, MetabaseObjectPredefinedRights.Delete Or MetabaseObjectPredefinedRights.Access);
    SecDesc.Apply(True);
    // Check in license
    Lic := Null;
End Sub DiscretionaryAccessControl;

After executing the example, the USER user is allowed to read and change the REPORT repository object, but the user is denied changing permissions and deleting this object.
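The five steps above can also be wrapped in a reusable function that grants read-only access and refreshes the repository afterwards. This is an added example, not part of the original page: the GrantReadOnly and GrantReadOnlyToReports names and the "REPORT_2" identifier are hypothetical, and it assumes that ResolveName and ItemById return Null when nothing matches.

```fore
// Added example, not from the original page. "USER", "REPORT" and "REPORT_2" are placeholders.
// Assumption: ResolveName and ItemById return Null when nothing matches.
Function GrantReadOnly(Mb: IMetabase; SubjectName: String; ObjectId: String): Boolean;
Var
    Subject: ISecuritySubject;
    ObjDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    AccessList: IAccessControlList;
Begin
    // Step 1: get the security subject; stop if the name is unknown
    Subject := Mb.Security.ResolveName(SubjectName);
    If Subject = Null Then
        Debug.WriteLine("Subject not found: " + SubjectName);
        Return False;
    End If;
    // Step 2: get the object security descriptor and open it for editing
    ObjDesc := Mb.ItemById(ObjectId);
    If ObjDesc = Null Then
        Debug.WriteLine("Object not found: " + ObjectId);
        Return False;
    End If;
    SecDesc := ObjDesc.SecurityDescriptor;
    SecDesc.Edit;
    // Steps 3 and 4: allow reading; deny changing, deleting and changing permissions
    AccessList := SecDesc.Acl;
    AccessList.AddAce(AceType.AccessAllowed, Subject.Sid, MetabaseObjectPredefinedRights.Read);
    AccessList.AddAce(AceType.AccessDenied, Subject.Sid,
        MetabaseObjectPredefinedRights.Write Or MetabaseObjectPredefinedRights.Delete Or MetabaseObjectPredefinedRights.Access);
    // Step 5: same Apply call as in the example above
    SecDesc.Apply(True);
    Return True;
End Function GrantReadOnly;

Sub GrantReadOnlyToReports;
Var
    Mb: IMetabase;
    Lic: Object;
    Applied: Integer;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    Applied := 0;
    If GrantReadOnly(Mb, "USER", "REPORT") Then Applied := Applied + 1; End If;
    If GrantReadOnly(Mb, "USER", "REPORT_2") Then Applied := Applied + 1; End If;
    // The new permissions take effect only after the repository contents are refreshed
    If Applied > 0 Then Mb.Refresh; End If;
    // Check in license
    Lic := Null;
End Sub GrantReadOnlyToReports;
```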

See also:

Access Control Methods