How this method works is described in the Setting Up Level-Based Access Control Method subsection.
Level-based access control uses the same levels that are used in mandatory access control. Categories are not used. To access the levels, use the IMetabaseMandatoryAccess.Category property and specify index 0.
To enable or disable level-based access control, use the IMetabaseMandatoryAccess.IsSimple property. When security levels are used, four levels are created with criticality labels 0-3. If required, the list of levels can be extended.
Assume that the repository already contains three users created by means of the code given in the Security Subjects subsection. To enable level-based access control for users, execute the following code:
Sub EnableLevelsAccessControl;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    Executor, Manager, Owner: IMetabaseUser;
    Mandatory: IMetabaseMandatoryAccess;
    Category: ISecurityCategory;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Use level-based access control method
    Mandatory := MbSec.Policy.MandatoryAccess;
    Mandatory.IsSimple := True;
    // Users, for which access levels are set up
    Executor := MbSec.ResolveName("Executor") As IMetabaseUser;
    Manager := MbSec.ResolveName("Manager") As IMetabaseUser;
    Owner := MbSec.ResolveName("Owner") As IMetabaseUser;
    // Mandatory access control category
    Category := Mandatory.Category(0);
    // Map users and access levels
    Executor.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(3);
    Manager.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(2);
    Owner.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(1);
    // Apply changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub EnableLevelsAccessControl;
Assume that the repository contains a folder with a cube and all objects on which it depends. A regular report is created based on the cube. To map levels and repository objects, execute the following code:
Sub SetObjectsLevel;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    MandatoryAccess: IMetabaseMandatoryAccess;
    Category: ISecurityCategory;
    CubeDesc: IMetabaseObjectDescriptor;
    Folder, Cube, Report: ISecurityDescriptor;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Mandatory access control category
    MandatoryAccess := MbSec.Policy.MandatoryAccess;
    Category := MandatoryAccess.Category(0);
    // Map objects and mandatory access control levels
    //---Regular report---
    Report := Mb.ItemById("REPORT").SecurityDescriptor;
    Report.Edit;
    Report.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(3);
    Report.Apply(False);
    //---Cube and all objects on which it depends---
    CubeDesc := Mb.ItemById("STD_CUBE");
    Cube := CubeDesc.SecurityDescriptor;
    Cube.Edit;
    Cube.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(2);
    Cube.Apply(False);
    ApplyAccessToDependence(CubeDesc.Dependencies(False), Category, Cube.AccessToken.ClassificationLabel(Category));
    //---Folder---
    Folder := Mb.ItemById("FOLDER").SecurityDescriptor;
    Folder.Edit;
    Folder.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(1);
    // Do not apply the access level to the entire folder hierarchy,
    // so that access levels already set for objects inside the folder are not reset
    Folder.Apply(False);
    // Check in license
    Lic := Null;
End Sub SetObjectsLevel;
Sub ApplyAccessToDependence(MDescs: IMetabaseObjectDescriptors; Category: ISecurityCategory; Level: ISecurityLevel);
Var
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
Begin
    For Each MDesc In MDescs Do
        SecDesc := MDesc.SecurityDescriptor;
        SecDesc.Edit;
        SecDesc.AccessToken.ClassificationLabel(Category) := Level;
        SecDesc.Apply(False);
        // Recursive checking of all objects, on which the current object may depend
        If MDesc.Dependencies(False).Count > 0 Then
            ApplyAccessToDependence(MDesc.Dependencies(False), Category, Level);
        End If;
    End For;
End Sub ApplyAccessToDependence;
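After the levels are mapped, it is worth confirming that every object the cube depends on actually carries the cube's level. The following check is an added example, not code from the platform documentation; the names CountLevelMismatches and CheckCubeLevels are hypothetical, and it assumes that ISecurityLevel exposes a Label property and that the "STD_CUBE" object from the code above exists.

```fore
// Added example (not platform code). Assumption: ISecurityLevel has a Label property.
// Returns the number of dependencies whose level is missing or differs from Expected.
Function CountLevelMismatches(MDescs: IMetabaseObjectDescriptors; Category: ISecurityCategory; Expected: ISecurityLevel): Integer;
Var
    MDesc: IMetabaseObjectDescriptor;
    Actual: ISecurityLevel;
    Count: Integer;
Begin
    Count := 0;
    For Each MDesc In MDescs Do
        // Read the level currently stored in the object's access token
        Actual := MDesc.SecurityDescriptor.AccessToken.ClassificationLabel(Category);
        If Actual = Null Then
            Debug.WriteLine("No level set: " + MDesc.Id);
            Count := Count + 1;
        Elseif Actual.Label <> Expected.Label Then
            Debug.WriteLine("Level differs from cube: " + MDesc.Id);
            Count := Count + 1;
        End If;
        // Same recursive walk as ApplyAccessToDependence
        Count := Count + CountLevelMismatches(MDesc.Dependencies(False), Category, Expected);
    End For;
    Return Count;
End Function CountLevelMismatches;

Sub CheckCubeLevels;
Var
    Mb: IMetabase;
    Category: ISecurityCategory;
    CubeDesc: IMetabaseObjectDescriptor;
    Expected: ISecurityLevel;
    Mismatches: Integer;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    Category := Mb.Security.Policy.MandatoryAccess.Category(0);
    CubeDesc := Mb.ItemById("STD_CUBE");
    // The cube's own level is the reference value for all of its dependencies
    Expected := CubeDesc.SecurityDescriptor.AccessToken.ClassificationLabel(Category);
    Mismatches := CountLevelMismatches(CubeDesc.Dependencies(False), Category, Expected);
    Debug.WriteLine("Dependencies with an unexpected level: " + Mismatches.ToString);
    // Check in license
    Lic := Null;
End Sub CheckCubeLevels;
```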