Working with this method is described in the Setting Up Mandatory Access Control Method subsection.
To enable or disable mandatory access control, use the IMetabasePolicy.MandatoryAccessControl property (True enables the method, False disables it). Changes to the policy take effect only after IMetabaseSecurity.Apply is called.
Sub EnableMandatoryAccessControl;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Use mandatory access control method
    MbSec.Policy.MandatoryAccessControl := True;
    // Apply changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub EnableMandatoryAccessControl;
Further work can be divided into three stages: creating security categories and their levels, assigning levels to users, and assigning levels to repository objects.
To work with security categories of mandatory access control, use the IMetabaseMandatoryAccess interface, which is accessed via the IMetabasePolicy.MandatoryAccess property. Each category is described by the ISecurityCategory interface, and each level within a category is described by the ISecurityLevel interface.
To create categories, use the IMetabaseMandatoryAccess.AddCategory method; to create levels inside a category, use the ISecurityCategory.AddLevel method.
When a new category is created, one level with criticality label 0 and the name No Access is created automatically in the collection of category levels. Level names must be unique within a category, so an attempt to create another level with that name results in an error. Either rename this level (as the example below does via Category.Level(0).Name) or create a new level with criticality label 0 under a different name.
Sub CreateCategoryAndLevel;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    MandatoryAccess: IMetabaseMandatoryAccess;
    Category: ISecurityCategory;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    MandatoryAccess := MbSec.Policy.MandatoryAccess;
    // Create a category and levels
    Category := MandatoryAccess.AddCategory("Data access");
    Category.Hierarchical := True;
    // Rename the automatically created level with criticality label 0
    Category.Level(0).Name := "No data access";
    Category.AddLevel(1, "Executor");
    Category.AddLevel(2, "Manager");
    Category.AddLevel(3, "Owner");
    // Apply changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub CreateCategoryAndLevel;
When mandatory access control is used, access levels are set up only for individual users and cannot be applied to a group of users. Mandatory access control parameters of a user are returned by the IMetabaseUser.Token property. Use the IAccessToken.ClassificationLabel property to map the user to a specific access level within a specific category.
Assume that the repository already contains the three users created by the code given in the Security Subjects subsection. To map users to levels, execute the following code:
Sub SetUsersMandatoryLevel;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    Executor, Manager, Owner: IMetabaseUser;
    MandatoryAccess: IMetabaseMandatoryAccess;
    Category: ISecurityCategory;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Users for whom the mandatory access level is set up
    Executor := MbSec.ResolveName("Executor") As IMetabaseUser;
    Manager := MbSec.ResolveName("Manager") As IMetabaseUser;
    Owner := MbSec.ResolveName("Owner") As IMetabaseUser;
    // Mandatory access control category
    MandatoryAccess := MbSec.Policy.MandatoryAccess;
    Category := MandatoryAccess.Category(0);
    // Map users to mandatory access levels
    Executor.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(1);
    Manager.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(2);
    Owner.Token.ClassificationLabel(Category) := Category.FindLevelByLabel(3);
    // Apply changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub SetUsersMandatoryLevel;
To set up the access level of a repository object:
Use the IMetabaseObjectDescriptor.SecurityDescriptor property to get the object's access control parameters. Call its Edit method to open the parameters for editing.
In the access parameters, use the ISecurityDescriptor.AccessToken property to get the mandatory access control parameters.
Use the IAccessToken.ClassificationLabel property to map the object to a specific access level within a specific category.
Apply the changes using the ISecurityDescriptor.Apply or ISecurityDescriptor.ApplyO method. Note that Apply takes a flag controlling whether the settings are propagated to the object's hierarchy; the example below passes False so that levels already set on nested objects are preserved.
Assume that the repository contains a folder with a cube and all objects it depends on, and that a regular report has been created based on the cube. To map repository objects to levels, execute the following code:
Sub SetObjectsMandatoryLevel;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    MandatoryAccess: IMetabaseMandatoryAccess;
    Category: ISecurityCategory;
    CubeDesc: IMetabaseObjectDescriptor;
    Folder, Cube, Report: ISecurityDescriptor;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Security manager
    MbSec := Mb.Security;
    // Mandatory access control category
    MandatoryAccess := MbSec.Policy.MandatoryAccess;
    Category := MandatoryAccess.Category(0);
    // Map objects to mandatory access control levels
    //---Regular report---
    Report := Mb.ItemById("REPORT").SecurityDescriptor;
    Report.Edit;
    Report.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(1);
    Report.Apply(False);
    //---Cube and all objects it depends on---
    CubeDesc := Mb.ItemById("STD_CUBE");
    Cube := CubeDesc.SecurityDescriptor;
    Cube.Edit;
    Cube.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(2);
    Cube.Apply(False);
    // Propagate the cube's level to every object it depends on (recursively)
    ApplyAccessToDependence(CubeDesc.Dependencies(False), Category, Cube.AccessToken.ClassificationLabel(Category));
    //---Folder---
    Folder := Mb.ItemById("FOLDER").SecurityDescriptor;
    Folder.Edit;
    Folder.AccessToken.ClassificationLabel(Category) := Category.FindLevelByLabel(3);
    // Apply(False): do not propagate the level to the entire folder hierarchy,
    // otherwise the levels already set on objects inside the folder would be overwritten
    Folder.Apply(False);
    // Check in license
    Lic := Null;
End Sub SetObjectsMandatoryLevel;
Sub ApplyAccessToDependence(MDescs: IMetabaseObjectDescriptors; Category: ISecurityCategory; Level: ISecurityLevel);
Var
    MDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
Begin
    For Each MDesc In MDescs Do
        SecDesc := MDesc.SecurityDescriptor;
        SecDesc.Edit;
        SecDesc.AccessToken.ClassificationLabel(Category) := Level;
        SecDesc.Apply(False);
        // Recursively process all objects that the current object depends on
        If MDesc.Dependencies(False).Count > 0 Then
            ApplyAccessToDependence(MDesc.Dependencies(False), Category, Level);
        End If;
    End For;
End Sub ApplyAccessToDependence;
After executing the example, different mandatory access control levels are set for the specified repository objects. For the objects the cube depends on, the same level that was set for the cube is applied recursively.
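A practitioner who has run the three procedures above will want to read the labels back and confirm that users and objects line up as intended before relying on the policy. The following Fore code is an added example written for this page; it is not part of the original page or of the platform's documentation. It assumes, beyond what the page states, that ISecurityLevel exposes its integer criticality label as ISecurityLevel.Label, that a label never assigned in a category is returned as Null and should count as the 0 "No Access" level, and that in a hierarchical category a user clears an object when the user's label is greater than or equal to the object's label. The platform's own enforcement remains authoritative; this routine only reads the stored labels and reports what they imply.

```fore
// Added example (not from the original page): read back mandatory access labels
// for a user and an object in one category and report the hierarchical decision.
// Assumption: ISecurityLevel.Label returns the integer criticality label.
// Assumption: a label that was never set comes back as Null and means level 0.
Function LevelLabel(Level: ISecurityLevel): Integer;
Begin
    If Level = Null Then
        Return 0;
    Else
        Return Level.Label;
    End If;
End Function LevelLabel;

// Assumption: in a hierarchical category the user's label must be >= the object's label
Function UserClearsObject(UserName: String; ObjectId: String; Category: ISecurityCategory): Boolean;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    User: IMetabaseUser;
    UserLevel, ObjectLevel: ISecurityLevel;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    MbSec := Mb.Security;
    User := MbSec.ResolveName(UserName) As IMetabaseUser;
    // Level assigned to the user in this category (set via IMetabaseUser.Token)
    UserLevel := User.Token.ClassificationLabel(Category);
    // Level assigned to the repository object in the same category
    ObjectLevel := Mb.ItemById(ObjectId).SecurityDescriptor.AccessToken.ClassificationLabel(Category);
    // Check in license
    Lic := Null;
    Return LevelLabel(UserLevel) >= LevelLabel(ObjectLevel);
End Function UserClearsObject;

Sub ReportDecision(UserName: String; ObjectId: String; Category: ISecurityCategory);
Begin
    If UserClearsObject(UserName, ObjectId, Category) Then
        Debug.WriteLine(UserName + " -> " + ObjectId + ": granted by label");
    Else
        Debug.WriteLine(UserName + " -> " + ObjectId + ": denied by label");
    End If;
End Sub ReportDecision;

// Walk the user/object pairs set up by the examples above and print the outcome.
// With labels Executor=1, Manager=2, Owner=3, REPORT=1, STD_CUBE=2, FOLDER=3 this
// should show Executor granted on REPORT only, Manager granted on REPORT and STD_CUBE,
// and Owner granted on all three; any other result means a label was not applied.
Sub AuditMandatoryAccess;
Var
    Mb: IMetabase;
    Category: ISecurityCategory;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Same category as used in the examples above (the first one in the policy)
    Category := Mb.Security.Policy.MandatoryAccess.Category(0);
    Lic := Null;
    ReportDecision("Executor", "REPORT", Category);
    ReportDecision("Executor", "STD_CUBE", Category);
    ReportDecision("Executor", "FOLDER", Category);
    ReportDecision("Manager", "REPORT", Category);
    ReportDecision("Manager", "STD_CUBE", Category);
    ReportDecision("Manager", "FOLDER", Category);
    ReportDecision("Owner", "REPORT", Category);
    ReportDecision("Owner", "STD_CUBE", Category);
    ReportDecision("Owner", "FOLDER", Category);
End Sub AuditMandatoryAccess;
```

Treating a missing label as level 0 is the conservative choice: an object that was never classified is readable by anyone under this check, so a "granted" line for an object you expected to be restricted points directly at a label that was not applied (for instance, a dependency that ApplyAccessToDependence did not reach). Run the audit after each of the three stages, not only at the end, so that a failed Apply is caught before users are mapped to it.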
See also: