Auditing and Operation History

Auditing of user operations in the repository is a native part of the platform security tools. Information about executed operations is saved in the access protocol. All operations are audited by default, except for reading object descriptors. Descriptors are read during repository navigation, so enabling auditing for this operation may make the access protocol excessively large.

Auditing can also be set up for object classes or for specific repository objects. Operation history is set up for object classes. The IMetabaseAuditPolicy interface, which is returned by the IMetabasePolicy.AuditPolicy property, is used to set up auditing and operation history for object classes. Auditing for specific repository objects is set up in the object access parameters returned by the IMetabaseObjectDescriptor.SecurityDescriptor property. The results of operation auditing are available in the access protocol. The change history for specified objects can be obtained using the IMetabaseObjectDescriptor.GetHistory method.

Setting up auditing and operation history for an object class:

Sub ChangeAuditAndHistoryForClass;
Var
    Mb: IMetabase;
    MbSec: IMetabaseSecurity;
    AuditPolicy: IMetabaseAuditPolicy;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    MbSec := Mb.Security;
    // Change auditing and operation history for objects of the Regular Report class
    AuditPolicy := MbSec.Policy.AuditPolicy;
    AuditPolicy.FilterClass(MetabaseObjectClass.KE_CLASS_PROCEDURALREPORT) := MetabaseObjectPredefinedRights.Write Or
        MetabaseObjectPredefinedRights.Access Or MetabaseObjectPredefinedRights.Delete;
    AuditPolicy.TrackClassHistory(MetabaseObjectClass.KE_CLASS_PROCEDURALREPORT) := MetabaseObjectPredefinedRights.Write Or
        MetabaseObjectPredefinedRights.Access;
    // Save changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub ChangeAuditAndHistoryForClass;

Setting up auditing for a specific repository object:

Sub ChangeAuditForObject;
Var
    Mb: IMetabase;
    ObjDesc: IMetabaseObjectDescriptor;
    SecDesc: ISecurityDescriptor;
    AccessCL: IAccessControlList;
    Subject: ISecuritySubject;
    Lic: Object;
Begin
    Mb := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := Mb.RequestLicense(UiLicenseFeatureType.Adm);
    // Get the user, for whom access auditing will be set up
    Subject := Mb.Security.ResolveName("OWNER");
    // Get the object, for which access auditing is set up
    ObjDesc := Mb.ItemById("STD_CUBE");
    SecDesc := ObjDesc.SecurityDescriptor;
    SecDesc.Edit;
    // Additional security parameters
    AccessCL := SecDesc.Acl;
    // Set operation auditing
    AccessCL.AddAce(
        AceType.Audit,
        Subject.Sid,
        MetabaseObjectPredefinedRights.Write Or
        MetabaseObjectPredefinedRights.Access Or MetabaseObjectPredefinedRights.Delete);
    // Save changes
    SecDesc.Apply(True);
    // Check in license
    Lic := Null;
End Sub ChangeAuditForObject;

Viewing object change history:

Sub GetObjectHistory;
Var
    MB: IMetabase;
    Desc: IMetabaseObjectDescriptor;
    History: IMetabaseObjectHistory;
    Item: IMetabaseObjectHistoryItem;
Begin
    MB := MetabaseClass.Active;
    Desc := MB.ItemById("STD_CUBE");
    History := Desc.GetHistory;
    // View object history
    For Each Item In History Do
        Debug.WriteLine(Item.Id + " | " +
            Item.Name + " | " +
            DateTime.FromDouble(Item.Stamp).ToString + " | " +
            Item.Comment + " | " +
            Item.Description + " | " +
            Item.UserName);
    End For;
End Sub GetObjectHistory;

See also:

Working with Security Manager