Security Subjects

Work in the repository is always performed under a particular user. A user can be created in the security manager, or an existing DBMS user or domain user can be connected. Several users can be combined into a group. Grouping simplifies administration because privileges are granted once to the group instead of to each user included in it. Users inherit group privileges but can also have individual privileges that are absent in the group.

When a new repository is created, the following objects are created by default: the ADMIN user, the ADMINISTRATORS and USERS groups. The ADMIN user is included in the ADMINISTRATORS group and has all privileges.

To create new users and groups of users, use the various Add* methods of the IMetabaseSecurity interface. When a security subject is created in the security manager, it is also created at the DBMS level. If the required user already exists in the DBMS, set the IMetabaseUser.External property to True to create a user connected from the server. It may also be appropriate to cancel granting of permissions at the DBMS level by setting the IMetabaseUser.ManageDBGrants property to False. When domain security subjects are added, similar settings are determined in the IMetabaseSecurity.CurrentDomainSubjectAddState property.

To work with collections of security subjects added in the security manager, use the IMetabaseSecurity.Users and IMetabaseSecurity.Groups properties.

For a security subject to be able to perform operations in the repository, it must be granted privileges. To do this, use the IMetabasePolicy.Privilege property.

Example of creating a group of users:

Sub CreateGroup;
Var
    MB: IMetabase;
    MbSec: IMetabaseSecurity;
    Group: IMetabaseGroup;
    Lic: Object;
Begin
    MB := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MbSec := MB.Security;
    // Add a group of users
    Group := MbSec.AddGroup("WORKING_GROUP");
    Group.Description := "Group for working with reports";
    // Grant privileges to group
    MbSec.Policy.Privilege("LOGIN").Grant(Group);
    MbSec.Policy.Privilege("READ").Grant(Group);
    MbSec.Policy.Privilege("LOGIN TO OBJECT NAVIGATOR").Grant(Group);
    // Save changes
    MbSec.Apply;
    // Check in license
    Lic := Null;
End Sub CreateGroup;

Example of creating users:

Sub CreateUsers;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    AdmGroup, Group: IMetabaseGroup;
    User: IMetabaseUser;
    Data: ISecurityPackageUserData;
    Package: ISecurityPackage;
    PswCreds: IPasswordCredentials;
    Lic: Object;
Begin
    MB := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    // Get groups, in which users will be included
    AdmGroup := MS.ResolveName("ADMINISTRATORS") As IMetabaseGroup;
    Group := MS.ResolveName("WORKING_GROUP") As IMetabaseGroup;
    // Create users
    Package := New StandardSecurityPackage.Create;
    PswCreds := Package.CreateCredentials(AuthenticationMode.Password) As IPasswordCredentials;
    //---Owner---
    User := MS.AddUser("OWNER");
    User.FullName := "Repository owner";
    Data := User.PackageData;
    PswCreds.Password := "Owner";
    Data.Credentials := PswCreds;
    AdmGroup.AddMember(User); // Add a user to group of administrators
    //---Manager---
    User := MS.AddUser("MANAGER");
    User.FullName := "Manager";
    Data := User.PackageData;
    PswCreds.Password := "Manager";
    Data.Credentials := PswCreds;
    AdmGroup.AddMember(User); // Add a user to group of administrators
    //---Executor---
    User := MS.AddUser("EXECUTOR");
    User.FullName := "Executor";
    Data := User.PackageData;
    PswCreds.Password := "Executor";
    Data.Credentials := PswCreds;
    Group.AddMember(User); // Add a user to the WORKING_GROUP group
    // Save changes
    MS.Apply;
    // Check in license
    Lic := Null;
End Sub CreateUsers;
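
The case of a user that already exists in the DBMS, described above for the IMetabaseUser.External and IMetabaseUser.ManageDBGrants properties, shown as an added example that is not part of the original documentation. It assumes a hypothetical DBMS account named REPORT_READER, that both properties are set after AddUser and before Apply, and that no password is set in the security manager because the account already has DBMS credentials:

```fore
Sub AddExistingDbmsUser;
Var
    MB: IMetabase;
    MS: IMetabaseSecurity;
    Group: IMetabaseGroup;
    User: IMetabaseUser;
    Lic: Object;
Begin
    MB := MetabaseClass.Active;
    // Get license to be able to work with the security manager
    Lic := MB.RequestLicense(UiLicenseFeatureType.Adm);
    MS := MB.Security;
    // Group created in the CreateGroup example
    Group := MS.ResolveName("WORKING_GROUP") As IMetabaseGroup;
    // REPORT_READER is a hypothetical account that already exists in the DBMS
    User := MS.AddUser("REPORT_READER");
    User.FullName := "Existing DBMS account";
    // Connect the existing DBMS user from the server instead of creating a new one
    User.External := True;
    // Cancel granting permissions at the DBMS level for this user
    User.ManageDBGrants := False;
    // The user gets only the privileges granted to WORKING_GROUP:
    // LOGIN, READ and LOGIN TO OBJECT NAVIGATOR
    Group.AddMember(User);
    // Save changes
    MS.Apply;
    // Check in license
    Lic := Null;
End Sub AddExistingDbmsUser;
```

With ManageDBGrants set to False, the permissions the account has in the DBMS stay as they are and must be reviewed there separately from the repository privileges.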

See also:

Working with Security Manager