Changing Access Permissions to Object

Below is the example of using the SetMbSec operation to change object access permissions. The request contains the list of security subjects and their access permissions to the object. Update flag is set for security description. The response contains the updated description of security of the object.

The example uses the FindObjectById function, which code is given in the Getting Object Description by Its Identifier example, and the GetObjectSecurityDescriptor function, which code is given in the Getting Description of Object Security example.

SOAP request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetMbSec xmlns="http://www.prognoz.ru/PP.SOM.Som">
<tMbSec xmlns=" ">
  <id>S1!M</id>
  </tMbSec>
<tArg xmlns=" ">
<pattern>
  <objects>true</objects>
  </pattern>
<meta>
<objects>
<ods>
<its>
<d isShortcut="false" isLink="false" hf="false">
  <i>OBJ2</i>
  <n>obj2</n>
  <k>535</k>
  <c>1537</c>
  <p>533</p>
  <h>false</h>
  <sdKey>544</sdKey>
  <hasPrv>false</hasPrv>
  <ic>false</ic>
  </d>
  </its>
  </ods>
<sds>
<its>
<it>
  <k>544</k>
  <isInherited>false</isInherited>
  <isSealed>false</isSealed>
<discrete>
<aces>
<it>
<subject>
  <k>2147483649</k>
  <id>ADMINISTRATORS</id>
  <n>ADMINISTRATORS</n>
  <vis>true</vis>
  <type>Group</type>
<sid>
  <sid>PS-2-1</sid>
  <type>Group</type>
  </sid>
  </subject>
  <allow>1</allow>
  </it>
<it>
<subject>
  <k>2147483649</k>
  <id>ADMIN</id>
  <vis>true</vis>
  <type>User</type>
<sid>
  <sid>PS-1-1</sid>
  <type>User</type>
  </sid>
  </subject>
  <allow>1</allow>
  </it>
<it>
<subject>
  <k>545</k>
  <id>NEWADMIN</id>
  <n>NewAdmin</n>
  <vis>true</vis>
  <type>User</type>
<sid>
  <sid>PS-1-545</sid>
  <type>User</type>
  </sid>
  </subject>
  <allow>98312</allow>
  <deny>16</deny>
  <audit>98312</audit>
  </it>
  </aces>
  </discrete>
<mandatory>
<accessToken>
  <its />
  </accessToken>
  </mandatory>
  <applyFlags>0</applyFlags>
  </it>
  </its>
  </sds>
  </objects>
  </meta>
<metaGet>
<pattern>
  <objects>true</objects>
<objectsFilter>
<keys>
  <i>535</i>
  </keys>
  </objectsFilter>
  </pattern>
  </metaGet>
  </tArg>
  </SetMbSec>
  </s:Body>
  </s:Envelope>

SOAP response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<SetMbSecResult xmlns="http://www.prognoz.ru/PP.SOM.Som" xmlns:q1="http://www.prognoz.ru/PP.SOM.Som" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<id xmlns=" ">
  <id>S1!M</id>
  </id>
<metaGet xmlns=" ">
<id>
  <id>S1!M</id>
  </id>
<meta>
<objects>
<ods>
<its>
<d isShortcut="0" isLink="0" hf="0">
  <i>OBJ2</i>
  <n>obj2</n>
  <k>535</k>
  <c>1537</c>
  <p>533</p>
  <h>0</h>
  <sdKey>546</sdKey>
  <hasPrv>0</hasPrv>
  <ic>0</ic>
  </d>
  </its>
  </ods>
<sds>
<its>
<it>
  <k>546</k>
  <isInherited>0</isInherited>
  <isSealed>0</isSealed>
<discrete>
<aces>
<it>
<subject>
  <k>2147483649</k>
  <id>ADMINISTRATORS</id>
  <n>ADMINISTRATORS</n>
  <vis>1</vis>
  <type>Group</type>
<sid>
  <sid>PS-2-1</sid>
  <type>Group</type>
  </sid>
  </subject>
  <allow>1</allow>
  </it>
<it>
<subject>
  <k>2147483649</k>
  <id>ADMIN</id>
  <vis>1</vis>
  <type>User</type>
<sid>
  <sid>PS-1-1</sid>
  <type>User</type>
  </sid>
  </subject>
  <allow>1</allow>
  </it>
<it>
<subject>
  <k>545</k>
  <id>NEWADMIN</id>
  <n>NewAdmin</n>
  <vis>1</vis>
  <type>User</type>
<sid>
  <sid>PS-1-545</sid>
  <type>User</type>
  </sid>
  </subject>
  <allow>98312</allow>
  <deny>16</deny>
  <audit>98312</audit>
  </it>
  </aces>
  </discrete>
<mandatory>
<accessToken>
  <its />
  </accessToken>
  </mandatory>
  </it>
  </its>
  </sds>
  </objects>
  <bisearchEnable>Disable</bisearchEnable>
  </meta>
  </metaGet>
  </SetMbSecResult>
  </soapenv:Body>
  </soapenv:Envelope>

JSON request:

{
"SetMbSec" :
{
"tMbSec" :
{
"id" : "S1!M"
},
"tArg" :
{
"pattern" :
{
"objects" : "true"
},
"meta" :
{
"objects" :
{
"ods" :
{
"its" :
{
"d" :
{
"@isShortcut" : "false",
"@isLink" : "false",
"@hf" : "false",
"i" : "OBJ2",
"n" : "obj2",
"k" : "535",
"c" : "1537",
"p" : "533",
"h" : "false",
"sdKey" : "544",
"hasPrv" : "false",
"ic" : "false"
}
}
},
"sds" :
{
"its" :
{
"it" :
[
{
"k" : "544",
"isInherited" : "false",
"isSealed" : "false",
"discrete" :
{
"aces" :
{
"it" :
[
{
"subject" :
{
"k" : "2147483649",
"id" : "ADMINISTRATORS",
"n" : "ADMINISTRATORS",
"vis" : "true",
"type" : "Group",
"sid" :
{
"sid" : "PS-2-1",
"type" : "Group"
}
},
"allow" : "1"
},
{
"subject" :
{
"k" : "2147483649",
"id" : "ADMIN",
"vis" : "true",
"type" : "User",
"sid" :
{
"sid" : "PS-1-1",
"type" : "User"
}
},
"allow" : "1"
},
{
"subject" :
{
"k" : "545",
"id" : "NEWADMIN",
"n" : "NewAdmin",
"vis" : "true",
"type" : "User",
"sid" :
{
"sid" : "PS-1-545",
"type" : "User"
}
},
"allow" : "98312",
"deny" : "16",
"audit" : "98312"
}
]
}
},
"mandatory" :
{
"accessToken" :
{
"its" : ""
}
},
"applyFlags" : "0"
}
]
}
}
}
},
"metaGet" :
{
"pattern" :
{
"objects" : "true",
"objectsFilter" :
{
"keys" :
{
"i" : "535"
}
}
}
}
}
}
}

JSON response:

{
"SetMbSecResult" :
{
"id" :
{
"id" : "S1!M"
},
"metaGet" :
{
"id" :
{
"id" : "S1!M"
},
"meta" :
{
"objects" :
{
"ods" :
{
"its" :
{
"d" :
{
"@isShortcut" : "0",
"@isLink" : "0",
"@hf" : "0",
"i" : "OBJ2",
"n" : "obj2",
"k" : "535",
"c" : "1537",
"p" : "533",
"h" : "0",
"sdKey" : "546",
"hasPrv" : "0",
"ic" : "0"
}
}
},
"sds" :
{
"its" :
{
"it" :
[
{
"k" : "546",
"isInherited" : "0",
"isSealed" : "0",
"discrete" :
{
"aces" :
{
"it" :
[
{
"subject" :
{
"k" : "2147483649",
"id" : "ADMINISTRATORS",
"n" : "ADMINISTRATORS",
"vis" : "1",
"type" : "Group",
"sid" :
{
"sid" : "PS-2-1",
"type" : "Group"
}
},
"allow" : "1"
},
{
"subject" :
{
"k" : "2147483649",
"id" : "ADMIN",
"vis" : "1",
"type" : "User",
"sid" :
{
"sid" : "PS-1-1",
"type" : "User"
}
},
"allow" : "1"
},
{
"subject" :
{
"k" : "545",
"id" : "NEWADMIN",
"n" : "NewAdmin",
"vis" : "1",
"type" : "User",
"sid" :
{
"sid" : "PS-1-545",
"type" : "User"
}
},
"allow" : "98312",
"deny" : "16",
"audit" : "98312"
}
]
}
},
"mandatory" :
{
"accessToken" :
{
"its" : ""
}
}
}
]
}
}
},
"bisearchEnable" : "Disable"
}
}
}
}
public static SetMbSecResult ChangeSecurityDescriptor(MbId metabase, MbSubject subject, string objectId)
{
var somClient = new SomPortTypeClient(); //Proxy object for operation execution
//Source description of object security
var objSecDesc = GetObjectSecurityDescriptor(metabase.id, new int[1] {(int)FindObjectById(metabase, objectId).k });
var objects = objSecDesc.meta.objects;
//Object description
var od = objects.ods.its[0];
//Security description
var sd = objects.sds.its[0];
//Source permissions
var aces = new List();
aces.AddRange(sd.discrete.aces);
//New security element that will be added to description
var tAce = new SdAce()
{
//Permissions to change permissions, import, and export.
//Corresponds with MetabaseObjectPredefinedRights.Access + MetabaseObjectPredefinedRights.ExportData + MetabaseObjectPredefinedRights.ImportData
allow = 98312,
//Allowed actions auditing
audit = 98312,
//Delete denial. Corresponds with MetabaseObjectPredefinedRights.Delete
deny = 16,
subject = subject // Security subject, to which element corresponds
};
aces.Add(tAce);
//Update security elements list in description
sd.discrete.aces = aces.ToArray();
//Access permissions update flag
sd.applyFlags = 0;
sd.isInherited = false;
//Operation execution parameters
var setMbSec = new SetMbSec()
{
tArg = new SetMbSecArg()
{
//Operation execution pattern
pattern = new MbSecMdPattern()
{
objects = true,
},
//Metadata that contain description of changed object security description
meta = new MbSecMd()
{
objects = new MbObjects()
{
ods = new Ods()
{
its = new Od[1] { od }
},
sds = new Sds()
{
its = new Sd[1] { sd }
}
}
},
//Parameters for updating users list after operation execution
metaGet = new GetMbSecArg()
{
pattern = new MbSecMdPattern()
{
objects = true,
objectsFilter = new MbSecOdFilter()
{
keys = new int[1] { (int)od.k }
}
}
}
},
//Repository moniker
tMbSec = new MbId() { id = metabase.id}
};
//Change object access permissions
var result = somClient.SetMbSec(setMbSec);
return result;
}

See also:

SetMbSec: Operation