Get user permission in ACL

trinity
edited December 2, 2014 in Documentum #1

Hi All,

My requirement is to check if the user has relate and above permission in an ACL. My ACL has groups, and the user lies in one or more groups.

ACL Name: Sample_acl

testreadersgroup - read

testrelategroup - relate    

dm_owner - write

dm_world - read

In the above case, the user lies in both groups.

So my expected result will be relate (since that is the highest permission of the user in this ACL).

I have tried using getPermit on the IDfACL, but it's not giving me the right results.

How can I achieve this? Please help!

Regards !

T

Comments

  • Michael McCollough
    edited July 10, 2014 #2

    DFC:

    You would have to do calculations yourself from the ACL, I believe, but you can choose an object that has the ACL applied and do

    sysObject.getPermitEx("usernamehere") and it will return the integer permit level of the user (see below for int to permit)

    DQL:

    Not quite the same but doable in a roundabout way, use the DQL CHECK_SECURITY function (see the DQL Reference manual for more):

    Syntax:

    execute check_security with username='username', level=x, object_list='listofobjectids'

    with groupname='groupnamehere' for groups

    Sample:

    execute check_security with username='dmadmin', level=4,object_list='xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx'

    Replace the xxxxxxxxxxxxxxxx with a valid object id that has the Acl you want to check.

    Level is one of:

    1 = none
    2 = browse
    3 = read
    4 = relate
    5 = version
    6 = write
    7 = delete

    If you execute the check for level=4, it will let you know if they have AT LEAST relate permits; they may have more access, but not less access. In other words, it will return true if the user has delete access and you are checking for relate.

  • Michael McCollough
    edited July 10, 2014 #3

    In looking at JavaDoc, acl.getPermit("userorgrouphere") should return what you want so I appear to be wrong (sorry, do not have reason to do from acl itself much). The return value can be equated to the value in the chart conversion I gave below. Sorry for bad information but am curious if you do find it not working correctly from the acl or not.

  • DctmDvlpr
    edited December 2, 2014 #4

    The below query will return the result if the specified user has Relate and Above access on the specified ACL. This works irrespective of whether the user is directly assigned to the ACL or through multiple group access.


    select * from dm_user where
    (
         user_name in
         (
              select distinct(i_all_users_names) from dm_group where group_name in
              (
                   select r_accessor_name from dm_acl where object_name = '<ACL_NAME>' and r_accessor_permit >= 4
              )
         )
         OR
         user_name in
         (
              select r_accessor_name from dm_acl where object_name = '<ACL_NAME>' and r_accessor_permit >= 4
         )
    )
    and user_name = '<USER_NAME>'
    enable(row_based);
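
The resolution discussed in this thread, as an added example that is not part of any post or of Documentum's own code: a simplified Python model that takes the highest base permit across every ACL entry matching the user, whether directly, through nested groups, or through the dm_world and dm_owner aliases. The group membership, user names and function names are constructed for illustration, and the model ignores extended permits, access restrictions and superuser privileges.

```python
# Added example: simplified model of effective base-permit resolution.
# Permit levels are the ones listed in the thread; all other data is constructed.
PERMIT_NAMES = {1: "none", 2: "browse", 3: "read", 4: "relate",
                5: "version", 6: "write", 7: "delete"}
PERMIT_LEVELS = {name: level for level, name in PERMIT_NAMES.items()}

# Sample_acl from the question: accessor name -> base permit.
SAMPLE_ACL = {
    "testreadersgroup": "read",
    "testrelategroup": "relate",
    "dm_owner": "write",   # alias for the owner of the object
    "dm_world": "read",    # alias for every user in the repository
}

# Constructed membership; a member may be a user or another group.
GROUPS = {
    "testreadersgroup": {"trinity", "alice"},
    "testrelategroup": {"editors"},
    "editors": {"trinity"},
}


def groups_of(user, groups):
    """Every group containing `user`, directly or through nested groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, members in groups.items()
                    if members & frontier and g not in found}
        found |= frontier
    return found


def effective_permit(user, acl, groups, owner=None):
    """Highest permit level granted by any ACL entry that matches `user`."""
    accessors = {user, "dm_world"} | groups_of(user, groups)
    if owner == user:
        accessors.add("dm_owner")
    levels = [PERMIT_LEVELS[p] for name, p in acl.items() if name in accessors]
    return max(levels, default=PERMIT_LEVELS["none"])


def has_at_least(user, required, acl, groups, owner=None):
    """True when the user's effective permit is `required` or higher."""
    return effective_permit(user, acl, groups, owner) >= PERMIT_LEVELS[required]


if __name__ == "__main__":
    level = effective_permit("trinity", SAMPLE_ACL, GROUPS)
    print("trinity:", level, PERMIT_NAMES[level])
```

A lookup keyed on the user's own name alone would find no entry in Sample_acl, which is why the group and alias entries have to be folded in before comparing against level 4.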