Get user permission in ACL

Hi All,

My requirement is to check if the user has relate and above permission in an ACL. My ACL has groups and user lies in one or more groups.

ACL Name: Sample_acl

testreadersgroup - read

testrelategroup - relate

dm_owner - write

dm_world - read

In above case, user lies in both the groups.

So my expected result will be relate (since that is the highest permission of the user in this ACL).

Have tried using getPermit on the IdfAcl but its not giving me right results.

How can I achieve this. Pls help!

Regards !

Find more posts tagged with

Documentum

Comments

Michael McCollough

DFC:

You would have to do calculations yourself from the ACL I believe, but you can chose an object that has the ACL applied and do

sysObject.getPermitEx("usernamehere") and it will return the integer permit level of the user (see below for int to permit)

DQL:

Not quite the same but doable in a roundabout way, use the DQL CHECK_SECURITY function (see the DQL Reference manual for more):

Syntax:

execute check_security with username='username', level=x, object_list='listofobjectids'

with groupname='groupnamehere' for groups

Sample:

execute check_security with username='dmadmin', level=4,object_list='xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx'

Replace the xxxxxxxxxxxxxxxx with a valid object id that has the Acl you want to check.

Level is one of:

1 = none

2 = browse

3=read

4=relate

5=version

6=write

7=delete

If you execute the check for level=4, it will let you know if they have AT LEAST relate permits, they may have more access, but not less access. In other words, it will return true if the user has delete access and you are checking for relate.

Michael McCollough

In looking at JavaDoc, acl.getPermit("userorgrouphere") should return what you want so I appear to be wrong (sorry, do not have reason to do from acl itself much). The return value can be equated to the value in the chart conversion I gave below. Sorry for bad information but am curious if you do find it not working correctly from the acl or not.

DctmDvlpr

The below query will return the result if the specified user has Relate and Above access on the specified ACL. This works irrespective of whether the user is directly assigned to the ACL or through multiple group access.


select * from dm_user where 
( 
     user_name in 
     (
          select distinct(i_all_users_names) from dm_group where group_name in 
          (
               select r_accessor_name from dm_acl where object_name = '<ACL_NAME>' and r_accessor_permit >= 4
          ) 
     )
     OR
     user_name in
     (
          select r_accessor_name from dm_acl where object_name = '<ACL_NAME>' and r_accessor_permit >= 4
     )
)
and user_name = '<USER_NAME>'
enable(row_based);