We have built a web application using the Stored Process Server in which the Open Metadata Interface is used to display folders (and subtrees) defined in the metadata server.
Some users or user groups are restricted to see certain folders, so permissions are set by access control templates.
The thing I want to do is to display only those folders from the metadata that the user is permitted to see, using the Open Metadata Interface. I know it has something to do with the AccessControlTemplate and AccessControlEntry metadata types, but it is kinda hard to ask the proper questions to the metadata server.
I know a Tree metadata type is associated with 0 or more AccessControlEntry elements.
I also know a Person metadata type is associated with 0 or more AccessControlEntry elements.
But how to get the right permission on a Tree, that is somewhat difficult.
Can anyone give me some directions to perform this "trick"?
Any help is greatly appreciated.
Because the application runs in the Stored Process Server (we are using SAS 9.1.3), it is executed with a general user (in our specific case we call it a systemaccount). When using the Stored Process Server it is possible to store session data (in the SAVE library) and session variables (prefix 'save_').
I guess I need to do the following steps.
1. Get the AccessControlEntry metadata types for the user (defined in _METAUSER or _METAPERSON) for which the user has read permissions.
2. Get the AccessControlEntry metadata types associated with each folder (Tree).
3. Combine steps 1 and 2.
Maybe these steps are all too simple, since there is quite some metadata to retrieve. Again: I can't figure out what the appropriate questions are to ask the metadata server.
We are using SAS 9.1.3. The thread you referred to shows an example of determining the IdentityGroups a user is associated with.
What I need to know is which associations are needed to determine whether a user is allowed to see a Tree or not.
Suppose I have a tree (or folder), do I need to look at the AccessControlEntry metadata types? What I know is that an AccessControlEntry has 0 or more Permission elements, each with attributes Name and Type, e.g. Name = 'ReadMetadata' and Type = 'GRANT'.
And let's assume there are two AccessControlEntry elements associated with this tree. The first one has a permission Name = 'ReadMetadata' and Type = 'GRANT', but the second one has a permission Name = 'ReadMetadata' and Type = 'DENY'. Does this mean that the user can or cannot see the tree?