SetAuthorizationsOnObj

Short Description

Sets permissions for identities on a resource.

Category

General authorization administration methods

Syntax

SetAuthorizationsOnObj(tCtxt,resource,flags,authorizations);

Parameters

Method Parameters

| Parameter | Type | Direction | Description |
|---|---|---|---|
| tCtxt | string | in | Optional handle representing a server-side transaction context. |
| resource | string | in | Passed resource identifier for the object for which authorizations are defined. If TCTXT is used, do not specify a value for RESOURCE. |
| flags | int | in | SECAD_ACT_CONTENTS: When TCTXT or RESOURCE references an ACT, this flag specifies to apply the authorizations to the ACT's content, rather than to the authorizations that protect the ACT. |
| authorizations | string array | in | Passed two-dimensional string array with five columns. Each row in the array represents a permission being set for an identity. See the “Details” section for more information. |

Columns of the authorizations array:
  • Column 0: Specify Person, IdentityGroup, or Role, indicating the identity's type.
  • Column 1: Specify the identity's Name attribute value.
  • Column 2: Specify a permission directive: D for Deny, G for Grant, or R for Remove.
  • Column 3: Specify a Permission name. For example, Read, Write, and so on. Caution: If you specify R in column 2 and leave column 3 empty, then all permissions will be removed for the identity that is identified in columns 0 and 1.
  • Column 4: Specify a permission condition for the identity and permission, or leave empty.

Details

The SetAuthorizationsOnObj method adds or removes permissions for an identity on a resource. The TCTXT or RESOURCE parameter and the AUTHORIZATIONS parameter are required. Other parameters can have a null value.
TCTXT or RESOURCE can specify an application metadata object or an ACT. When RESOURCE is an ACT, be aware that the SECAD_ACT_CONTENTS flag changes the behavior of the method. When this flag is set, the permission changes that you specified in AUTHORIZATIONS are applied to the contents that define the ACT. As a result, the changes affect all objects with which the ACT is associated. When this flag is not set, the permission changes are applied to the authorizations that protect the ACT object.
Use the AUTHORIZATIONS string to specify which identities are affected and the permissions that should be added or removed. The method uses this input to define or modify ACT and ACE objects on the SAS Metadata Server. Any permission conditions that you specify define or modify PermissionCondition objects.
The SetAuthorizationsOnObj method fails if the requesting user does not have ReadMetadata and WriteMetadata permissions on the target resource.

Exceptions Thrown

The SAS Open Metadata Interface explicitly returns the following exceptions for the SetAuthorizationsOnObj method:
  • SECAD_INVALID_TC_HANDLE
  • SECAD_INVALID_RESOURCE_SPEC
  • SECAD_INVALID_ACTION
  • SECAD_INVALID_IDENTITY_SPEC
  • SECAD_IDENTITY_DOES_NOT_EXIST
  • SECAD_INVALID_PERMISSION_SPEC
  • SECAD_NOT_AUTHORIZED

Examples

The following code fragment shows how the SetAuthorizationsOnObj method is issued in a Java environment:
// iSecurityAdmin is an ISecurityAdmin interface reference obtained elsewhere.
public void setAuthorizationsOnObj(String transCtxt, String resource, int options,
                                   String[][] auths) throws Exception {
    try {
        iSecurityAdmin.SetAuthorizationsOnObj(transCtxt,
                                              resource,
                                              options,
                                              auths);
    }
    catch (Exception e) {
        // Log the failure and pass it on to the caller.
        System.out.println("SetAuthorizationsOnObj: Exception");
        e.printStackTrace();
        throw e;
    }
}
The following example issues the SetAuthorizationsOnObj method to define authorizations in a predefined ACT identified as ACTspec.
public void defineACT() throws Exception {
    // Authorizations to place in the ACT.
    // Public and testUserName are assumed to be String variables, defined
    // elsewhere, that hold the Name attribute values of the identities.
    final String[][] ACTauths =
        {{"IdentityGroup", Public, "D", "ReadMetadata", ""},
         {"IdentityGroup", Public, "D", "WriteMetadata", ""},
         {"Person", testUserName, "G", "ReadMetadata", ""},
         {"Person", testUserName, "G", "WriteMemberMetadata", ""},
         {"Person", testUserName, "G", "CheckinMetadata", ""}};

    try {
        // Set the authorizations defined in ACTauths on the ACT identified by ACTspec.
        // Note that tCtxt is left empty, because resource has a value.
        // SECAD_ACT_CONTENTS applies the rows to the ACT's contents, so the change
        // affects all objects with which the ACT is associated.
        iSecurityAdmin.SetAuthorizationsOnObj("", ACTspec, ISecurityAdmin.SECAD_ACT_CONTENTS,
                                              ACTauths);
    }
    catch (Exception e) {
        throw e;
    }
}
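Because an R row with an empty permission name removes every permission for that identity, it helps to check the array before it is sent. The following is an added example, not part of the SAS documentation or API: a pre-flight check built only from the column rules above. The class name AuthRowCheck, the allowRemoveAll switch, and the sample identity names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AuthRowCheck { // hypothetical helper, not part of the SAS API
    static final List<String> TYPES = Arrays.asList("Person", "IdentityGroup", "Role");
    static final List<String> DIRECTIVES = Arrays.asList("D", "G", "R");

    /** Returns one finding per problem; an empty list means every row matches the documented layout. */
    static List<String> check(String[][] auths, boolean allowRemoveAll) {
        List<String> findings = new ArrayList<>();
        if (auths == null || auths.length == 0) {
            findings.add("authorizations is required (null or empty array passed)");
            return findings;
        }
        for (int i = 0; i < auths.length; i++) {
            String[] r = auths[i];
            if (r == null || r.length != 5) {
                findings.add("row " + i + ": expected 5 columns");
                continue;
            }
            if (!TYPES.contains(r[0]))
                findings.add("row " + i + ": column 0 must be Person, IdentityGroup, or Role");
            if (r[1] == null || r[1].isEmpty())
                findings.add("row " + i + ": column 1 (identity Name) is empty");
            if (!DIRECTIVES.contains(r[2]))
                findings.add("row " + i + ": column 2 must be D, G, or R");
            boolean noPermission = r[3] == null || r[3].isEmpty();
            if (noPermission && "R".equals(r[2])) {
                // Documented behavior: this removes ALL permissions for the identity.
                if (!allowRemoveAll)
                    findings.add("row " + i + ": R with empty column 3 removes all permissions for "
                            + r[0] + " " + r[1]);
            } else if (noPermission) {
                // Assumption of this example: D and G rows need a permission name.
                findings.add("row " + i + ": column 3 (permission name) is empty");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample rows; the identity names are made up for this example.
        String[][] auths = {
            {"IdentityGroup", "PUBLIC", "D", "WriteMetadata", ""},
            {"Person", "testuser", "R", "", ""},              // would remove every permission
            {"Group", "ETL Admins", "G", "ReadMetadata", ""}, // not a documented identity type
        };
        check(auths, false).forEach(System.out::println);
    }
}
```

Run the check before each call and pass allowRemoveAll as true only when removing all of an identity's permissions is intended.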