Djas88 Respected Contributor.

How to check permissions about a record

I would like to use the .NET SDK to query the permissions (ACL) for a user to determine if they have access to view the record and also what properties they can access.

I found that even though a user may access a record, there are some properties (i.e. Container) that they may not be able to access.

0 Likes
Micro Focus Expert

Re: How to check permissions about a record

Try these for a start...

// check the ACL for a record
Record rec = new Record(database, "REC_1");
Console.WriteLine(rec.AccessControlList.GetAccessAllowed((int)RecordAccess.UpdateDocument));

// does the user have access to the property at all
PropertyDef pdef = new PropertyDef(PropertyIds.RecordContainer, database);
Console.WriteLine(pdef.CanView);

// What commands can the user use
CommandDef def = new CommandDef(CommandIds.RecContainer, database);
Console.WriteLine(def.IsEnabled(rec));

Blog | Samples | HPE CM 9.3 SDK Docs
**Any opinions expressed in this forum are my own personal opinion and should not be interpreted as an official statement on behalf of MicroFocus**
0 Likes
Matt Bayliss Super Contributor.

Re: How to check permissions about a record

[EDIT: David is quick! Also, didn't think of the PropertyDef check, so David has the better answer]

Hi there!

In general you need to use the Record.AccessControlList and the GetAccessAllowedForUser method. Unfortunately, you can't check container access directly; you need to get the container record and see if the user can access that.

Here's a code sample to illustrate.

Record record;
Location location; // the location to check
            
// populate record and location

var hasAccess = false;
var acl = record.AccessControlList;

// RecordAccess.ViewRecord is the ability to see record metadata. Always needs to be cast as int
hasAccess = acl.GetAccessAllowedForUser((int)RecordAccess.ViewRecord, location);
// other access enums: GeneralAccess, LocationAccess, WorkflowAccess, FieldAccess, MeetingAccess

// checking container
var hasContainerAccess = false;

// new C# shortcut syntax for if a record has a container, get its AccessControlList, otherwise it's null
var containerAcl = record.Container?.AccessControlList;
if (containerAcl != null)
{
    hasContainerAccess = containerAcl.GetAccessAllowedForUser((int)RecordAccess.ViewRecord, location);
}

Matt.

0 Likes
Djas88 Respected Contributor.

Re: How to check permissions about a record

I tried both your examples and it is not working for me.

I have a record that I cannot edit. When I attempt to save the record (update) it gives me a TrimException, which is good.

What I want to do is check whether the user can edit the record, and deny the edit option for the user. However when I try the code you listed the boolean values are true.

Example:

Record record = new Record(db, id); //id = uri of record
var acl = record.AccessControlList;
bool hasUpdateMetadata = acl.GetAccessAllowedForUser((int)RecordAccess.UpdateMetadata, location);

hasUpdateMetadata is true; I would think this would be false.

What property can I check to determine whether a user can update a record?

Also, if a user doesn't have access to view/edit/update a container, does that user then have no access to any record contained in the container?

0 Likes
Matt Bayliss Super Contributor.

Re: How to check permissions about a record

Does the TrimException have any further details? You can also test the user's global TRIM permissions, as well as the security on the record, see if that helps?

bool canEdit = false;

Record record = new Record(db, id); //id = uri of record
if (location.SecurityProfile.CanAccess(record.SecurityProfile))
{
   if (location.HasPermission(UserPermissions.RecordModify))
   {
      var acl = record.AccessControlList;
      canEdit = acl.GetAccessAllowedForUser((int)RecordAccess.UpdateMetadata, location);
   }
}

RecordType settings mean that the security on the container can be less than the contents, or vice versa; there are no guarantees there. See "Behaviour for handling more secure contents" and "Behaviour for handling less secure contents" on the Container record type's "General" property screen.

 

0 Likes
Djas88 Respected Contributor.

Re: How to check permissions about a record

The Trim exception states:

"Access denied. You need to have the Modify Record Additional Field values permission to execute this task."

So this works since the user does not have edit capabilities in TRIM. We get this when doing record.Save() on an update.

The question I had was about the results I got back on the methods. I would think that this call would return false, but it returns true.


var acl = record.AccessControlList;
hasModifyAccess = acl.GetAccessAllowedForUser((int)RecordAccess.ModifyAccess, location);


I would like to check if the user can edit this particular record, and if not, then not give them the option to edit.
Maybe I am reading this the wrong way. I assumed this was telling me whether the current user can edit this record, basically checking the user permissions against the record. But that doesn't seem to be the case.

Another question I had is whether it was possible to create a rule in TRIM (HP RM 8.3) to allow users to only have edit (modify) on records they create/own? Ultimately that is what we want to do. We do not want any user to edit any record in TRIM, only records they create.

Right now we either give users modify or not, but that means they can edit any record at this point.

0 Likes
Matt Bayliss Super Contributor.

Re: How to check permissions about a record

Ahh, it sounds like you're trying to set an additional field value that the user doesn't have permission to set. Another feature added that Record Managers probably like, but adds another layer of difficulty in integrations 🙂

Try something like:

bool canEdit = false;

Record record = new Record(db, id); //id = uri of record
if (location.SecurityProfile.CanAccess(record.SecurityProfile))
{
    if (location.HasPermission(UserPermissions.RecordModify))
    {
        var acl = record.AccessControlList;
        if(acl.GetAccessAllowedForUser((int)RecordAccess.UpdateMetadata, location))
        {
            var propertyDef = new FieldDefinition(db, "Restricted Custom Field");
            canEdit = propertyDef.AccessControlList.GetAccessAllowedForUser((int)FieldAccess.ModifyValue, location);
        }
    }
}

Hopefully, maybe, that works?

Matt

 

 

0 Likes
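The layered checks discussed in this thread, combined into one helper that reports which layer denies the edit. This is an added example, not code from any poster or from the SDK documentation. `EditGate`, `EditCheck`, `Evaluate` and `TrySave` are hypothetical names, the `HP.HPTRIM.SDK` namespace is an assumption about the installed SDK version, and the SDK calls are used exactly as they appear in the posts above.

```csharp
using System;
using HP.HPTRIM.SDK; // assumed namespace; adjust to the SDK version in use

// Hypothetical enum (not part of the SDK): the layer that denied the edit.
public enum EditGate { Allowed, SecurityProfile, UserPermission, RecordAcl, FieldAcl }

public static class EditCheck
{
    // fieldName: the additional field the edit form will write (supplied by the caller).
    public static EditGate Evaluate(Database db, Record record, Location user, string fieldName)
    {
        // 1. The user's security profile against the record's security profile.
        if (!user.SecurityProfile.CanAccess(record.SecurityProfile))
            return EditGate.SecurityProfile;

        // 2. Global user permission, independent of any single record.
        if (!user.HasPermission(UserPermissions.RecordModify))
            return EditGate.UserPermission;

        // 3. Access control list on this record.
        if (!record.AccessControlList.GetAccessAllowedForUser((int)RecordAccess.UpdateMetadata, user))
            return EditGate.RecordAcl;

        // 4. Access control list on the additional field being written.
        var field = new FieldDefinition(db, fieldName);
        if (!field.AccessControlList.GetAccessAllowedForUser((int)FieldAccess.ModifyValue, user))
            return EditGate.FieldAcl;

        return EditGate.Allowed;
    }

    // The pre-check only decides whether to offer the edit option in the UI.
    // Save() is still where access is enforced, so TrimException must be handled.
    public static bool TrySave(Record record, out string denial)
    {
        try
        {
            record.Save();
            denial = null;
            return true;
        }
        catch (TrimException ex)
        {
            denial = ex.Message; // e.g. the "Access denied..." text quoted in the thread
            return false;
        }
    }
}
```

Logging the returned `EditGate` value alongside any `TrimException` message makes it visible when the pre-check and the server disagree, which is the situation described in the thread.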