project BLF > class BUserRole > method ValidateComponentSOD
Description
Check SOD (segregation of duties) rule 2.
Parameters
oiReturnStatus | output | integer | Return status of the method. |
Internal usage
BLF
program code (program1/buserrole.p)
/* Second-level buffers used by the SOD comparison below.  Every table that
 * has to be read for both sides of a role pair gets two buffers: the "1"
 * buffers follow the role of the entry being validated, the "2" buffers
 * follow the role it is compared against. */
define buffer Role1         for Role.
define buffer Role2         for Role.
define buffer RoleResource1 for RoleResource.
define buffer RoleResource2 for RoleResource.
define buffer Resources1    for Resources.
define buffer Resources2    for Resources.
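/* ================================================================= */
/* Validate added user - role - company entries.                     */
/*                                                                   */
/* Pass 1: every added row (tc_Status = "N") is compared with the    */
/* other rows in bsUsrRoleCompany for the same user and company that */
/* carry a different role and are not flagged "D" (presumably        */
/* "deleted" - confirm).  Two added rows are paired only once: the   */
/* tc_Rowid comparison keeps the pair where the second row has the   */
/* higher rowid.                                                     */
/*                                                                   */
/* Roles with RoleSODException = yes are left out on both sides, so  */
/* they never take part in this check.  Rows with any other status   */
/* than "N" are not validated as the driving row by this loop.       */
/* NOTE(review): bsUsrRoleCompany is presumably a second buffer on   */
/* the same dataset table as t_sUsrRoleCompany - confirm.            */
/* ================================================================= */
for each t_sUsrRoleCompany where
         t_sUsrRoleCompany.tc_Status = "N",
    each bsUsrRoleCompany where
         bsUsrRoleCompany.Usr_ID = t_sUsrRoleCompany.Usr_ID and
         bsUsrRoleCompany.Company_ID = t_sUsrRoleCompany.Company_ID and
         bsUsrRoleCompany.Role_ID <> t_sUsrRoleCompany.Role_ID and
         bsUsrRoleCompany.tc_Status <> "D" and
         (bsUsrRoleCompany.tc_Rowid > t_sUsrRoleCompany.tc_Rowid or
          bsUsrRoleCompany.tc_Status <> "N"),
    each Role1 fields (Role_ID RoleName RoleSODException) no-lock where
         Role1.Role_ID = t_sUsrRoleCompany.Role_ID and
         Role1.RoleSODException = no,
    each Role2 fields (Role_ID RoleName RoleSODException) no-lock where
         Role2.Role_ID = bsUsrRoleCompany.Role_ID and
         Role2.RoleSODException = no on error undo, throw:

    /* Walk the resources of role 1 that belong to a SOD category
     * (SODcategory_ID <> 0), grouped per category. */
    for each RoleResource1 fields (Role_ID Resource_ID) no-lock where
             RoleResource1.Role_ID = Role1.Role_ID,
        each Resources1 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
             Resources1.Resource_ID = RoleResource1.Resource_ID and
             Resources1.SODcategory_ID <> 0
        break by Resources1.SODcategory_ID on error undo, throw:

        /* If no violations are found for a SOD category then skip validations for all next resources in this SOD category.
         * If violations are found keep validating because violations must be reported on resource level.
         */
        if first-of (Resources1.SODcategory_ID)
        then vlConflictFound = no.

        /* Match every categorised resource of role 2 whose category is listed
         * in SODExclusion against the category of the role 1 resource.
         * NOTE(review): SODExclusion is read only as (category 1, category 2),
         * while the exception lookup below tries both orders.  Confirm that
         * SODExclusion holds both orderings of a pair; otherwise a conflict
         * is only detected when the roles are met in the stored order. */
        if first-of (Resources1.SODcategory_ID)
        or vlConflictFound
        then for each RoleResource2 fields (Role_ID Resource_ID) no-lock where
                      RoleResource2.Role_ID = Role2.Role_ID,
                 each Resources2 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
                      Resources2.Resource_ID = RoleResource2.Resource_ID and
                      Resources2.SODcategory_ID <> 0,
                 each SODExclusion fields (SODCategory1_ID SODCategory2_ID) no-lock where
                      SODExclusion.SODCategory1_ID = Resources1.SODcategory_ID and
                      SODExclusion.SODCategory2_ID = Resources2.SODcategory_ID on error undo, throw:

            /* Look for a SOD exception of this user that covers the category
             * pair in either order.  An exception line with Company_ID = 0 or
             * Domain_ID = 0 matches any company or domain, so such lines
             * switch the check off for the pair everywhere. */
            vlPolicyException = no.
            for each SODException fields (SODException_ID Usr_ID) no-lock where
                     SODException.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                if can-find (first SODExceptionLn where
                                   SODExceptionLn.SODException_ID = SODException.SODException_ID and
                                   SODExceptionLn.SODCategory1_ID = Resources1.SODcategory_ID and
                                   SODExceptionLn.SODCategory2_ID = Resources2.SODcategory_ID and
                                   (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                                   (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                or can-find (first SODExceptionLn where
                                   SODExceptionLn.SODException_ID = SODException.SODException_ID and
                                   SODExceptionLn.SODCategory1_ID = Resources2.SODcategory_ID and
                                   SODExceptionLn.SODCategory2_ID = Resources1.SODcategory_ID and
                                   (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                                   (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                then do:
                    vlPolicyException = yes.
                    leave.
                end.
            end. /* each SODException */

            if vlPolicyException = no
            then do:
                /* conflict found. */
                /* Remember the conflict so that the remaining resources of this
                 * SOD category are validated and reported as well; without this
                 * the flag stays "no" and only the first resource of a category
                 * is ever reported. */
                vlConflictFound = yes.

                /* Collect the readable names for the message context. */
                vcSODUserName = "".
                for each Usr fields (Usr_ID UsrName) no-lock where
                         Usr.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                    vcSODUserName = Usr.UsrName.
                end.
                vcSODCategoryCode1 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources1.SODcategory_ID:
                    vcSODCategoryCode1 = SODCategory.SODCategoryCode.
                end.
                vcSODCategoryCode2 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources2.SODcategory_ID:
                    vcSODCategoryCode2 = SODCategory.SODCategoryCode.
                end.
                vcContext = #T-47'User Name':17(7033)T-47# + " = " + vcSODUserName + chr(10)
                          + #T-15'Entity Code':24(8770)T-15# + " = " + t_sUsrRoleCompany.tcCompanyCode + chr(10)
                          + #T-16'Role 1 Name':20(733738256)T-16# + " = " + Role1.RoleName + chr(10)
                          + #T-17'Resource URI':30(8885)T-17# + " = " + Resources1.ResourceURI + chr(10)
                          + #T-18'SOD category code':20(733736445)T-18# + " = " + vcSODCategoryCode1 + chr(10)
                          + #T-19'Role 2 Name':20(73458301)T-19# + " = " + Role2.RoleName + chr(10)
                          + #T-20'Resource URI':30(8885)T-20# + " = " + Resources2.ResourceURI + chr(10)
                          + #T-21'SOD category code':20(733736445)T-21# + " = " + vcSODCategoryCode2.

                /* The method fails as soon as one conflict is found.  The status
                 * returned by SetMessage goes to viFcReturnSuper and is not
                 * examined here. */
                oiReturnStatus = -1.
                <M-22 run SetMessage
                   (input #T-96'Access to resource ($1) for user ($2) in entity ($3) cannot be granted because this would create a SOD conflict.':255(646673889)T-96# (icMessage),
                    input Resources1.ResourceURI + chr(2) + vcSODUserName + chr(2) + t_sUsrRoleCompany.tcCompanyCode (icArguments),
                    input 'tUsrRoleCompany' (icFieldName),
                    input '' (icFieldValue),
                    input 'E' (icType),
                    input 3 (iiSeverity),
                    input t_sUsrRoleCompany.tc_Rowid (icRowid),
                    input 'BLF-434':U (icFcMsgNumber),
                    input '' (icFcExplanation),
                    input '' (icFcIdentification),
                    input vcContext (icFcContext),
                    output viFcReturnSuper (oiReturnStatus)) in BUserRole>
            end.
        end. /* each RoleResource2, Resources2, SODExclusion */
    end. /* each RoleResource1, Resources1 */
end. /* each t_sUsrRoleCompany, bsUsrRoleCompany, Role1, Role2 */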
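/* ================================================================= */
/* Pass 2: every added row (tc_Status = "N") is compared with the    */
/* UsrRoleCompany database records of the same user and company.     */
/* Database records whose rowid also occurs in t_sUsrRoleCompany are */
/* skipped here, whatever their status in the dataset.               */
/* Roles with RoleSODException = yes are left out on both sides.     */
/* ================================================================= */
for each t_sUsrRoleCompany where
         t_sUsrRoleCompany.tc_Status = "N",
    each UsrRoleCompany where
         UsrRoleCompany.Usr_ID = t_sUsrRoleCompany.Usr_ID and
         UsrRoleCompany.Company_ID = t_sUsrRoleCompany.Company_ID
         no-lock on error undo, throw:

    /* The database record is part of the dataset: do not compare it here. */
    if can-find (t_sUsrRoleCompany where t_sUsrRoleCompany.tc_Rowid = string(rowid(UsrRoleCompany)))
    then next.

    /* Role of the added row; not found means unknown or SOD-exempt role. */
    find Role1 where
         Role1.Role_ID = t_sUsrRoleCompany.Role_ID and
         Role1.RoleSODException = no no-lock no-error.
    if not available Role1
    then next.

    /* Role of the existing database record, same filter. */
    find Role2 where
         Role2.Role_ID = UsrRoleCompany.Role_ID and
         Role2.RoleSODException = no no-lock no-error.
    if not available Role2
    then next.

    /* Walk the resources of role 1 that belong to a SOD category
     * (SODcategory_ID <> 0), grouped per category. */
    for each RoleResource1 fields (Role_ID Resource_ID) no-lock where
             RoleResource1.Role_ID = Role1.Role_ID,
        each Resources1 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
             Resources1.Resource_ID = RoleResource1.Resource_ID and
             Resources1.SODcategory_ID <> 0
        break by Resources1.SODcategory_ID on error undo, throw:

        /* If no violations are found for a SOD category then skip validations for all next resources in this SOD category.
         * If violations are found keep validating because violations must be reported on resource level.
         */
        if first-of (Resources1.SODcategory_ID)
        then vlConflictFound = no.

        /* Match every categorised resource of role 2 whose category is listed
         * in SODExclusion against the category of the role 1 resource.
         * NOTE(review): SODExclusion is read only as (category 1, category 2),
         * while the exception lookup below tries both orders.  Confirm that
         * SODExclusion holds both orderings of a pair; otherwise a conflict
         * is only detected when the added role is on the stored first side. */
        if first-of (Resources1.SODcategory_ID)
        or vlConflictFound
        then for each RoleResource2 fields (Role_ID Resource_ID) no-lock where
                      RoleResource2.Role_ID = Role2.Role_ID,
                 each Resources2 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
                      Resources2.Resource_ID = RoleResource2.Resource_ID and
                      Resources2.SODcategory_ID <> 0,
                 each SODExclusion fields (SODCategory1_ID SODCategory2_ID) no-lock where
                      SODExclusion.SODCategory1_ID = Resources1.SODcategory_ID and
                      SODExclusion.SODCategory2_ID = Resources2.SODcategory_ID on error undo, throw:

            /* Look for a SOD exception of this user that covers the category
             * pair in either order.  An exception line with Company_ID = 0 or
             * Domain_ID = 0 matches any company or domain, so such lines
             * switch the check off for the pair everywhere. */
            vlPolicyException = no.
            for each SODException fields (SODException_ID Usr_ID) no-lock where
                     SODException.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                if can-find (first SODExceptionLn where
                                   SODExceptionLn.SODException_ID = SODException.SODException_ID and
                                   SODExceptionLn.SODCategory1_ID = Resources1.SODcategory_ID and
                                   SODExceptionLn.SODCategory2_ID = Resources2.SODcategory_ID and
                                   (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                                   (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                or can-find (first SODExceptionLn where
                                   SODExceptionLn.SODException_ID = SODException.SODException_ID and
                                   SODExceptionLn.SODCategory1_ID = Resources2.SODcategory_ID and
                                   SODExceptionLn.SODCategory2_ID = Resources1.SODcategory_ID and
                                   (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                                   (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                then do:
                    vlPolicyException = yes.
                    leave.
                end.
            end. /* each SODException */

            if vlPolicyException = no
            then do:
                /* conflict found. */
                /* Remember the conflict so that the remaining resources of this
                 * SOD category are validated and reported as well; without this
                 * the flag stays "no" and only the first resource of a category
                 * is ever reported. */
                vlConflictFound = yes.

                /* Collect the readable names for the message context. */
                vcSODUserName = "".
                for each Usr fields (Usr_ID UsrName) no-lock where
                         Usr.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                    vcSODUserName = Usr.UsrName.
                end.
                vcSODCategoryCode1 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources1.SODcategory_ID:
                    vcSODCategoryCode1 = SODCategory.SODCategoryCode.
                end.
                vcSODCategoryCode2 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources2.SODcategory_ID:
                    vcSODCategoryCode2 = SODCategory.SODCategoryCode.
                end.
                vcContext = #T-79'User Name':17(7033)T-79# + " = " + vcSODUserName + chr(10)
                          + #T-59'Entity Code':24(8770)T-59# + " = " + t_sUsrRoleCompany.tcCompanyCode + chr(10)
                          + #T-93'Role 1 Name':20(733738256)T-93# + " = " + Role1.RoleName + chr(10)
                          + #T-31'Resource URI':30(8885)T-31# + " = " + Resources1.ResourceURI + chr(10)
                          + #T-54'SOD Category Code':20(733736445)T-54# + " = " + vcSODCategoryCode1 + chr(10)
                          + #T-92'Role 2 Name':20(73458301)T-92# + " = " + Role2.RoleName + chr(10)
                          + #T-87'Resource URI':30(8885)T-87# + " = " + Resources2.ResourceURI + chr(10)
                          + #T-75'SOD Category Code':20(733736445)T-75# + " = " + vcSODCategoryCode2.

                /* The method fails as soon as one conflict is found.  The status
                 * returned by SetMessage goes to viFcReturnSuper and is not
                 * examined here.
                 * NOTE(review): the message number below is 'blf-434163', while
                 * the dataset-only loop earlier in this method passes 'BLF-434'
                 * with the same message text - confirm which one is intended. */
                oiReturnStatus = -1.
                <M-73 run SetMessage
                   (input #T-26'Access to resource ($1) for user ($2) in entity ($3) cannot be granted because this would create a SOD conflict.':255(646673889)T-26# (icMessage),
                    input Resources1.ResourceURI + chr(2) + vcSODUserName + chr(2) + t_sUsrRoleCompany.tcCompanyCode (icArguments),
                    input 'tUsrRoleCompany' (icFieldName),
                    input '' (icFieldValue),
                    input 'E' (icType),
                    input 3 (iiSeverity),
                    input t_sUsrRoleCompany.tc_Rowid (icRowid),
                    input 'blf-434163':U (icFcMsgNumber),
                    input '' (icFcExplanation),
                    input '' (icFcIdentification),
                    input vcContext (icFcContext),
                    output viFcReturnSuper (oiReturnStatus)) in BUserRole>
            end.
        end. /* each RoleResource2, Resources2, SODExclusion */
    end. /* each RoleResource1, Resources1 */
end. /* each t_sUsrRoleCompany, UsrRoleCompany */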