project BLF > class BUserRole > method ValidateComponentSOD

Description

Checks SOD (segregation-of-duties) rule 2.


Parameters


oiReturnStatus | output | integer | Return status of the method.


Internal usage


BLF
method BUserRole.ValidateComponent


program code (program1/buserrole.p)

/* Secondary buffers: the validation below compares two roles of the same
 * user (and the resources of both roles), so each table needs a pair of
 * buffers that can be positioned independently. */
define buffer Role1         for Role.
define buffer Role2         for Role.
define buffer RoleResource1 for RoleResource.
define buffer RoleResource2 for RoleResource.
define buffer Resources1    for Resources.
define buffer Resources2    for Resources.

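/* ================================================================= */
/* Validate added user - role - company entries.                     */
/* ================================================================= */
/* SOD rule 2, part 1: every newly added (tc_Status "N") entry in the
 * temp-table is compared with the other non-deleted entries of the same
 * user and company that are also in the temp-table. A pair of two new
 * entries is compared only once, from the entry with the lower tc_Rowid.
 * Roles marked RoleSODException are left out of the comparison.
 * A conflict is reported (oiReturnStatus = -1, one message per resource
 * of the new role) when a resource of the new role and a resource of the
 * other role belong to SOD categories listed in SODExclusion and the user
 * has no SODExceptionLn for that category pair in this company/domain
 * (Company_ID / Domain_ID = 0 in the exception line acts as a wildcard).
 * NOTE(review): SODExclusion is looked up in one direction only
 * (SODCategory1_ID = category of the new role's resource) whereas the
 * SODExceptionLn lookup tries both orderings - confirm that exclusions
 * are stored symmetrically, otherwise a pair stored the other way round
 * is not detected here. */
for each t_sUsrRoleCompany where
         t_sUsrRoleCompany.tc_Status = "N",
    each bsUsrRoleCompany where
         bsUsrRoleCompany.Usr_ID = t_sUsrRoleCompany.Usr_ID and
         bsUsrRoleCompany.Company_ID = t_sUsrRoleCompany.Company_ID and
         bsUsrRoleCompany.Role_ID <> t_sUsrRoleCompany.Role_ID and
         bsUsrRoleCompany.tc_Status <> "D" and
        (bsUsrRoleCompany.tc_Rowid > t_sUsrRoleCompany.tc_Rowid or
         bsUsrRoleCompany.tc_Status <> "N"),
    each Role1 fields (Role_ID RoleName RoleSODException) no-lock where
         Role1.Role_ID = t_sUsrRoleCompany.Role_ID and
         Role1.RoleSODException = no,
    each Role2 fields (Role_ID RoleName RoleSODException) no-lock where
         Role2.Role_ID = bsUsrRoleCompany.Role_ID and
         Role2.RoleSODException = no on error undo, throw:
         
    /* Resources of the new role, grouped by SOD category (break by). */
    for each RoleResource1 fields (Role_ID Resource_ID) no-lock where
             RoleResource1.Role_ID = Role1.Role_ID,
        each Resources1 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
             Resources1.Resource_ID = RoleResource1.Resource_ID and
             Resources1.SODcategory_ID <> 0
             break by Resources1.SODcategory_ID on error undo, throw:
        
        /* If no violations are found for a SOD category then skip validations for all next resources in this SOD category.
         * If violations are found keep validating because violations must be reported on resource level.
         * (The outcome depends only on the category of Resources1, so the
         * first resource of a category decides for the whole category.)
         */
        if first-of (Resources1.SODcategory_ID)
        then vlConflictFound = no.
        
        if first-of (Resources1.SODcategory_ID)
        or vlConflictFound
        then for each RoleResource2 fields (Role_ID Resource_ID) no-lock where
                      RoleResource2.Role_ID = Role2.Role_ID,
                 each Resources2 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
                      Resources2.Resource_ID = RoleResource2.Resource_ID and
                      Resources2.SODcategory_ID <> 0,
                 each SODExclusion fields (SODCategory1_ID SODCategory2_ID) no-lock where
                      SODExclusion.SODCategory1_ID = Resources1.SODcategory_ID and
                      SODExclusion.SODCategory2_ID = Resources2.SODcategory_ID on error undo, throw:
        
            /* Does the user hold an exception for this category pair (either
             * ordering) that applies to this company and domain?
             * NOTE(review): only user, categories, company and domain are
             * matched; if SODException carries an active flag or a validity
             * period it is not checked here - confirm. */
            vlPolicyException = no.
            for each SODException fields (SODException_ID Usr_ID) no-lock where
                     SODException.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                if can-find (first SODExceptionLn where
                     SODExceptionLn.SODException_ID = SODException.SODException_ID and
                     SODExceptionLn.SODCategory1_ID = Resources1.SODcategory_ID and
                     SODExceptionLn.SODCategory2_ID = Resources2.SODcategory_ID and
                    (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                    (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                or can-find (first SODExceptionLn where
                     SODExceptionLn.SODException_ID = SODException.SODException_ID and
                     SODExceptionLn.SODCategory1_ID = Resources2.SODcategory_ID and
                     SODExceptionLn.SODCategory2_ID = Resources1.SODcategory_ID and
                    (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                    (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                then do:
                    vlPolicyException = yes.
                    leave.
                end.
            end.    /* each SODException */
            if vlPolicyException = no
            then do:
                /* conflict found. */
                /* Remember the conflict so that the remaining resources of
                 * this SOD category are validated (and reported) as well;
                 * without this the check stops after the first resource of
                 * the category, contrary to the break-by comment above. */
                vlConflictFound = yes.
                
                vcSODUserName = "".
                for each Usr fields (Usr_ID UsrName) no-lock where
                         Usr.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                    vcSODUserName = Usr.UsrName.
                end.
                
                vcSODCategoryCode1 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources1.SODcategory_ID:
                    vcSODCategoryCode1 = SODCategory.SODCategoryCode.
                end.
        
                vcSODCategoryCode2 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources2.SODcategory_ID:
                    vcSODCategoryCode2 = SODCategory.SODCategoryCode.
                end.

                /* Context text shown with the message: who, where, and both
                 * sides of the conflicting pair. */
                vcContext = #T-47'User Name':17(7033)T-47#              + " = " + vcSODUserName + chr(10)
                          + #T-15'Entity Code':24(8770)T-15#            + " = " + t_sUsrRoleCompany.tcCompanyCode + chr(10)
                          + #T-16'Role 1 Name':20(733738256)T-16#       + " = " + Role1.RoleName + chr(10)
                          + #T-17'Resource URI':30(8885)T-17#           + " = " + Resources1.ResourceURI + chr(10)
                          + #T-18'SOD category code':20(733736445)T-18# + " = " + vcSODCategoryCode1 + chr(10)
                          + #T-19'Role 2 Name':20(73458301)T-19#        + " = " + Role2.RoleName + chr(10)
                          + #T-20'Resource URI':30(8885)T-20#           + " = " + Resources2.ResourceURI + chr(10)
                          + #T-21'SOD category code':20(733736445)T-21# + " = " + vcSODCategoryCode2.
                
                /* Error severity: the component cannot be saved. */
                oiReturnStatus = -1.
                <M-22 run SetMessage
                   (input  #T-96'Access to resource ($1) for user ($2) in entity ($3) cannot be granted because this would create a SOD conflict.':255(646673889)T-96# (icMessage), 
                    input  Resources1.ResourceURI + chr(2) + vcSODUserName + chr(2) + t_sUsrRoleCompany.tcCompanyCode (icArguments), 
                    input  'tUsrRoleCompany' (icFieldName), 
                    input  '' (icFieldValue), 
                    input  'E' (icType), 
                    input  3 (iiSeverity), 
                    input  t_sUsrRoleCompany.tc_Rowid (icRowid), 
                    input  'BLF-434':U (icFcMsgNumber), 
                    input  '' (icFcExplanation), 
                    input  '' (icFcIdentification), 
                    input  vcContext (icFcContext), 
                    output viFcReturnSuper (oiReturnStatus)) in BUserRole>
            end.
        end.
    end.
end.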

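/* ================================================================= */
/* Validate added entries against the stored user - role - company  */
/* entries.                                                          */
/* ================================================================= */
/* SOD rule 2, part 2: every newly added (tc_Status "N") entry is
 * compared with the UsrRoleCompany records already stored for the same
 * user and company. Stored records that are themselves present in the
 * temp-table are skipped (presumably because they are being changed or
 * deleted in this transaction and were handled by the temp-table loop
 * above - confirm). Roles marked RoleSODException are left out.
 * Conflict and exception rules are the same as in the temp-table loop:
 * category pair in SODExclusion, no matching SODExceptionLn for the user
 * in this company/domain (0 acts as a wildcard).
 * NOTE(review): SODExclusion is looked up in one direction only
 * (SODCategory1_ID = category of the new role's resource) whereas the
 * SODExceptionLn lookup tries both orderings - confirm that exclusions
 * are stored symmetrically. */
for each t_sUsrRoleCompany where
         t_sUsrRoleCompany.tc_Status = "N",
    each UsrRoleCompany where
         UsrRoleCompany.Usr_ID = t_sUsrRoleCompany.Usr_ID and
         UsrRoleCompany.Company_ID = t_sUsrRoleCompany.Company_ID
         no-lock on error undo, throw:
    
    /* Stored record is also in the temp-table: handled by the loop above. */
    if can-find (t_sUsrRoleCompany where t_sUsrRoleCompany.tc_Rowid = string(rowid(UsrRoleCompany)))
    then next.
    
    find Role1 where
         Role1.Role_ID = t_sUsrRoleCompany.Role_ID and
         Role1.RoleSODException = no no-lock no-error.
    if not available Role1
    then next.
    
    find Role2 where
         Role2.Role_ID = UsrRoleCompany.Role_ID and
         Role2.RoleSODException = no no-lock no-error.
    if not available Role2
    then next.
         
    /* Resources of the new role, grouped by SOD category (break by). */
    for each RoleResource1 fields (Role_ID Resource_ID) no-lock where
             RoleResource1.Role_ID = Role1.Role_ID,
        each Resources1 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
             Resources1.Resource_ID = RoleResource1.Resource_ID and
             Resources1.SODcategory_ID <> 0
             break by Resources1.SODcategory_ID on error undo, throw:
        
        /* If no violations are found for a SOD category then skip validations for all next resources in this SOD category.
         * If violations are found keep validating because violations must be reported on resource level.
         * (The outcome depends only on the category of Resources1, so the
         * first resource of a category decides for the whole category.)
         */
        if first-of (Resources1.SODcategory_ID)
        then vlConflictFound = no.
        
        if first-of (Resources1.SODcategory_ID)
        or vlConflictFound
        then for each RoleResource2 fields (Role_ID Resource_ID) no-lock where
                      RoleResource2.Role_ID = Role2.Role_ID,
                 each Resources2 fields (Resource_ID ResourceURI SODcategory_ID) no-lock where
                      Resources2.Resource_ID = RoleResource2.Resource_ID and
                      Resources2.SODcategory_ID <> 0,
                 each SODExclusion fields (SODCategory1_ID SODCategory2_ID) no-lock where
                      SODExclusion.SODCategory1_ID = Resources1.SODcategory_ID and
                      SODExclusion.SODCategory2_ID = Resources2.SODcategory_ID on error undo, throw:
        
            /* Does the user hold an exception for this category pair (either
             * ordering) that applies to this company and domain?
             * NOTE(review): only user, categories, company and domain are
             * matched; if SODException carries an active flag or a validity
             * period it is not checked here - confirm. */
            vlPolicyException = no.
            for each SODException fields (SODException_ID Usr_ID) no-lock where
                     SODException.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                if can-find (first SODExceptionLn where
                     SODExceptionLn.SODException_ID = SODException.SODException_ID and
                     SODExceptionLn.SODCategory1_ID = Resources1.SODcategory_ID and
                     SODExceptionLn.SODCategory2_ID = Resources2.SODcategory_ID and
                    (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                    (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                or can-find (first SODExceptionLn where
                     SODExceptionLn.SODException_ID = SODException.SODException_ID and
                     SODExceptionLn.SODCategory1_ID = Resources2.SODcategory_ID and
                     SODExceptionLn.SODCategory2_ID = Resources1.SODcategory_ID and
                    (SODExceptionLn.Company_ID = t_sUsrRoleCompany.Company_ID or SODExceptionLn.Company_ID = 0) and
                    (SODExceptionLn.Domain_ID = t_sUsrRoleCompany.Domain_ID or SODExceptionLn.Domain_ID = 0))
                then do:
                    vlPolicyException = yes.
                    leave.
                end.
            end.    /* each SODException */
            if vlPolicyException = no
            then do:
                /* conflict found. */
                /* Remember the conflict so that the remaining resources of
                 * this SOD category are validated (and reported) as well;
                 * without this the check stops after the first resource of
                 * the category, contrary to the break-by comment above. */
                vlConflictFound = yes.
                
                vcSODUserName = "".
                for each Usr fields (Usr_ID UsrName) no-lock where
                         Usr.Usr_ID = t_sUsrRoleCompany.Usr_ID:
                    vcSODUserName = Usr.UsrName.
                end.
                
                vcSODCategoryCode1 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources1.SODcategory_ID:
                    vcSODCategoryCode1 = SODCategory.SODCategoryCode.
                end.
        
                vcSODCategoryCode2 = "".
                for first SODCategory fields (SODCategory_ID SODCategoryCode) no-lock where
                          SODCategory.SODCategory_ID = Resources2.SODcategory_ID:
                    vcSODCategoryCode2 = SODCategory.SODCategoryCode.
                end.

                /* Context text shown with the message: who, where, and both
                 * sides of the conflicting pair. */
                vcContext = #T-79'User Name':17(7033)T-79#              + " = " + vcSODUserName + chr(10)
                          + #T-59'Entity Code':24(8770)T-59#            + " = " + t_sUsrRoleCompany.tcCompanyCode + chr(10)
                          + #T-93'Role 1 Name':20(733738256)T-93#       + " = " + Role1.RoleName + chr(10)
                          + #T-31'Resource URI':30(8885)T-31#           + " = " + Resources1.ResourceURI + chr(10)
                          + #T-54'SOD Category Code':20(733736445)T-54# + " = " + vcSODCategoryCode1 + chr(10)
                          + #T-92'Role 2 Name':20(73458301)T-92#        + " = " + Role2.RoleName + chr(10)
                          + #T-87'Resource URI':30(8885)T-87#           + " = " + Resources2.ResourceURI + chr(10)
                          + #T-75'SOD Category Code':20(733736445)T-75# + " = " + vcSODCategoryCode2.
                
                /* Error severity: the component cannot be saved.
                 * NOTE(review): the message number 'blf-434163' differs from
                 * 'BLF-434' used for the same message text in the temp-table
                 * loop above - confirm which one is intended. */
                oiReturnStatus = -1.
                <M-73 run SetMessage
                   (input  #T-26'Access to resource ($1) for user ($2) in entity ($3) cannot be granted because this would create a SOD conflict.':255(646673889)T-26# (icMessage), 
                    input  Resources1.ResourceURI + chr(2) + vcSODUserName + chr(2) + t_sUsrRoleCompany.tcCompanyCode (icArguments), 
                    input  'tUsrRoleCompany' (icFieldName), 
                    input  '' (icFieldValue), 
                    input  'E' (icType), 
                    input  3 (iiSeverity), 
                    input  t_sUsrRoleCompany.tc_Rowid (icRowid), 
                    input  'blf-434163':U (icFcMsgNumber), 
                    input  '' (icFcExplanation), 
                    input  '' (icFcIdentification), 
                    input  vcContext (icFcContext), 
                    output viFcReturnSuper (oiReturnStatus)) in BUserRole>
            end.
        end.
    end.
end.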