Unwrap roles recursively
Recently I got into a situation where a user had some roles, which granted additional roles, and so on.
As I did not understand where a particular permission came from, I wrote this code which gets an initial set of roles and unwraps them recursively, accounting for any repeats.
/// Recursively unwraps roleset./// Accounts for circular dependencies and repeats.Class Utils.Roles
{
/// roles: comma-separated string of roles/// showResources: show resources in addition to roles./// do ##class(Utils.Roles).DisplayClassMethod Display(roles As%String, showResources As%Boolean = {$$$NO})
{
new$namespaceset$namespace = "%SYS"set roles = $lfs(roles)
set i=0while i<$ll(roles) {
do$i(i)
set role = $lg(roles, i)
continue:$d(processed(role))=1write"Current role: ", role,!
write"Grants roles: "set sc = ##class(Security.Roles).Get(role, .p)
forj=1:1:$l($g(p("GrantedRoles")),",") {
set grantedrole = $p(p("GrantedRoles"),",", j)
continue:grantedrole=""continue:$lf(roles, grantedrole)
write grantedrole, ", "set roles = roles _ $lb(grantedrole)
}
write:showResources !, "Grants resources: ", p("Resources")
write !
}
}
}
Spoiler
Not that it helped me, because the offending role was granted by a web app ¯\_(ツ)_/¯
But maybe it'll help someone else.
Code.
Discussion (0)0
Comments
Great story, @Eduard Lebedyuk ! Could you please release your app on OEX so that IPM users could benefit from this addon as well?
Done