Use the job below to get a list of the duties and privileges under one or more roles.
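static void SNP_getAllDutiesAndPrivilidgesUnderRole(Args _args)
{
    // Exports every role -> duty -> privilege -> entry point chain to a CSV file,
    // followed by the privileges that are granted to a role directly (no duty).
    // Replace [UserId] with the Windows user name whose desktop should receive the file.
    str                     fileName = @"C:\Users\[UserId]\Desktop\allDutiesAndPrivilidgesUnderRole.csv";
    CommaTextIo             commaTextIo;
    FileIOPermission        permission;
    SecurityTaskEntryPoint  taskEntryPoint;
    SecurityRole            role;
    SecurityRoleTaskGrant   taskGrant;
    SecuritySubTask         subTask;
    SecurityTask            duty;
    SecurityTask            privilege;
    SecurityTask            securityTask;
    SecurableObject         securableObject;
    DictEnum                dictEnum;
    str                     accessLevel;
    str                     menuItemType;
    FromTime                startTime = timeNow();
    #File

    // Translates an entry point's permission group into the wording used in the report.
    // Shared by both loops so that directly granted privileges get an access level too.
    str accessLevelName(AccessRight _permissionGroup)
    {
        switch (_permissionGroup)
        {
            case AccessRight::View:
                return "Read";
            case AccessRight::Edit:
                return "Update";
            case AccessRight::Add:
                return "Create";
            case AccessRight::Delete:
                return "Delete";
            default:
                return "";
        }
    }
    ;

    permission = new FileIOPermission(fileName, #io_write);
    permission.assert();

    commaTextIo = new CommaTextIo(fileName, #io_write);

    // Header row
    commaTextIo.write(
        "Role AOT name",
        "Description",
        "Duty AOT name",
        "Description",
        "Privilidge AOT name",
        "Description",
        "Entry point",
        "Type",
        "Access level");

    // Built once; the same enum lookup serves every row of both loops.
    dictEnum = new DictEnum(enumNum(MenuItemType));

    // Part 1: privileges that reach the role through a duty.
    while select taskEntryPoint
        join subTask
            where subTask.SecuritySubTask == taskEntryPoint.SecurityTask
        join taskGrant
            where taskGrant.SecurityTask == subTask.SecurityTask
        join role
            where role.RecId == taskGrant.SecurityRole
            //&& role.AotName like 'Sales*'
            //|| role.AotName like 'System*'
    {
        accessLevel = accessLevelName(taskEntryPoint.PermissionGroup);

        // A failed select clears the buffer, so the duty/privilege columns are blank when no match exists.
        select firstOnly AotName, Name from duty
            where duty.RecId == taskGrant.SecurityTask
               && duty.Type  == SecurityTaskType::Duty;

        select firstOnly AotName, Name from privilege
            where privilege.RecId == subTask.SecuritySubTask
               && privilege.Type  == SecurityTaskType::Privilege;

        // Only menu item entry points are resolved to a name; other entry point kinds leave the column blank.
        select firstOnly RecId, Type, Name from securableObject
            where securableObject.RecId == taskEntryPoint.EntryPoint
               && (securableObject.Type == SecurableType::MenuItemDisplay
                || securableObject.Type == SecurableType::MenuItemAction
                || securableObject.Type == SecurableType::MenuItemOutput);

        // NOTE(review): maps a SecurableType value onto MenuItemType names by index — this assumes the
        // two enums line up for the three menu item kinds; confirm against the AOT. The type column is
        // left empty when no menu item was found, instead of naming the enum's first element.
        if (securableObject.RecId)
        {
            menuItemType = dictEnum.index2Name(securableObject.Type);
        }
        else
        {
            menuItemType = "";
        }

        commaTextIo.write(
            role.AotName,
            role.Name,
            duty.AotName,
            duty.Name,
            privilege.AotName,
            privilege.Name,
            securableObject.Name,
            menuItemType,
            accessLevel);
    }

    // Part 2: privileges granted to the role directly, without a duty.
    // The duty columns stay blank for these rows. The role is joined here so that each row
    // reports the role that owns the grant rather than whatever role the first loop ended on.
    while select SecurityTask, SecurityRole from taskGrant
        join RecId, Type, AotName, Name from securityTask
            where securityTask.RecId == taskGrant.SecurityTask
               && securityTask.Type  == SecurityTaskType::Privilege
        join RecId, AotName, Name from role
            where role.RecId == taskGrant.SecurityRole
        join SecurityTask, EntryPoint, PermissionGroup from taskEntryPoint
            where taskEntryPoint.SecurityTask == securityTask.RecId
    {
        accessLevel = accessLevelName(taskEntryPoint.PermissionGroup);

        select firstOnly RecId, Type, Name from securableObject
            where securableObject.RecId == taskEntryPoint.EntryPoint
               && (securableObject.Type == SecurableType::MenuItemDisplay
                || securableObject.Type == SecurableType::MenuItemAction
                || securableObject.Type == SecurableType::MenuItemOutput);

        // As in the original, directly granted privileges are reported only for menu item entry points.
        if (securableObject.RecId)
        {
            menuItemType = dictEnum.index2Name(securableObject.Type);

            commaTextIo.write(
                role.AotName,
                role.Name,
                "",
                "",
                securityTask.AotName,
                securityTask.Name,
                securableObject.Name,
                menuItemType,
                accessLevel);
        }
    }

    // Releasing the object closes the file before the file permission assert is reverted.
    commaTextIo = null;
    CodeAccessPermission::revertAssert();

    info(strFmt("Total time: %1", timeConsumed(startTime, timeNow())));
}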