Announcement
· 8 hr ago

IRISSECURITY

#Security #InterSystems IRIS

IRISSECURITY 

InterSystems IRIS 2025.2 introduces the IRISSECURITY database, the new home for security data. Unlike IRISSYS, the previous home for security data, IRISSECURITY can be encrypted, which secures your sensitive data at rest. IRISSECURITY cannot be mirrored. 

This version also introduces the %SecurityAdministrator role for general security administration tasks. 

When you upgrade to InterSystems IRIS 2025.2, all security data is automatically moved from IRISSYS to the new IRISSECURITY database. 

Before You Upgrade 

IRISSECURITY makes several potentially breaking changes to how users interact with security data: 

  • Users can no longer directly access security globals and must instead use the APIs provided by the various security classes. 
  • Users can no longer arbitrarily query security tables, even when SQL security is disabled. 
  • System databases now use predefined resources that cannot be changed. If you created and assigned a new resource to a system database in a previous version, it will be replaced by the predefined resource when you upgrade. 

The following sections go into detail about these changes and what you should do instead if you depended on the original behavior, but in general, before you upgrade, you should verify and test that your applications and macros: 

  • Use the provided security APIs to administer security (as opposed to direct global access). 
  • Have the necessary permissions (%DB_IRISSYS:R and Admin_Secure:U) for using those APIs. 

Global Access 

Previously, when security globals were stored in the IRISSYS database, users could access security data with the following privileges: 

  • %DB_IRISSYS:R: Read security globals both directly and through security APIs. 
  • %DB_IRISSYS:RW: Read and write security globals. 
  • %DB_IRISSYS:RW and Admin_Secure:U: Administer security through security APIs. 

In InterSystems IRIS 2025.2: 

  • Users can no longer access security globals directly.  
  • Both %DB_IRISSYS:R and %Admin_Secure:U are the minimum privileges needed to both access security data (through the provided security APIs) and administer security through the various security classes. 
  • For general security administration, you can use the new %SecurityAdministrator role. 
  • Read-only access to security data (previously available through %DB_IRISSYS:R) has been removed. 

SQL Security 

Previously, SQL security was controlled by the CPF parameter DBMSSecurity. When DBMSSecurity was disabled, users with SQL privileges could arbitrarily query all tables in the database. 

In InterSystems IRIS 2025.2: 

  • The DBMSSecurity CPF parameter has been replaced with the system-wide SQL security property (accessible from System Administration > Security > System Security > System-wide Security Parameters > Enable SQL security). 
  • Security tables can now only be queried through the Detail and List APIs, which require both %DB_IRISSYS:R and %Admin_Secure:U even when SQL security is disabled. 

For example, to get a list of roles, you can no longer directly query the Security.Roles table. Instead, you should use the Security.Roles_List() query:  

Encrypting IRISSECURITY 

To encrypt IRISSECURITY, use the following procedure: 

  1. Create a new encryption key. Go to System Administration > Encryption > Create New Encryption Key File and specifying the following: 
  • Key File – The name of the encryption key. 
  • Administrator Name – The name of the administrator. 
  • Password – The password for the key file. 
  1. Activate the encryption key. Go to System Administration > Encryption > Database Encryption and select Activate Key, specifying the Key File, Administrator Name, and Password from step 1. 
  1. Go to System Administration > Encryption > Database Encryption and select Configure Startup Settings. 
  1. From the Key Activation at Startup dropdown menu, select a key activation method. InterSystems highly recommends Interactive key activation. 
  1. From the Encrypt IRISSECURITY Database dropdown, select Yes. 
  1. Restart your system to encrypt IRISSECURITY. 

Percent-class Access Rules 

In previous versions of InterSystems IRIS, the procedure for managing a web application’s access to additional percent classes involved writing to security globals. You can accomplish this in InterSystems IRIS 2025.2 through the Management Portal or the ^SECURITY routine. 

Management Portal 

To create a percent-class access rule with the Management Portal: 

  1. Go to System Administration > Security > Web Applications. 
  1. Select your web application. 
  1. In the Percent Class Access tab, set the following options: 
  • Type: Controls whether the rule applies to the application’s access to just the specified percent class (Allow Class) or all classes that contain the specified prefix (AllowPrefix). 
  • Class name: The percent class or prefix to give the application access to. 
  • Allow access: Whether to give the application access to the specified percent class or package. 
  • Add this same access to ALL applications: Whether to apply the rule for all applications. 

^SECURITY 

To create a class access rule with the ^SECURITY routine: 

  1. From the %SYS namespace, run the ^SECURITY routine:    
  1. Choose options 5, 1, 8, and 1 to enter the class access rule prompt. 
  1. Follow the prompts, specifying the following: 
  • Application? – The name of the application. 
  • Allow type? – Whether the rule applies to the application's ability to access a particular class (AllowClass) or all classes that contain the specified prefix (AllowPrefix). 
  • Class or package name? – The class or prefix to give the application access to. 
  • Allow access? – Whether to give the application access to the specified class or package. 
Discussion (1)1
Log in or sign up to continue