Question
· Apr 26

Which DB Resource to provide to a web application related role for a deployed app?

Hi developers!

While developing web apps the security practice I consider safe and convenient is to create a special Role (e.g. equal to the application name) which contains the security resources the application will need (SQL tables, privileges, database access, etc.) and assign it to the Web Application.
So the user gets this role once it logs in to the application (via password, no password or delegated).

Convenient, right?

So, the question is, when I deploy the app as an IPM module what should I put as a database access?

For example, I develop the app in the USER namespace, so I list the access to %DB_USER in the Role's resources and the export (D ##class(Security.Roles).Export("/home/irisowner/dev/roles.xml",,"lovable",,1)) looks like:

<?xml version="1.0" encoding="UTF-8"?>
<RolesExport>
  <Roles>
    <Name>lovable</Name>
    <Version>4</Version>
  </Roles>
  <Roles>
    <GrantedRoles>
      <GrantedRolesItem>%DB_USER</GrantedRolesItem>
    </GrantedRoles>
    <Name>lovable</Name>
    <Version>4</Version>
  </Roles>
  <SQLPrivileges>
    <Namespace>USER</Namespace>
    <SQLObject>1,dc_Sample.Person</SQLObject>
    <Privilege>s</Privilege>
    <Grantee>lovable</Grantee>
    <Grantor>SuperUser</Grantor>
    <Grantable>0</Grantable>
  </SQLPrivileges>
  <SQLRoleGrantOption>
    <UserOrRole>lovable</UserOrRole>
    <RoleGranted>%DB_USER</RoleGranted>
    <Grantable>0</Grantable>
  </SQLRoleGrantOption>
</RolesExport>

But the app could be installed in any database, right? Which resource should I provide? Maybe %DB_DEFAULT (What does it mean BTW)? Any ideas?

Product version: IRIS 2025.1
Discussion (1)

"But the app could be installed in any database, right?"
I believe it's wrong, the app could be installed in any NAMESPACE.

Now the question is, what role has access to the databases associated with the namespace?

Leaving mappings aside, a namespace uses two databases, "Default Database for Globals" and "Default Database for Routines" (code). Usually the two databases coincide, but you cannot assume it's so.
When I configure two databases for a namespace I use a single resource for both, I consider this a good practice but, again, this cannot be assumed.

A generalized solution should find the resources used by the installation destination namespace.

This is how you can get the databases used by the namespace "MYAPP":

%SYS>Set sc=##Class(Config.Namespaces).Get("MYAPP",.NsProperties)
 
%SYS>Write NsProperties("Routines")
MYAPP-R
%SYS>Write NsProperties("Globals")
MYAPP-G

Now, for each database you can get the associated resource with:

%SYS>Set dbr=##class(SYS.Database).%OpenId(##class(Config.Databases).GetDirectory(NsProperties("Routines")))
 
%SYS>Write dbr.ResourceName
%DB_MYAPP
%SYS>
 
%SYS>Set dbg=##class(SYS.Database).%OpenId(##class(Config.Databases).GetDirectory(NsProperties("Globals")))
 
%SYS>Write dbg.ResourceName
%DB_MYAPP

In this case for the MYAPP namespace you only need permission to the %DB_MYAPP resource.

If the two databases use different resources, then you need permission to both the associated resources.
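
The lookup steps from the answer above, combined into one method that returns the distinct resources for any target namespace. This is an added example, not code from the original posts; the class name Demo.NamespaceResources is hypothetical, and it assumes both default databases are local and that the caller is allowed to switch to %SYS.

```objectscript
/// Added example; the class name is hypothetical.
Class Demo.NamespaceResources
{

/// Collect in pResources ($LIST) the distinct resources that protect the
/// default globals and routines databases of namespace pNamespace.
/// Assumption: both databases are local, so their directory can be opened here.
ClassMethod Get(pNamespace As %String, Output pResources As %List) As %Status
{
    // Config.* and SYS.Database are only usable from %SYS;
    // NEW restores the caller's namespace when the method exits.
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"
    Set pResources = ""

    Set sc = ##class(Config.Namespaces).Get(pNamespace, .nsProps)
    If $SYSTEM.Status.IsError(sc) Quit sc

    For key = "Globals", "Routines" {
        Set dir = ##class(Config.Databases).GetDirectory(nsProps(key))
        Set db = ##class(SYS.Database).%OpenId(dir, , .sc)
        // Stop at the first database that cannot be opened; sc holds the reason
        If '$IsObject(db) Quit
        // The two databases often share one resource, so record each name once
        If '$ListFind(pResources, db.ResourceName) {
            Set pResources = pResources _ $ListBuild(db.ResourceName)
        }
    }
    Quit sc
}

}
```

An installer can call `##class(Demo.NamespaceResources).Get($NAMESPACE, .res)` and grant the application role only the resources returned, instead of hard-coding %DB_USER.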