Question
· Oct 2

Login Failure for a single person (not user!) in IRIS for Health

#Authentication #CSP #Management Portal #InterSystems IRIS for Health #InterSystems IRIS

Hi community,

A colleague gets ERROR #822: Access denied every time he tries to log in via Management portal. It is NOT the case of wrong credentials: I reset his password password to a temporary one so it would prompt him to create a new one upon first login. He did get the prompt, changed his password and his next attempt at logging in displayed the same error.

The audit log record displays this:
Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute.
Web Application: /csp/sys/op
$I: |TCP|1972|1533396
$P: |TCP|1972|1533396

Other information:

  • he can get access with the same credentials via R, so it is absolutely not the problem with credentials
  • the login works just fine on my device. He provided me with his old password, which I tested before setting a new one, and I created a test user with the same permissions. Both worked for me but not for him
  • no one else encounters this error. I asked a different colleague (also a Mac user like the first colleague) to try it (test user with the same permissions) just to be sure. It works for the second colleague but the first one still cannot log into Management portal
  • changing browsers (Chrome, Safari) or devices doesn't help. The first colleague encounters the same error (Access denied) in Chrome and Safari, both on his work laptop and an old one he's tried at my request
  • we cannot tell when it started because this colleague usually connects programmatically, not via Management portal. This was the first time he's tried it in about a month

In short, one person encounters the error that no one else trying the same thing does. IRIS Audit log reports a LoginFailure event and claims that "%Admin_Operate:U required" - but it shouldn't require that to just log in! The issue seems to be localized to him specifically  (somehow!) but Audit log claims it's a permissions error. I am deeply confused.

Has anyone else encountered anything like this?

Product version: IRIS 2025.1
$ZV: IRIS for UNIX (Ubuntu Server 22.04 LTS for x86-64) 2025.1.1 (Build 308U) Thu Jul 10 2025 15:59:06 EDT [Health:8.2.3]
Discussion (3)2
Log in or sign up to continue
Nick Petrocelli · Oct 2

My guess is that there is a permissions deficiency in his account that is not obvious. It is possible for a lack of %Admin_Operate:U can deny access to certain pages in the Management Portal; see the following documentation https://docs.intersystems.com/iris20252/csp/docbook/DocBook.UI.Page.cls?...

"It controls access to various pages in the Management Portal, including the System Operation page."

Are you certain that there are no permissions differences between his account and others'? You mentioned using a test account with the same permissions - was this test account cloned from your colleague's?

Another possibility is that he is attempting to access a different page in the management portal than you are. Not all pages in the Management Portal are created equal - I would try sending him a "clean" link to the Management Portal landing page to make sure he isn't trying to access a page he doesn't have permissions on.

If neither of these avenues of investigation bear fruit (and no one else here comes up with another answer), I would contact Support - they have the most experience dealing with permissions minutiae. 

I hope this helps and that you can get this resolved soon - permissions issues can be very frustrating, speaking from personal experience.

2 0
Darima Budazhapova · Oct 2

It shouldn't be a permissions problem because I managed log into his account (in incognito mode) in Management portal with the password he provided! Then I made a test user with the same permissions and logged in with it.

But he couldn't log in with either and the Audit log entry is the same for both, no matter which user he tries to log in as: "Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute." Somehow we do the same thing and get different results.

(edit) I will try the second avenue you wrote about, thank you. If that doesn't bear fruit, we'll see.

(UPDATE) Solved, thank you Nick! After some further digging, it turned out that indeed it was a different colleague sent him the link to check out one of the systems monitoring pages for some reason. He indeed doesn't have permissions to access it! He just panicked and assumed nothing was working when that particular page wouldn't admit him.

2 0