Can I implement row-level security in InterSystems IRIS using class parameters and runtime filters?

Yes, you can implement row-level security in InterSystems IRIS using class parameters and runtime filters. This feature ensures a high level of database security by selectively enforcing access control at the level of individual rows. Here's how you can achieve this:

1. Enable Row-Level Security:

   • Define the ROWLEVELSECURITY parameter within the class definition. Setting ROWLEVELSECURITY to 1 activates row-level security and uses the default %READERLIST property to store the access list for rows.
   • Alternatively, specify a custom property to hold the access list by setting ROWLEVELSECURITY to the property name. In this case, you will need to define an index on the property.

   Parameter ROWLEVELSECURITY = 1;
   // or
   Parameter ROWLEVELSECURITY = "CustomPropertyName";
   Index %RLI On CustomPropertyName;
   

2. Define a Security Policy:

   • Implement the %SecurityPolicy() class method, which specifies the roles or user names allowed to access a row. This method returns a string of comma-separated user names or role names allowed to view the row.

   ClassMethod %SecurityPolicy() As %String [ SqlProc ]
   {
      QUIT "User1,RoleA"
   }
   

3. Compilation:

   • After defining the parameter and the security policy, compile the class and any dependent classes.

4. Runtime Enforcement:

   • The security policy is dynamically checked at runtime each time a SELECT query is executed. This ensures that only authorized users have access to specific rows.

By combining these configurations, you can enforce user-specific row access in both SQL queries and ObjectScript applications [1].

Sources:

Hi Jack,

Can you check the class parameter ROWLEVELSECURITY