· Jul 16, 2020

Ensemble namespace permission


I am attempting to set up a security role for our support team so they can have read access to the production and messages.

I have given the role RW rights on the resource associated with the database. However, when I log into Management Portal and select "Ensemble", the "Available Ensemble namespaces" list is empty.

What permissions do i need to set to be able to navigate to the production?

Thanks in advance,




Just in case it is of any future use to anybody; adding R permission on %DB_CACHESYS and %DB_HSSYS solved the problem of not being able to navigate to the production from the portal home page. Thanks to Alex at WRC for that one :)

Discussion (8)1
Log in or sign up to continue


You have to differentiate between resources and roles. Assigning database resource to a user with RW access will do exactly as it says, were the user be able to access the database they would indeed be able to read and write data from/to the database. However what you want to do is give them access to a select set of Management Portal menu options and forms and for that you need to assign the appropriate %{roles}. There are a number of Ensemble Roles available including the following:

» %EnsRole_Administrator
Ensemble Administrator _SYSTEM
  %EnsRole_AlertAdministrator Ensemble user with administrative Alert access _SYSTEM
  %EnsRole_AlertOperator Ensemble user with Alert access _SYSTEM
  %EnsRole_Developer Ensemble Developer _SYSTEM
  %EnsRole_Monitor Ensemble Monitor _SYSTEM
  %EnsRole_Operator Ensemble Operator _SYSTEM
  %EnsRole_PubSubDeveloper Ensemble PubSub Developer _SYSTEM
  %EnsRole_RegistryManager Administrator of the Public Registry _SYSTEM
  %EnsRole_RegistrySelect Role for viewing Public Registry tables _SYSTEM
  %EnsRole_RulesDeveloper Ensemble Rules Developer _SYSTEM
  %EnsRole_WebDeveloper Ensemble Web Developer _SYSTEM

 There are other roles that give access to the general administration of your Cache/Ensemble/IRIS instance. These roles allow your user to do anything from being able to Monitor the system, perform system operator functions (Create Task Manager Tasks, manage Journals and other system related tasks). Theses roles include:

  %Manager A role for all System Managers _SYSTEM
  %Operator System Operators _SYSTEM

Then there are SQL related roles:

  %SQL Role for SQL access _SYSTEM
  %SQLTuneTable Role for use by tunetable to sample tables irrespective of row level security _SYSTEM

These roles would allow the user to run SQL queries in the Management Portal -> System Explorer -> SQL and perform other DB Administrator functions like Tuning a Table which is a process where by Cache/Ensemble/IRIS will analyse a class/table definition and the data in the table and table indices and based on this will add Selectivity information into the class definition which assists the SQL query generator to choose the least costly and most efficient use of standard indices, bitmap indices and iFind indices to retrieve the requested data.

Finally you have the %All role which gives the user access to everything and should only be granted to the very select group of Managers/Developers who need the flexibility of accessing all aspects of your Cache/Ensemble/IRIS installation. This role should be used with great caution because of the possibility of misuse in the wrong hands.

As the previous commentator wrote, check out the documentation on 'Controlling Access to the Management Portal Functions' but hopefully my response should give you a quick overview and understanding of resources and roles in general.


Hi, thanks for replying.

I was a little too vague in the initial question. I have already given the role the below permissions, in addition to the database resource:

%Ens_Alerts RU
%Ens_ConfigItemRun R
%Ens_Dashboard RU
%Ens_EventLog RU
%Ens_LookupTables RU
%Ens_MessageContent RU
%Ens_MessageHeader RU
%Ens_MessageTrace RU
%Ens_Portal RU
%Ens_ProductionConfig R
%Ens_ProductionDocumentation RU
%Ens_ProductionRun R
%Ens_Queues RU
%Ens_SystemDefaultConfig RU
MPRL_Operation RWU

If i use a direct link to the production (i.e. EnsPortal.ProductionConfig.zen) i can get in, and see the production ok. I just can't navigate to it from the Management Portal landing page.

Yes, probably WRC would be the next step.

I tested on HealthShare Health Connect so I did not have the MPRL resources, but I tried making a user with R/W database permissions and just the resources you listed and was able to navigate from the SMP home page to the production page. I did get a <PROTECT> error so there's probably something still missing, but I got further than you seem to be able to.

Hi Vic

So a <protect> error would indicate an attempt to write to a read only database. Even though we typically use the Management Portal to manage Ensemble productions running in application namespaces and theoretically we don't go anywhere near the ENSEMBLE, ENSLIB, CACHE, CACHELIB, MGR (%SYS) databases the reality is that Users and Roles are maintained in the %SYS namespace and Ensemble itself writes data to the ENSEMBLE databases.  CACHE, ENSLIB, CACHELIB are all read only databases and the Classes in those databases are mapped to all namespaces that require those classes.  So either the database resources you are trying to access only have Read (R) rights or in the case of security management you can manage Users and Roles through the Management Portal no matter which namespace you are connected to but if you attempt to programatically create users and roles from an application namespace you will hit a protect error as you have to be in the %SYS namespace in order to perform these actions programmatically. I guess what I am trying to say is that it might not be sufficient to grant access to the application database resource alone, you might need to assign access to some of the other system database resources as well though without actually attempting to do this exercise myself I can't be more specific than that.  If I get an opportunity tonight after I have completed my daily work task list I will attempt to replicate what you are trying to do and see i I can get it to work and what resources/roles are required in addition to those listed by Carl.

Yes, I am familiar with this type of <PROTECT> and I'm sure I need read access for a system database. More narrowly, I think there might be 1 or a few queries that are run by the production configuration page that require that access, so perhaps full read access might not even be necessary. I was really only setting up this user to test for Carl, as I personally rely on the standard roles that don't have these problems.