Question
· Feb 21, 2016

How to Properly Set Up a CSP Application (Security)?

Hi,

I posted this some weeks ago in the "old" ZEN Google Group; maybe someone here can help me understand how to properly set up a CSP application and benefit from the built-in Caché security mechanism.

I've created a web application and want to add further security to it using the SMP. But... first things first.

I have two databases, let's say DB1-LOGIN and DB2-Application. Each of these DBs has a resource assigned. DB1-LOGIN has a resource %DB1-LOGIN which has a public permission of 'read'. DB2 has a resource as well, %DB2-Application, with no public access.

I have defined two roles, webapp-admin and webapp-user. Only webapp-admin and webapp-user are allowed to access DB2-Application. I've created two test users: test-admin (which has the webapp-admin assigned) and webapp-user (no special roles assigned). The CSP application in the SMP has the application role webapp-user, so test-user is automatically a webapp-user. So far so good.

Q1 - Do the defined resources also need to be added to the CSP application's roles tab?
Q2 - How to set the required resource to run the csp-application (general tab - but listbox does not show any of my defined resources)?
Q3 - How to assign the resource to the roles webapp-admin and webapp-user?
Q4 - Securing access to pages - ZEN page class parameter RESOURCE: how to define it under the given circumstances? I have pages which shall only be accessed by a webapp-admin. So I guess the parameter looks like RESOURCE = "webapp-admin:U". But how to define this "use" flag?

Best regards,

Sebastian

Discussion (7)

1. They must be granted to either the application or the user.

2. Only resources of Service, Application and User type can be used there. %DB resources are database resources.

3. SMP -> Menu -> View Roles -> Choose the role "webapp-admin" -> General Tab -> Privileges -> Add -> choose the resource -> OK -> Save

Repeat for webapp-user

4. Like this:

Parameter RESOURCE = "ResourceName1:Permission,ResourceName2,ResourceName3:Permission";

Where Permission is one of: READ, WRITE, USE

If Permission is skipped (see ResourceName2) then USE permission is checked.
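
As an added example (not part of the original answer and not InterSystems code): a small ObjectScript helper that splits a RESOURCE value of the form shown above, applies the USE default for entries without a permission, and lists the entries the current process does not hold. The class name Demo.ResourceSpec and the resource name WebAppAdmin are hypothetical; how the framework combines several entries is not covered here.

```objectscript
/// Added example; class name is hypothetical.
Class Demo.ResourceSpec Extends %RegisteredObject
{

/// Split a RESOURCE value into a $LIST of "Resource:PERMISSION" entries.
/// An entry without a permission gets USE, as described in the answer above.
ClassMethod Parse(spec As %String, Output sc As %Status) As %List
{
    set sc = $$$OK, parsed = ""
    for i=1:1:$length(spec, ",") {
        set item = $zstrip($piece(spec, ",", i), "<>W")
        continue:item=""
        set res = $piece(item, ":", 1)
        set perm = $zconvert($piece(item, ":", 2), "U")
        set:perm="" perm = "USE"
        // Reject anything other than the three permissions named above
        if (res = "") || '$listfind($listbuild("READ","WRITE","USE"), perm) {
            set sc = $$$ERROR($$$GeneralError, "Bad RESOURCE entry: "_item)
            return ""
        }
        set parsed = parsed_$listbuild(res_":"_perm)
    }
    quit parsed
}

/// Return the entries the current process does NOT hold.
/// Uses $SYSTEM.Security.Check(resource, permission), which returns 1
/// when the process has the permission on the resource.
ClassMethod Missing(spec As %String) As %List
{
    set parsed = ..Parse(spec, .sc)
    if $$$ISERR(sc) throw ##class(%Exception.StatusException).CreateFromStatus(sc)
    set missing = "", ptr = 0
    while $listnext(parsed, ptr, entry) {
        set res = $piece(entry, ":", 1), perm = $piece(entry, ":", 2)
        if '$SYSTEM.Security.Check(res, perm) set missing = missing_$listbuild(entry)
    }
    quit missing
}

// Usage from a terminal session logged in as the user under test
// (WebAppAdmin is a constructed resource name):
//   zwrite ##class(Demo.ResourceSpec).Missing("WebAppAdmin,%DB2-Application:READ")
}
```

An empty result means the process holds every listed permission; a non-empty list names the grants to add to the role.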

Hi,

Sorry for the late response. I've managed to set up the application, roles and privileges as suggested. My application uses a set of (currently) 20 stored procedures to fetch data from the server. The problem now is that webapp-admin and webapp-user have no permission to run these stored procedures. I thought it would be sufficient to add the DB resource to the roles to access these stored procedures. Does this mean that I need to add every single stored procedure to the SQL procedure tab in the role definition?

best regards,

sebastian

What Caché version are you working with?

The use of SCHEMA in this way is documented at http://docs.intersystems.com/cache201513/csp/docbook/DocBook.UI.Page.cls... but not at http://docs.intersystems.com/cache20141/csp/docbook/DocBook.UI.Page.cls?... so it appears to have been introduced with 2015.1. I didn't find any mention of it in the 2015.1 release notes though.