How to temporarily give role(s) to a user?
Hi,
Our application needs to create system users from a request form.
To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.
It is not desirable for these users to have this role permanently, so I proceeded as follows:
I created a facade class for the Security.Users, Security.Roles, Security.Resources classes, which allows me to log in with an authorized user on the NS %SYS.
Here is an example method:
ClassMethod Modify(name As %String, ByRef properties As %String) As %Status
{
    set who = $USERNAME
    do %session.Login("mysysuser","xxxxxxxxx")
    New $NameSpace
    Set $Namespace="%SYS"
    Return ##class(Security.Roles).Modify(name, .properties)
}
I'm wondering what the scope of this login is (when I come back from this method, am I still logged in with my user mysysuser?)
I think so (I haven't tested because until now I called these methods as part of a REST API, so for any new action I reused my effective user token).
But I now have to make a method that calls a Security.Users function, but which has to perform other actions afterwards, without being connected with the mysysuser user.
In this case, how do I revert to my user actually logged in before %session.Login() was called?
I could have made another call to %session.Login, using the login I saved (who), but I don't know its password.
So I'm looking for a solution to this problem.
Hi Pierre,
I use and see it resident in code bases...
$$$AddAllRoleTemporary
It adds %ALL in %SYS...
compiles to:
i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}
Basically adds %All to the current execution role.
I asked the question of @Eduard Lebedyuk some time ago and am paying his wisdom forward.
Hi Ron,
thanks for your answer, @Eduard Lebedyuk gave me another way to do that, which can be more secure.
You can see that in his answer to this post.
You can also use the $ROLES special variable to do that. It contains both the user's assigned roles and any roles you've added during the process. You can't change the user roles, but if you set it that will add a role. So you could do:
set $ROLES = "%All"
Or whatever role you need to add, then do the stuff that requires that role, then do:
set $ROLES = ""
That will take away the %All role you added, reverting the process to just the user's normal roles.
Hi @David Hockenbroch ,
Thanks for your answer
The most secure approach is to use Privileged Routine Application.
Hi @Eduard Lebedyuk,
thanks for your answer, I will test it now :-)
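The $ROLES approach from the answers above, scoped with NEW so the added role is dropped when the method returns. This is an added example, not code from any poster in this thread; the class name, the method names and the role `ROLEADMIN` are hypothetical, and it assumes the process is permitted to add that role.

```objectscript
/// Added illustration; all names in this class are hypothetical.
Class Demo.Security.RoleFacade Extends %RegisteredObject
{

/// Modify a role definition while holding one extra role for this call only.
/// ROLEADMIN is a placeholder for a role assumed to grant what
/// Security.Roles needs in %SYS, used here instead of %All.
ClassMethod ModifyRole(name As %String, ByRef properties As %String) As %Status
{
    // Stack the current role list and namespace. Both are restored when
    // this method's frame exits, on a normal return or on an error.
    new $ROLES, $NAMESPACE
    set sc = $$$OK
    try {
        // Setting $ROLES changes only the added roles; the login roles
        // and $USERNAME of the calling user are untouched.
        set $ROLES = "ROLEADMIN"
        set $NAMESPACE = "%SYS"
        set sc = ##class(Security.Roles).Modify(name, .properties)
    } catch ex {
        set sc = ex.AsStatus()
    }
    return sc
}

/// Caller that continues with its own work after the privileged step
/// and checks that the escalation did not leak out of ModifyRole().
ClassMethod ModifyThenContinue(name As %String, ByRef properties As %String) As %Status
{
    set rolesBefore = $ROLES
    set sc = ..ModifyRole(name, .properties)
    if $ROLES '= rolesBefore {
        return $$$ERROR($$$GeneralError, "added role still active after ModifyRole")
    }
    // Further actions here run with the caller's original roles.
    return sc
}

}
```

Because the session never logs in as a different user, there is no stored password and nothing to log back out of; only the added-roles list changes, and only inside `ModifyRole()`.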