How to temporarily give role(s) to a user?

Question

Question

Pierre LaFay · Dec 29, 2023

#Key Question #Namespace #Security #InterSystems IRIS

Hi,

Our application needs to create system users from a request form.

To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.

It is not desirable for these users to have this role permanently, so I proceeded as follows:

I created a facade class for the Security.Users, Security.Roles, Security.Resources classes which allows me to log in with an authorized user on the NS %SYS

Here is an example method:

ClassMethod Modify(name As %String, ByRef properties As %String) As %Status
{
    set who = $USERNAME
    do %session.Login("mysysuser","xxxxxxxxx")
    New $NameSpace
    Set $Namespace="%SYS"
    Return ##class(Security.Roles).Modify(name, .properties)
}

I'm wondering what the scope of this login is (when I come back from this method, am I still logged in with my user mysysuser?)

I think so (I haven't tested because until now I called these methods as part of a rest api so for any new action I reused my effective user token).

But I now have to make a method that calls a Security.Users function, but which has to perform other actions afterwards, without being connected with the mysysuser user.

In this case, how do I revert to my user actually logged in before %session.Login() was called.

I could have made another call to %session.Login, using the login I save (who), but I don't know its password.

So I'm looking for a solution to this problem.

Product version: IRIS 2023.1

$ZV: IRIS for UNIX (Ubuntu Server 22.04 LTS for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:29:40 EDT

Go to the original post written by @Pierre LaFay

Discussion (7)2

Log in or sign up to continue

Ron Sweeney · Dec 29, 2023

Hi Pierre,

I use and see it resident in code bases...

$$$AddAllRoleTemporary

It It adds %ALL in %SYS...

compiles to:

i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}

Basically adds %All to the current execution role.

I asked the question of @Eduard Lebedyuk some time ago and paying his wisdom forward.

1 0

David Hockenbroch · Dec 29, 2023

You can also use the $ROLES special variable to do that. It contains both the user's assigned roles and any roles you've added during the process. You can't change the user roles, but if you set it that will add a role. So you could do:

set $ROLES = "%All"

Or whatever role you need to add, then do the stuff that requires that roles, then do:

set $ROLES = ""

That will take away the %All role you added, reverting the process to just the user's normal roles.

2 1

Eduard Lebedyuk · Dec 29, 2023

The most secure approach is to use Privileged Routine Application.

0 0

Developer Commu... · Jan 13, 2024

💡 This question is considered a Key Question. More details here.

0 0

score 0 · Answer 1 · 2023-12-30T09:04:02-05:00

Hi Ron,

thanks for your answer, @Eduard Lebedyuk give me another way to do that which can be more secured.

You can see that in his answer to this post

score 0 · Answer 2 · 2023-12-30T05:23:24-05:00

Pierre LaFay · Dec 30, 2023

Hi @David Hockenbroch ,

Thanks for your answer

0 0

score 0 · Answer 3 · 2023-12-30T05:24:18-05:00

Pierre LaFay · Dec 30, 2023

Hi @Eduard Lebedyuk,

thanks for your answer, I will test it now :-)

0 0