Dec 29, 2023

How to temporarily give role(s) to a user?


Our application needs to create system users from a request form.

To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.

It is not desirable for these users to have this role permanently, so I proceeded as follows:

I created a facade class for the Security.Users, Security.Roles, and Security.Resources classes, which allows me to log in with an authorized user on the %SYS namespace.

Here is an example method:

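ClassMethod Modify(name As %String, ByRef properties As %String) As %Status
{
    // Remember the current user name
    set who = $USERNAME
    // Log the session in as the privileged user
    do %session.Login("mysysuser","xxxxxxxxx")
    // Switch to %SYS; the previous namespace is restored on exit
    New $NameSpace
    Set $Namespace="%SYS"
    Return ##class(Security.Roles).Modify(name, .properties)
}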

I'm wondering what the scope of this login is (when I come back from this method, am I still logged in with my user mysysuser?)

I think so (I haven't tested because until now I called these methods as part of a REST API, so for any new action I reused my effective user token).

But I now have to make a method that calls a Security.Users function, but which has to perform other actions afterwards, without being connected with the mysysuser user.

In this case, how do I revert to the user who was actually logged in before %session.Login() was called?

I could have made another call to %session.Login, using the login I saved (who), but I don't know its password.

So I'm looking for a solution to this problem.

Product version: IRIS 2023.1
$ZV: IRIS for UNIX (Ubuntu Server 22.04 LTS for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:29:40 EDT

You can also use the $ROLES special variable to do that. It contains both the user's assigned roles and any roles you've added during the process. You can't change the user roles, but if you set it, that will add a role. So you could do:

set $ROLES = "%All"

Or whatever role you need to add, then do the stuff that requires that role, then do:

set $ROLES = ""

That will take away the %All role you added, reverting the process to just the user's normal roles.
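
The facade method from the question combined with the $ROLES approach from this answer, as an added example that is not code from either poster. It assumes the process is permitted to add roles through $ROLES; the class name `Demo.SecurityFacade` and the role `AppSecurityAdmin` (a custom role carrying only the privileges the Security classes need, used here instead of %All) are hypothetical.

```objectscript
/// Added example: hypothetical facade class, not from the original thread.
Class Demo.SecurityFacade Extends %RegisteredObject
{

/// Modify a role while holding an extra role only for the duration of this call.
/// "AppSecurityAdmin" is a hypothetical custom role; substitute the narrowest
/// role that grants the access the Security classes require.
ClassMethod ModifyRole(name As %String, ByRef properties As %String) As %Status
{
    // NEW stacks the current values; both are restored automatically when
    // this method exits, including when it exits because of an error.
    New $ROLES
    New $NAMESPACE
    Set sc = $$$OK
    Try {
        // Adds the role to the process; the user's login roles are unchanged.
        Set $ROLES = "AppSecurityAdmin"
        Set $NAMESPACE = "%SYS"
        Set sc = ##class(Security.Roles).Modify(name, .properties)
    } Catch ex {
        // Convert any exception into a %Status for the caller.
        Set sc = ex.AsStatus()
    }
    // The added role and the %SYS namespace are dropped here, so the caller
    // continues as the original user with no session re-login and no stored password.
    Return sc
}

}
```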