New post
Question
· Dec 29, 2023

How to temporarily give role(s) to a user?

#Key Question #Namespace #Security #InterSystems IRIS

Hi,

Our application needs to create system users from a request form.

To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.

It is not desirable for these users to have this role permanently, so I proceeded as follows:

I created a facade class for the Security.Users, Security.Roles, Security.Resources classes which allows me to log in with an authorized user on the NS %SYS

Here is an example method:

ClassMethod Modify(name As %String, ByRef properties As %String) As %Status
{
    set who = $USERNAME
    do %session.Login("mysysuser","xxxxxxxxx")
    New $NameSpace
    Set $Namespace="%SYS"
    Return ##class(Security.Roles).Modify(name, .properties)
}
ObjectScript
ObjectScript

I'm wondering what the scope of this login is (when I come back from this method, am I still logged in with my user mysysuser?)

I think so (I haven't tested because until now I called these methods as part of a rest api so for any new action I reused my effective user token).

But I now have to make a method that calls a Security.Users function, but which has to perform other actions afterwards, without being connected with the mysysuser user.

In this case, how do I revert to my user actually logged in before %session.Login() was called.

I could have made another call to %session.Login, using the login I save (who), but I don't know its password.

So I'm looking for a solution to this problem.

Product version: IRIS 2023.1
$ZV: IRIS for UNIX (Ubuntu Server 22.04 LTS for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:29:40 EDT
Discussion (7)2
Log in or sign up to continue
Ron Sweeney · Dec 29, 2023

Hi Pierre,

I use and see it resident in code bases...

$$$AddAllRoleTemporary
ObjectScript
ObjectScript

It It adds %ALL in %SYS...

compiles to:

i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}
ObjectScript
ObjectScript

Basically adds %All to the current execution role.

I asked the question of @Eduard Lebedyuk some time ago and paying his wisdom forward.

 

1 0
David Hockenbroch · Dec 29, 2023

You can also use the $ROLES special variable to do that. It contains both the user's assigned roles and any roles you've added during the process. You can't change the user roles, but if you set it that will add a role. So you could do:

set $ROLES = "%All"

Or whatever role you need to add, then do the stuff that requires that roles, then do:

set $ROLES = ""

That will take away the %All role you added, reverting the process to just the user's normal roles.

2 1