· Nov 24, 2020

Managing Security Strategy in InterSystems: Users or Applications?

Hi Developers!

Want to raise security discussion today!

Let's discuss how InterSystems security for applications works. In general, the concept is clear: we have Resources (what to protect), Roles which combine a set of privileges and accesses to Resources and Users which can have this or that Role.

But there is also a concept of Application which also could have a Role.

So you either provide a Role for a User or for an Application.

What do you use in production? What is your strategy and why? Pros, cons?

What is your strategy for assigning Security Roles: Users or Applications?
Discussion (4)2
Log in or sign up to continue

The applications you mentioned, it's not exactly applications, it's just kind of entrypoint to the application.

Security in Caché and in IRIS now, was not so good in my opinion, for many reasons.

An application developer, if he would like to use role-based security is too limited to use the Security model from InterSystems.

And no matter how many different applications customers would like to use on their own Instance of IRIS, security will be global.

Issues with mirroring, with ECP, any instance of IRIS use own tables, and have to be synchronized in some ways. Such big clusters should have the ability to use the same security settings on any instance, out of the box.

Application, real, not virtual, should have the ability to re-use Security and store it close to Application's data.