Muhammad Waseem · Nov 29, 2021 3m read

OAuth2 and Basic Authentication, Authorization AND Auditing by code from Web Application

In this article I will explain how to Authenticate, Authorize and Audit by code by using CSP Web Application along with Enabling /Disabling and Authenticate/Unauthenticate any Web Application.

Application Layout

Let's start with Authentication

Authentication verifies the identity of any user or other entity attempting to connect to InterSystems IRIS®. As it’s often said, authentication is how you prove that you are who you say you are.

There are a number of different ways that a user can be authenticated; each is known as an authentication mechanism. InterSystems IRIS supports a number of authentication mechanisms:

  • Kerberos — The Kerberos protocol was designed to provide secure authentication to services over an unsecured network. Kerberos uses tickets to authenticate a user and avoids the exchange of passwords across the network.
  • Operating System–Based — OS-based authentication uses the operating system’s identity for each user to identify that user to InterSystems IRIS.
  • Instance Authentication — With Instance authentication, InterSystems IRIS prompts the user for a password and compares a hash of the provided password against a value it has stored.
  • Lightweight Directory Access Protocol (LDAP) — With the Lightweight Directory Access Protocol, InterSystems IRIS authenticates the user based on information in a central repository, known as the LDAP server.
  • Delegated Authentication — Delegated authentication provides a means for creating customized authentication mechanisms. The application developer entirely controls the content of delegated authentication code.

I am using Instance Authentication, for User creation we can use following objectscript command  :

  &sql(CREATE USER TestUser IDENTIFY BY demo)

We created TestUser with demo password


Upon creating user record is also adding in auditing database by using below objectscript command :

Do $SYSTEM.Security.Audit("%System","%Security","UserChange","User:TestUser | Password:demo","Audit Log inserted from Data_APP_Security")

Please Read related documentations (Auditing Guide) :


Once authentication is done we need to create roles and grant Privileges to the roles and then link roles with users (Authorization ). This we will do in three steps

Step 1 : Create Role by using following objectscript command, We are creating ReadWrite role

&sql(CREATE ROLE ReadWrite)

Step 2 : Grant SELECT,UPDATE,INSERT Privileges ON table to the Role, We are assigning scw.Patient table privileges to ReadWrite role

&sql(GRANT SELECT,UPDATE,INSERT ON scw.Patient TO ReadWrite)

Step 3 : Grant Role to the User, We are assigning ReadWrite role to TestUser user 

&sql(GRANT ReadWrite To TestUser)

Enable/Disable web application

We can enable or disable web application by using following objectscript code

New $Namespace
Set $Namespace = "%SYS"
Set App = ##class(Security.Applications).%OpenId("/terminal")
Set App.Enabled=0
Do App.%Save()

here "/terminal" is the name of our application. Application can be disable by setting "App.Enabled" to 0 and enable by setting value to 1

Authenticate/Unauthenticate Web application

We can set Authentication by using following objectscript code

New $Namespace
Set $Namespace = "%SYS"
Set App = ##class(Security.Applications).%OpenId("/terminal")
Set App.AutheEnabled=0
Do App.%Save()

here "/terminal" is the name of our application. Authentication can be set by using "App.AutheEnabled" property. Following numeric values can be set

property AutheEnabled as Security.Datatype.Authentication [ InitialExpression = 64 ];

Authentication and Session mechanisms enabled (CSP Only).
Bit 2 = AutheK5API
Bit 5 - AutheCache
Bit 6 = AutheUnauthenticated
Bit 11 = AutheLDAP
Bit 13 = AutheDelegated
Bit 14 = LoginToken
Bit 20 = TwoFactorSMS
Bit 21 = TwoFactorPW


1 0 3 224
Log in or sign up to continue