User roles and rights management

Question

Question

#Security #System Administration #HealthShare

Hello community,

I guess this one will be easy to answer, but trial and error took me too long meanwhile, so I thought it might better to ask the experts.

I would like to get rid of %all rights for routine use at our productive environment. The things, that we have to do in routine are:

- Open productions and start / stop components
- Read messages and message logs
- Search and resend messages
- Deploy new Applications
- Edit settings and default settings
- Read database tables

All in all, it is quite equal to everything but System Administration.

I tried to configure this by assigning combinations of predefined roles, but Interoperability > Manage > Deployment Changes is not accessible, no matter what combination I tried so far.

So, long story short, what role or right do I have to grant to allow a user to deploy applications? Asked the other way round, the question would be: What rights does a role need to allow everything but "System Administration"?

Thanks for your help, regards,

Martin

Product version: IRIS 2021.1

$ZV: IRIS for UNIX (SUSE Linux Enterprise Server for x86-64) 2021.1 (Build 215U) Wed Jun 9 2021 09:48:27 EDT [Health:3.3.0]

Discussion (2)2

Log in or sign up to continue

Nick Petrocelli · Jun 12

Rather than trying to assign some combination of predefined roles to accomplish what you are looking for, I would suggest defining a new role and assigning to it the privileges that you need. This documentation page has a guide on doing so: https://docs.intersystems.com/iris20241/csp/docbook/Doc.View.cls?KEY=GSA...

That being said, is there something that your users need to do that is not covered by the %EnsRole_Administrator role?

For more details on the Interoperability > Manage > Deployment Changes category, both the 'Deploy' and 'History' options are controlled by the %Ens_Deploy resource, so your users would need a role with Use on %Ens_Deploy. You can see what resources control a given item in the management portal by clicking on the whitespace next to the item and viewing the 'System Resource(s)' and 'Custom Resource' listings. For more information on resources and privileges, see this documentation: https://docs.intersystems.com/iris20241/csp/docbook/Doc.View.cls?KEY=GSA... . So, any role with %Ens_Deploy, e.g. %EnsRole_Administrator, should give you access.

I hope this helps!

1 0

score 2 · Answer 1 · 2024-06-18T04:20:37-04:00

Hello Nick,

thanks for your help. User rights configuration in Iris Healthconnect is a confusing field, I think. Nevertheless, I have configured a role that contains the functionalities I need, partly by trial and error. From my point of view, the documentation could be a bit more detailed, especially when it comes to the resource level. These days, the topic is too serious and important to simply fall back on %ALL for convenience.

Regards, Martin