New post

#Access control

0

This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.

Hi I've created a word macro in order to convert doc to txt via the command line, this works fine via the command line by myself or another user but when I try as an the intersystems user which runs under LocalSystem it doesn't work.

So can I change the user, or set the $ZF to run as a different user?

Or do I have to try another way to convert doc to txt - it's looking like libreOffice?

I just wanted to stick with word because I could be guaranteed on the result being accurate.

Thanks

Regards

Richard

0 11
0 1.1K

I am working on an ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to. Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott

0 10
0 599

Hello; we have users on the system with cache logins. They have access to a specific namespace, and no access to %SYS of course. I'd like to give each user the ability to change his own password from within our application, using Security.User.PasswordExternal. This only exists in the %SYS namespace, and the average user can't get to it.

Should I give the users access to this column in this table (column Password, table Security.Users)? What about access to the namespace? Is this possible? Has anyone done this before?

Thanks,

Laura

0 10
0 1.1K

Hi,

We have Mirroring established between NODE 1 & Node 2 . We have set the "cachesys" database enabled for Journalling. But we dont see the User Accounts , Roles, Resources created on Node 1 ( favoured Primary) reflected on Node 2 . Is creating them manually again is the only option for this ? . Is there any way to sync them or would adding %SYS to MIRROR a possible solution. Would it be great if anyone has faced this as we have an issue that during failovers Team is locked out .

Best Regards,

Arun Madhan

1 10
1 757
Question
· Apr 11, 2017
Authentication with REST

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

2 7
0 2.6K

My original ZAUTHENTICATE.mac to use Delegated sign on did not include GetCredentials(), however I am being told it probably should have it so I am eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac but I am getting an error

0 7
0 264

Hi!

I have a qeustion if it possible to let Ensemble manage user rights from AD-user group?

What i want is to let external user have access to certain CPS-pages to read information. But not let them have access to Ensemble it self. And instead to set up individual accounts in Ensemble for each one of them i rather want to have dem in an AD-securitygroup.

Is that possible and also limit them only to choosen CSP-pages?

0 6
0 351

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

0 6
0 291

Hello,

I have a problem with an Ensemble instance on Windows to access to a network shared directory. Ensemble service (services.msc) is executed with a user which has access to this network shared directory :

- When I try to copy or access files from a terminal ==> this is OK : the command w ##class(%SYS.ProcessQuery).%OpenId($Job).OSUserName returns the user defined in Ensemble service logon screen.

0 6
0 923

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?

0 5
0 248

Hi dev community,

I am currently working on a project to send documents to a RESTful based API that supports bearer
Token Authorization.

When we try to fire a JSON request from our EnsLib.Rest.Operation towards the 3rd party API with a
valid Token we keep receiving Authorization Error codes HTTP 401 back.

If we use the same request and same Token from a test utility such as Postman the request is
successful and we are able to move past the authorization stage.

0 4
2 3.5K

I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].

I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’

It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?

0 4
0 1.2K

When I tried to migrate one of ZEN applications to IRIS from 2018.1 I'm faced with the issue with Login Page, in this case used some ZEN page, completely customized. But when a user tries to get access, he gets the error like below.

The requested URL /csp/user/User.Login.cls was not found on this server.

I tried to test it with a fresh just created login page class

Class User.Login Extends %CSP.Page
{ 

ClassMethod OnPage() As %Status
{
  &html<<h1>Hello</1>>
  Quit $$$OK
} 

}

Set it to /csp/user application as Login page, and

0 4
1 770

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants). Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?

Thanks.

0 3
0 662

I've seen a few password change posts, but I wasn't 100% sure it was the same process, so I am asking here. We periodically have to change the passwords for a few Cache user accounts across several servers. Is there a process/script to change these passwords without having to go into the web portal on each server? Thanks so much, and I apologize if this was covered in some of the other articles that I've run across. Just looking for the best method.

0 3
0 346

Hi, folks!

When you deploy DeepSee solutions you often do not want grant a User %All Role to work with a particular Dashboard.

Consider a Dashboard 'Dash' with a few widgets where listings are being used.

If you manage a Role to get access to the Dash you need to grant access to %DB_DBNAME resource to have a database access, grant access to a Dashboard resource (if any) and ... grant SELECT accesses to all the tables involved in SQL queries being used in all the listings of widgets.

1 3
0 420

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 770