#Access control

Hi all,

I’m working on a data transformation in IRIS where I need to calculate the difference in hours between two timestamps stored as %TimeStamp.

Example:

Set startTime = "2024-07-12 08:30:00"
Set endTime = "2024-07-12 15:15:00"

I’d like to calculate the number of hours (with decimals, like 6.75) between them. What's the recommended way to do this in ObjectScript? I’ve seen examples using $ZDATETIME, but I’m not sure if that’s the cleanest approach.

Any suggestions or best practices would be appreciated!

Thanks,
Jhonn Marie

Hi,

I will try to explain my problem. I have a Main ZenPage on one server that has 2 buttons: each button will launch a different ZenPage on a separate server in an iFrame. All 3 servers have the same user.

Currently, the user logs in to the Main ZenPage, but when they click either button to launch the other ZenPage on the separate server they get the login screen again to login to that server.

Is there anyway I can pass the credentials from the Main ZenPage to the child ZenPages, so that the user doesn't have to login again? Thanks.

Has anyone successfully implemented Multi-factor Authentication for TrakCare?

Trying to identify which records in the %SYS.Audit table are fails.

Eg, as user "WORKER", I run an attempted a grant, the terminal returns:

SQL> GRANT SELECT ON newschema.patients TO COORDINATOR
[S1000][Iris ODBC][State : S1000][Native Code 112]
[libirisodbc35.so]
[SQLCODE: <-112>:<Access violation>]
[Location: <ServerLoop>]
[%msg: <User WORKER does not have required privileges to grant the privilege(s)>]
[ISQL]ERROR: Could not SQLExecute
 

but the record in the audit table gives

Description: "SQL GRANT Statement"

EventData: "GRANT SELECT ON newschema.

Hi anyone has created the user roles for UCR pls share details like if we want to create following roles what access rights should be give to each role.

UCR Admin - This user can stop/start productions, can enable/disable services, can run sql queries, can make changes in facility registries, assigning authority and other configuration.

Hi,

Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?

Thanks
Kiran Kumar

I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.

The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).

For Caché to use this, I get that there is an environment variable (REMOTE_USER) which is set to "something", but it's not clear to me how this ends up mapping to a provisioned caché user (or LDAP provisioned user for that matter) and ultimately to the %Roles in effect and subsequent system access.

we have a issue with just the 1 namespace, where users log using ldap but arent getting any roles assigned to them.

Ldap does work as the user account is created as a ldap user. 

I have gone through the various settings to check that all is setup as required, but cant find a reason why the roles arent being assigned. 

Hi everyone - In IRIS we would like to arrange the access of two users in such a way that each has access to exactly one (his) database only. Which resource does this (%DB_%DEFAULT allows each of the two users access to both databases). If you create new resources (%DB_Database1 and %DB_Database2) and then add them to individual roles (each for the user to), the access for the users, for example, via a REST client does not give the desired separation (instead once Ok, other database 401 Unauthorized both OK). Is there something special to consider or a special resource that could do this or .

How do you determine what namespace to use for your custom SAML attributes? We want to receive patient context (first name, last name, dob, gender, etc.)

OASIS has resource-id but none of the other attributes. urn:oasis:names:tc:xacml:1.0:resource:resource-id

Can the built-in $System.Encryption.TOTP() function be used in conjunction with Authenticator Apps (e.g. Google, Microsoft, and so on)?

Providing the same secret/key to a variety of authentication apps, they all return the same synchronized value. However, passing the same secret/key to $System.Encryption.TOTP() is generating a different value (with all instances executing at the same time for comparison).

All of the reference material I have found so far mentions RFC4226 or RFC6238 or both, including the Intersystems documentation.

Hi Team,
I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to stat/stop Ensemble Hosts.
For that new Role, As per documentation along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didnt add %Ens_ProductionRun resource.
This makes the Start/Stop buttons disappear from Production Configuration page ( meeting my requirement). But those users are Unable Start/Stop/Restart Ensemble Business Hosts.

Hello,

fine tuning access permissions is a difficult issue in Caché, at least for me as it seems. More generally, I would be interested in how to find out which permission a user is missing when a permission violation is logged. In this specific case a user, created in (from my point of view) an identical way as on other instances, is not allowed to execute an operation within a CSP service on the messagebank (which however works on the other machines). Unfortunately, the message in the errorlog does not tell where exactly the access violation occurs, or what permission is missing.

Hi,

We need to implement Oauth2 Code Flow + PKCE. Any experience with InterSystems OAuth2 Server on this would be welcome.
What parameters did you setup on OAuth 2 server configuration page  to make it work?

Thanks!

Dear Folks,

I have recently studied deepsee and developed few dashboards needed for our web app users. I am trying to embed them in our existing web app which uses angular with delegated user access. I need to embed the native IRIS dashboard into it. ( I can't use Highcharts or any other js tools). 

How do I setup the dashboards to work with delegated authentication (Without providing access to management portal or other parts) ? Also should I use the default csp/{Namespace}/_DeepSee.UserPortal.DashboardViewer.zen? or any other web application URL ?

Thanks

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?

Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?

Hello community,

I would like to report about a security issue, that engages us for some time meanwhile.

We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.

How to set the size of the participant pool and what are the key factors that determine it? How should we set it?

Hi team.

Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).

Thanks

Paras

Hi everybody,

Is there a way to run code on another machine? Of course, all authentication info is known. I know only about RemoteResultSet but that seems to be query specific.

Thanks in advance,
Anna
P.S. The ultimate goal, in case that matters, is to create identical globals on 2 different machines with one run.

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks

I'm trying to setup a new accesss role for the company support team to use the message viewer and production config page to trace the errors that eventually could occurr on the production integrations.

Hi All,

I was just wondering whether anyone can help, I have managed to configure LDAP within Healthshare [HealthShare Modules:Core:15.032.9688], and I am also able to login with my LDAP user.  However, I am unable to assign any roles to this user, the user  appears on the users page however, it does not appear in the dropdown list of users when you try to update a particular role in the roles page (I am not sure where I have gone wrong with this).  I can login with the user but I don't get any where far with it because it has no roles assigned to it.  Any help would be great.

Hi All,

Actually, I'm developing few restful API's. I want to create a authentication tokens and display it on my login restful API. If I'm using CSP sessionId, how can I validate the session Id's in another or continues restful API's. else, is there any other approach to handle this task. 

My Primary goal is, I have to integrate 2 different front end applications. One is Zen framework another one is web pages from Python. 

If any lead, it would be appreciated. 

Thanks,

Arun Kumar Durairaj. 

Hello everyone! 

I have REST API and want check user with http header authorization,

When user input incorrect data refuse them with 401 unauthorized,

Question how to response with 401 unauthorized

   Hi,

 I've started to use Task Schedule function in Caché. But I have two questions about it:

1. I want to run the task as an indepedent, technical user. What is the minimum resources for this user to successfully run the defined task.
2. I disabled the built in user _SYSTEM, as the Tightening Security for an Instance article suggest. But I see that built in task run in the name of _SYSTEM user. For example Switch Journal. How can this work, if the user disabled? Should I use another user for this tasks?

Thanks!

Hello Community, 

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into. 

As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself. 

System:

I've tried it on 2 different systems with pretty much the same result: 

1. IIS Server with a 2 System-Mirror Healthshare 2018.1.

I'm wondering if anybody has done an implementation of the https://www.shibboleth.net/products/service-provider/ interface in Caché / IRIS to have a application running in Caché / IRIS be acception the shibboleth tokens and data as  usage credentials.