Hello community,

I would like to report a security issue that has been occupying us for some time now.

We configured a restricted user to read data from a CSP page to feed our Nagios server with information about configuration items we would like to keep an eye on. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by SQL queries and writes data to a temporary table, which is deleted in the beginning.


Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.


Hi,

Initially, when setting up a Cache instance, one creates or imports the user/resources, roles, etc.

After the Mirror has been activated you can add users, resources, etc. But when trying to add new SQL Table privileges to a namespace where the databases are mirrored, it seems that you are not able to, getting the error:

ERROR #5002: Cache error: <DIRECTORY>SQLUserPrivsExecute+13^%SYS.SQLSEC

SOURCE ELEMENT: %CSP.UI.Component.SQLTables (SQLTables)


How do you maintain these privileges?


Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?


When I tried to migrate one of the ZEN applications to IRIS from 2018.1, I faced an issue with the login page; in this case it uses a ZEN page, completely customized. But when a user tries to get access, he gets an error like the one below.

The requested URL /csp/user/User.Login.cls was not found on this server.

I tried to test it with a fresh, just-created login page class:

Class User.Login Extends %CSP.Page
{ 

ClassMethod OnPage() As %Status
{
  &html<<h1>Hello</h1>>
  Quit $$$OK
} 

}

Set it to /csp/user application as Login page, and


Dear Folks,

I have recently studied DeepSee and developed a few dashboards needed for our web app users. I am trying to embed them in our existing web app, which uses Angular with delegated user access. I need to embed the native IRIS dashboard into it. (I can't use Highcharts or any other JS tools.)

How do I set up the dashboards to work with delegated authentication (without providing access to the Management Portal or other parts)? Also, should I use the default csp/{Namespace}/_DeepSee.UserPortal.DashboardViewer.zen, or any other web application URL?

Thanks


Hello; we have users on the system with Cache logins. They have access to a specific namespace, and no access to %SYS of course. I'd like to give each user the ability to change his own password from within our application, using Security.User.PasswordExternal. This only exists in the %SYS namespace, and the average user can't get to it.

Should I give the users access to this column in this table (column Password, table Security.Users)? What about access to the namespace? Is this possible? Has anyone done this before?

Thanks,

Laura


Hi,

We have an Angular solution and a Cache server. We need to have separate users and sessions on the same browser (laptop, tablet, etc.) for every user and for one user with many connections.

Thought this was resolved, but unfortunately not.

-----------------------------------------------------------------------------------------------------------------------

I took the code away from here, because it was somehow OK.

The sessions on the server got mixed, but not any more, thanks to our folks and local engineer's tools :)


Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our Cache database.

We have a limited number of legacy applications that use ODBC to connect to read data, and we are currently not in a position to have these amended any time soon, so in the interim I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?


Hi All -

Our environment has multiple instances of HealthShare installed and most are on separate VMs/servers. Does anyone have any ideas on how to efficiently manage user accounts across all of these multiple instances of HealthShare? As you can imagine, creating 10 separate Cache accounts on each instance during onboarding of new associates is cumbersome and tedious, as is disabling them. We have yet to integrate with AD, but we do have a CyberArk initiative under way, though it is in the very early stages.


My original ZAUTHENTICATE.mac to use Delegated sign-on did not include GetCredentials(); however, I am being told it probably should have it so I can eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac but I am getting an error


Hello,

I have a problem with an Ensemble instance on Windows accessing a network shared directory. The Ensemble service (services.msc) is executed with a user which has access to this network shared directory:

- When I try to copy or access files from a terminal ==> this is OK: the command w ##class(%SYS.ProcessQuery).%OpenId($Job).OSUserName returns the user defined in the Ensemble service logon screen.


Hi All,

Actually, I'm developing a few RESTful APIs. I want to create authentication tokens and display them on my login RESTful API. If I'm using the CSP sessionId, how can I validate the session IDs in other or continuous RESTful APIs? Otherwise, is there any other approach to handle this task?

My primary goal is that I have to integrate 2 different front-end applications. One is the Zen framework; the other is web pages from Python.

Any lead would be appreciated.

Thanks,

Arun Kumar Durairaj.


Hi Team,
I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to start/stop Ensemble Hosts.
For that new role, as per the documentation, along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didn't add the %Ens_ProductionRun resource.

This makes the Start/Stop buttons disappear from the Production Configuration page (meeting my requirement). But those users are unable to Start/Stop/Restart Ensemble Business Hosts.


I am trying to lock down security within our Development environment per requirements from a Security Audit that was done earlier this year. I need to try to limit access at a public level, access to cache users, and exposure.

I installed IRIS with the Lockdown method, and have configured my web applications, services, resources, etc.

When I go into my namespace, I am constantly presented with the following error when I try to start or stop an Object...


I have multiple namespaces in a Cache environment, say NS1 & NS2. I want to add some restriction so that a routine running in NS1 should not access any resource (global/routine) belonging to namespace NS2.

The above restriction is needed for a few of the clients only, so we do not want to write any custom logic in code.

We are looking for some solution provided by Cache where we can restrict the namespace access.

Can somebody please help me with this?

Question
· Jun 10, 2021
HealthShare UCR User Roles

Hi, has anyone created the user roles for UCR? Please share details, e.g. if we want to create the following roles, what access rights should be given to each role?

UCR Admin - This user can stop/start productions, can enable/disable services, can run SQL queries, can make changes in facility registries, assigning authority and other configuration.

UCR Developer - This user can add new services in the production but cannot make any change in the registries and other configuration


Hello.

I want to grant access only to the Message Viewer page to a specific user, in all Namespaces. I have created a role with these privileges:

%Ens_MessageContent
%Ens_MessageHeader
%Ens_MessageTrace
%Ens_Portal

But if I want to see the list of messages, I have to grant SELECT access to the Ens.MessageHeader and Ens.MessageBody tables of each Namespace.

Is there any way to grant access to these tables in all Namespaces at once, even if new ones are created?

Thank you in advance.
