This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.
I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.
The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).
I've seen a few password change posts, but I wasn't 100% sure it was the same process, so I am asking here. We periodically have to change the passwords for a few Cache user accounts across several servers. Is there a process/script to change these passwords without having to go into the web portal on each server? Thanks so much, and I apologize if this was covered in some of the other articles that I've run across. Just looking for the best method.
I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).
Is there a way to allow a single REST service to have unauthorised access?
I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.
Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?
For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?
These are not applications that were developed using CacheDirect.
I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].
I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’
It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?
Is there a way to run code on another machine? Of course, all authentication info is known. I know only about RemoteResultSet but that seems to be query specific.
Many password requirements can be enforced using a password validation routine which is available to implement in System Management Portal. But how about this one:
Check that at least 50% of the characters changed from old password to new password.
We need to have access to the old password to check this, currently password validation routine only gets the new password.
I have accidentally clicked the remember password option in my Ensemble studio. So it is now not asking for username and password and even the authentication popup is not showing every time i open the studio.
Is there anyway to remove the remember password option for the cache studio.
Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).
I'm trying to authorise my app using OAuth 2.0 i Cache. Sadly I'm unable to exchange the authorization code for an access token.
I am able to redirect user to the /authorize page, where the user can login and approve my app. The user is then correctly redirected back to my app and a ?code parameter is sent back.
We have a need to mount remote databases using ECP, but with the Application servers mounting some of the remote databases as Read Only. The Data servers will keep them R+W as normal.
I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign on into Ensemble. In reading over the samples and the documentation, I am not clearly finding on how to set the Appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble.
I'm trying to create a read-only role for most pages on the Management Portal. However, I cannot figure out resource permissions for the HealthShare tab or how to assign custom resource permissions, if any, to the registries. I would like for the role to include read-only access to the registries (service, consent, otherwise). How do I go about doing this?
I am working on an ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP.
I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to. Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?
How would I compare the AD Group against the Role listing?
When deploying IRIS in a container, what are recommendations for permitting users terminal access? There is docker exec -it, but that does not work from a user's workstation where - in the old deployment model - they would connect to the server over ssh using Putty and open a terminal session from there.
I would like to report about a security issue, that engages us for some time meanwhile.
We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.
I am trying to secure a rest service but I lack the understanding of how to achieve this if anyone will explain in details how I could achieve the following:
Securing The REST Service with Basic Auth (username and password)
if any one has a sample code on this will appreciate
We need to implement Oauth2 Code Flow + PKCE. Any experience with InterSystems OAuth2 Server on this would be welcome. What parameters did you setup on OAuth 2 server configuration page to make it work?
Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?
Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.
Initially when setting up a cache instance one creates or imports the user/ resources roles etc .
After the Mirror has been activated you can add users, resources etc. But when trying to add new SQL Table privileges to a namespace where the databases are mirrored it seems that you are not able to , Getting error:
Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?
Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification: Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?
By likes