This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.
Hi Team, I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to stat/stop Ensemble Hosts. For that new Role, As per documentation along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didnt add %Ens_ProductionRun resource.
This makes the Start/Stop buttons disappear from Production Configuration page ( meeting my requirement). But those users are Unable Start/Stop/Restart Ensemble Business Hosts.
I have recently studied deepsee and developed few dashboards needed for our web app users. I am trying to embed them in our existing web app which uses angular with delegated user access. I need to embed the native IRIS dashboard into it. ( I can't use Highcharts or any other js tools).
How do I setup the dashboards to work with delegated authentication (Without providing access to management portal or other parts) ? Also should I use the default csp/{Namespace}/_DeepSee.UserPortal.DashboardViewer.zen? or any other web application URL ?
Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification: Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?
Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?
I would like to report about a security issue, that engages us for some time meanwhile.
We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.
Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).
Is there a way to run code on another machine? Of course, all authentication info is known. I know only about RemoteResultSet but that seems to be query specific.
I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).
Is there a way to allow a single REST service to have unauthorised access?
I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.
I'm trying to setup a new accesss role for the company support team to use the message viewer and production config page to trace the errors that eventually could occurr on the production integrations.
I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into.
As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself.
When a company is quite large and many different applications used by employees. But while those applications are mostly completely different, how to make it possible to not force users to enter credentials as many times as many applications they would like to use. The best way is to use SSO, so, it will be possible to have a portal, where users could launch any application used in a company. There are many different ways how to give access to your application by using the SSO mechanism, and some of them are:
OAuth2
Kerberos
SAML
InterSystems already supports OAuth2 and can be quite easily deal with Kerberos. But I would like to discuss about using SAML (Security Assertion Markup Language).
I'm wondering if anybody has done an implementation of the https://www.shibboleth.net/products/service-provider/ interface in Caché / IRIS to have a application running in Caché / IRIS be acception the shibboleth tokens and data as usage credentials.
This error is sometimes seen while viewing a listing in InterSystems IRIS Business Intelligence: ERROR #5540: SQLCODE: -99 Message: User <USERNAME> is not privileged for the operation (4)
As the error suggests, this is due to a permission error. To figure out which permissions are missing/needed, we can take a look at the SQL query that is generated. We will use a query from SAMPLES as an example.
I have a need to restrict ODBC access to certain users to prevent unwanted access to our cache database.
We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.
When I tried to migrate one of ZEN applications to IRIS from 2018.1 I'm faced with the issue with Login Page, in this case used some ZEN page, completely customized. But when a user tries to get access, he gets the error like below.
The requested URL /csp/user/User.Login.cls was not found on this server.
I tried to test it with a fresh just created login page class
Class User.Login Extends %CSP.Page
{
ClassMethod OnPage() As %Status
{
&html<<h1>Hello</1>>
Quit $$$OK
}
}
Set it to /csp/user application as Login page, and
Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?
We need to implement Oauth2 Code Flow + PKCE. Any experience with InterSystems OAuth2 Server on this would be welcome. What parameters did you setup on OAuth 2 server configuration page to make it work?
When deploying IRIS in a container, what are recommendations for permitting users terminal access? There is docker exec -it, but that does not work from a user's workstation where - in the old deployment model - they would connect to the server over ssh using Putty and open a terminal session from there.
OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.
Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:
I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)
Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?
I've seen a few password change posts, but I wasn't 100% sure it was the same process, so I am asking here. We periodically have to change the passwords for a few Cache user accounts across several servers. Is there a process/script to change these passwords without having to go into the web portal on each server? Thanks so much, and I apologize if this was covered in some of the other articles that I've run across. Just looking for the best method.
I am currently working on a project to send documents to a RESTful based API that supports bearer Token Authorization.
When we try to fire a JSON request from our EnsLib.Rest.Operation towards the 3rd party API with a valid Token we keep receiving Authorization Error codes HTTP 401 back.
If we use the same request and same Token from a test utility such as Postman the request is successful and we are able to move past the authorization stage.
By date
Open Exchange app