#Access control

0 Followers · 121 Posts

This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.

Question Arun Kumar · Oct 15, 2018

Hi All,

Actually, I'm developing a few RESTful APIs. I want to create authentication tokens and return them from my login RESTful API. If I'm using the CSP sessionId, how can I validate the session IDs in the other or subsequent RESTful APIs? Otherwise, is there any other approach to handle this task?

My primary goal is that I have to integrate 2 different front-end applications: one is the Zen framework, the other one is web pages from Python.

Any lead would be appreciated.

Thanks,

Arun Kumar Durairaj. 

1
0 595
Question István Nagy · May 27, 2020

Hi,

I've started to use the Task Schedule function in Caché. But I have two questions about it:

  1. I want to run the task as an independent, technical user. What are the minimum resources for this user to successfully run the defined task?
  2. I disabled the built-in user _SYSTEM, as the Tightening Security for an Instance article suggests. But I see that built-in tasks run in the name of the _SYSTEM user, for example Switch Journal. How can this work if the user is disabled? Should I use another user for these tasks?

Thanks!

4
0 343
Question Ralf von der Reith · May 12, 2020

Hello Community, 

I want to secure a SOAP web service (an EnsLib.SOAP.Service one, if that matters) by adding an SSL/Username policy to it. As I'm not sure how detailed my request here should get, I'll try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems, including some logs, I ran into.

As a small foreword: I'm pretty new to the whole security aspect of InterSystems and SOAP itself.

System:

I've tried it on 2 different systems with pretty much the same result: 

  1. IIS server with a 2-system HealthShare 2018.1 mirror.
3
0 832
Article Peter Steiwer · Mar 2, 2020 2m read

This error is sometimes seen while viewing a listing in InterSystems IRIS Business Intelligence:
ERROR #5540: SQLCODE: -99 Message: User <USERNAME> is not privileged for the operation (4)  

As the error suggests, this is due to a permission error. To figure out which permissions are missing/needed, we can take a look at the SQL query that is generated. We will use a query from SAMPLES as an example.

SELECT TOP 1000 %ID, DateOfSale, Outlet->City, %EXTERNAL(Channel) AS Channel, Product->Name AS Product, UnitsSold, AmountOfSale AS Revenue, (Discount * 100) || '%' AS Discount, Comment FROM HoleFoods.

0
0 1279
Question Sam Clarke · Jan 30, 2020

Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our Caché database.

We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?

1
0 511
Question Dmitry Maslennikov · Jan 16, 2020

When I tried to migrate one of my ZEN applications to IRIS from 2018.1, I faced an issue with the login page; in this case a completely customized ZEN page is used. But when a user tries to get access, he gets an error like the one below.

The requested URL /csp/user/User.Login.cls was not found on this server.

I tried to test it with a freshly created login page class:

Class User.Login Extends %CSP.Page
{

ClassMethod OnPage() As %Status
{
  // Minimal page body, just to check that the login page class is served
  &html<<h1>Hello</h1>>
  Quit $$$OK
}

}

Set it as the login page for the /csp/user application, and

$ curl http://localhost:32784/csp/user/menu.
4
1 1062
Question Laura Blázquez García · Nov 2, 2018

Hello.

I want to grant access only to the Message Viewer page to a specific user, in all Namespaces. I have created a role with these privileges:

%Ens_MessageContent
%Ens_MessageHeader
%Ens_MessageTrace
%Ens_Portal

But if I want to see the list of messages, I have to grant SELECT access to the Ens.MessageHeader and Ens.MessageBody tables of each Namespace.

Is there any way to grant access to these tables in all Namespaces at once, even if new ones are created?

Thank you in advance.

2
0 483
Question Dmitrii Kuznetsov · Sep 1, 2019

An OAuth server is to be deployed on the IRIS learning cloud platform. Clients: one on another instance of the learning IRIS server, the other client locally on my computer in a Docker container.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.

3
1 1069
Article Daniel Kutac · Apr 7, 2016 1m read

Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0
 

Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.

Problem: How to use a common login identity (e.g. Facebook credentials) and a central mechanism of authorization across environments from multiple entities.

Solution: Create awareness and interest in using OAuth 2.0

Content related to this session, including slides, video and additional learning content can be found here.

2
0 771
Question Daniel Kutac · Apr 30, 2019

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however, struggling with the documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future.)

Does anyone have an example that shows how to construct a SOAP client, adding all necessary security headers manually, or can anyone point me to a decent learning resource?

Thank you very much!

1
2 1423
Question Arun Madhan · Feb 20, 2019

Hi dev community,

I am currently working on a project to send documents to a RESTful based API that supports bearer Token Authorization.

When we try to fire a JSON request from our EnsLib.Rest.Operation towards the 3rd party API with a valid Token we keep receiving Authorization Error codes HTTP 401 back.

If we use the same request and same Token from a test utility such as Postman the request is successful and we are able to move past the authorization stage.

We are inputting the Token in the header of the HTTP request as specified by the 3rd party API specification.

4
2 3798
Question James Davidson · Mar 20, 2019

I've seen a few password change posts, but I wasn't 100% sure it was the same process, so I am asking here. We periodically have to change the passwords for a few Cache user accounts across several servers. Is there a process/script to change these passwords without having to go into the web portal on each server?  Thanks so much, and I apologize if this was covered in some of the other articles that I've run across. Just looking for the best method.

3
0 470
Question Michael Lundberg · Feb 19, 2019

Hi!

I have a question: is it possible to let Ensemble manage user rights from an AD user group?

What I want is to let external users have access to certain CSP pages to read information, but not let them have access to Ensemble itself. And instead of setting up individual accounts in Ensemble for each one of them, I would rather have them in an AD security group.

Is that possible, and also to limit them only to chosen CSP pages?

I'm not an administrator of our platform, I just develop productions, so I would be grateful for information I could bring to our tech guys and ask them to set it up, if possible.

6
0 481
Question Arun Madhan · Oct 18, 2018

Hi,

We have mirroring established between Node 1 & Node 2. We have the "cachesys" database enabled for journalling. But we don't see the user accounts, roles and resources created on Node 1 (favoured primary) reflected on Node 2. Is creating them manually again the only option for this? Is there any way to sync them, or would adding %SYS to the mirror be a possible solution? It would be great if anyone has faced this, as we have an issue that during failovers the team is locked out.

Best Regards,

Arun Madhan

10
1 1083
Question Anne Kantola · Aug 31, 2018

Hi,

We have an Angular solution and a Caché server. We need to have separate users and sessions on the same browser (laptop, tablet etc.) for every user and for one user with many connections.

Thought this was resolved, but unfortunately not.

-----------------------------------------------------------------------------------------------------------------------

I removed the code from here, because it was somehow OK.

1
0 606
Announcement Michelle Spisak · Jun 7, 2018

Do you want to simplify your user management by using Windows domain accounts? When you add LDAP integration to your system, you can: 

  • Use the same logins on all your instances 
  • Manage the user accounts centrally 
  • Stop worrying about synchronizing accounts between systems 

In Active Directory Integration with LDAP, a live webinar (June 21, 11:00 a.m. EDT) Katherine Reid, Senior Support Specialist at InterSystems, will discuss the main options for integrating your user accounts with your domain, including delegated authentication and LDAP authentication.

3
1 1019
Article Alexey Maslov · May 4, 2018 1m read

In old Caché versions it was possible to create a new role based on predefined %Developer by copying it and adding some resources as needed. It was true at least from 2010.1 to 2015.1.

After upgrading from 2015.1.4 to 2017.2.1, it turned out that this is only partially true now. A user with a "New-Developer" role can enter Studio and open existing cls/mac/etc. files for editing, and everything is OK unless he tries to create something new (Ctrl-N); then he gets a pop-up with %msg: <User xxx does not have enough privilege to execute stored procedure %CSP.

3
0 565
Question Laura Cavanaugh · Mar 16, 2017

Hello; we have users on the system with Caché logins. They have access to a specific namespace, and no access to %SYS of course. I'd like to give each user the ability to change his own password from within our application, using Security.User.PasswordExternal. This only exists in the %SYS namespace, and the average user can't get to it.

Should I give the users access to this column in this table (column Password, table Security.Users)? What about access to the namespace? Is this possible? Has anyone done this before?

Thanks,

Laura

10
0 1358
Question Scott Roth · Feb 16, 2018

I am working on a ZAUTHENTICATE.mac to move us from local Caché users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to.  Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott

10
0 764