# Access control

0 Followers · 121 Posts

This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.

Question Scott Roth · Feb 12, 2018

I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign-on into Ensemble. In reading over the samples and the documentation, I am not clearly finding how to set the appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble?

Thanks

Scott Roth

1
0 625
Question Richard Housham · Apr 24, 2017

Hi, I've created a Word macro in order to convert doc to txt via the command line. This works fine via the command line for myself or another user, but when I try as the InterSystems user, which runs under LocalSystem, it doesn't work.

So can I change the user, or set the $ZF to run as a different user?

Or do I have to try another way to convert doc to txt? It's looking like LibreOffice.

I just wanted to stick with Word because I could be guaranteed that the result would be accurate.

Thanks

Regards

Richard

11
0 1449
Question Evgeny Shvarov · Sep 27, 2017

Hi, folks!

When you deploy DeepSee solutions you often do not want to grant a User the %All Role to work with a particular Dashboard.

Consider a Dashboard 'Dash' with a few widgets where listings are being used.

If you manage a Role to get access to the Dash, you need to grant access to the %DB_DBNAME resource to have database access, grant access to a Dashboard resource (if any) and ... grant SELECT access to all the tables involved in the SQL queries used in all the listings of the widgets.

And every

3
0 603
Question Steve Shaw · May 25, 2017

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants). Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?

Thanks.

3
0 760
Question Roger Beeman · Mar 27, 2017

Hi All -

Our environment has multiple instances of HealthShare installed, and most are on separate VMs/servers. Does anyone have any ideas on how to efficiently manage user accounts across all of these multiple instances of HealthShare? As you can imagine, creating 10 separate Cache accounts on each instance during onboarding of new associates is cumbersome and tedious, as is disabling them. We have yet to integrate with AD; we do have a CyberArk initiative under way, but it is in the very early stages.

3
0 878
Article Daniel Kutac · May 3, 2017 1m read

It's almost a year since I published a series of articles explaining how to configure a Cache instance as a client / resource server / authorization server. At that time, the OAuth 2.0 implementation was still pre-release software.

With the advent of Cache version 2017.1 a lot has changed. The OAuth 2.0 implementation is fully completed and supported. Numerous new features were added (e.g. dynamic client registration) - see the release notes here for full details - and the configuration pages have been redesigned to a great extent as well.

3
0 582
Article Daniel Kutac · May 3, 2017 18m read

Created by Daniel Kutac, Sales Engineer, InterSystems

Part 3. Appendix

InterSystems IRIS OAUTH classes explained

In the previous part of our series we learned about configuring InterSystems IRIS to act as an OAUTH client as well as an authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe the classes implementing the InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of the API classes.

The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in the %SYS namespace. Some of them are public (via the % package); some are not and should not be called directly by developers.

0
3 3601
Question Pasi Leino · Apr 11, 2017

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems to only work if credentials are placed in the URL parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent REST calls without having to include credentials every time?

I have Parameter UseSession As Integer = 1 in my service class, but what else do I need to do?

7
0 2881
Question Susobhan Pandit · Mar 31, 2017

I have multiple namespaces in a Cache environment, say NS1 & NS2. I want to add some restriction so that a routine running in NS1 cannot access any resource (global/routine) belonging to namespace NS2.

The above restriction is needed for only a few of the clients, so we do not want to write any custom logic in code.

We are looking for some solution provided by Cache where we can restrict the namespace access.

Can somebody please help me with this?

1
0 395
Question Lionel Marty · Mar 29, 2017

Hello,

I have a problem with an Ensemble instance on Windows accessing a network shared directory. The Ensemble service (services.msc) is executed with a user which has access to this network shared directory:

 - When I try to copy or access files from a terminal ==> this is OK: the command w ##class(%SYS.ProcessQuery).%OpenId($Job).OSUserName returns the user defined in the Ensemble service logon screen.

 - When I try to copy or access files from a service, process or operation item of the running Production ==> this is KO and the command ##class(%SYS.ProcessQuery).%OpenId($Job).

6
0 1175
Question Thomas Kotze · Jan 31, 2017

Hi,

Initially, when setting up a Cache instance, one creates or imports the users, resources, roles, etc.

After the Mirror has been activated you can add users, resources, etc. But when trying to add new SQL Table privileges to a namespace where the databases are mirrored, it seems that you are not able to. Getting error:

ERROR #5002: Cache error: <DIRECTORY>SQLUserPrivsExecute+13^%SYS.SQLSEC

SOURCE ELEMENT: %CSP.UI.Component.SQLTables (SQLTables)

How do you maintain these privileges?

1
0 420
Article Maxim Yerokhin · Sep 21, 2016 7m read

Imagine that your .NET project uses the Caché DBMS and you need a fully functional and reliable authorization system. Writing such a system from scratch would not make much sense, and you will clearly want to use something that already exists in .NET, e.g. ASP.NET Identity. By default, however, this framework supports only its native DBMS, MS SQL. Our task was to create an adaptor that would let us quickly and easily port Identity to the InterSystems Caché DBMS. This work resulted in the creation of the ASP.NET Identity Caché Provider.

MSSQL is the default data provider for ASP.

1
0 1457
Question Chip Gore · Nov 23, 2016

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition), the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (In particular, I was wondering what a rule would look like that would require a non-repeating mixture of letters, numbers, & punctuation of an overall minimal size.)

3
0 763
Question Nikita Savchenko · Nov 2, 2016

Hello community!

I am trying to set up the Startup Tag^Routine field for the UnknownUser as follows:

And my simple routine is the following:

Calling do ZitRoStart^ZitRo in the terminal prints "Hello", but when opening Caché Terminal it results in the following:

And the terminal closes.

// Cache for Windows (x86-64) 2016.2 (Build 636U) Wed Apr 13 2016 20:58:35 EDT

What am I doing wrong in the setup?

Thank you very much!

6
0 857
Question Ricardo Paiva · Oct 5, 2016

I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].

I'm facing 'Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com...'

It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?

4
0 1439
Question David Little · Oct 31, 2016

Hey guys

We have a need to mount remote databases using ECP, but with the Application servers mounting some of the remote databases as Read Only. The Data servers will keep them R+W as normal.

From what I can gather this isn't possible using a "Mount Read Only" option; it looks like ECP just inherits the Data server's settings. My reading seems to require roles/access/permissions to enforce Read Only on these remote mounts. Does anyone have an easy guide/cheat sheet to set up read-only mounting on an ECP Application server using roles/permissions?

2
0 917
Article Stephen Walasavage · Nov 1, 2016 2m read

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario: You've just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You've written a very advanced routine with a break command in it for debugging:

```objectscript
MyTestRoutine
            set ^MyInitGlobal = 1
            write "Hello, my name is.
```

1
0 578
Article Rich Taylor · Apr 7, 2016 1m read

Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE

In this session we explore the various options for working with LDAP as an authentication and authorization framework. We will look beyond the simple LDAP schemas into working with more complex LDAP configurations that incorporate application-level security information.

Content related to this session, including slides, video and additional learning content can be found here.

1
0 505