New post

#Access control

0

This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

9 12
3 5.6K

Introduction

In today's rapidly evolving threat landscape, organizations deploying mission-critical applications must implement robust security architectures that protect sensitive data while maintaining high availability and performance. This is especially crucial for enterprises utilizing advanced database management systems like InterSystems IRIS, which often powers applications handling highly sensitive healthcare, financial, or personal data.

9 3
1 133

Created by Daniel Kutac, Sales Engineer, InterSystems

Part 3. Appendix

InterSystems IRIS OAUTH classes explained

In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.

The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.

7 0
3 3.5K

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario: You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

7 1
0 524

Here in %SYS, we have already examined users, resources, and roles. Now that we know how to set all of that up, we should give it a purpose. Next we will talk about applications! As you may expect, we will see various identical class methods defined here that we have seen in the previous classes. However, some of them will have some tiny yet significant differences.

6 1
3 436

Why I decided to write this

Recently I had the challenge to create a secure authentication method to authorize access to some data, but unfortunately I had zero experience with those security configurations and I felt that I was missing some basic concepts to have a better understanding of the official documentation.

After studying and managing to deliver the classes that I was asked to develop, I'd like to share a little bit of my new knowledge, which helped me follow the topics in the documentation.

6 0
1 489

Imagine that your .NET project uses the Caché DBMS and you need a fully-functional and reliable authorization system. Writing such a system from scratch would not make much sense, and you will clearly want to use something that already exists in .NET, e.g. ASP.NET Identity. By default, however, this framework supports only its native DBMS – MS SQL. Our task was to create an adaptor that would let us quickly and easily port Identity to the InterSystems Caché DBMS. This work resulted in creation of the ASP.NET Identity Caché Provider.

4 1
0 1.4K
Article
· May 11, 2020 5m read
Work with SAML in IRIS

When a company is quite large and many different applications used by employees. But while those applications are mostly completely different, how to make it possible to not force users to enter credentials as many times as many applications they would like to use. The best way is to use SSO, so, it will be possible to have a portal, where users could launch any application used in a company. There are many different ways how to give access to your application by using the SSO mechanism, and some of them are:

  • OAuth2
  • Kerberos
  • SAML

InterSystems already supports OAuth2 and can be quite easily deal with Kerberos. But I would like to discuss about using SAML (Security Assertion Markup Language).

Open Exchange app
4 2
5 2K

Hi, Community!

Check the new video of the week on the InterSystems Developers YouTube Channel:

LDAP - Beyond the Simple Schema

https://www.youtube.com/embed/CCQjZgEvAbc
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

3 0
0 400

The ideal number of table permissions to assign for your users is zero. Permissions should be granted upon sign-in based on the application used for access. For web applications, we have a simple way of doing this by appointing application roles, matching roles, and required resources in the System Management Portal.

ODBC and JDBC connections present a different problem, however, especially when third-party applications are involved. As providers of an ERP system, our customers often wish to be able to employ various software packages to integrate with or report on their data. Many of these programs are capable of running any kind of query. Yet, letting them do that can be devastating to a customer’s data.

3 0
3 308

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

Thank you very much!

2 1
2 1.4K
Question
· Apr 11, 2017
Authentication with REST

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

2 7
0 2.8K

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 974

In old Caché versions it was possible to create a new role based on predefined %Developer by copying it and adding some resources as needed. It was true at least from 2010.1 to 2015.1.

After upgrade from 2015.1.4 to 2017.2.1 it turned that it's only partially true now. User with a "New-Developer" role can enter Studio and open existing cls/mac/etc for editing and everything is OK unless he tries to create something new (Ctrl-N), than he gets a pop-up with %msg: <User xxx does not have enough privilege to execute stored procedure %CSP.StudioTemplateMgr_Templates>

1 3
0 504
Question
· Jul 13, 2017
EmergencyId startup

Hello, I am writing to request assistance on an issue I appear to be having when accessing Ensemble. I have it running on a Windows virtual machine, on a Mac laptop, and am trying to access it through the emergency ID account. When starting Ensemble through the command line window using ccontrol start ENSEMBLE /Em... I get an error and Ensemble does not start. Below is the error message I am getting when checking the logs:

1 2
0 973

Hi, folks!

When you deploy DeepSee solutions you often do not want grant a User %All Role to work with a particular Dashboard.

Consider a Dashboard 'Dash' with a few widgets where listings are being used.

If you manage a Role to get access to the Dash you need to grant access to %DB_DBNAME resource to have a database access, grant access to a Dashboard resource (if any) and ... grant SELECT accesses to all the tables involved in SQL queries being used in all the listings of widgets.

1 3
0 534