In this 3-part series of articles, is shown how you can use IAM to simply add security, according to OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS.

In the first part, was provided some OAuth 2.0 background together with some IRIS and IAM initial definitions and configurations in order to facilitate the understanding of the whole process of securing your services.

This part will now discuss and show in detail the steps needed to configure IAM to validate the access token present in the incoming request and forward the request to the backend if the validation

I am trying to create users who only have `%SQL` Role for the INSTANCE. But I am unable to find any documentation on the `Security.Users` class.

See:

// Instantiate the Security.Users objectSet userObj = ##class(Security.Users).%New()// Set the username and passwordSet userObj.Name = userNameSet userObj.FullName = userFullNameSet userObj.Namespace = "USER"Set userObj.Roles = "%SQL"
   Set sc = userObj.ChangePassword(passwd)// Save the user to the databaseSet ss = userObj.%Save()

I cant figure out the "Namespace" property for this

InterSystems IRIS 2025.2 introduces the IRISSECURITY database, the new home for security data. Unlike IRISSYS, the previous home for security data, IRISSECURITY can be encrypted, which secures your sensitive data at rest. In a future version, IRISSECURITY will be mirrorable.

This version also introduces the %SecurityAdministrator role for general security administration tasks. 

The changes described here affect both continuous delivery (CD) and extended maintenance (EM) release tracks.

At hackathons that InterSystems participated and I supported, many students were asking how all their teammates could use the same IRIS database that they spun up in a container. I suggested using ngrok to expose their localhost IRIS and realized we don't have documentation on that. Hence, I thought this would be great to let more people knwo about this powerful technique for enhancing collaboration during development and testing.

Step-by-Step Guide to Exposing InterSystems IRIS with ngrok

This guide will walk you through the process of exposing your local InterSystems IRIS instance using

Hello,

I need to expose InterSystems HealthInsight dashboards over the internet to external operators. The authentication flow is managed externally. When a user is authenticated, our system receives an HTTP request with specific headers (e.g., operator’s fiscal code and hospital identifier) that we need to extract in order to:

• Authorize the user to access the dashboards.
• Apply row-level security on the dashboards, filtering the data by hospital and user role.

I created a new Web Application on IRIS as shown in the screenshot:

I follow this page of the documentation for the settings: https://

I am attempting to follow the tutorial at Publishing Web Services Using Caché | Caché Web Services QuickStart Tutorial | Caché & Ensemble 2018.1.4 – 2018.1.11 to build a toy SOAP web-service using Cache but am running into what I suspect are permissions issues, or perhaps setting up the "plumbing" to get an incoming request to call the web-service methods.

Ensemble instance running on local laptop. Only the Ensemble private web-server installed on the machine (no IIS or Apache).

Working through the tutorial, when I get to testing the service using the terminal (Testing the Service from the

Description

This is a template for a Flask application that can be deployed in IRIS as an native Web Application.

Installation

1. Clone the repository
2. Create a virtual environment
3. Install the requirements
4. Run the docker-compose file

git clone
cd iris-flask-template
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
docker-compose up

Usage

The base URL is http://localhost:53795/flask/.

Endpoints

• /iris - Returns a JSON object with the top 10 classes present in the IRISAPP namespace.
• /interop - A ping endpoint to test the interoperability framework of IRIS.
• /posts - A

Hello Everyone,

The Certification team of InterSystems Learning Services is developing two new HealthShare Unified Care Record certification exams, and we are reaching out to our community for feedback that will help us evaluate and establish the contents of the exams.  Please note that these exams will replace our HealthShare Unified Care Record Technical Specialist exam that we plan to retire in January 2026. Certifications earned in this technology before the exam’s retirement will remain valid for five years from the date of achievement.

How do I provide my input? Complete our Job Task

I am trying to log in to the Web Gateway Management and I have missed placed the password to access the system I have tried 

changing the password under local settings in the CSP.ini  and that has managed to change the password to access the gateway but cannot log me into the management area I have followed a post here and read here and I seem not to get the answers that actual explain how I can get to the web gateway management.

I understand that changing the user in the management portal does not change the password set up in the installation to access the web management gateway if anyone has

After we rolled out a new cointainer based on containers.intersystems.com/intersystems/irishealth:2023.1 this week, we suddenly noticed that our FHIR Repository started responding with an Error 500. This turns out to be caused by PROTECT violations on the new HSSYSLOCALTEMP namespace and database used by this version of the IRIS for Health FHIR components.

The trick to solve that is to add the "%DB_HSSYSLOCALTEMP" to the Web Application(s) that handle FHIR Requests. You can script that by running the following Class method in the namespace(s) that define these Web Applications:

do

Foreword

InterSystems IRIS versions 2022.2 and newer feature the ability to authenticate to a REST API using JSON web tokens (JWTs). This feature enhances security by limiting where and how often passwords transfer over the network in addition to setting an expiration time on access.

The goal of this article is to serve as a tutorial on how to implement a mock REST API using InterSystems IRIS and lock access to it behind JWTs.

NOTE I am NOT a developer.

Question:

How can I create, change etc. Security entities (like Users and Roles) programmatically?

Answer:

You can use the Security package classes in the %SYS namespace. For example Security.Roles or Security.Users.

Of course in order to perform these actions the user will require the needed authorization.

Here's a small example using Security.Roles:

// Create a Role
%SYS>Set status = ##class(Security.Roles).Create("testRole","a test Role","%Development:U,%DB_USER:R")
 

// Creation was successful
%SYS>Write status
1

// Now lets examine the Role created
%SYS>Set status =

If you look at the values.yaml of the IKO's Helm chart you'll find:

useIrisFsGroup:false

Let's break down what it is and in what situations you may want to set it to true.

FsGroup refers to the file system group.

By default, Kubernetes volumes are owned by root, but we need IRIS to own its files (IRIS in containers is installed under irisowner user). To get around this we employ one of two methods:

1) initContainers

The initContainers run before app containers (like IRIS) in a pod.

Background:

This guideline provides an overview of how to design and implement a REST API interface for querying patient demographic data from an Electronic Patient Record (EPR) system using HealthConnect. The process involves sending a query request with the patient's identification number, retrieving the response from the EPR system, extracting the required patient demographic data from the HL7 message, and sending it as a JSON response to the supplier. The high-level process diagram is shown below (Screenshot 1).

Hi, Community!

🔒Are you linking your InterSystems Cloud Services deployments to a private network? See how to do this securely:

Creating and Managing VPNs with InterSystems Network Connect

Hey Community,

Enjoy the new video on InterSystems Developers YouTube:

⏯ Security Database and Wallet - Encryption, Mirroring and More @ Global Summit 2024

Hi,

I'm trying to create a user with access to the HS namespaces management portal.
I'm having trouble identifying the correct resource to assign to the user. I'm testing various resources, but every time I go to the HS management section, a blank page appears, and the Home button disappears.

Does anyone know the correct resource to assign? (I've already granted Read permissions to the Namespace databases)
Thank you!

Hi,

In a customer project we started enforcing the "Inactivity Limit" as defined in System-Wide Security Parameters. The customer would expect accounts to become Disabled after they have been inactive for the specified amount of days. However, that doesn't happen; it seems the Inactivity Limit is only established after logging in.

Furthermore, the account inactivity only starts being applied after the first login. Can you confirm that?

Lastly, for accounts that have been manually Disabled, and have an expired password, we see the following weird behavior:

1. User logs in
2. Needs to change his/her

Is there any mechanism already implemented in IRIS to prevent XSS exploits ? 

This case happen when user input html/javascript content into fields and submit the page. If saved content is rendered as is, it's going to be executed by anyone visiting the page.

What I am looking for : 

• Built-in protection mechanisms that can be enabled globally (eg: per web application) or per CSP page. Something similar to a web application firewall.
• Functions to call manually that can detect such content in fields or sanitize them (remove unwanted content).

Hi all,

I'm performing a migration of some services from one instance to another, and I noticed that the technique defined within the InterSystems Server Migration Guide does not include OAuth client configurations. The recommended technique is to use the ##class(Security.System).ExportAll() and ##class(Security.System).ImportAll() methods.

Is there a way to migrate OAuth client configurations, or do those have to be re-created manually?

Description

This is a template for a FastApi application that can be deployed in IRIS as an native Web Application.

Installation

1. Clone the repository
2. Create a virtual environment
3. Install the requirements
4. Run the docker-compose file

git clone
cd iris-fastapi-template
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
docker-compose up

Usage

The base URL is http://localhost:53795/fastapi/.

Endpoints

• /iris - Returns a JSON object with the top 10 classes present in the IRISAPP namespace.
• /interop - A ping endpoint to test the interoperability framework of IRIS.
• /posts - A

Runtime Enforcement

Hi,

I try to generate JWT tokens in Cache (not in IRIS).

In IRIS I managed to generate tokens using ##class(%OAuth2.JWKS).AddOct("HS256",secret,.jwks).
But In Cache there is no such routine.

Could you provide me a place to find an example how to use JWT, please ?  I am interested to generate a token in Cache, send it to javascript client, and read a token provided by the client and check it is valid.

Kind regards,

Alin Soare.

Hi Community,

🔐 Make sure your data is secure! Learn some strategies for enhancing security in InterSystems IRIS® data platform:

Navigating SQL Privileges and Security in InterSystems IRIS

I want to try out iris-DataViz app to visualize my own data. I cloned the repo and docker-compose up -d in AWS. IRIS portal works, but on port 8051 I get nothing. I checked my AWS security groups. I reversed IRIS webserver port and 8051 and I can connect to Management portal using port 8051. I don't understand what is refusing connection on port 8051 running in iris-DataViz container.

There's an easy new way to add certificate authority (CA) certificates to your SSL/TLS configurations on InterSystems IRIS 2019.1 (and 2018.1.2) on Windows and Mac.  You can ask IRIS to use the operating system's certificate store by entering:

%OSCertificateStore

in the field for "File containing Trusted Certificate Authority X.509 certificate(s)".   Here's an image of how to do this in the portal:

And here's a link to the documentation which describes this.  It's in the list of options under "File containing trusted Certificate Authority certificate(s)".

That's all you need to do!

Anakin Skywalker challenged the high ground and has been terribly injured on Mustafar.  

So if you are following from the previous post or dropping in now, let's segway to the world of eBPF applications and take a look at Parca, which builds on our brief investigation of performance bottlenecks using eBPF, but puts a killer app on top of your cluster to monitor all your iris workloads, continually, cluster wide!  

Continous Profiling with Parca, IRIS Workloads Cluster Wide

I attended Cloud Native Security Con in Seattle with full intention of crushing OTEL day, then perusing the subject of security applied to Cloud Native workloads the following days leading up to CTF as a professional excercise. This was happily upended by a new understanding of eBPF, which got my screens, career, workloads, and atitude a much needed upgrade with new approaches to solving workload problems. 

So I made it to the eBPF party and have been attending clinic after clinic on the subject ever since, here I would like to "unbox" eBPF as a technical solution, mapped directly to what we do in practice (even if its a bit off), and step through eBPF through my experimentation on supporting InterSystems IRIS Workloads, particularly on Kubernetes, but not necessarily void on standalone workloads.

eBee Steps with eBPF and InterSystems IRIS Workloads