New post

#Security

6

Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

See the InterSystems Documentation on Security.

In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Perferably this would be based on an OpenLDAP system which would make it easier to merge into this presentation.

If you have such a schema you would be willing to share please respond or contact my directly at Rich.Taylor@InterSystems.com

Thanks in advance.

Rich Taylor

0 1
0 305

Hi community ,

i use postman for testing my request , i need to extract access token from it (i put it inside the "Get url" using post man before sending my request).

i use the GetAccessTokenFromRequest of (%SYS.OAuth2.AccessToken) class , but in my rest code party , when i send request from post man , i can't extract my access token, it's empty.

can please give me help?

thank you

0 1
0 305
Question
· Dec 2, 2021
SNN Encryption

I need to store an equivalent of the SNN (Social Security number). I need it to be encrypted and I'll have to be able to search for it once stored.

For what I've seen my options are:

- SHAHash from the %system.encryption library. Simple and easy to implement. My question is, might collisions be a problem? We are talking about a 10 millions entry.

- AES encryption. In this case I'd like to know if there is a standard way for key management in the InterSystems environment.

0 2
0 304

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

0 6
0 292
Question
· Nov 30, 2022
Delegated Users

In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well.

When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?

1 1
0 289

Hello,

I am working on Ensemble 2017.2.1 .
I need to export my security settings into an extern database, in order to make a report.

I've created a Business Operation with an SQL Adapter into a Namespace, but I don't know how to get every security data from "%SYS" Namespace ( SQLPrivileges , Resources , Roles , Services , Users ... ).

I dont't want to use the terminal and the ^SECURITY routine, because i don't want to store a XML file on the server.

0 2
0 276

During some consulting activity, I found at the client's site CACHEAUDIT database of more than 100 GB size. The reason was simple: several processes produced a great amount of %System/%System/OSCommand audit records due to frequent external calls ($zf(-100,...)). As it is well-known, those events can be easily disabled systemwide, while this can be hardly considered secure enough. Reducing the number of days before audit cleanup from default 62 to some reasonable figure (e.g. 15) seems to be a better solution, but...

0 2
0 275

My original ZAUTHENTICATE.mac to use Delegated sign on did not include GetCredentials(), however I am being told it probably should have it so I am eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac but I am getting an error

0 7
0 273

Hi everybody,

Is there any functionality I could use that triggers real time user-defined code on certain audit events? Right now I am interested in triggering such code on a routine modification event, like the one below. I do know how to access this record programmatically, via %SYS.Audit.

Thanks in advance,
Anna

1 8
0 272

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks

0 2
0 259
Question
· Mar 13, 2020
List All Available Resources

Maybe I haven't seen anything about it in the documentation, but why isn't there a way to list all the Resources from the %SYS namespace from a class rather than through ^SECURITY

Thinking maybe something like this:
##Class(Security.Resources).ListAll(.result)

0 1
0 257

Hello everyone,

I am looking for the syntax or the way to use a class created in the "BNA" Namespace (my application) from the %SYS Namespace.

Here is the context:

I have a "BNA" application contained in the "BNA" NS, this application provides a user creation functionality. This feature creates both the user in a table in the application and in the Iris system.

0 9
0 256
Question
· Mar 24, 2020
Cannot type password in Terminal

I just tried to log into our QA server and connect to Terminal (v 2013.1).

I can type in my username but when I attempt to type my password, no characters are typed. When I press ENTER the password is invalid.

I can connect to the management portal and the studio development environment without any problems. Also, I do not have this problem when connecting to the terminal in our production environment (2010).

Does anyone know what can cause this type of problem?

Thanks.

0 2
0 243

I recently started work on trying to Tighten Security in our Development Instance of IRIS that is running based on recommendations from our Audit as you might of seen from my other posts. I am currently trying to get into the Private Web Gateway Manager within IRIS as CSPSystem, but when I attempt to sign in nothing happens.

I went through and reset the password in the CSP.ini and within IRIS for CSPSystem. I made sure it had the new GatewayRole per suggested

0 2
0 243

I would like to allow some departmental user to view the ensemble portal. I want to make sure they are not allowed to do any changes (like stop and start interfaces from portal)

I have created one userbut limited with SQL privilages. But using this account, the portal view is not accessible.

It would be appreciated if anyone can adice me on this. I know this may be a silly question.

Regards,

Bava

0 1
0 230

I am attempting to pragmatically create a bunch of roles and then assign the appropriate resources to that role.

Currently, the only ways to add resources to a role are to:

1. Do through Management Portal

2. Go through ^SECURITY (add resource one at a time)

My Intention would be to do the following: do ^SECURITY Role Setup Edit Role When prompted for resources to add, be able to use *

0 2
0 229

Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.

0 1
1 206

Hi,

Our application needs to create system users from a request form.

To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.

It is not desirable for these users to have this role permanently, so I proceeded as follows:

I created a facade class for the Security.Users, Security.Roles, Security.Resources classes which allows me to log in with an authorized user on the NS %SYS

Here is an example method:

1 7
0 199