The ideal number of table permissions to assign for your users is zero. Permissions should be granted upon sign-in based on the application used for access. For web applications, we have a simple way of doing this by appointing application roles, matching roles, and required resources in the System Management Portal.

ODBC and JDBC connections present a different problem, however, especially when third-party applications are involved. As providers of an ERP system, our customers often wish to be able to employ various software packages to integrate with or report on their data. Many of these programs are capable of running any kind of query. Yet, letting them do that can be devastating to a customer’s data.

So far, we have covered how to use ObjectScript to manage users, roles, resources, and applications. There are a few other classes in this package that work similarly to the ones mentioned above. However, these four classes are the ones everyone will have to use to manage their application security. Suppose you wanted to create your own Security management portal for this package. There would be some specific issues to think about for an API. Since the classes use similar methods, we can create fewer API endpoints using indirection. However, we should consider differences between those methods

All FHIR resources have a Meta element containing metadata about the resource. Some attributes are updated by the server, others are populated by the app constructing the resource.

Here are the 3 common attributes of FHIR’s Meta element: 

1. versionId
This is an ID that identifies a saved version of the resource on the FHIR server. Many servers use a GUID here, others use an integer. But it’s a string value, so don’t write code against this assuming a sequential integer, regardless of what the server does.

Hi,

Our application needs to create system users from a request form.

To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.

It is not desirable for these users to have this role permanently, so I proceeded as follows:

I created a facade class for the Security.Users, Security.Roles, Security.Resources classes which allows me to log in with an authorized user on the NS %SYS

Here is an example method:

Hi community,

I´ve setup a local FHIR server via the framework functionality und set a service config name for the created endpoint since I plan to use a production based FHIR server. I´ve created an additional ressource "FhirClientRessource" and role "FhirClientRole" as well as a user named "FhirClient". The Role resource "FhirClientRessource" ist set as "required resource" in the FHIR server configuration page. The user "FhirClient" is member of the Role "FhirClientRole" which in turn holds RWU priveliges on the "FhirClientRessources".

I have a case where the Active Directory Service Account passwords will be changed periodically every 3 months and the changes are shared via the LastPass application which requires logging into the app to retrieve the new password and manually entering it into the Interoperability Credentials configuratrion, or the Service Registry.

> Is there a way to retrieve the password automatically?

In this case the organization plans to use gMSA (Group Managed Service Account) and BeyondTrust for setting up new password in the future.

How have people delt with this?

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

Will it hurt anything if I disable the user that installed IRIS, within IRIS? Does this cause a problem with background processes running or with the restart? I know the _Ensemble user is used to start/stop/restart objects within IRIS, just didn't see anything in the documentation about the user that installed IRIS.

Thanks

Scott

We are back to %SYS once again! Since we covered managing users and resources in the last two articles, we can finally move on to roles. As you may have guessed, there are a lot of methods of managing them that you have already seen in our previous writings. However, we can still encounter key differences in this particular class.

I recently started work on trying to Tighten Security in our Development Instance of IRIS that is running based on recommendations from our Audit as you might of seen from my other posts. I am currently trying to get into the Private Web Gateway Manager within IRIS as CSPSystem, but when I attempt to sign in nothing happens. 

I went through and reset the password in the CSP.ini and within IRIS for CSPSystem. I made sure it had the new GatewayRole per suggested 

https://docs.intersystems.com/healthconnect20231/csp/docbook/DocBook.UI.Page.cls?KEY=GSECURING_tighten#GSECURING_tighten_smp_CSPSysAuthe

I am trying to lock down security within our Development environment per requirements from a Security Audit that was done earlier this year. I need to try to limit access at a public level, access to cache users, and exposure.

I installed IRIS with the Lockdown method, and have configured my web applications, services, resources, etc.

When I go into my namespace, I am constantly presented with the following error when I try to start or stop an Object...

Cannot login as IRIS manager. Please confirm the '_Ensemble' user is enabled and is assigned the '%All' role.

My original ZAUTHENTICATE.mac to use Delegated sign on did not include GetCredentials(), however I am being told it probably should have it so I am eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac  but I am getting an error

Hi,

I want to write a class to write a customized SSL/TLS certificate expiry alerts using ObjectScript?

Any sample code for reference available?

Thanks, 

Have you ever thought of creating your own systems for editing users or, perhaps, even an API that you can call? Today, you’re going to join me in the %SYS namespace and get to know Security.Users! 

Currently, the SQL privileges (SELECT, INSERT, UPDATE, DELETE) are managed at the tables level, which can be very tedious when you have to administer many roles in an organization, and need to keep them sync with a constantly evolving data models.
By managing privileges at the schemas level, will allow to give SELECT and other DML privileges to *all* or *several schemas* to a role|user, fixing the need to manually synchronize the new tables|views to the roles.

If you agree, I invite you to vote for this idea.

When installing IRIS, all the system AUDIT events are not enabled.

What is the fastest way to activate all events?

  System > Security Management > System Audit Events 

It sometimes happens that due to an adverse event the AUDIT database (IRISAUDIT) has grown to such proportions that the disk it resides on is full and the daily purge cannot be expected to reclaim disk space.

As IRISAUDIT is a system database required at startup, there is no question of attempting to restart IRIS after simply deleting IRIS.DAT from the <IRIS ROOT>/mgr/irisaudit/ database, nor of hot swapping, by system manipulations trying to dismount, replace, remount, since it is simply not possible to dismount it.

IRISAUDIT database: mounting required when starting IRIS

Hi, 

I am in need of a routine or class method to generate an Oauth 1.0 signature.  I was about to code this myself, but thought to check first to see if anyone has already done this and is willing to share.

Thanks in advance for any help.

[UPDATE  06/28/2016]

There are several ways of classifying cryptographic algorithms: 1) Secret Key Cryptography (SKC) - Uses a single key for both encryption and decryption. It is also called symmetric encryption. Primarily, it was used for privacy and confidentiality; 2) Public Key Cryptography (PKC) - Uses one key for encryption and another one for decryption. It is also called asymmetric encryption. Initially, it was utilised for authentication, non-repudiation, and key exchange; 3) Hash Functions - Uses a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint.

REST API for Security Package

Hi community,

In this article, we will learn how to set up a REST API for the IRIS Security Package. We will be able to create users, roles, add applications, etc... by simple HTTP requests as well as generate a client application in ObjectScript.

Requirements

We need :

1. An IRIS instance (installation kit or docker).
2. ObjectScript package manager (ZPM).
3. (Optional) A second IRIS instance to generate an ObjectScript client.

Hello,

We currently have the following scenario: We have a bussiness SOAP Operation, where we get a SAML String and we convert it into a %SAML.Assertion object correctly.

👩‍💻👨‍💻 We would need to send the SAML Assertion inside the SOAP Header to the Target System.

First of all thanks for reading, and thanks for answering.

We currently have opened Log Soap and we do not observe it being added to the SOAP Header, as you would observe in the following Log Soap:

Hi Community,

Watch this video to learn about the new and future changes to the security framework in the HealthShare product suite. Topics include OAuth 2.0, SSO, and the Universal Login Page:

⏯ Updates in Security in the HealthShare Suite @ Global Summit 2022

Good afternoon,

first thank you from heart and mind, mind and heart; for reading, thinking, reflecting, responding, and above all explaining a possible solution and/or documentation to address this doubt.

We would need a way to get inside a SOAP Web Service the SAML Assertion, and then, send it directly to the endpoint throught a SOAP Operation.

Currently we have researched and developed how to get the SAML Assertion with the following code:

We are very eager to learn what kind of feedback you might have for InterSystems.

We hope you had a chance to download and install one of the kits that show how the new process works. If not, you still can do it, following the instructions on these posts:

• https://community.intersystems.com/post/how-do-i-apply-nopws-early-acce…
• https://community.intersystems.com/post/discontinue-apache-web-server-installations-aka-private-web-server-pws

Our target release is InterSystems IRIS 2023.2 (and InterSystems IRIS for Health 2023.2) and will be available in a few months.
 

Several steps should be done in order to secure the connection through xDBC clients to an IRIS Server instance using TLS. Most of the information can be obtained from the documentation about TLS on IRIS here, about configuring the security layer for encrypted connections. In the next paragraphs we will cover an step-by-step guide on how to configure and test the connection using SQL Clients apps using ODBC and JDBC.

You can download the drivers from InterSystems IRIS Driver Packages

Configuring IRIS SuperServer to use TLS

IRIS Documentation on this link

Be in touch with InterSystems and receive alerts, advisories and product news quickly. The process is really simple:

• Click in this link: https://www.intersystems.com/support/product-alerts-advisories/ 
• Fill in the form with your contact information and
• You're all set!

As you can see, it takes less than a minute to keep informed about the news!

It is a recommended security practice to login into sensitive Administrator Portals without any input passwords. Thus, it is necessary to identify and authenticate the users correctly. A common technique employed by web portals and mobile applications is to use Google social login. Today, Google Gmail has 2 billion users (source:https://www.usesignhouse.com/blog/gmail-stats). Therefore, it is a perfect shared login service to utilize to login InterSystems IRIS users when they need to manage their instances. This article will detail all the steps to embed Google Login into your InterSystems Management Portal.

Register your InterSystems instance in the Google Console

1. Go to https://console.cloud.google.com and log in with your Google user account.
2. On the header click Select a project:

When you install an IRIS or Caché instance on Windows Server, you'll usually need to install it under a specific user account that has network access permissions. This is very handy when you needs to access network resources for creating files or directly accessing printers.

TL;DR: see key takeaways at the bottom!

When you need to change the Windows user account the IRIS/Caché service is running as, you can configure (after installation):