Security | InterSystems Developer Community

Discussion

Evgeny Shvarov · Nov 24, 2020

Managing Security Strategy in InterSystems: Users or Applications?

Hi Developers!

Want to raise security discussion today!

Let's discuss how InterSystems security for applications works. In general, the concept is clear: we have Resources (what to protect), Roles which combine a set of privileges and accesses to Resources and Users which can have this or that Role.

But there is also a concept of Application which also could have a Role.

So you either provide a Role for a User or for an Application.

What do you use in production? What is your strategy and why? Pros, cons?

#Security #Caché #Ensemble #HealthShare #InterSystems IRIS #InterSystems IRIS for Health

0 4

0 245

Article

Dmitrii Kuznetsov · Oct 7, 2019 12m read

OAuth Authorization and InterSystems IRIS: Taming Trust Protocols

How can you allow computers to trust one another in your absence while maintaining security and privacy?

“A Dry Martini”, he said. “One. In a deep champagne goblet.”
“Oui, monsieur.”
“Just a moment. Three measures of Gordons, one of vodka, half a measure of Kina Lillet. Shake it very well until it’s ice-cold, then add a large thin slice of lemon peel. Got it?”
"Certainly, monsieur." The barman seemed pleased with the idea.
Casino Royale, Ian Fleming, 1953

OAuth helps to separate services with user credentials from “working” databases, both physically and geographically. It thereby strengthens the protection of identification data and, if necessary, helps you comply with the requirements of countries' data protection laws.

With OAuth, you can provide the user with the ability to work safely from multiple devices at once, while "exposing" personal data to various services and applications as little as possible. You can also avoid taking on "excess" data about users of your services (i.e. you can process data in a depersonalized form).

#JSON #OAuth2 #Security #Tutorial #InterSystems IRIS

Open Exchange app

7 1

5 1.4K

Article

Yuri Marx · Oct 7, 2020 2m read

Run your local IRIS http endpoints as https on the internet from your env

By default InterSystems IRIS expose your endpoints using http, but can be necessary run https from your dev env and/or get public internet access to your app. You can buy or get a certificate and config a gateway, spending many hours or use a great public service called ngrok. Follow the steps:

1 - Run your app, I will use FHIR template as sample, see:

1.1 download the app: git clone https://github.com/intersystems-community/iris-fhir-template.git

#REST API #Security #InterSystems IRIS

5 2

4 575

Question

Hannes Postl OEID · Sep 25, 2020

Kerberos WebGateway

Hello

#Security #InterSystems IRIS

0 2

0 350

Article

Vinicius Maranh... · Apr 2, 2020 4m read

Securing your APIs with OAuth 2.0 in InterSystems API Management – Part 1

Introduction

Nowadays, there is a lot of applications that are using Open Authorization framework (OAuth) to access resources from all kinds of services in a secure, reliable and efficient manner. InterSystems IRIS is already compatible with OAuth 2.0 framework, in fact, there is a great article in the community regarding OAuth 2.0 and InterSystems IRIS in the following link here.

#API #OAuth2 #REST API #Security #InterSystems IRIS

6 1

1 1.5K

Article

Daniel Kutac · Aug 3, 2016 13m read

InterSystems IRIS Open Authorization Framework (OAuth 2.0) implementation - part 1

This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.

#Authentication #Access control #Best Practices #OAuth2 #Security #Caché #InterSystems IRIS

17 10

15 9.5K

Question

Yuri Marx · Aug 11, 2020

Label security

Is it possible restrict access in IRIS from label data classification (ultra/top secret, restrict, ostensive, etc.)?

#Security #InterSystems IRIS

1 2

1 208

Question

Simon Barker · Aug 4, 2020

Allow unorthorised access to a single REST service

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks

#REST API #Access control #Security #Ensemble #HealthShare

0 2

0 343

Announcement

Anastasia Dyubaylo · Jul 31, 2020

New Videos: FHIR API Management

Hey Developers,

Check out the latest video on FHIR API Management:

⏯ FHIR API Management: Basic Configuration

https://www.youtube.com/embed/EYZ4dXNZNSY
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

⏯ FHIR API Management: FHIR Dev Portal

https://www.youtube.com/embed/9yEm7ZAZENI
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

⏯ FHIR API Management: Logging and Monitoring

https://www.youtube.com/embed/xcHjcBTLw8o
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

⏯ FHIR API Management: Security

https://www.youtube.com/embed/7ImJPCdp96A
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

#API #FHIR #HL7 #Interoperability #Monitoring #REST API #Security #Video #InterSystems IRIS for Health

3 0

0 486

Question

Carl Tawn · Jul 16, 2020

Ensemble namespace permission

Hi,

I am attempting to set up a security role for our support team so they can have read access to the production and messages.

I have given the role RW rights on the resource associated with the database. However, when I log into Management Portal and select "Ensemble", the "Available Ensemble namespaces" list is empty.

What permissions do i need to set to be able to navigate to the production?

Thanks in advance,

Carl

Edit:

#Namespace #Security #Ensemble

0 8

0 973

Question

Arun Kumar · Oct 15, 2018

How to validate the CSP sessionId in another zen pages/restful api's

Hi All,

Actually, I'm developing few restful API's. I want to create a authentication tokens and display it on my login restful API. If I'm using CSP sessionId, how can I validate the session Id's in another or continues restful API's. else, is there any other approach to handle this task.

My Primary goal is, I have to integrate 2 different front end applications. One is Zen framework another one is web pages from Python.

If any lead, it would be appreciated.

Thanks,

Arun Kumar Durairaj.

#API #Authentication #Access control #Frontend #REST API #Security #ZEN #Caché

0 1

0 552

Article

Yuri Marx · Jun 8, 2020 3m read

Compliance of data solutions based on InterSystems technology with GDPR (Europe), CCPA (California) and LGPD (Brazil)

About regulations

Personal data privacy regulations have become an indispensable requirement for projects dealing with personal data. The compliance with these laws is based on 4 principles:

#Databases #Encryption #InterSystems Business Solutions and Architectures #Security #Caché #Ensemble #InterSystems IRIS #InterSystems IRIS for Health

4 0

2 425

Article

Sergey Mikhailenko · Jun 2, 2020 8m read

Increasing the Security of the InterSystems IRIS DBMS

When you first start working with InterSystems IRIS, it’s a common practice to install a system with only a minimum level of security. You have to enter passwords fewer times and this makes it easier to work with development services and web applications when you're first getting acquainted. And, sometimes, minimal security is more convenient for deploying a developed project or solution.
And yet there comes a moment when you need to move your project out of development, into an Internet environment that’s very likely hostile, and it needs to be tested with the maximum security settings (that is, completely locked down) before being deployed to production. And that’s what we’ll discuss in this article.
For more complete coverage of DBMS security issues in InterSystems Caché, Ensemble, and IRIS, you may want to read my other article, Recommendations on installing the InterSystems Caché DBMS for a production environment.
The security system in InterSystems IRIS is based on the concept of applying different security settings for different categories: users, roles, services, resources, privileges, and applications.

Users can be assigned roles. Users and roles can have privileges on resources — databases, services, and applications — with varying read, write, and use rights. Users and roles can also have SQL privileges on the SQL tables located in databases.

#Beginner #Security #System Administration #Caché #Ensemble #InterSystems IRIS #InterSystems IRIS for Health

Open Exchange app

5 2

3 1.1K

Question

István Nagy · May 27, 2020

Scheduled Task User privilege

Hi,

I've started to use Task Schedule function in Caché. But I have two questions about it:

#Security #System Administration #Access control #Caché

0 4

0 302

Question

Bharath Nunepalli · Apr 3, 2020

Calling Security.Users class in a script

Hi,

Has anyone tried to call Security.Users class (in %SYS namespace) for creating or editing users from a shell script (or any programming language)?

If yes, can you please share your code?

We are trying to automate some stuff and would like to know how this worked for others.

Thanks,

Bharath Nunepalli.

#Security #Caché

1 7

0 446

Article

Daniel Kutac · Feb 11, 2019 4m read

Using Oauth2 with SOAP (Web)Services

Hi guys,

Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.

After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.

#Best Practices #Security #SOAP #Caché #InterSystems IRIS

8 1

3 12K

Question

Augusto Estefan · Apr 2, 2020

Special permissions to backup user

Hi,

I'm using Operating System authentication and I need to give permission on Healthshare to allow a user to run only this two commands

##Class(Backup.General).ExternalFreeze()

and

##Class(Backup.General).ExternalThaw()

This user is gonna be use to backup only.

There are any role on HealthShare for this?

#Authentication #Backup #Security #HealthShare

1 1

1 363

Question

Daniel Lee · Mar 24, 2020

Cannot type password in Terminal

I just tried to log into our QA server and connect to Terminal (v 2013.1).

I can type in my username but when I attempt to type my password, no characters are typed. When I press ENTER the password is invalid.

I can connect to the management portal and the studio development environment without any problems. Also, I do not have this problem when connecting to the terminal in our production environment (2010).

Does anyone know what can cause this type of problem?

Thanks.

#Security #Terminal #Caché

0 2

0 287

Question

Randall Hiser · Mar 13, 2020

Adding Resources to a Newly Created Role

I am attempting to pragmatically create a bunch of roles and then assign the appropriate resources to that role.

Currently, the only ways to add resources to a role are to:

1. Do through Management Portal

2. Go through ^SECURITY (add resource one at a time)

My Intention would be to do the following: do ^SECURITY Role Setup Edit Role When prompted for resources to add, be able to use *

#Security #Caché

0 2

0 321

Question

Randall Hiser · Mar 13, 2020

List All Available Resources

Maybe I haven't seen anything about it in the documentation, but why isn't there a way to list all the Resources from the %SYS namespace from a class rather than through ^SECURITY

Thinking maybe something like this:
##Class(Security.Resources).ListAll(.result)

#Security #Caché

0 1

0 313

Announcement

Anastasia Dyubaylo · Mar 3, 2020

New Video: Advances in Security

Hi Community,

Please welcome the new video on InterSystems Developers YouTube:

⏯ Advances in Security

https://www.youtube.com/embed/PR9OF4QleWg
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

#Global Summit 2019 #LDAP #Security #Video #Other

0 0

1 308

Article

Peter Steiwer · Mar 2, 2020 2m read

SQL -99 error while viewing a listing

This error is sometimes seen while viewing a listing in InterSystems IRIS Business Intelligence:
ERROR #5540: SQLCODE: -99 Message: User <USERNAME> is not privileged for the operation (4)

As the error suggests, this is due to a permission error. To figure out which permissions are missing/needed, we can take a look at the SQL query that is generated. We will use a query from SAMPLES as an example.

#Access control #Analytics #Dashboards #Security #SQL #Tips & Tricks #InterSystems IRIS #InterSystems IRIS BI (DeepSee)

1 0

0 1.2K

Question

Orlando Lagman · Jan 16, 2020

debugging web client

I used the soap wizard to create a web client based on the wsdl. I was able to get a valid response back, and now it looks like the error is in decrypting the soap message response "inbound"

ERROR #6284: Security header error: SecurityTokenUnavailable.

#Security #SOAP #Caché

0 1

0 567

Question

Paul Rick · Feb 14, 2020

Hidden change of $UserName

This is more a WARNING than a question

#Authentication #Security #Access control #Caché #InterSystems IRIS

1 2

1 496

Question

Lucas Bourré · Jan 30, 2020

Exporting security settings into a stream

Hello,

I am working on Ensemble 2017.2.1 .
I need to export my security settings into an extern database, in order to make a report.

I've created a Business Operation with an SQL Adapter into a Namespace, but I don't know how to get every security data from "%SYS" Namespace ( SQLPrivileges , Resources , Roles , Services , Users ... ).

I dont't want to use the terminal and the ^SECURITY routine, because i don't want to store a XML file on the server.

#Business Operation #ObjectScript #Security #Ensemble

0 2

0 359

Question

Sam Clarke · Jan 30, 2020

Restricting ODBC access to specific user(s)

Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our cache database.

We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?

#Access control #ODBC #Security #Caché #Ensemble

0 1

0 471

Article

Josh Lubarr · Oct 15, 2019 6m read

Tips on exporting and importing security settings

InterSystems Data Platforms products allow you to export and import security settings in two different ways.

This article talks about those options:
- On the command line, using ^SECURITY
- Programmatically, using the Export and Import methods of classes in the Security package

Exporting settings on the command line (^SECURITY)

You can export everything or individual sections of the security settings.

#Security #Caché #InterSystems IRIS

5 4

0 2.4K

Question

Brendan Oakley · Oct 3, 2019

Remote terminal to IRIS container

When deploying IRIS in a container, what are recommendations for permitting users terminal access? There is docker exec -it, but that does not work from a user's workstation where - in the old deployment model - they would connect to the server over ssh using Putty and open a terminal session from there.

#Containerization #Docker #Security #Terminal #Access control #InterSystems IRIS

0 9

1 900

Question

Dmitrii Kuznetsov · Sep 1, 2019

How do I debug and test the IRIS OAuth server?

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

#Authentication #Access control #Debugging #Docker #OAuth2 #ObjectScript #Security #SSL #Testing #InterSystems IRIS #Learning Portal

1 3

1 976

Question

Joshua Feener · Aug 23, 2019

Cannot log into another user in Management Portal

In System Management Portal, I'm on UnknownUser (which I've accidentally removed the %All role from), so I log out of UnknownUser and try to log in as root or Admin, but only see the following screen:

#Management Portal #Security #System Administration #Caché

1 9

1 1.1K