Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
During some consulting activity, I found at the client's site CACHEAUDIT database of more than 100 GB size. The reason was simple: several processes produced a great amount of %System/%System/OSCommand audit records due to frequent external calls ($zf(-100,...)). As it is well-known, those events can be easily disabled systemwide, while this can be hardly considered secure enough. Reducing the number of days before audit cleanup from default 62 to some reasonable figure (e.g. 15) seems to be a better solution, but...
Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?
I would like to report about a security issue, that engages us for some time meanwhile.
We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.
Is there any functionality I could use that triggers real time user-defined code on certain audit events? Right now I am interested in triggering such code on a routine modification event, like the one below. I do know how to access this record programmatically, via %SYS.Audit.
The InterSystems IRIS has two major paths to a digital service: API/Web Service into Interoperability module and multimodel Database/Analytics. Each of them has your security configuration.
To do API security you apply an OAuth or JWT plug-in to the API endpoint. So in the Admin Portal, API producer and consumers get the keys to authenticate the API and consume it. The Admin Portal allows you configure RBAC policies too.
In InterSystems IRIS, the default form of access to the management portal is HTTP, which means that if the client is in the office and the server is in the cloud, many clients probably desire to encrypt their traffic in some way.
Thus, we would like to show you some ways to encrypt your traffic to and from the IRIS management portal (or various REST services) running on AWS.
Let's discuss how InterSystems security for applications works. In general, the concept is clear: we have Resources (what to protect), Roles which combine a set of privileges and accesses to Resources and Users which can have this or that Role.
But there is also a concept of Application which also could have a Role.
So you either provide a Role for a User or for an Application.
What do you use in production? What is your strategy and why? Pros, cons?
How can you allow computers to trust one another in your absence while maintaining security and privacy?
“A Dry Martini”, he said. “One. In a deep champagne goblet.” “Oui, monsieur.” “Just a moment. Three measures of Gordons, one of vodka, half a measure of Kina Lillet. Shake it very well until it’s ice-cold, then add a large thin slice of lemon peel. Got it?” "Certainly, monsieur." The barman seemed pleased with the idea. Casino Royale, Ian Fleming, 1953
OAuth helps to separate services with user credentials from “working” databases, both physically and geographically. It thereby strengthens the protection of identification data and, if necessary, helps you comply with the requirements of countries' data protection laws.
With OAuth, you can provide the user with the ability to work safely from multiple devices at once, while "exposing" personal data to various services and applications as little as possible. You can also avoid taking on "excess" data about users of your services (i.e. you can process data in a depersonalized form).
By default InterSystems IRIS expose your endpoints using http, but can be necessary run https from your dev env and/or get public internet access to your app. You can buy or get a certificate and config a gateway, spending many hours or use a great public service called ngrok. Follow the steps:
1 - Run your app, I will use FHIR template as sample, see:
Nowadays, there is a lot of applications that are using Open Authorization framework (OAuth) to access resources from all kinds of services in a secure, reliable and efficient manner. InterSystems IRIS is already compatible with OAuth 2.0 framework, in fact, there is a great article in the community regarding OAuth 2.0 and InterSystems IRIS in the following link here.
This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.
I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).
Is there a way to allow a single REST service to have unauthorised access?
I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.
https://www.youtube.com/embed/EYZ4dXNZNSY [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
https://www.youtube.com/embed/9yEm7ZAZENI [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
https://www.youtube.com/embed/xcHjcBTLw8o [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
https://www.youtube.com/embed/7ImJPCdp96A [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
I am attempting to set up a security role for our support team so they can have read access to the production and messages.
I have given the role RW rights on the resource associated with the database. However, when I log into Management Portal and select "Ensemble", the "Available Ensemble namespaces" list is empty.
What permissions do i need to set to be able to navigate to the production?
Actually, I'm developing few restful API's. I want to create a authentication tokens and display it on my login restful API. If I'm using CSP sessionId, how can I validate the session Id's in another or continues restful API's. else, is there any other approach to handle this task.
My Primary goal is, I have to integrate 2 different front end applications. One is Zen framework another one is web pages from Python.
Personal data privacy regulations have become an indispensable requirement for projects dealing with personal data. The compliance with these laws is based on 4 principles:
When you first start working with InterSystems IRIS, it’s a common practice to install a system with only a minimum level of security. You have to enter passwords fewer times and this makes it easier to work with development services and web applications when you're first getting acquainted. And, sometimes, minimal security is more convenient for deploying a developed project or solution.
And yet there comes a moment when you need to move your project out of development, into an Internet environment that’s very likely hostile, and it needs to be tested with the maximum security settings (that is, completely locked down) before being deployed to production. And that’s what we’ll discuss in this article.
For more complete coverage of DBMS security issues in InterSystems Caché, Ensemble, and IRIS, you may want to read my other article, Recommendations on installing the InterSystems Caché DBMS for a production environment.
The security system in InterSystems IRIS is based on the concept of applying different security settings for different categories: users, roles, services, resources, privileges, and applications.
Users can be assigned roles. Users and roles can have privileges on resources — databases, services, and applications — with varying read, write, and use rights. Users and roles can also have SQL privileges on the SQL tables located in databases.
Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.
After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.
I just tried to log into our QA server and connect to Terminal (v 2013.1).
I can type in my username but when I attempt to type my password, no characters are typed. When I press ENTER the password is invalid.
I can connect to the management portal and the studio development environment without any problems. Also, I do not have this problem when connecting to the terminal in our production environment (2010).
Does anyone know what can cause this type of problem?
Maybe I haven't seen anything about it in the documentation, but why isn't there a way to list all the Resources from the %SYS namespace from a class rather than through ^SECURITY
Thinking maybe something like this: ##Class(Security.Resources).ListAll(.result)
https://www.youtube.com/embed/PR9OF4QleWg [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
By update.png)
.png)
Open Exchange app