Hi everyone - In IRIS we would like to arrange the access of two users in such a way that each has access to exactly one (his) database only. Which resource does this (%DB_%DEFAULT allows each of the two users access to both databases). If you create new resources (%DB_Database1 and %DB_Database2) and then add them to individual roles (each for the user to), the access for the users, for example, via a REST client does not give the desired separation (instead once Ok, other database 401 Unauthorized both OK).

0 2
0 170

Hi Team,
I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to stat/stop Ensemble Hosts.
For that new Role, As per documentation along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didnt add %Ens_ProductionRun resource.

This makes the Start/Stop buttons disappear from Production Configuration page ( meeting my requirement). But those users are Unable Start/Stop/Restart Ensemble Business Hosts.

0 3
0 189

Hello community,

I would like to report about a security issue, that engages us for some time meanwhile.

We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.

0 2
0 170

Hello Community, 

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into. 

As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself. 


1 3
0 370

Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our cache database.

We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?

0 1
0 304

I've seen a few password change posts, but I wasn't 100% sure it was the same process, so I am asking here. We periodically have to change the passwords for a few Cache user accounts across several servers. Is there a process/script to change these passwords without having to go into the web portal on each server?  Thanks so much, and I apologize if this was covered in some of the other articles that I've run across. Just looking for the best method.

0 3
0 276


I want to grant access only to the Message Viewer page to an specific user, in all Namespaces. I have created a rol with this privileges:


But if I want to see the list of messages, I have to grant SELECT access to the Ens.MessageHeader and Ens.MessageBody tables of each Namespace.

Is there anyway to grant access to this tables in all Namespaces at a time, even if new ones are created?

Thank you in advance.

0 2
0 273


We have Mirroring established between NODE 1 & Node 2 . We have set the "cachesys" database enabled for Journalling. But we dont see the User Accounts , Roles, Resources created on Node 1 ( favoured Primary) reflected on Node 2 . Is creating them manually again is the only option for this ? . Is there any way to sync them or would adding %SYS to MIRROR a possible solution. Would it be great if anyone has faced this as we have an issue that during failovers Team is locked out . 

Best Regards,

Arun Madhan

1 10
1 589

I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign on into Ensemble. In reading over the samples and the documentation, I am not clearly finding on how to set the Appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble.


Scott Roth

0 1
0 437

Hi I've created a word macro in order to convert doc to txt via the command line, this works fine via the command line by myself or another user but when I try as an the intersystems user which runs under  LocalSystem it doesn't work. 

So can I change the user, or set the $ZF to run as a different user?

Or do I have to try another way to convert doc to txt - it's looking like libreOffice?

I just wanted to stick with word because I could be guaranteed on the result being accurate.




0 11
0 883

I have multiple namespaces in a Cache environment say NS1 & NS2. I want to add some restriction so that  a routine running in the NS1 should not access any resource(global/routine) belongs to namespace NS2.

The above restriction need for few of the clients only, so we do not want to write any custom logic in code. 

We are looking for some solution provided by Cache where we can restrict the namespace access.

Can somebody please help me on this.

0 1
0 266



I have a problem with an Ensemble instance on Windows to access to a network shared directory. Ensemble service (services.msc) is executed with a user which has access to this network shared directory :

 - When I try to copy or access files from a terminal ==> this is OK : the command w ##class(%SYS.ProcessQuery).%OpenId($Job).OSUserName returns the user defined in Ensemble service logon screen.

0 6
0 766

Hi All -

Our environment has multiple instances of HealthShare installed and most are on separate VMs/servers. Does anyone have any ideas on how to efficiently manage user accounts across all of these multiple instances of HealthShare? As you can imagine, creating 10 separate Cache accounts on each instance during onboarding of new associates is cumbersome and tedious as is disabling them. We have yet to integrate with AD but we do have a Cyberark initiative under way but it is in the very early stages.


0 3
0 623

Hello; we have users on the system with cache logins.  They have access to a specific namespace, and no access to %SYS of course.  I'd like to give each user the ability to change his own password from within our application, using Security.User.PasswordExternal.  This only exists in the %SYS namespace, and the average user can't get to it.  


Should I give the users access to this column in this table (column Password, table Security.Users)?  What about access to the namespace?  Is this possible? Has anyone done this before?




0 10
0 815

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

1 3
0 468