This tag unites all posts related to roles (container that holds one or more privileges for access to SQL Tables), users (identity of the login when it is connected to a database) and authorization (function of specifying access rights/privileges to resources). Read more about roles, users and authorization in Documentation.
In today's rapidly evolving threat landscape, organizations deploying mission-critical applications must implement robust security architectures that protect sensitive data while maintaining high availability and performance. This is especially crucial for enterprises utilizing advanced database management systems like InterSystems IRIS, which often powers applications handling highly sensitive healthcare, financial, or personal data.
I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.
I'm trying to authorise my app using OAuth 2.0 i Cache. Sadly I'm unable to exchange the authorization code for an access token.
I am able to redirect user to the /authorize page, where the user can login and approve my app. The user is then correctly redirected back to my app and a ?code parameter is sent back.
I will try to explain my problem. I have a Main ZenPage on one server that has 2 buttons: each button will launch a different ZenPage on a separate server in an iFrame. All 3 servers have the same user.
Currently, the user logs in to the Main ZenPage, but when they click either button to launch the other ZenPage on the separate server they get the login screen again to login to that server.
Is there anyway I can pass the credentials from the Main ZenPage to the child ZenPages, so that the user doesn't have to login again? Thanks.
The ideal number of table permissions to assign for your users is zero. Permissions should be granted upon sign-in based on the application used for access. For web applications, we have a simple way of doing this by appointing application roles, matching roles, and required resources in the System Management Portal.
ODBC and JDBC connections present a different problem, however, especially when third-party applications are involved. As providers of an ERP system, our customers often wish to be able to employ various software packages to integrate with or report on their data. Many of these programs are capable of running any kind of query. Yet, letting them do that can be devastating to a customer’s data.
So far, we have covered how to use ObjectScript to manage users, roles, resources, and applications. There are a few other classes in this package that work similarly to the ones mentioned above. However, these four classes are the ones everyone will have to use to manage their application security.
Here in %SYS, we have already examined users, resources, and roles. Now that we know how to set all of that up, we should give it a purpose. Next we will talk about applications! As you may expect, we will see various identical class methods defined here that we have seen in the previous classes. However, some of them will have some tiny yet significant differences.
I was attempting to find a solution to grant clients anonymous access to certain API endpoints while securing others within my REST API. However, when defining a Web Application, you can only secure the entire application and not specific parts of it.
I am trying to lock down security within our Development environment per requirements from a Security Audit that was done earlier this year. I need to try to limit access at a public level, access to cache users, and exposure.
I installed IRIS with the Lockdown method, and have configured my web applications, services, resources, etc.
When I go into my namespace, I am constantly presented with the following error when I try to start or stop an Object...
My original ZAUTHENTICATE.mac to use Delegated sign on did not include GetCredentials(), however I am being told it probably should have it so I am eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac but I am getting an error
Watch this video to explore how to use the passwordless ipm module to turn on and off entering login-password during docker build with your InterSystems IRIS:
https://www.youtube.com/embed/ygIJsTMO0Gw?controls=0 [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
Recently I had the challenge to create a secure authentication method to authorize access to some data, but unfortunately I had zero experience with those security configurations and I felt that I was missing some basic concepts to have a better understanding of the official documentation.
After studying and managing to deliver the classes that I was asked to develop, I'd like to share a little bit of my new knowledge, which helped me follow the topics in the documentation.
I want to grant access to view the Error Trap in System Management Portal to certain admins, without giving them access to anything that would alter Caché behavior, such as users or database sizes. I was looking for a granular Resource that would do this, but haven't been able to find what I'm looking for.
When creating a PRA (Privileged Routine Application; which by the way is not relevant just for Routines but also for Classes/Methods), it is important to make sure you include a new $ROLES, before calling
In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well.
When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?
Watch this video to learn how InterSystems has been building out capabilities to support current and future regulations in the US market that can have a significant impact on payers and providers:
https://www.youtube.com/embed/vt7KHbln3lY [This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]
Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.
I'm trying to create a read-only role for most pages on the Management Portal. However, I cannot figure out resource permissions for the HealthShare tab or how to assign custom resource permissions, if any, to the registries. I would like for the role to include read-only access to the registries (service, consent, otherwise). How do I go about doing this?
I am trying to secure a rest service but I lack the understanding of how to achieve this if anyone will explain in details how I could achieve the following:
Securing The REST Service with Basic Auth (username and password)
if any one has a sample code on this will appreciate
Trying to identify which records in the %SYS.Audit table are fails.
Eg, as user "WORKER", I run an attempted a grant, the terminal returns:
SQL> GRANT SELECT ON newschema.patients TO COORDINATOR [S1000][Iris ODBC][State : S1000][Native Code 112] [libirisodbc35.so] [SQLCODE: <-112>:<Access violation>] [Location: <ServerLoop>] [%msg: <User WORKER does not have required privileges to grant the privilege(s)>] [ISQL]ERROR: Could not SQLExecute
Many password requirements can be enforced using a password validation routine which is available to implement in System Management Portal. But how about this one:
Check that at least 50% of the characters changed from old password to new password.
We need to have access to the old password to check this, currently password validation routine only gets the new password.
Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?
For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?
These are not applications that were developed using CacheDirect.
Hi anyone has created the user roles for UCR pls share details like if we want to create following roles what access rights should be give to each role.
UCR Admin - This user can stop/start productions, can enable/disable services, can run sql queries, can make changes in facility registries, assigning authority and other configuration.
UCR Developer - This user can add new services in the production but can not make any change in the registires and other configuraiton
Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?
I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.
The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).
By update
Open Exchange app