sween · Jan 13

This is great.
Bookmarked, printed it too, but not sure which floor it went to.
I think this means that I can secure restful communications between two systems with JWT protected routes (in a pod or whatever), signed with user/pass from (Userland) Ens.Credentials and a random cert from somewhere, possibly sslconfigs...
This sorta solves an HS_Services type dilemma where Userland can control the user/pass, and the system can control the certificate to authenticate across systems like NATS.
can snag the certificate material in the above Cert() as an example.
 

    set ssl=##class(Security.SSLConfigs).%OpenId("%SuperServerOrWhateverIKOorCPFCreated")
    set s=##class(%Stream.FileCharacter).%New()
    Set tCertFile = ssl.CAFile
    do s.LinkToFile(tCertFile)
    while 's.AtEnd { write s.ReadLine(),! }
    do s.Close()

long winded way of saying thank you, this puts a tool in the box.
 

sween · Nov 14, 2025

I like this proposal, and would like to be in the conversation... It would be helpful to send out a survey with those questions (and more) and dump the results in an LLM and argue about the responses collectively in that discussion.
There is a divide in the open exchange between tech examples, etc. and integrations, drivers, etc. that cultivate maintenance because they are in use and chasing versions... your work is in this category for sure with the python dbi driver, lately go, etc.  These projects need to be pulled from Open Exchange immediately, or just be placeholders that point to an opencollective (as an example), I think OpenExchange is giving the illusion that OSS is being supported in some way, but not in the ways you listed above.  There is also a proliferation of github projects out there with the two words "intersystems" and "community" slammed together in some shape or form out there that gaslight this subject.
I'd pipe up during this call and probably blather on about the following:
Are there any examples other than the above that are based on a derivative proprietary work?
What are the previous attempts at this? I think Globals java was Open Sourced, I'd like to understand the legal behind that and understand the shortcomings/successes of that... I think rzf may be something on the horizon, any others?
I'd like to understand what went on with the VSCode extensions as an example and have that play out differently with oss too.
I have fallen in the trap of being in between these worlds, OSS and proprietary software and want to share the experience... in a nutshell, I got these two responses:  InterSystems: you can't resell that.  OSS (spark library), Apache2: you can't distribute that.
Ultimately I think what needs to happen is we go out on our own and provide incontrovertible value and have some thick skin, knowing that InterSystems can fork it at anytime and "do it better" or resist "selling" the project in any shape or form.  We'd also need to dismiss any wind that internally at InterSystems "it's in the backlog" and not let that deter development.
InterSystems would have to look at the community output/features/governance, along with the 5 pillars you listed above, and know that they would be better off funding the project externally than doing it themselves. Also, if it's important enough, allowing for them to provide priorities in the development... we would need to be meticulous around the release cycles of IRIS too.
I'll tell you that when I saw your post about the Go Library and immediately framed a project that I well know could take advantage of your library with a ++, and would push InterSystems hand in this regard... it may be a cool exercise to see what would happen if the Go library were forked immediately under an Apache2 license or something.  I have a good idea here.
The elephant in the room is the legal needed to avoid violating agreements ourselves, crossing InterSystems boundaries to maintain a healthy collaboration, or allowing some other company to fork it and bury it in their monitoring app or something without acknowledging the component in their solution... The open collective pilot would help shake out some gaps for sure.
I think we could all use our Global Masters points to score a bunch of socks or something and sell them on ebay to start an initial fund to derive percentages, org structures, yadda yadda.
I'm in, and would prioritize attending and contributing to the discussion.

sween · Jul 20, 2025

I use this one quite a bit...

    Set tSC=##Class(Security.Users).Create("user","%SQL","pass","NAMESPACE","","","",0,1,,,,,,1,1)

sween · Apr 1, 2025

from the screenshot, looks like you need MTC_88* in the BlobNamePattern field, not the prefix.  The prefix is essentially a key (folder), and the BlobNames are the objects.
currently you are looking in s3://MTCbucket/MTC_88/

sween · Mar 3, 2025

Thank you for getting this out there, has been super frustrating understanding some of these errors while using these drivers with the promise of DB-API.  At least the distribution has gone public with maven, pypi, etc. as a step in the right direction and hopefully will help things, especially with the drivers being the "front door" to a lot of the cloud offerings.
The alchemy workaround for compatibility is especially great.

sween · Oct 21, 2024

Hi Luca,
Admittedly I am swimming in a pretty good amount of Kool Aid at the moment (by design) as I am attracted to solutions that check a lot of boxes in one full swoop (much like IRIS!), but one of the things I was attracted to in the eBPF space is the promise that it is more "lightweight" on resources and the promise was the "Death of the Sidecar" 
A: My pre answer with a little hand waving is, more efficient with the network stuff.
Layer 5 downward, less resource intensive.
Layer 7, more resource intensive... sidecar did not die here.
eBPF less intensive than Kube Proxy (iptables) uses sequential processing (isovalent benched this and stands by it).
Wish I could have looked over your shoulder in the Sysdig eval to see what you were experiencing, if you could paraphrase it and send it my way, I'll take it to the booth.
Will circle back to this after KubeCon next month and see if I can get you a real answer backed with my own evaluation, I'm a meeting or two away from Tetragon Enterprise eval too, and setup on bare metal so I'll add it to the takeaways to get my money's worth.
 

sween · Sep 18, 2024

I've used the reverse method like this, in a BP, converting a CCDA to SDA, then SDA to FHIR...
 

    set fhir=##class(HS.FHIR.DTL.Util.API.Transform.SDA3ToFHIR).TransformStream(sdaStream,"HS.SDA3.Container","R4")


It has a counterpart that does what you are asking for in HS.FHIR.DTL.Util.API.Transform.FHIRToSDA3 which may be the method you need in a business process.
 

sween · Jul 29, 2024

Hi Adam,

Consider setting up a rule in your pipeline, so that it only executes if you merge to a particular branch.  I know your use case seems to be "PR approval" not merge, but the below rule will only execute on merges to main.
There are other free variables in the pipeline to maybe accomplish what you want.
 

      rules:
        - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'

This is a very good post on the subject that is exhaustive, you may want to check out:
https://community.intersystems.com/post/continuous-delivery-your-inters…

    variables:
      SESSION_NAME:
        value: "IRIS"
      NAMESPACE:
        value: "ACME"

    stages:
      - deploy

    deploy main:
      stage: deploy
      tags:
        - dev
      before_script:
        - export WORKING_DIR=$(pwd)
      script:
        - echo "Initializing ACME CI/CD Build DEV..."
        - echo "Deploying code ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} branch to instance..."
        # the heredoc feeds the login and the commands to irissession;
        # its closing delimiter has to match the opening one
        - |
          /usr/bin/irissession ${SESSION_NAME} <<EOFDEPLOY
          ${IrisUser}
          ${IrisPass}
          zn "${NAMESPACE}"
          w ##class(%SYSTEM.OBJ).LoadDir("${WORKING_DIR}/src","ck",,1)
          set sc = ##class(Ens.Director).UpdateProduction()
          EOFDEPLOY
      rules:
        # only runs if merged to main
        - if: '$CI_COMMIT_BRANCH == "main"'

sween · Jun 4, 2024

Thanks Alexander, this is good feedback/info, glad I poked the bear.

sween · Jun 4, 2024

Reduced the backup list to mvd  for a quick test...

*** The time is: 2024-06-04 16:03:43 ***

              InterSystems IRIS Backup Utility
              --------------------------------
Performing a Full backup.
Backing up to device: /media/FullDBList_20240604_001.cbk
Description
Full backup of all databases that are in the backup database list.

WARNING - the following directories could not be backed up
 /data/IRIS/mgr/mvd/ Multi-volume database not supported


Nothing to Backup

I agree it's a big feature with a lot of edges

sween · May 16, 2024

I use these globals to take a peek at the calls:

    zn "YOURFHIRNAMESPACE"
    Set ^FSLogChannel("all")=1
    zn "%SYS"
    Kill ^%ISCLOG
    Kill ^ISCLOG
    Set ^%ISCLOG=5
    Set ^%ISCLOG("Category","HSFHIR")=5
    Set ^%ISCLOG("Category","HSFHIRServer")=5
    Set ^%ISCLOG("Category","OAuth2")=5
    Set ^%ISCLOG("Category","OAuth2Server")=5

then
 

    zw ^FSLOG

in the fhir namespace.

Shows the route, params and helpful with oauth2/SMART where the route has to match the patientid in the token.
 

sween · Mar 22, 2024

Michael, if you drop the generated token into https://jwt.io, does Okta have the list of scopes in an `scp` parameter?
I recall having to do something like this in an Interaction Strategy to get ValidateToken() to work with Okta, wondering if the same is necessary for ValidateJWT().
 

    Do JWTObj.%Set("client_id", OktaJWTObj.cid)
    Do JWTObj.%Set("scope",OktaJWTObj.scp)
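
Added example, not part of the original comment or of InterSystems' code: a Python sketch that reads a token's claims locally, so the token never has to be pasted into a third-party site, and then performs the same `cid`/`scp` to `client_id`/`scope` copy as the snippet above. The function names, the sample token and the choice to join `scp` into a space-delimited string are assumptions made for this illustration; the post does not say which form the IRIS validator expects.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload_unverified(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking the signature.
    Inspection only: never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def normalize_okta_claims(claims: dict) -> dict:
    """Copy Okta's cid/scp into client_id/scope; existing values are kept."""
    out = dict(claims)
    if "client_id" not in out and "cid" in claims:
        out["client_id"] = claims["cid"]
    if "scope" not in out and "scp" in claims:
        scp = claims["scp"]
        if isinstance(scp, str):
            scp = scp.split()
        if not (isinstance(scp, list) and
                all(isinstance(s, str) and s and " " not in s for s in scp)):
            raise ValueError("scp must be a list of non-empty scope strings")
        out["scope"] = " ".join(scp)  # assumption: space-delimited string form
    return out


# Constructed sample: header and claims are made up, the signature is a dummy.
SAMPLE = ".".join([
    b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    b64url(json.dumps({"iss": "https://example.okta.com/oauth2/default",
                       "cid": "0oaEXAMPLE",
                       "scp": ["openid", "patient/*.read"]}).encode()),
    b64url(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print(normalize_okta_claims(decode_payload_unverified(SAMPLE)))
```

The decode step skips signature verification, so in a validation path the copy belongs after the signature, issuer and audience checks have passed.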

sween · Mar 8, 2024

Great discussion/question...

Disadvantages that come to mind:

  • support of $all operation is on the patient resource
  • yet another resource to consider for merges and outside of newer ops like $merge
  • "RelatedPerson" is built on a codified Relationship type you should ensure meets the use case.
  • Patient has a relationship that rolls up to the Account object (guarantor), Person does not.

In general on the mapping of known classifications implemented in our practices:
Account = Guarantor
Patient = A "Person" with at least one: visit or encounter or claim or social need/fulfillment.
Person = Established identity with no visits or encounter, used for proxy access to records, not tied to the account, but exists for oauth2 scopes.
RelatedPersons = known children or persons without workload relevance. (use this in SDOH heavily)

As an example of our latest use case of the Person resources:
Social needs web wizard, that collected QuestionnaireResource responses and tied them to a "Person" as the identity was not proofed until contact was met with the "Person" by the Social Navigator.  Upon contact, a more formal "Patient" record was created to attach the ServiceRequest to.
hope some of that helps, mostly brain dumping here...

sween · Mar 6, 2024

This illustrates a particular subject that seems to be getting some traction in the FHIR community as a "FHIR Interceptor"... personally I have implemented this competency using an api manager (Kong, API Gateway) through an integration layer (function) prior to hitting IRIS which works but splits the business logic in two different places.
Your way here keeps the "intercepts" in IRIS and the resource server which I like.

Here is the "intercept layer" concept ablaze: https://darrendevitt.com/building-a-fhir-intercept-layer/ 

sween · Feb 29, 2024

This is ridiculously good work, the implementation of the custom operation and the fact it is a patient merge is fantastic.  I have found native object de-duping, deepdiff, and two line list de-duping in python to be a way to quickly get to the point with FHIR Resource pair manipulation. 
Thank you for taking the time on this, most likely going to have to read it a few times and load it up on my eReader.

One thing I'd add to tips and tricks from something I stole from someone somewhere:

    zn "<FHIRNAMESPACE>"
    Set ^FSLogChannel("all")=1
    zn "%SYS"
    Kill ^%ISCLOG
    Set ^%ISCLOG=5
    Set ^%ISCLOG("Category","HSFHIR")=5
    Set ^%ISCLOG("Category","HSFHIRServer")=5
    Set ^%ISCLOG("Category","OAuth2")=5
    Set ^%ISCLOG("Category","OAuth2Server")=5

Seems to give up a good mix of  token processing and fhir calls debuggery.
 

sween · Dec 29, 2023

Hi Pierre,

I use and see it resident in code bases...

    $$$AddAllRoleTemporary

It adds %ALL in %SYS...

compiles to:

    i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}

Basically adds %All to the current execution role.

I asked the question of @Eduard Lebedyuk some time ago and paying his wisdom forward.
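
Added example, not part of the original comment or of any InterSystems tooling: a Python heuristic for reviewing exported class source for the escalation described above. It reports each use of the macro and each direct `$roles` assignment that adds `%All`, and marks a direct assignment as unscoped when no `new $roles` precedes it in the same method (the macro's expansion carries its own `n $ET,$roles`); the regexes, names and sample class are constructed for this illustration.

```python
import re

# Heuristic patterns written for this sketch (assumptions, not a vendor tool).
METHOD = re.compile(r"^(?:ClassMethod|Method)\s+(%?\w+)", re.I)
MACRO = re.compile(r"\$\$\$AddAllRoleTemporary\b")
# NEW $roles, alone or in a list such as: n $ET,$roles
NEW_ROLES = re.compile(r"\b(?:n|new)\s+(?:[$%\w]+\s*,\s*)*\$roles\b", re.I)
# SET $roles=...%All, as first target of the SET or after a comma
SET_ALL = re.compile(r"(?:\b(?:s|set)\s+|,)\$roles\s*=.*%All", re.I)


def scan(source):
    """Return (line_no, method, kind) for each place %All is added to $ROLES."""
    findings, method, scoped = [], "<top>", False
    for no, line in enumerate(source.splitlines(), 1):
        m = METHOD.match(line)
        if m:
            method, scoped = m.group(1), False  # a NEW ends with its method
        if MACRO.search(line):
            findings.append((no, method, "macro"))
            continue
        new_m, set_m = NEW_ROLES.search(line), SET_ALL.search(line)
        if set_m:
            ok = scoped or (new_m is not None and new_m.start() < set_m.start())
            findings.append((no, method, "scoped-set" if ok else "unscoped-set"))
        if new_m:
            scoped = True
    return findings


# Constructed sample class, not taken from any real code base.
SAMPLE = """\
Class Demo.Util
{
ClassMethod ViaMacro()
{
    $$$AddAllRoleTemporary
}
ClassMethod Scoped()
{
    new $roles
    set $roles=$roles_",%All"
}
ClassMethod Leaky()
{
    set $roles=$roles_",%All"
}
}
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```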
 

sween · Aug 22, 2023

That's really good work, even follows the adapter guidelines.  Pointing the community your way before proceeding down the post.

Looks like my process for pre-post searches to look for duplicate content needs a re-think:

https://community.intersystems.com/smartsearch?search=dbt

https://openexchange.intersystems.com/?search=dbt&sort=r

These were goose eggs, so I proceeded down the path... however glad I played with duckdb and the plugins anyway.

sween · Oct 7, 2022

@Regilo Regilio Guedes de Souza, late 2020 Dropbox deprecated long-lived tokens, and went to a refresh_token approach instead.  If you use the Dropbox SDK the transition gets handled for you, but if not (and pretty sure we do not), what it entails is adding `token_access_type=offline` to the token request... this may need to be included a little deeper under the hood.
I see the MFT api has "IsAuthorized()" so it would be possible to do a check beforehand in a process and manually invoke something, but I don't see the magic behind the UI's "GetAccessToken" in the UI.
I'll keep you posted!
 

sween · Jul 13, 2022

This is a great resource, nice work and a top chapter in this series for sure.

There seems to be different ways to approach declared IRIS state by codifying things, you can codify the exported objects and import them or like you mentioned, use the installer method that builds things as code.... which I have had pretty good success with in the past, like Tasks below.

<Method name="CreateClaims">
<ClassMethod>1</ClassMethod>
<FormalSpec>pVars,pLogLevel,tInstaller</FormalSpec>
<ReturnType>%Status</ReturnType>
<Implementation><![CDATA[


    // One entry per task: id, name, description, task class
    Set configItems = $LISTBUILD($LISTBUILD(1,"Return payload from customer","create 835 from adjudicated claims","NS.Package.Task.CreateClaim"))

    for i = 1:1:$LISTLENGTH(configItems) {

        Set item = $LISTGET(configItems, i)
        Set Task=##Class(%SYS.Task).%OpenId($LISTGET(item,1))

        // Create the task only if it does not exist yet
        if 'Task {

            Set Task = ##Class(%SYS.Task).%New()
            Set Task.Name = $LISTGET(item,2)
            Set Task.Description = $LISTGET(item,3)
            Set Task.NameSpace = "USER"
            Set Task.Type = 2
            Set Task.TaskClass= $LISTGET(item,4)
            Set Task.TimePeriod = 5
            Do Task.idSet($LISTGET(item,1))
            Set Task.RunAsUser = "intersystems"
            Set status=Task.%Save()
            $$$ThrowOnError(status)

        }

    }

    Quit $$$OK

]]></Implementation>
</Method>