We've been using the $SYSTEM.Security.ChangePassword since 3/2017, apparently, and only recently have I noticed that it's logging a <PROTECT> error, and yet still changes the user's password (only recently have users been required to change passwords):

<PROTECT>EMSUpdatePassword+2^%SYS.SECURITY *c:\intersystems\ensembledev\mgr\"  at  8:27 am.   $I=|TNT|192.168.32.100:62074|11696   ($X=0  $Y=26)
     $J=11696  $ZA=0   $ZB=$c(13)   $ZS=262144 ($S=268247904)
     source   code not available

I'm using this line of code: 

set bChanged = $system.Security.ChangePassword($username,newPass,oldPass,.ok)

bChanged is not in the error trap; ok =1; the user's password is generally changed, as far as I can tell, because we don't get users asking why they cannot log in.  I can recreate this from the terminal using a username without much access (no %SYS access).

I'm sure there's a security thing going on here.  Why would this error get logged?  It makes me nervous, as we're adding more users who will need to change their passwords often.

Any ideas?

I can't compile or step through the code - it's hidden.

Thanks,

Laura
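An added example (not code from the original post) of wrapping $SYSTEM.Security.ChangePassword so that the boolean result, the ByRef Status and any error thrown during the call all reach the caller, rather than only the instance log. The class name PMG.Util.Password is an assumption.

```objectscript
/// Added example, not the post's code. Wraps $SYSTEM.Security.ChangePassword
/// so that the boolean result, the ByRef Status and any thrown error are all
/// returned to the caller instead of only appearing in the instance's error log.
/// Class name PMG.Util.Password is hypothetical.
Class PMG.Util.Password
{

ClassMethod ChangeUserPassword(username As %String, oldPass As %String, newPass As %String) As %Status
{
    set sc = $$$OK
    set status = $$$OK
    try {
        // ChangePassword returns 1 on success and fills .status with a %Status
        set changed = $SYSTEM.Security.ChangePassword(username, newPass, oldPass, .status)
        if 'changed {
            // prefer the detailed status; fall back to a generic message
            if $$$ISERR(status) {
                set sc = status
            }
            else {
                set sc = $$$ERROR($$$GeneralError, "Password change failed for " _ username)
            }
        }
        elseif $$$ISERR(status) {
            // reported as successful, yet Status still carries an error:
            // return it so the condition is noticed by the application
            set sc = status
        }
    }
    catch ex {
        // any <PROTECT> or other error raised inside the call becomes a %Status
        set sc = ex.AsStatus()
    }
    quit sc
}

}
```

Usage from the terminal: `write $SYSTEM.Status.GetErrorText(##class(PMG.Util.Password).ChangeUserPassword("laura_test_dev", "oldpw", "newpw"))` prints nothing on success and the error text otherwise, so a change that "worked" but left an error in Status is visible at the call site.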

A task, of course... I'll have to go through the list of users and check their LastLoginTime/CreateTime, Enabled, etc.  For future users who are looking for this, I'll use the SQL procedure Security.Users_Detail().

I did not know about the Security.Scan, but I'll take a look, and see what else I should tack on to it.  Good idea to run our custom security task after the SecurityScan.

Thanks! Getting there.  And perhaps InterSystems will add this concept in the 2017 (2018?) release.

Laura

I am not sure.  I'll check now.

Edited to: I wish I could paste an image, but this may be the problem.  I granted my laura_test_dev user

1. direct permission to execute

2. the %Library.File_FileSet SQL Procedure,

3. in the PMG namespace.   

Logged out of the terminal, logged back in as that user, and got this:

Instance: ENSEMBLEDEV

Username: laura_test_DEV
Password: *********
PMG>w $system.SQL.CheckPriv("laura_test_dev","9,%Library.File_FileSet","e","PMG")
0

I agree; this seems like it should work, and for some reason that I haven't yet figured out, it is not working.  At this point, the folder structure and who created the folders has no bearing.  We're on version 2016.2.2.

MISSED A CRITICAL STEP.  I then ran the query from the terminal, after having given that user the direct permission, and the query worked.  Now I'm confused as to why I got a 0 on the priv check, but the query worked.  But, it worked.  So maybe I won't mess with it.

We do have auditing turned on, for all kinds of events.  I was looking at that, and didn't see much that I could use.   Scratch that -- we happen to have %System/%DirectMode/DirectMode events turned on, and I could only see the fact that user Laura_test_DEV ran that command line in the terminal, but the Details page doesn't show failure or any more info.

Didn't think to debug the %PRepare method.  I can probably see what line of code is actually failing.  The other "low-level" (as I think of it) call to FileSetFunc works at the terminal prompt, but I'm not sure if it's working from the application.  I can only hope it has something to do with the test folders.

Thanks for the help.  I'll update with my final solution.

From the terminal prompt, logged in as my application user, the ##class(%File).FileSetFunc(directory) appears to be working.  Oddly, giving the user execute permissions like John suggested didn't work.  I wish it had because my code is all set up for the class query.

I had seen the FileSetFunc in other posts... I don't know why this works differently.  Can I use a FileMask, however?

set rs=##class(%File).FileSetFunc("c:\","*.pdf;*.csv")

Oh, and we're on Windows, and the instance is running as a domain user with lots of privileges, but if the application user copies and deletes a file, who is actually doing it?  The instance's user, or the application user?

Too early for me.

Also, I did try the call with a FileMask, and it does work.  Is it the same as the FileSet query?  I can't find it in the code... must be a lower-level call to that query or something.  
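An added example (not code from the post) showing the same directory listing both through ##class(%File).FileSetFunc and through the FileSet class query via %SQL.Statement, with the SQLCODE checked after execution. FileSetFunc is the auto-generated Func method that Caché creates for every class query (which is why it does not appear in the %File source); it runs the FileSet query and returns a %SQL.StatementResult. The class name PMG.Util.Files and the directory used in the usage note are assumptions.

```objectscript
/// Added example, not the post's code. Class name PMG.Util.Files is hypothetical.
Class PMG.Util.Files
{

/// Variant 1: %File.FileSetFunc (the generated Func method of the FileSet query).
/// Signature: FileSetFunc(directory, wildcards, sortby, includedirs, delimiter).
ClassMethod ListWithFunc(dir As %String, mask As %String = "*.pdf;*.csv") As %Integer
{
    set count = 0
    set rs = ##class(%File).FileSetFunc(dir, mask, "Name", 0)
    while rs.%Next() {
        // FileSet rows expose Name, Type, Size, DateCreated, DateModified, ItemName
        write rs.%Get("Name"), " (", rs.%Get("Size"), " bytes)", !
        set count = count + 1
    }
    quit count
}

/// Variant 2: the same FileSet class query through %SQL.Statement, the form the
/// post's application code is written against.
ClassMethod ListWithQuery(dir As %String, mask As %String = "*.pdf;*.csv") As %Integer
{
    set st = ##class(%SQL.Statement).%New()
    set sc = st.%PrepareClassQuery("%File", "FileSet")
    if $$$ISERR(sc) {
        write $SYSTEM.Status.GetErrorText(sc), !
        quit -1
    }
    set rs = st.%Execute(dir, mask)
    // a non-zero %SQLCODE means execution failed; -99 is a privilege violation,
    // which is the case to look for when a grant appears not to have taken effect
    if rs.%SQLCODE '= 0 {
        write "SQLCODE ", rs.%SQLCODE, ": ", rs.%Message, !
        quit -1
    }
    set count = 0
    while rs.%Next() {
        write rs.%Get("Name"), !
        set count = count + 1
    }
    quit count
}

}
```

Run both against the same folder, e.g. `write ##class(PMG.Util.Files).ListWithFunc("c:\temp")` and `write ##class(PMG.Util.Files).ListWithQuery("c:\temp")`, while logged in as the application user: if the Func variant lists files and the %SQL.Statement variant returns -1 with SQLCODE -99, the difference is the SQL privilege on the procedure rather than the file system.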

John, thanks for the info.  It was indeed a windows security problem, related to the new Cache_Instance_instancename group.  I had created 3 namespaces before we ran the cinstall (windows-level caché command to set up the windows security needed), and then because they were located outside of the cache tree, lost access to them.

Note: this was a very special case where I installed the new instance to run as the local system, and then needed to run the cinstall command to change it to use another windows domain user.  We also ran into a few windows security issues after the upgrade that we're still working out.

We rectified it by adding the appropriate security to the e:\ drive where the datasets are located.

Also note: I created a test namespace AFTER we ran the command to set up the windows security (i.e. today, I created it), and the caché service user DOES automatically get access to the folder with the new dataset.

Thanks for all the speedy help!

Laura

Great idea! Yes indeed! this is what it says:

 DKMOUNT: Mounted SFN 5 DB 'e:\datasets\demo\' as Read Only DB. File or filesystem allows read-only access. 

Looks like it's related to our new windows security setup, which, by the way, was implemented as part of the 2016 upgrade.  The 2016 version wants a windows group called Cache_Instance_instancename and the username that runs the instance is moved to this group.  We had to run something to change this windows security after we installed this instance as 2016.  Originally, the instance was installed to run as SYSTEM.

I wonder - should I uninstall the instance and reinstall so that it's run as the user?  It's still early enough in the game that I could do that.  Would that automatically give my user access to the e:\datasets\ folder since I'm creating namespaces in the Installer manifest?  Not sure.

Anyway, after I've figured out the windows security for this folder, I'll let you know if that helps.

Thanks! 

Hi Danny,

That seemed promising, but when I stop Caché, the cache.lck file is removed, and appears again when I restart the instance. 

Yes, the root database name is not the same as my caché system.  Caché is installed in the typical c:\intersystems\instance while these namespaces' databases are on another drive - e:\datasets.  Also, we changed the underlying Windows security recently for our 2016 upgrade, so I'll have to make sure the instance's service user has access to the e:\ drive.

This is what appears in the cache.lck file:

c:\intersystems\rhs01p\mgr\

SERVER01

where rhs01p is the instance name, and SERVER01 is the server name.

I'll check the Windows security and let you know.

Thanks,

Laura

Hello John,

I'm trying to get more information about a similar $ZF issue, and running the caché instance as a Windows user rather than Local SYSTEM.  I have this link from IS to help me out: 

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GCRNA_C157184

But I was hoping to get a little bit more info from the link you sent out; unfortunately the link gives me a "missing" error.  Do you think you can find that link again?

This is my issue: after we upgraded from 2014 to 2016, the ability to use call out (such as w $zf(-1,"dir *.*") ) is gone.  IS recommended using the cinstall command, as noted above, but it's not working.  I'm asking IS about it now... We run our instances under a particular user, not as local system.

I can update this thread with the solution.

Thanks,

Laura Cavanaugh

Hi Eduard,

Interesting hack, and a good point.  There's enough going back and forth between namespaces, importing new code, and running new methods in the newly created namespace already, so I'd prefer to keep my manifest simple.  If I find that it needs to be done in, say, 5 places, I'll just say it needs to be the one value ("ABC") and I can create a copy of the installer if it needs to be a new value ("XYZ").  If it needs to be a new value, then we're probably moving toward replacing the old value anyway.

Thanks.

Hi Timothy,

Yes, indeed, thanks.  I already have a SessionEvents class set up for all my web applications involved, so I stuck in this method:

ClassMethod OnLogin() As %Status
{
    // $get: an unset flag node reads as "" instead of raising <UNDEFINED>
    if $get(^ZPMGSYSTEM("%DOWNFLAG"))=1 quit $$$ERROR($$$GeneralError,"Logins are currently disabled")
    quit $$$OK
}

This caused an actual login that got around our flag (via special testing, in this case) to get a response of 

Not Found

The requested URL /Works/PMG.Works.Home.cls was not found on this server.

Is that the expected behavior?

So, I would say this works.  Unfortunately, it also removes my backdoor -- it keeps out everyone!  I guess I could add a little backdoor into this method as well; a screen door, if you will, on my back door.
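An added example (not code from the post) of the "screen door": the same OnLogin flag check, but with an exemption limited to users holding USE on a dedicated resource, and a record of each bypass in the flag global so it can be reviewed. The resource name %PMG_Maintenance and the class name PMG.SessionEvents are assumptions; the resource has to be created and assigned to a role in the Management Portal before the check can pass for anyone.

```objectscript
/// Added example, not the post's code. Class name PMG.SessionEvents and
/// resource %PMG_Maintenance are hypothetical.
Class PMG.SessionEvents Extends %CSP.SessionEvents
{

ClassMethod OnLogin() As %Status
{
    // $get avoids an <UNDEFINED> error if the flag node has never been set
    if $get(^ZPMGSYSTEM("%DOWNFLAG")) '= 1 quit $$$OK

    // exemption: only users whose roles grant USE on the maintenance resource
    // get through while the flag is set
    if $SYSTEM.Security.Check("%PMG_Maintenance", "USE") {
        // record who came in past the flag, and when, for later review
        set ^ZPMGSYSTEM("%DOWNFLAG", "bypass", $zdatetime($horolog, 3), $username) = $job
        quit $$$OK
    }

    quit $$$ERROR($$$GeneralError, "Logins are currently disabled")
}

}
```

Set the class as the session events class of each web application and flip the flag with `set ^ZPMGSYSTEM("%DOWNFLAG")=1`; `zwrite ^ZPMGSYSTEM("%DOWNFLAG","bypass")` then lists every login that used the exemption.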

I did not know that - but I tried taking it out, but my test global is still populated with method calls to OnCreateResultSet and OnExecuteResultSet methods.  The table itself is hidden at first.  In fact, there are multiple tablePanes, and they are all getting called upon page load, even though the tablePane group is hidden.

I'm going to play around with pInfo.QueryExecuted; and there's a runflag set up, which I can see why it was set up now.

Thanks.

I can't believe how much I look forward to these discussions.  Unfortunately, there is no EnsembleLogo* anywhere in the InterSystems directory.  

It almost looks like it's simple text, made to look like a logo using CSS. This is from the page source:

<div class="portalLogoBox">
 <div class="portalLogo" title="Powered by Zen">Ensemble</div>
 <div class="portalLogoSub">by InterSystems</div>
</div> <!-- closing tag of portalLogoBox, not included in the original excerpt -->

The class portalLogoBox must do all that CSS/html stuff to make it look cool.  I was wondering if I can change the text from Ensemble to something else.

 If the user is in the DeepSee Analyzer, it will say DeepSee by InterSystems instead, but with similar CSS modifications.

I figured out why he wants to do this; we have a few "portal" users who have access to all of the clients' namespaces.  For a demo, they will go into the DeepSee UserPortal, then exit to the management portal to switch namespaces, then go back in to the DeepSee user portal.  The DeepSee user portal has settings where you can change the logo that is displayed (what are those classes?  I need to be able to change them programmatically rather than manually 50 times!) but when the portal users go back to the management portal, our company logo is lost; instead the lovely Ensemble by InterSystems (Powered by Zen) is there.  I personally think IS should get the credit, but my boss is wondering if we can change it for the purposes of these demos.

If not, that's OK; but now I'm simply curious.

Thanks!

Laura

Wow, that works in 2014 too!  So, there must be something with my $lb parameter, you're right.  

Note what happens here, without the ... .  What is that?  Can't find it in the documentation.  Never mind, I found it: http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...

quit $classmethod($this, "Sum", .args)

ClassMethod Sum(n... As %Integer)

zw n
n=1
n(1)=3
n(1,1)=10
n(1,2)=20
n(1,3)=30

But... does it work for a SQL query?  It's fine in COS, but what about a %ResultSet.Execute() call?  Should I change it to %SQL.Statement?
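An added example (not code from the post) showing what the `args...` spread does: with it, Sum receives n=3 and n(1..3); without it, the whole array arrives as the single argument n(1), which is the nested output shown above. The same spread works on the last parameter of any method call, including %SQL.Statement's %Execute and %ResultSet's Execute. The class name PMG.Util.Variadic and the table-valued query in the usage note are assumptions.

```objectscript
/// Added example, not the post's code. Class name PMG.Util.Variadic is hypothetical.
Class PMG.Util.Variadic
{

ClassMethod Sum(n... As %Integer) As %Integer
{
    set total = 0
    // n holds the argument count, n(i) the i-th argument
    for i = 1:1:$get(n, 0) set total = total + $get(n(i), 0)
    quit total
}

/// Builds args(1..3) and calls Sum with and without the spread syntax.
ClassMethod Demo() As %String
{
    set args = 3, args(1) = 10, args(2) = 20, args(3) = 30

    // with ...: Sum sees n=3, n(1)=10, n(2)=20, n(3)=30, so it returns 60
    set spread = $classmethod($classname(), "Sum", args...)

    // without ...: the array is passed by reference as ONE argument, so Sum sees
    // n=1, n(1)=3, n(1,1)=10, n(1,2)=20, n(1,3)=30 (the post's zw output)
    // and returns 3
    set nested = $classmethod($classname(), "Sum", .args)

    quit "spread=" _ spread _ " nested=" _ nested
}

/// The spread also feeds query parameters: %Execute takes a variable number
/// of arguments, so params... passes each element as its own ? placeholder.
ClassMethod RunQuery(sql As %String, params...) As %Integer
{
    set st = ##class(%SQL.Statement).%New()
    $$$ThrowOnError(st.%Prepare(sql))
    set rs = st.%Execute(params...)
    if rs.%SQLCODE '= 0 {
        write "SQLCODE ", rs.%SQLCODE, ": ", rs.%Message, !
        quit -1
    }
    set count = 0
    while rs.%Next() { set count = count + 1 }
    quit count
}

}
```

`write ##class(PMG.Util.Variadic).Demo()` prints `spread=60 nested=3`. For the query case, `write ##class(PMG.Util.Variadic).RunQuery("SELECT Name FROM %Library.File_FileSet(?,?)", "c:\temp", "*.pdf;*.csv")` passes the two parameters from the array into the two placeholders; an old-style `rs.Execute(params...)` on a %ResultSet spreads them the same way, so the switch to %SQL.Statement is not required just for this.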