go to post Laura Cavanaugh · May 23, 2018 I think it's a namespace thing, so I'll let you all know what I find.
go to post Laura Cavanaugh · May 23, 2018 We've been using the $SYSTEM.Security.ChangePassword since 3/2017, apparently, and only recently have I noticed that it's logging a <PROTECT> error, and yet still changes the user's password (only recently have users been required to change passwords):<PROTECT>EMSUpdatePassword+2^%SYS.SECURITY *c:\intersystems\ensembledev\mgr\" at 8:27 am. $I=|TNT|192.168.32.100:62074|11696 ($X=0 $Y=26) $J=11696 $ZA=0 $ZB=$c(13) $ZS=262144 ($S=268247904) source code not availableI'm using this line of code: set bChanged = $system.Security.ChangePassword($username,newPass,oldPass,.ok)bChanged is not in the error trap; ok =1; the user's password is generally changed, as far as I can tell, because we don't get users asking why they cannot log in. I can recreate this from the terminal using a username without much acess (no %SYS access).I'm sure there's a security thing going on here. Why would this error get logged? It makes me nervous, as we're adding more users who will need to change their passwords often.Any ideas?I can't compile or step through the code - it's hidden.Thanks,Laura
go to post Laura Cavanaugh · Mar 21, 2018 A task, of course... I'll have to go through the list of users and check their LastLoginTime/CreateTime, Enabled, etc. For future users who are looking for this, I'll use the SQL procedure Security.Users_Detail().I did not know about the Security.Scan, but I'll take a look, and see what else I should tack on to it. Good idea to run our custom security task after the SecurityScan.Thanks! Getting there. And perhaps InterSystems will add this concept in the 2017 (2018?) release.Laura
go to post Laura Cavanaugh · Feb 23, 2018 Ha! That was it. Thanks. Wish we had entered all our usernames in one case, but alas. Thanks for the help - I appreciate all the answers. Now, to go through our security and update all the appropriate roles....
go to post Laura Cavanaugh · Feb 23, 2018 I am not sure. I'll check now.Edited to: I wish I could paste an image, but this may be the problem. I granted my laura_test_dev user1. direct permission to execute2. the %Library.File_FileSet SQL Procedure,3. in the PMG namespace. Logged out of the terminal, logged back in as that user, and got this: Instance: ENSEMBLEDEV Username: laura_test_DEVPassword: *********PMG>w $system.SQL.CheckPriv("laura_test_dev","9,%Library.File_FileSet","e","PMG")0 I agree; this seems like it should work, and for some reason that I haven't yet figured out, it is not working. At this point, the folder structure and who created the folders has no bearing. We're on version 2016.2.2.MISSED A CRITICAL STEP. I then ran the query from the terminal, after having given that user the direct permission, and the query worked. Now I'm confused as to why I got a 0 on the priv check, but the query worked. But, it worked. So maybe I won't mess with it.
go to post Laura Cavanaugh · Feb 23, 2018 We do have auditing turned on, for all kinds of events. I was looking at that, and didn't see much that I could use. Scratch that -- we happen to have %System/%DirectMode/DirectMode events turned on, and I could only see the fact that user Laura_test_DEV ran that command line in the terminal, but the Details page doesn't show failure or any more info.Didn't think to debug the %PRepare method. I can probably see what line of code is actually failing. The other "low-level" (as I think of it) call to FileSetFunc works at the terminal prompt, but I'm not sure if it's working from the application. I can only hope it has something to do with the test folders.Thanks for the help. I'll update with my final solution.
go to post Laura Cavanaugh · Feb 23, 2018 From the terminal prompt, logged in as my application user, the ##class(%File).FileSetFunc(directory) appears to be working. Oddly, giving the user execute permissions like John suggested didn't work. I wish it had because my code is all set up for the class query. I had seen the FileSestFunc in other posts... I don't know why this works differently. Can I use a FileMask, however? set rs=##class(%File).FileSetFunc("c:\","*.pdf;*.csv") Oh, and we're on Windows, and the instance is running as a domain user with lots of privileges, but if the application user copies and deletes a file, who is actually doing it? The instance's user, or the application user? Too early for me. Also, I did try the call with a FileMask, and it does work. Is it the same as the FileSet query? I can't find it in the code... must be a lower-level call to that query or something.
go to post Laura Cavanaugh · Nov 14, 2017 John, thanks for the info. It was indeed a windows security problem, related to the new Cache_Instance_instancename group. I had created 3 namespaces before we ran the cinstall (windows-level caché command to set up the windows security needed), and then because they were located outside of the cache tree, lost access to them.Note: this was a very special case where I installed the new instance to run as the local system, and then needed to run the cinstall command to change it to use another windows domain user. We also ran into a few windows security issues after the upgrade that we're still working out. We rectified it by added the appropriate security to the e:\ drive where the dataset are located. Also note: I created a test namespace AFTER we ran the command to set up the windows security (i.e. today, I created it), and the caché service user DOES automatically get access to the folder with the new dataset. Thanks for all the speedy help!Laura
go to post Laura Cavanaugh · Nov 14, 2017 Great idea! Yes indeed! this is what it says: DKMOUNT: Mounted SFN 5 DB 'e:\datasets\demo\' as Read Only DB. File or filesystem allows read-only access. Looks like it's related to our new windows security setup, which, by the way, was implemented as part of the 2016 upgrade. The 2016 version wants a windows group called Cache_Instance_instancename and the username that runs the instance is moved to this group. We had to run something to change this windows security after we installed this instance as 2016. Origainlly, the instance was installed to run as SYSTEM. I wonder - should I uninstall the instance and reinstall so that it's run as the user? It's still early enough in the game that I could do that. Would that automatically give my user access to the e:\datasets\ folder since I'm creating namespaces in the Installer manifest? not sure. Anyway, after I've figured out the windows security for this folder, I'll let you know if that helps. Thanks!
go to post Laura Cavanaugh · Nov 14, 2017 Hi Danny,That seemed promising, but when I stop Caché, the cache.lck file is removed, and appears again when I restart the instance. Yes, the root database name is not the same as my caché system. Caché is installed in the typical c:\intersystems\instance while these namespaces' databases are on another drive - e:\datasets. Also, we changed the underlying Windows security recently for our 2016 upgrade, so I'll have to make sure the instance's service user has access to the e:\ drive.This is what appears in the cache.lck file:c:\intersystems\rhs01p\mgr\SERVER01where rhs01p is the instance name, and SERVER01 is the server name.I'll check the Windows security and let you know.Thanks,Laura
go to post Laura Cavanaugh · Nov 7, 2017 Hello John,I'm trying to get more information about a similar $ZF issue, and running the caché instance as a Windows user rather than Local SYSTEM. I have this link from IS to help me out: http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GCRNA_C157184 But I was hoping to get a little bit more info from the link you sent out; unfortunately the link gives me a "missing" error. Do you think you can find that link again? This is my issue: after we upgraded from 2014 to 2016, the ability to use call out (such as w $zf(-1,"dir *.*") ) is gone. IS recommended using the cinstall command, as noted above, but it's not working. I'm asking IS about it now... We run our instances under a particular user, not as local system.I can update this thread with the solution.Thanks,Laura Cavanaugh
go to post Laura Cavanaugh · Oct 12, 2017 Hi Eduard,Interesting hack, and a good point. There's enough going back and forth between namespaces, importing new code, and running new methods in the newly created namespace already, so I'd prefer to keep my manifest simple. If I find that it needs to be done in, say, 5 places, I'll just say it needs to be the one value ("ABC") and I can create a copy of the installer if it needs to be a new value ("XYZ"). If it needs to be a new value, then we're probably moving toward replacing the old value anyway. Thanks.
go to post Laura Cavanaugh · Sep 8, 2017 Yan, yes, this looks like it's working. The OnCreateResultSet method is called, but not the OnExecuteResultSet. Thanks!Laura
go to post Laura Cavanaugh · Aug 17, 2017 Hi Timothy,Yes, indeed, thanks. I already have a SessionEvents class set up for all my web applications involved, so I stuck in this method: ClassMethod OnLogin() As %Status{if ^ZPMGSYSTEM("%DOWNFLAG")=1 quit $$$ERROR($$$GeneralError,"Logins are currently disabled")quit 1} This caused an actual login that got around our flag (via special testing, in this case) to get a response of Not FoundThe requested URL /Works/PMG.Works.Home.cls was not found on this server.Is that the expected behavior?So, I would say this works. Unfortunately, it also removes my backdoor -- it keeps out everyone! I guess I could add a little backdoor into this method as well; a screen door, if you will, on my back door.
go to post Laura Cavanaugh · Aug 16, 2017 Yan, that sounds promising. I'll check, and let you know. Thanks!
go to post Laura Cavanaugh · Aug 11, 2017 I did not know that - but I tried taking it out, but my test global is still populated with method calls to OnCreateResultSet and OnExecuteResultSet methods. The table itself if hidden at first. In fact, there are multiple tablesPanes, and they are all getting called upon page load, even though the tablePane group is hidden. I'm going to play around with pInfo.QueryExecuted; and there's a runflag set up, which I can see why it was set up now.THanks.
go to post Laura Cavanaugh · Aug 2, 2017 I often forget to mention that we are on 2014. Thanks - at least I can tell him we can't do it but maybe in a future release we can change the IS logo.Thanks,Laura
go to post Laura Cavanaugh · Aug 2, 2017 I can't believe how much I look forward to these discussions. Unfortunately, there is no EnsembleLogo* anywhere in the InterSystems directory. It almost looks like it's simple text, made to look like a logo using CSS. This is from the page source: <div class="portalLogoBox"> <div class="portalLogo" title="Powered by Zen">Ensemble</div> <div class="portalLogoSub">by InterSystems</div> The class portalLogoBox must do all that CSS/html stuff to make it look cool. I was wondering if I can change the text from Ensemble to something else. If the user is in the DeepSee Analyzer, it will say DeepSee by InterSystems instead, but with similar CSS modifications.I figured out why he wants to do this; we have a few "portal" users who have accss to all of the clients' namespaces. For a demo, they will go into the DeepSee UserPortal, then exit to the management portal to switch namespaces, then go back in to the DeepSee user portal. THe DeepSee user portal has settings where you can change the logo that is displayed (what are those classes? I need to be able to change them programmatically rather than manually 50 times!) but when the portal users go back to the management portal, our company logo is lost; instead the lovely Ensemble by InterSystems (Powered by Zen) is there. I personally think IS should get the credit, but my boss is wondering if we can change it for the purposes of these demos. If not, that's OK; but now I'm simply curious. Thanks!Laura
go to post Laura Cavanaugh · Jul 20, 2017 Wow, that works in 2014 too! So, there must be something with my $lb parameter, you're right. Note what happens here, without the ... . What is that? Can't find it in the documentation. Nevermind, I found it: http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...quit $classmethod($this, "Sum", .args)ClassMethod Sum(n... As %Integer)zw nn=1n(1)=3n(1,1)=10n(1,2)=20n(1,3)=30But... does it work for a SQL query? It's fine in COS, but what about a %ResultSet.Execute() call? Should I change it to %SQL.Statement?
go to post Laura Cavanaugh · Jul 18, 2017 Well, it all works if I force feed the params list. If I do get it, I'll let you know. Thanks for all the help!