User bio
Graduated in Software Engineering and Information Security.
I work as a Caché developer and currently as a Caché/IRIS Database Administrator, managing and automating multiple instances in the Cloud Environment.
My areas of interest are Security, Performance Database and Linux Environment.
Member since Dec 5, 2018
Posts:
Replies:
You may find more information in this legacy documentation:
https://docs.intersystems.com/latest/csp/docbook/Doc.View.cls?KEY=GDOC_legacy
Hi Philip,
Another way is to use the ##class(Backup.General).IsWDSuspendedExt() routine.
According to the documentation:
"When called in an external script, exit status is set to 5 if WD is suspended or 3 otherwise."
Example:
irisowner:~$ iris terminal IRIS -U%SYS "##class(Backup.General).ExternalFreeze()"
irisowner:~$ iris terminal IRIS -U%SYS "##class(Backup.General).IsWDSuspendedExt()"
irisowner:~$ echo $?
5
irisowner:~$ iris terminal IRIS -U%SYS "##class(Backup.General).ExternalThaw()"
irisowner:~$ iris terminal IRIS -U%SYS "##class(Backup.General).IsWDSuspendedExt()"
irisowner:~$ echo $?
3
Certifications & Credly badges:
Global Masters badges:
Lucas has no Global Masters badges yet.
Followers:
Following:
If the access is via SQL (INSERT, UPDATE), it is possible.
You can create a role with RW access to the database resource and grant INSERT privileges without the SELECT privilege.
If the access is via Global (SET), it is not so simple. Because you need to grant RW permission to the Database Resource and, consequently, the user will be able to read the data from the global resource.
For example, you create the logs_w role and grant it to the user
%SYS>do ##class(Security.Roles).Create("logs_w", "", "%DB_LOGS:RW") %SYS>do ##class(%SQL.Statement).%ExecDirect(,"GRANT logs_w TO appuser") %SYS>set $NAMESPACE="LOGS" LOGS>do ##class(%SQL.Statement).%ExecDirect(,"GRANT INSERT ON app.Log TO logs_w")If the user tries to execute a SELECT they will receive an error
LOGS>do $SYSTEM.Security.Login("appuser") LOGS>do $SYSTEM.SQL.Shell() [SQL]LOGS>>SELECT * FROM app.Log ERROR #5540: SQLCODE: -99 Message: User appuser is not privileged for the operationIf the user tries to execute an INSERT, it will succeed.
[SQL]LOGS>>INSERT INTO app.Log VALUES ('Test 1') 1. INSERT INTO app.Log VALUES ('Test 1') 1 Row Affected ---------------------------------------------------------------------------But this permission is not valid for globals, the user will be able to read
LOGS>zw ^app.LogD ^app.LogD=1 ^app.LogD(1)=$lb("","Test 1")In this case you can follow other strategies, such as Applications and Privilege Escalation. Here you isolate the database and the user does not have default access when logging in. Access is granted temporarily when executing a method/routine. A simple example:
In a database to which the user has default access, create a method that receives temporary privileges to write to the protected database
Class service.Log { ClassMethod write(msg As %String) As %Status { do $SYSTEM.Security.AddRoles("grant_logs_w") new $NAMESPACE set $NAMESPACE="LOGS" do ##class(%SQL.Statement).%ExecDirect(,"INSERT INTO app.Log VALUES (?)", msg) return 1 } }Create a Privileged Routine Applications for this method
set p("Name") = "grant_logs_w" set p("CookiePath") = "grant_logs_w/" set p("Description") = "Applications and Privilege Escalation" set p("Type") = 4 set p("Resource") = "%Development" set p("AutheEnabled") = 64 set p("Enabled") = 1 set p("MatchRoles") = ":logs_w" set p("Routines") = "service.Log:APP:1" do ##class(Security.Applications).Create("grant_logs_w", .p)The user does not have access to the LOGS database, but can execute the write method with temporary privileges.
APP>w $ROLES %Developer,%DB_APP APP>do ##class(service.Log).write("Test 2")