Can I implement row-level security in InterSystems IRIS using class parameters and runtime filters?
We require user-specific row access (row-level security). How can we enforce this in SQL and ObjectScript using custom class parameters and dynamic WHERE clause injections?
Discussion (0)0
Comments
Yes, you can implement row-level security in InterSystems IRIS using class parameters and runtime filters. This feature ensures a high level of database security by selectively enforcing access control at the level of individual rows. Here's how you can achieve this:
Enable Row-Level Security:
- Define the
ROWLEVELSECURITYparameter within the class definition. SettingROWLEVELSECURITYto1activates row-level security and uses the default%READERLISTproperty to store the access list for rows. - Alternatively, specify a custom property to hold the access list by setting
ROWLEVELSECURITYto the property name. In this case, you will need to define an index on the property.
Parameter ROWLEVELSECURITY = 1; // or Parameter ROWLEVELSECURITY = "CustomPropertyName"; Index %RLI On CustomPropertyName;- Define the
Define a Security Policy:
- Implement the
%SecurityPolicy()class method, which specifies the roles or user names allowed to access a row. This method returns a string of comma-separated user names or role names allowed to view the row.
ClassMethod %SecurityPolicy() As %String [ SqlProc ] { QUIT "User1,RoleA" }- Implement the
Compilation:
- After defining the parameter and the security policy, compile the class and any dependent classes.
Runtime Enforcement:
- The security policy is dynamically checked at runtime each time a
SELECTquery is executed. This ensures that only authorized users have access to specific rows.
- The security policy is dynamically checked at runtime each time a
By combining these configurations, you can enforce user-specific row access in both SQL queries and ObjectScript applications [1].
Sources:
Hi Jack,
Can you check the class parameter ROWLEVELSECURITY