Written by

Sales Engineer Manager at InterSystems

STAFF

Article Tani Frankel · Dec 8, 2022 1m read

Privileged Routine Applications (PRA) and $ROLES After

#Caché #Ensemble #HealthShare #InterSystems IRIS #InterSystems IRIS for Health #Access control #ObjectScript #Security #Tips & Tricks

When creating a PRA (Privileged Routine Application; which by the way is not relevant just for Routines but also for Classes/Methods), it is important to make sure you include a new $ROLES, before calling AddRoles(). For example:

new$ROLESset status=$System.Security.AddRoles("MyPrivilegedRoutineApplication")

This way you ensure that indeed the added (elevated) roles "evaporate" for the User running this code, once the User is out of the scope of that routine/method.

[Thank you @Andreas Dieckow for validating this]

Discussion (3)0

Add reply

Comments

Eduard Lebedyuk · Dec 8, 2022

Great find, Tani!

You can also use the same trick to remove roles temporarily (for example if you need to execute untrusted code):

Class User.Role
{

/// do ##class(User.Role).Test()ClassMethod Test()
{
    do..SecurityContext("Test before")
    do
    . new$roles
    . do##class(%SYSTEM.Security).Login("UnknownUser") // has no roles
    . do..Untrusted()

    do..SecurityContext("Test after")
}

ClassMethod Untrusted()
{
    do..SecurityContext("Untrusted")
}

ClassMethod SecurityContext(context)
{
    w"Context: ", context, !
    w"Roles: ", $roles, !
    w"User: ", $username, !, !
}

}

Produces this output:

Context: Test before
Roles: %All
User: _SYSTEM
 
Context: Untrusted
Roles:
User: UnknownUser
 
Context: Test after
Roles: %All
User: _SYSTEM

0 0

Ben Spead · Dec 8, 2022

@Tani Frankel - thank you very much for taking the time to share this helpful tidbit!

0 0

Tani Frankel · Dec 8, 2022

The Docs also include this recommendation (thanks to @Shawn Fennell for the pointer).

0 0