#Access control

Trying to identify which records in the %SYS.Audit table are fails.

Eg, as user "WORKER", I run an attempted a grant, the terminal returns:

SQL> GRANT SELECT ON newschema.patients TO COORDINATOR
[S1000][Iris ODBC][State : S1000][Native Code 112]
[libirisodbc35.so]
[SQLCODE: <-112>:<Access violation>]
[Location: <ServerLoop>]
[%msg: <User WORKER does not have required privileges to grant the privilege(s)>]
[ISQL]ERROR: Could not SQLExecute
 

but the record in the audit table gives

Description: "SQL GRANT Statement"

EventData: "GRANT SELECT ON newschema.patients TO COORDINATOR"

Many password requirements can be enforced using a password validation routine which is available to implement in System Management Portal. But how about this one:

Check that at least 50% of the characters changed from old password to new password.

We need to have access to the old password to check this, currently password validation routine only gets the new password.

We can create a new form to update the password where user must enter the old password and new password. I think I can block users from changing the password the usual way by having a password routine reject all passwords. 

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

Hi anyone has created the user roles for UCR pls share details like if we want to create following roles what access rights should be give to each role.

UCR Admin - This user can stop/start productions, can enable/disable services, can run sql queries, can make changes in facility registries, assigning authority and other configuration.

UCR Developer - This user can add new services in the production but can not make any change in the registires and other configuraiton

Hi,

Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?

Thanks
Kiran Kumar

I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.

The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).

For Caché to use this, I get that there is an environment variable (REMOTE_USER) which is set to "something", but it's not clear to me how this ends up mapping to a provisioned caché user (or LDAP provisioned user for that matter) and ultimately to the %Roles in effect and subsequent system access.

we have a issue with just the 1 namespace, where users log using ldap but arent getting any roles assigned to them.

Ldap does work as the user account is created as a ldap user. 

I have gone through the various settings to check that all is setup as required, but cant find a reason why the roles arent being assigned. 

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

Hi Developers!

Here're the technology bonuses for the Security Contest 2021 that will give you extra points in the voting:

• Basic Authentication usage - 2
• Bearer/JWT Authentication usage - 3
• OAuth 2.0 usage - 5
• Authorization components usage - 2
• Auditing usage - 2
• Data Encryption usage - 2
• Docker container usage - 2 
• ZPM Package deployment - 2
• Online Demo - 2
• Code Quality pass - 1
• Article on Developer Community - 2
• Video on YouTube - 3

See the details below.

Hi everyone - In IRIS we would like to arrange the access of two users in such a way that each has access to exactly one (his) database only. Which resource does this (%DB_%DEFAULT allows each of the two users access to both databases). If you create new resources (%DB_Database1 and %DB_Database2) and then add them to individual roles (each for the user to), the access for the users, for example, via a REST client does not give the desired separation (instead once Ok, other database 401 Unauthorized both OK). Is there something special to consider or a special resource that could do this or

How do you determine what namespace to use for your custom SAML attributes? We want to receive patient context (first name, last name, dob, gender, etc.)

OASIS has resource-id but none of the other attributes. urn:oasis:names:tc:xacml:1.0:resource:resource-id

Can the built-in $System.Encryption.TOTP() function be used in conjunction with Authenticator Apps (e.g. Google, Microsoft, and so on)?

Providing the same secret/key to a variety of authentication apps, they all return the same synchronized value. However, passing the same secret/key to $System.Encryption.TOTP() is generating a different value (with all instances executing at the same time for comparison).

When a company is quite large and many different applications used by employees. But while those applications are mostly completely different, how to make it possible to not force users to enter credentials as many times as many applications they would like to use. The best way is to use SSO, so, it will be possible to have a portal, where users could launch any application used in a company. There are many different ways how to give access to your application by using the SSO mechanism, and some of them are:

• OAuth2
• Kerberos
• SAML

Hi Team,
I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to stat/stop Ensemble Hosts.
For that new Role, As per documentation along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didnt add %Ens_ProductionRun resource.
This makes the Start/Stop buttons disappear from Production Configuration page ( meeting my requirement). But those users are Unable Start/Stop/Restart Ensemble Business Hosts.

Hello,

Hi,

We need to implement Oauth2 Code Flow + PKCE. Any experience with InterSystems OAuth2 Server on this would be welcome.
What parameters did you setup on OAuth 2 server configuration page  to make it work?

Thanks!

Dear Folks,

I have recently studied deepsee and developed few dashboards needed for our web app users. I am trying to embed them in our existing web app which uses angular with delegated user access. I need to embed the native IRIS dashboard into it. ( I can't use Highcharts or any other js tools). 

How do I setup the dashboards to work with delegated authentication (Without providing access to management portal or other parts) ? Also should I use the default csp/{Namespace}/_DeepSee.UserPortal.DashboardViewer.zen? or any other web application URL ?

Thanks

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?We (as in me and my organization) use Cache Authentication for our instances, and one of the reasons to use LDAP for this system was to avoid

Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?

Hello community,

I would like to report about a security issue, that engages us for some time meanwhile.

We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.

How to set the size of the participant pool and what are the key factors that determine it? How should we set it?

Hi team.

Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).

Thanks

Paras

Hi everybody,

Is there a way to run code on another machine? Of course, all authentication info is known. I know only about RemoteResultSet but that seems to be query specific.

Thanks in advance,
Anna
P.S. The ultimate goal, in case that matters, is to create identical globals on 2 different machines with one run.

This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks

I'm trying to setup a new accesss role for the company support team to use the message viewer and production config page to trace the errors that eventually could occurr on the production integrations.

I've already assign the following privileges:

• %EnsRole_Administrator role
• %DB_* roles related to the native and custmon namespaces
• SELECT GRANT to all tables on the namespaces we need to provide access

Hi All,

I was just wondering whether anyone can help, I have managed to configure LDAP within Healthshare [HealthShare Modules:Core:15.032.9688], and I am also able to login with my LDAP user.  However, I am unable to assign any roles to this user, the user  appears on the users page however, it does not appear in the dropdown list of users when you try to update a particular role in the roles page (I am not sure where I have gone wrong with this).  I can login with the user but I don't get any where far with it because it has no roles assigned to it.  Any help would be great.

Kind Regards,

Hi All,

Actually, I'm developing few restful API's. I want to create a authentication tokens and display it on my login restful API. If I'm using CSP sessionId, how can I validate the session Id's in another or continues restful API's. else, is there any other approach to handle this task. 

My Primary goal is, I have to integrate 2 different front end applications. One is Zen framework another one is web pages from Python. 

If any lead, it would be appreciated. 

Thanks,

Arun Kumar Durairaj. 

Hello everyone! 

I have REST API and want check user with http header authorization,

When user input incorrect data refuse them with 401 unauthorized,

Question how to response with 401 unauthorized

   Hi,

 I've started to use Task Schedule function in Caché. But I have two questions about it:

1. I want to run the task as an indepedent, technical user. What is the minimum resources for this user to successfully run the defined task.
2. I disabled the built in user _SYSTEM, as the Tightening Security for an Instance article suggest. But I see that built in task run in the name of _SYSTEM user. For example Switch Journal. How can this work, if the user disabled? Should I use another user for this tasks?

Thanks!