Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Hello everyone! 👋
I have a question regarding roles and resources.
To give you some context: I have a user who has been assigned only the role %HS_UsageDashboard_Access.This allows them to access the dashboards correctly (by giving the direct URL). Then, if I try to access the Management Portal with this same user, I can log in with no access to any resources within it (as expected).
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.
A JWT is typically composed of three parts:
1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature
These parts are encoded in Base64Url format and concatenated with dots (.) separating them.
Structure of a JWT
Header
{ "alg": "HS256", "typ": "JWT"}
Payload
HTTP and HTTPS with REST API
Hello
The HTTP protocol allows you to obtain resources, such as HTML documents. It is the basis of any data exchange on the Web and a client-server protocol, meaning that requests are initiated by the recipient, usually a Web browser.
REST APIs take advantage of this protocol to exchange messages between client and server. This makes REST APIs fast, lightweight, and flexible. REST APIs use the HTTP verbs GET, POST, PUT, DELETE, and others to indicate the actions they want to perform.
I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.
I've already set Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.
This is what I am seeing in the browser:-
Here is an option for your headspace if you are designing an multi-cluster architecture and the Operator is an FTE to the design. You can run the Operator from a central Kubernetes cluster (A), and point it to another Kubernetes cluster (B), so that when the apply an IrisCluster to B the Operator works remotely on A and plans the cluster accordingly on B. This design keeps some resource heat off the actual workload cluster, spares us some serviceaccounts/rbac and gives us only one operator deployment to worry about so we can concentrate on the IRIS workloads.
Rancher Government Hauler streamlines deploying and maintaining InterSystems container workloads in air-gapped environments by simplifying how you package and move required assets. It treats container images, Helm charts, and other files as content and collections, letting you fetch, store, and distribute them declaratively or via CLI — without changing your existing workflows. Meaning your charts and what have yous, can have conditionals on your pull locations in Helm values, etc.
In today’s enterprise environments, secure communication between systems is not optional—it’s essential. Whether you're integrating InterSystems IRIS with cloud APIs, internal microservices, or third-party platforms, Mutual TLS (mTLS) offers a powerful way to ensure both ends of the connection are authenticated and encrypted.
This post walks through how to configure IRIS for mTLS and how to validate your certificates to avoid common pitfalls.
Hi Community,
We're super excited to share the new video in the "Rarified Air" series on our InterSystems Developers YouTube:
⏯ Practical Cybersecurity Measures for Stronger Organizational Resilience
Hello Community,
I’m working on an InterSystems IRIS production that needs to call an external API using OAuth client credentials (client_id and client_secret). For security reasons, I must pass these credentials via environment variables in my Docker container.
In the IRIS terminal, I can successfully retrieve these environment variables using $System.Util.GetEnviron("api-clientid") and $System.Util.GetEnviron("api-clientsecret"). However, inside my Business Operation class (OnMessage method), these environment variables return empty strings.
I have a personal copy of Cache which I use to help me with certain things. The instance resides on my Windows desktop. The apps I use a web enabled. It would be great if I could access my apps via web browser from my laptop without having to keep a copy of Cache on my laptop. It would make it difficult to keep the databases synced. So, if I restart my Cache instance, then I can use get to my apps by entering the url: http://ipadd:57772/csp/user/myapp.cls. but later, after having closed the browser on my laptop, if I try to open a browser session on my desktop I get license limit exceeded. So
Hello, how are you?
First of all thanks for your time reading this question.
We are investigating how to validate the indexes of a global. We have read:
https://docs.intersystems.com/irisforhealth20251/csp/docbook/DocBook.UI…
And:
https://docs.intersystems.com/irisforhealth20251/csp/documatic/%25CSP.D…
We want to validate the inxedes of the global titled "Ens.Util.LogD". We have executed on the ObjectScript terminal, on the desired namespace:
Hi everyone,
I’m working with an existing InterSystems IRIS server that hosts several web applications and namespace-specific code and data. I’d like to reverse-engineer the current environment into a %Installer.Manifest file so I can store it in Git and manage its changes.
My goal is to:
SQL injection remains one of the most critical vulnerabilities in database-driven applications, allowing attackers to manipulate queries and potentially access or compromise sensitive data. In InterSystems IRIS, developers have access to both Dynamic SQL and Embedded SQL, each with distinct characteristics. Understanding how to use them securely is essential for preventing SQL injection.
Hi Community,
We're super excited to share the first video in the "Rarified Air" series on our InterSystems Developers YouTube:
InterSystems is pleased to announce the General Availability (GA) of the 2025.2 release of InterSystems IRIS® data platform. This is a Continuous Delivery (CD) release. Please note that the GA versions of InterSystems IRIS for Health™ and HealthShare® Health Connect™ 2025.2 are currently withheld due to mirroring limitations introduced by security updates (details below).
This release introduces impactful enhancements across security, developer experience, operations, and interoperability. Notable new features include:
In this 3-part series of articles, is shown how you can use IAM to simply add security, according to OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS.
In the first part, was provided some OAuth 2.0 background together with some IRIS and IAM initial definitions and configurations in order to facilitate the understanding of the whole process of securing your services.
I am trying to create users who only have `%SQL` Role for the INSTANCE. But I am unable to find any documentation on the `Security.Users` class.
See:
// Instantiate the Security.Users objectSet userObj = ##class(Security.Users).%New()// Set the username and passwordSet userObj.Name = userNameSet userObj.FullName = userFullNameSet userObj.Namespace = "USER"Set userObj.Roles = "%SQL" Set sc = userObj.ChangePassword(passwd)// Save the user to the databaseSet ss = userObj.%Save()
InterSystems IRIS 2025.2 introduces the IRISSECURITY database, the new home for security data. Unlike IRISSYS, the previous home for security data, IRISSECURITY can be encrypted, which secures your sensitive data at rest. In a future version, IRISSECURITY will be mirrorable.
This version also introduces the %SecurityAdministrator role for general security administration tasks.
At hackathons that InterSystems participated and I supported, many students were asking how all their teammates could use the same IRIS database that they spun up in a container. I suggested using ngrok to expose their localhost IRIS and realized we don't have documentation on that. Hence, I thought this would be great to let more people knwo about this powerful technique for enhancing collaboration during development and testing.
Hello,
I need to expose InterSystems HealthInsight dashboards over the internet to external operators. The authentication flow is managed externally. When a user is authenticated, our system receives an HTTP request with specific headers (e.g., operator’s fiscal code and hospital identifier) that we need to extract in order to:
I created a new Web Application on IRIS as shown in the screenshot:
Hello again,
We are still seeking feedback on our two new HealthShare Unified Care Record certification exam designs. This is your opportunity to tell us what knowledge, skills, and abilities are important for Certified HealthShare Unified Care Record Specialists.
The feedback surveys are open until July 20th, 2025. All participants are eligible to receive 7000 Global Masters points for each survey they complete!
Interested in sharing your opinions? See the original post for more details on how to weigh-in on the exam topics.
I am attempting to follow the tutorial at Publishing Web Services Using Caché | Caché Web Services QuickStart Tutorial | Caché & Ensemble 2018.1.4 – 2018.1.11 to build a toy SOAP web-service using Cache but am running into what I suspect are permissions issues, or perhaps setting up the "plumbing" to get an incoming request to call the web-service methods.
Ensemble instance running on local laptop. Only the Ensemble private web-server installed on the machine (no IIS or Apache).
This is a template for a Flask application that can be deployed in IRIS as an native Web Application.
git clone
cd iris-flask-template
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
docker-compose up
The base URL is http://localhost:53795/flask/.
Hello Everyone,
The Certification team of InterSystems Learning Services is developing two new HealthShare Unified Care Record certification exams, and we are reaching out to our community for feedback that will help us evaluate and establish the contents of the exams. Please note that these exams will replace our HealthShare Unified Care Record Technical Specialist exam that we plan to retire in January 2026. Certifications earned in this technology before the exam’s retirement will remain valid for five years from the date of achievement.
I am trying to log in to the Web Gateway Management and I have missed placed the password to access the system I have tried
changing the password under local settings in the CSP.ini and that has managed to change the password to access the gateway but cannot log me into the management area I have followed a post here and read here and I seem not to get the answers that actual explain how I can get to the web gateway management.
With the release of InterSystems IRIS Cloud SQL, we're getting more frequent questions about how to establish secure connections over JDBC and other driver technologies. While we have nice summary and detailed documentation on the driver technologies themselves, our documentation does not go as far to describe individual client tools, such as our personal favourite DBeaver. In this article, we'll describe the steps to create a secure connection from DBeaver to your Cloud SQL deployment.
After we rolled out a new cointainer based on containers.intersystems.com/intersystems/irishealth:2023.1 this week, we suddenly noticed that our FHIR Repository started responding with an Error 500. This turns out to be caused by PROTECT violations on the new HSSYSLOCALTEMP namespace and database used by this version of the IRIS for Health FHIR components.
The trick to solve that is to add the "%DB_HSSYSLOCALTEMP" to the Web Application(s) that handle FHIR Requests. You can script that by running the following Class method in the namespace(s) that define these Web Applications:
InterSystems IRIS versions 2022.2 and newer feature the ability to authenticate to a REST API using JSON web tokens (JWTs). This feature enhances security by limiting where and how often passwords transfer over the network in addition to setting an expiration time on access.
The goal of this article is to serve as a tutorial on how to implement a mock REST API using InterSystems IRIS and lock access to it behind JWTs.
Question:
How can I create, change etc. Security entities (like Users and Roles) programmatically?
Answer:
You can use the Security package classes in the %SYS namespace. For example Security.Roles or Security.Users.
Of course in order to perform these actions the user will require the needed authorization.
Here's a small example using Security.Roles:
If you look at the values.yaml of the IKO's Helm chart you'll find:
useIrisFsGroup:falseLet's break down what it is and in what situations you may want to set it to true.
FsGroup refers to the file system group.
By default, Kubernetes volumes are owned by root, but we need IRIS to own its files (IRIS in containers is installed under irisowner user). To get around this we employ one of two methods: