Topic outline

• Configuring Role-Based Access

  Configuring Role-Based Access

  Content Type
  Exercise

  Duration
  15m

  Level
  Introductory

  Learn how to secure your system and specify the actions that each user of InterSystems IRIS® data platform can perform. The mechanism we use to control user authorization to perform actions is called role-based access control.

  If you are already familiar with role-based access control, the InterSystems IRIS scheme will likely resemble some of those you have worked with before. With role-based access, you can:

  • Group permissions into particular roles. This streamlines the process of providing access to new users and updating permissions for multiple users in a role, and it optimizes administrator time.
  • Use a set of predefined roles or modify them to fit your needs.
  • Easily add a new set of permissions to a user by grouping permissions into a new role and assigning that role to the user.

  Learning Objectives

  • Identify the purpose and key components of role-based access control in InterSystems IRIS.
  • Locate and recognize system resources that determine Management Portal page access.
  • Create and assign custom manager roles to control user permissions.
  • Apply role-based access control by creating users, assigning roles, and verifying their access in the Management Portal.

  
  

  Prerequisites

  None
  
  

  Watch the video and try the exercise below!
• Start the Exercise

  Start the Exercise

  The example below shows you how to set up two types of manager roles for use in the Management Portal. The first role will have access to pages that allow modification of security-related items such as user and role definitions. The second role will not have that access. You will also see how users with these roles interact with the Management Portal. Of note, LDAP is also supported but not covered in this exercise.

  • You must be logged in to launch this VM.

    • Log in with your existing account.
    • Don't have an InterSystems account? Create a new account.
  • Discover resources for Management Portal page access
    

    Access to each page in the Management Portal is protected by at least one resource. You can discover the resources needed by following these steps:

    1. Open the Management Portal for your instance using the VM launcher above. Log in with the credentials:
       • Username: student
       • Password: demo3232
    2. Navigate to System Administration > Security by clicking each of those words in their corresponding menu items.
    Tip:
    In the Management Portal, menu items with child pages include a >> next to the name of the item. Pages have no such marker.
    3. In the Users menu item, click anywhere to the right of the word Users. This action displays the resource needed to view the Users page, which is %Admin_Secure. Note that all pages within the Security and Encryption submenus require use permissions (U) on the %Admin_Secure resource.
       
    
    
    4. Navigate to System Administration > Configuration > System Configuration.
    5. Click anywhere to the right of the words Memory and Startup. You will see that the resource needed to view the page is %Admin_Manage.
  • Create and assign your own manager roles
    

    For pages within the System Administration menu of the Management Portal, you need roles with privileges to the %Admin_Secure and %Admin_Manage resources.

    Given this structure, it is plausible that you would want to create roles that reflect two levels of management: one that can access all pages except for security-related pages, and the other that can perform all actions, including security-related actions. There is a predefined %Manager role that you can use as a template.

    1. Navigate to System Administration > Security > Roles and click Go. You will see a list of roles with which InterSystems IRIS was installed, including a %Manager role.
    2. Click the %Manager link. The General tab displays the privileges (resources paired with permissions) available to users with this role.
       • Among the privileges, you will see use permissions on %Admin_Secure and %Admin_Manage.
       • You will see many other privileges as well. This is because you need access to many different resources to be able to view and modify InterSystems IRIS settings. Since there is only one critical resource, %Admin_Secure, in terms of access for security-related pages within System Administration, access to that resource will be the only difference between our two custom roles.
    3. Click Cancel beneath Edit %Manager to return to the main Roles page.

    Create a Standard Manager Role

    1. On the Roles page, click Create New Role. A role definition page will appear.
    2. In the Name field, enter Standard_Mgr.
    3. In the Copy from drop-down menu, select %Manager. This will copy all information, including privileges, from the predefined %Manager role to the new one.
    4. Change the description to one of your choice, such as Role for System Administration without security access.
    5. Click Save. A Role saved message will appear, and you will see the list of privileges for the new role in the General tab.
    6. In the row for %Admin_Secure, click Delete. This removes the privilege from the role.
    7. Click Save again to save changes.

    Create a Security Manager Role

    1. On the Roles page, click Create New Role. A role definition page will appear.
    2. In the Name field, enter Security_Mgr.
    3. In the Copy from drop-down menu, select %Manager. This will copy all information, including privileges, from the predefined %Manager role to the new one.
    4. Change the description to one of your choice, such as Role for System Administration with security access.
    5. Click Save. A Role saved message appears, and you will see the list of privileges for the new role in the General tab.
  • Create users and assign new roles
    

    To see the roles in action, you will need to create two users, one for each of your new roles.

    1. Navigate to System Administration > Security > Users and click Go. You will see a list of user definitions with which InterSystems IRIS was installed.

    Creating a Standard Manager User

    1. On the main Users page, click Create New User. A user definition page will appear.
    2. In the Name field, enter Std_Mgr. Note that the name of the user cannot match the name of the role.
    3. In the Password and Password (confirm) fields, enter a password of your choice.
    4. Click Save. A User saved message will appear.
    5. Click the Roles tab. Scroll through the Available list on the left and highlight Standard_Mgr.
    6. Click the right-pointing arrow to add the role to the Selected list, then click Assign.
    7. Click Cancel to return to the main Users page.

    Creating a Security Manager User

    1. On the main Users page, click Create New User. A user definition page will appear.
    2. In the Name field, enter Sec_Mgr.
    3. In the Password and Password (confirm) fields, enter a password of your choice.
    4. Click Save. A User saved message will appear.
    5. Click the Roles tab. Scroll through the Available list on the left and highlight Security_Mgr.
    6. Click the right-pointing arrow to add the role to the Selected list, then click Assign.
    7. Click Cancel to return to the main Users page.
  • Try out roles in the Management Portal
    

    1. Log out and log in to the Management Portal as the Std_Mgr user. You will see that:
       • Security-related menu options are greyed out, as expected.
       • The Interoperability menu option is also greyed out because the predefined %Manager role from which the two custom roles were copied does not have the privileges necessary for those pages.
       • The Management Portal menu for System Administration shows restricted access for the Std_Mgr user.
    2. Log out, and log back in as the Sec_Mgr user.
       • This user, as you will see, has full access to the pages in the System Administration > Security and System Administration > Encryption submenus.
       • The Management Portal menu for System Administration shows full access for the Sec_Mgr user.
• What's next?

  What's next?

  To learn more about role-based access control and the InterSystems IRIS security model, see the following resources:

  • Learn about tools for determining what a user can access (documentation, 1m).
  • Learn about role-based access control for application developers in the "InterSystems IRIS Security" and "Namespaces and Databases" sections of the InterSystems IRIS Programming Orientation Guide (documentation, 10-20m).
    
  • Find step-by-step instructions for creating users, roles, and privileges (documentation, 15m).

  • Share Your Feedback!