Security Administration Guide
Frequently Asked Questions about InterSystems IRIS Security
This Question and Answer Set includes the following topics:
When users attempt to use the Management Portal, they are either prompted to log in as they move among its sections or unexpectedly lack privileges on certain pages or are not allowed to perform certain operations. Why is this and how can I correct it?
The Management Portal consists of several separate web applications. The main page of the Portal is associated with the /csp/sys application and other pages are associated with various /csp/sys/* applications (such as the security-related content, which is associated with the /csp/sys/sec application). If the applications do not all have a common set of authentication mechanism(s) in use, users going from one Portal page to another may encounter login prompts or sudden shifts in their level of privilege.
For example, if the /csp/sys application is using password authentication exclusively, while other related Portal applications are using unauthenticated access exclusively, then, as users move from one Portal page to another, they go from unauthenticated access to requiring authentication. Another possible case is this: the /csp/sys application supports only password authentication, the other applications support only unauthenticated access, and UnknownUser has no special privileges; in this case, when users go from the Portal’s main page to its other pages, they may not have sufficient privileges to perform any action.
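The following added example (not InterSystems code) audits an exported list of web applications for the two situations described above. It treats "a common set" as an identical set of mechanisms on every Portal application. The inventory format, the mechanism labels, the function names and the /csp/sys/placeholder and /csp/other entries are assumptions made for illustration.

```python
PORTAL_ROOT = "/csp/sys"


def portal_apps(inventory):
    """Keep /csp/sys and every /csp/sys/* application; normalise mechanism labels."""
    return {
        app: frozenset(m.strip().lower() for m in mechs)
        for app, mechs in inventory.items()
        if app == PORTAL_ROOT or app.startswith(PORTAL_ROOT + "/")
    }


def audit_portal(inventory, unknown_user_has_privileges=False):
    """Return (app, issue, detail) findings for Portal apps that differ from /csp/sys."""
    apps = portal_apps(inventory)
    if PORTAL_ROOT not in apps:
        return [(PORTAL_ROOT, "missing", "root Portal application not in inventory")]
    baseline = apps[PORTAL_ROOT]
    findings = []
    for app in sorted(apps):
        mechs = apps[app]
        if mechs == baseline:
            continue
        # First case: a different mechanism set means login prompts or
        # privilege shifts when users move between Portal pages.
        extra, absent = sorted(mechs - baseline), sorted(baseline - mechs)
        findings.append((app, "mismatch", f"extra={extra} missing={absent}"))
        # Second case: the page allows only unauthenticated access, so the
        # session runs as UnknownUser and may be unable to perform any action.
        if mechs == {"unauthenticated"} and not unknown_user_has_privileges:
            findings.append((app, "no-privileges",
                             "unauthenticated only and UnknownUser has no special privileges"))
    return findings


# Constructed sample inventory: application name -> enabled mechanisms.
SAMPLE = {
    "/csp/sys": ["Password"],
    "/csp/sys/sec": ["Unauthenticated"],
    "/csp/sys/placeholder": ["password"],   # constructed name, matches the root
    "/csp/other": ["Unauthenticated"],      # constructed, not a Portal app: ignored
}

if __name__ == "__main__":
    for finding in audit_portal(SAMPLE):
        print(*finding, sep=" | ")
```

An empty result means every /csp/sys/* application uses the same mechanisms as /csp/sys.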
Must I use InterSystems security?
Yes. Security in InterSystems IRIS™ is always enabled. However, you can configure an instance’s security to mimic the openness of an older system and to support legacy systems without any visible effects.
What do I need to be aware of when upgrading to the InterSystems security in version 5.1 or later?
The following items require attention when upgrading:
All users require new passwords assigned to them after an upgrade installation.
The password hash function used is more robust than those used in earlier versions of InterSystems IRIS. Because InterSystems IRIS stored (and stores) only the hashed form of the password for comparison, there is no way to invert the stored hash to recover the plaintext password and then re-hash it with the newer function. As a result, to take advantage of this robustness, users need to enter new passwords.
By default, developers do not have privileges on many of the InterSystems services they did under prior versions.
The default installation of InterSystems IRIS is configured with a relatively limited set of features accessible by default. The predefined roles do not include privileges for legacy resources such as COM ports, which most customers do not need. As necessary, administrators can alter the predefined roles or create new roles that provide a different set of privileges to meet the needs of each site.