Skip to main content

First Look: Role-Based Access Control

This document introduces you to role-based access control, explains how it works in InterSystems IRIS® data platform, and helps you explore it yourself.

To browse all of the First Looks, including those that can be performed on a free evaluation instance of InterSystems IRIS, see InterSystems First Looks.

Role-Based Access Control: Why Is It Important?

When you first start working with a new database platform, one thing will likely become clear quickly: you probably do not want all of your organization’s users to be able to see and change everything on the system.

InterSystems IRIS, like all database platforms, allows you to specify carefully the actions that each user of InterSystems IRIS can perform. The mechanism we use to control user authorization to perform actions is called role-based access control.

If you’re already familiar with role-based access control, the InterSystems IRIS scheme will likely resemble some of those you’ve worked with before. You’ll find more detail about how we handle it in the next section.

If you’re new to role-based access control, what this means is time savings over older access control methods that don’t provide for grouping of permissions to perform system actions.

  • Without role-based access control, assigning each user a permission to work with each aspect of InterSystems IRIS, one by one, could take hours or even days. Then, if a new employee needs access, you would have to repeat the process.

  • Role-based access control allows you to group permissions into roles when you initially configure InterSystems IRIS. Then you can assign one or more of those ready-made roles to each of your system’s users. A set of predefined roles is also available to you for use or modification.

  • Further, with role-based access control, if a user needs to take on a new set of permissions, that set can be grouped into a role and that role assigned to the user. And you can always change the list of permissions within roles.

Role-Based Access Control: How It Works Within InterSystems IRIS

InterSystems IRIS provides a full solution for role-based access control, which we’ll describe in this section. Native InterSystems role-based access control is available with every type of authentication mechanism that InterSystems IRIS supports, including LDAP, Kerberos, and OS-based. You can use LDAP instead of InterSystems IRIS for role assignment if you wish.

A Brief Conceptual Overview

Think of the information and capabilities within InterSystems IRIS as assets you want to protect, just as you insure assets that belong to you.

Among the items that are considered assets in InterSystems IRIS are:

  • Databases, which store data and code as objects.

  • Services, which control users’ ability to connect to InterSystems IRIS.

  • Certain administrative privileges.

  • InterSystems IRIS applications, including individual pages in the Management Portal, which is the system administration user interface for InterSystems IRIS.

Each asset is represented in InterSystems IRIS by a resource, and a single resource can represent more than one asset.

The resource acts as a gatekeeper for the assets it represents: it is paired with “read”, “write” (which includes read), and, in some cases, “use” (execute) permissions depending on the resource type. For example, only two types of permissions exist for databases: read, which allows viewing of data and execution of routines, and write, which allows modification of data.

A pairing of a resource with a permission is called a privilege, and privileges are grouped into roles.

Finally, roles are assigned to users within InterSystems IRIS. Each user has one or more roles assigned to them when they first authenticate with InterSystems IRIS. It’s possible to add or remove roles from a user for the duration of a session.

The exact manner in which authorization with role-based access control takes place depends on the authentication mechanism you’ve chosen. This aspect of authorization is covered fully in the online documentation.

Tip:

For internal test and staging systems, you may not want to bother setting up password-based authentication or different levels of role-based access control. This option is available to you if you install your instance with “minimal” security, which by default gives full administrative privileges to anyone with the Management Portal URL for the instance.

An Sample Use Case

As mentioned above, individual pages in the Management Portal are assets in InterSystems IRIS that you can protect. The Management Portal allows users to view and perform operations on fundamental aspects of InterSystems IRIS, such as globals, namespaces, and even resources and roles themselves.

The screenshot below shows what the Management Portal looks and acts like when the instance’s administrator logs in with the _SYSTEM user account created during installation. The _SYSTEM user can access System Administration > Security> Users, which lets them view and modify any user and their roles.

You may want to restrict the role assignments of certain Management Portal users so that they can’t view or modify user accounts or any other information that is critical to security. In the next section, we’ll show you how to do that.

The default layout of the Management Portal menu when it displays the choice for the Users page.

Role-Based Access Control: Exploring It

The example below shows you how to set up two types of “manager” roles for use in the Management Portal. The first role will have access to pages that allow modification of security-related items such as user and role definitions. The second role will not have that access.

Then you’ll see how users with those roles interact with the Management Portal.

Important:

To give you a taste of InterSystems IRIS without bogging you down in details, we’ve kept this exploration simple. For example, we’ve had you use as many default settings as possible.

When you bring InterSystems IRIS to your production systems, though, there are many things you will need to do differently, especially in regard to (but not limited to) security.

So be sure not to confuse this exploration of InterSystems IRIS with the real thing! The sources provided at the end of this document will give you a good idea of what’s involved in using InterSystems IRIS in production.

Before You Begin

To use the procedure, you will need a running InterSystems IRIS instance. Your choices include several types of licensed and free evaluation instances; the instance need not be hosted by the system you are working on (although they must have network access to each other). For information on how to deploy each type of instance if you do not already have one to work with, see Deploying InterSystems IRIS in InterSystems IRIS Basics: Connecting an IDE. Connect Visual Studio to your InterSystems IRIS instance using the information in InterSystems IRIS Connection Information and .Net IDEs in the same document.

Discovering the Resources Needed For Management Portal Page Access

Access to each page in the Management Portal is protected by at least one resource. You can discover the needed resources as follows:

  1. Open the Management Portal for your instance in your browser, using the URL described for your instance in InterSystems IRIS Basics: Connecting an IDE.

  2. Navigate to System Administration > Security by clicking each of those words in their corresponding menu items.

    Tip:

    In the Management Portal, menu items with child pages include a >> next to the name of the item. Pages have no such marker.

  3. In the Users menu item, click anywhere to the right of the word “Users”. This action displays the needed resource to view the Users page, which is %Admin_Secure. (All pages within the Security and Encryption submenus require use permissions (“U”) on the %Admin_Secure resource.)

    The Management Portal menu with the choice for the Users page, including its security access details.

  4. Navigate to System Administration > Configuration > System Configuration.

  5. Click anywhere to the right of the words “Memory and Startup.” You’ll see that the needed resource to view the page is %Admin_Manage.

Creating and Assigning Your Own Manager Roles

For pages within the System Administration menu of the Management Portal, you need roles with privileges to the %Admin_Secure and %Admin_Manage resources.

Given this structure, it’s plausible that you’d want to create roles that reflect two levels of management, one that can access all pages except for security-related pages, and the other that can perform all actions, including security-related actions. There is a predefined %Manager role that you can use as a template.

  1. Log into the Management Portal with the _SYSTEM account.

  2. Navigate to System Administration > Security > Roles and click Go. You’ll see a list of roles with which InterSystems IRIS was installed, including a %Manager role.

  3. Click the %Manager link. The General tab displays the privileges (resources paired with permissions) available to users with this role.

    • Among the privileges, you will see use permissions on %Admin_Secure and %Admin_Manage.

    • You’ll see many other privileges as well. This is because you need access to many different resources to be able to view and modify InterSystems IRIS settings. Since we know that there is only one critical resource, %Admin_Secure, in terms of access for security-related pages within System Administration, access to that resource will be the only difference between our two custom roles.

  4. Click Cancel (beneath Edit %Manager) to return to the main Roles page.

Creating a “Standard Manager” Role

  1. On the Roles page, click Create New Role. A role definition page will appear.

  2. In the Name field, enter “Standard_Mgr”.

  3. In the Copy from dropdown, select %Manager. This will copy all information, including privileges, from the predefined %Manager role to the new one.

  4. Change the description to one of your choice, such as “Role for System Administration without security access”.

  5. Click Save. A Role saved message will appear and you’ll see the list of privileges for the new role in the General tab.

  6. In the row for %Admin_Secure, click Delete. This removes the privilege from the role.

  7. Click Save again to save changes.

Creating a “Security Manager” Role

  1. On the Roles page, click Create New Role. A role definition page will appear.

  2. In the Name field, enter “Security_Mgr”.

  3. In the Copy from dropdown, select %Manager. This will copy all information, including privileges, from the predefined %Manager role to the new one.

  4. Change the description to one of your choice, such as “Role for System Administration with security access

  5. Click Save. A Role saved message will appear and you’ll see the list of privileges for the new role in the General tab.

Creating Users and Assigning the New Roles

To see the roles in action, you’ll need to create two users, one for each of your new roles.

  1. Log into the Management Portal with the _SYSTEM account.

  2. Navigate to System Administration > Security > Users and click Go. You’ll see a list of user definitions with which InterSystems IRIS was installed.

Creating a “Standard Manager” User

  1. On the main Users page, click Create New User. A user definition page will appear.

  2. In the Name field, enter “Std_Mgr”. (The name of the user cannot match the name of the role.)

  3. In the Password and Password (confirm) fields, enter a password of your choice.

  4. Click Save. A User saved message will appear.

  5. Click the Roles tab. Scroll through the Available list on the left and highlight Standard_Mgr.

  6. Click the right-pointing arrow to add the role to the Selected list. Then click Assign.

  7. Click Cancel to return to the main Users page.

Creating a “Security Manager” User

  1. On the main Users page, click Create New User. A user definition page will appear.

  2. In the Name field, enter “Sec_Mgr”.

  3. In the Password and Password (confirm) fields, enter a password of your choice.

  4. Click Save. A User saved message will appear.

  5. Click the Roles tab. Scroll through the Available list on the left and highlight Security_Mgr.

  6. Click the right-pointing arrow to add the role to the Selected list. Then click Assign.

  7. Click Cancel to return to the main Users page.

Trying Out the Roles in Management Portal

  1. Log into the Management Portal as the Std_Mgr user. You’ll see that security-related menu options are grayed out, as expected. The Interoperability menu option is also grayed out because the predefined %Manager role from which the two custom roles were copied does not have the privileges necessary for those pages.

    The Management Portal menu for System Administration with restricted access for the Std_Mgr user.

  2. Log out, and log back in as the Sec_Mgr user. This user, as you’ll see, has full access to the pages in the System Administration > Security and System Administration > Encryption submenus.

    The Management Portal menu for System Administration with full access for the Sec_Mgr user.

Learn More About Role-Based Access Control

To learn more about role-based access control and the InterSystems IRIS security model, see: