
Example Two: %Development Resource

In this example, you create a role that has the %Development:USE privilege. This role grants its members privileges to use the Terminal. The role does not, however, grant its members privileges to execute code in the USER database.

  1. Create a role named DevOnly.

  2. Assign the new role the %Development:USE privilege.

  3. Create a user and add the user to the DevOnly role.

  4. Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step. The DevOnly role provides the user with privileges to use the Terminal.

  5. Attempt to execute the HelloUser method of SecurityTutorial.AuthorizationTests. A user who is a member of the DevOnly role does not have sufficient privileges to execute any code stored in the USER database. Any attempt generates a <PROTECT> error.

    
    USER>Do $System.Security.Login("MyUser","MyUser")
     
    USER>Write $Username,!,$Roles
    MyUser
    DevOnly
    USER>Do ##class(SecurityTutorial.AuthorizationExample).HelloUser()
     
    DO ##CLASS(SecurityTutorial.AuthorizationExample).HelloUser()
    ^
    <PROTECT>
    USER>
    

The problem is that the code is stored in the USER database. In order to execute the code, a user needs permissions to read the USER database. The DevOnly role does not grant these permissions. Enhancing DevOnly by adding the %DB_USER:READ privilege would allow a member of the DevOnly role to execute the code.
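
The same setup can be scripted and checked from an administrator account without logging in as the test user. The class below is an added example, not part of the original tutorial or InterSystems code: the class name Tutorial.DevOnlySetup is hypothetical, and it assumes the Security.Roles and Security.Users classes of the %SYS namespace and $SYSTEM.Security.CheckRolesPermission, run by a user holding %Admin_Secure:USE.

```objectscript
/// Added example (hypothetical class name). Compile and run in %SYS
/// as a user that holds %Admin_Secure:USE.
Class Tutorial.DevOnlySetup
{

/// Steps 1-3: create DevOnly with %Development:USE only, then the user.
ClassMethod Setup() As %Status
{
    set sc = ##class(Security.Roles).Create("DevOnly", "Terminal access only", "%Development:U")
    if $SYSTEM.Status.IsError(sc) { quit sc }
    // Password mirrors the tutorial session; choose a strong one elsewhere.
    quit ##class(Security.Users).Create("MyUser", "DevOnly", "MyUser", "Tutorial user")
}

/// Reports what the role grants. Returns 1 only if members of DevOnly
/// can read the USER database, which is what running its code requires.
ClassMethod CanRunUserCode() As %Boolean
{
    set dev = $SYSTEM.Security.CheckRolesPermission("DevOnly", "%Development", "USE")
    set db = $SYSTEM.Security.CheckRolesPermission("DevOnly", "%DB_USER", "READ")
    write "%Development:USE = ", dev, !
    write "%DB_USER:READ    = ", db, !
    quit db
}

/// The change described above: add %DB_USER:READ to the role.
/// Only the Resources property is passed, so other properties are kept.
ClassMethod GrantUserRead() As %Status
{
    set props("Resources") = "%Development:U,%DB_USER:R"
    quit ##class(Security.Roles).Modify("DevOnly", .props)
}

}
```

Calling CanRunUserCode() before and after GrantUserRead() shows whether the role has picked up read access to USER. If %DB_USER:READ is granted as a public permission on the instance, the check succeeds regardless of the role's own resources.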
