
Example Three: %DB_USER Resource

In this example you experiment with different privileges on the USER database and a user's ability to use the data and code stored in the database.

  1. Open the Terminal and, while still logged in as UnknownUser, execute the CreateTestData method of SecurityTutorial.AuthorizationExample. This creates some data that we will use later in the example.

    USER>Do ##class(SecurityTutorial.AuthorizationExample).CreateTestData()
    USER>Write ^TestData
  2. Create a new role named UserDatabase. Give the role the following privileges:

    1. %DB_USER:READ.

    2. %Development:USE.

  3. Create a new user and add the user to the UserDatabase role.

  4. Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step.

  5. Execute the ReadTestData method of SecurityTutorial.AuthorizationTests. This method reads some data from the USER database and displays it. Since the user has %DB_USER:READ, the method successfully returns data.

    USER>Do $System.Security.Login("MyUser","MyUser")
    USER>Write $Username,!,$Roles
    USER>Write ##class(SecurityTutorial.AuthorizationExample).ReadTestData()
  6. Now attempt to execute the UpdateTestData method of SecurityTutorial.AuthorizationExample. This method writes some data to the USER database. Since the user does not have %DB_USER:WRITE, the method fails and generates a <PROTECT> error.

    USER>Write $System.Security.Check("%DB_USER")
    USER>Do ##class(SecurityTutorial.AuthorizationExample).UpdateTestData()
      Set ^TestData = "MyUpdatedData" }
    <PROTECT>zUpdateTestData+1^SecurityTutorial.AuthorizationExample.1 ^TestData,c:\intersystems\iris\mgr\user\
    USER 2d1>
  7. Next, edit the UserDatabase role so that it has %DB_USER:READ,WRITE.

  8. While still logged in as the user created above, execute the UpdateTestData method again. The user now has write privileges on the USER database, so the method succeeds.
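
The check-then-write pattern behind steps 5 through 8, as an added example that is not part of the original tutorial. The class name SecurityTutorial.PrivilegeProbe and its Probe method are hypothetical; the code assumes the ^TestData global from step 1 and is meant to be compiled and run in the USER namespace.

```objectscript
/// Added example; the class and method names are hypothetical,
/// not part of the SecurityTutorial package described on this page.
Class SecurityTutorial.PrivilegeProbe Extends %RegisteredObject
{

/// Show what the current process holds on %DB_USER, then attempt the
/// same write that UpdateTestData performs and trap a <PROTECT> error.
/// Returns 1 if the write happened, 0 if it was skipped or denied.
ClassMethod Probe() As %Boolean
{
    Write "User:  ", $Username, !
    Write "Roles: ", $Roles, !

    // One-argument form: the permissions held, e.g. "READ" or "READ,WRITE"
    Write "%DB_USER permissions: ", $SYSTEM.Security.Check("%DB_USER"), !

    // Two-argument form: 1 if the named permission is held, 0 otherwise
    If '$SYSTEM.Security.Check("%DB_USER", "WRITE") {
        Write "No WRITE on %DB_USER; skipping the update.", !
        Return 0
    }

    Set written = 0
    Try {
        Set ^TestData = "MyUpdatedData"
        Set written = 1
        Write "Update succeeded: ", ^TestData, !
    } Catch ex {
        // A denied database write surfaces as a <PROTECT> system error
        If ex.Name = "<PROTECT>" {
            Write "Write denied at ", ex.Location, " (", ex.Data, ")", !
        } Else {
            Throw ex
        }
    }
    Return written
}

}
```

With only %DB_USER:READ (step 5) the method reports READ and returns 0 without touching the global; after step 7 grants READ,WRITE it performs the update and returns 1.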
