Example Two: %Development Resource
In this example, you create a role that has the %Development:USE privilege. This role grants its members privileges to use the Terminal. The role does not, however, grant its members privileges to execute code in the USER database.
- Create a role named DevOnly.
- Assign the new role the %Development:USE privilege.
- Create a user and add the user to the DevOnly role.
- Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step. The DevOnly role provides the user with privileges to use the Terminal.
- Attempt to execute the HelloUser method of SecurityTutorial.AuthorizationTests. A user who is a member of the DevOnly role does not have sufficient privileges to execute any code stored in the USER database. Any attempt generates a <PROTECT> error.
USER>Do $System.Security.Login("MyUser","MyUser")
USER>Write $Username,!,$Roles
MyUser
DevOnly
USER>Do ##class(SecurityTutorial.AuthorizationExample).HelloUser()
DO ##CLASS(SecurityTutorial.AuthorizationExample).HelloUser()
^
<PROTECT>
USER>
The problem is that the code is stored in the USER database. In order to execute the code, a user needs permissions to read the USER database. The DevOnly role does not grant these permissions. Enhancing DevOnly by adding the %DB_USER:READ privilege would allow a member of the DevOnly role to execute the code.
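The steps above and the %DB_USER:READ fix can also be scripted with the Security.Roles and Security.Users classes. The class below is an added example, not part of the original tutorial: the class name SecurityTutorial.DevOnlySetup, its method names and the description strings are hypothetical, and it assumes an administrator compiles and runs it, since the Security classes are only available from the %SYS namespace.

```objectscript
/// Added example (hypothetical helper, not the tutorial's own code).
/// Run by an administrator; MyUser cannot run it before the fix.
Class SecurityTutorial.DevOnlySetup Extends %RegisteredObject
{

/// Steps 1-3: a role holding only %Development:USE, and a user in that role.
ClassMethod Setup() As %Status
{
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"    // Security.* classes live in %SYS
    // Resources argument is a list of Resource:Permission pairs (U = USE)
    Set sc = ##class(Security.Roles).Create("DevOnly", "Terminal access only", "%Development:U")
    If $$$ISERR(sc) Quit sc
    // Arguments: username, roles, password, full name, startup namespace
    Quit ##class(Security.Users).Create("MyUser", "DevOnly", "MyUser", "Tutorial user", "USER")
}

/// The fix: give DevOnly read access to the USER database as well.
ClassMethod GrantUserDbRead() As %Status
{
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"
    // Restate the full list so the role ends up with exactly these two pairs
    Set props("Resources") = "%Development:U,%DB_USER:R"
    Quit ##class(Security.Roles).Modify("DevOnly", .props)
}

/// Print the resource/permission pairs currently held by DevOnly.
ClassMethod ShowRole() As %Status
{
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"
    Set sc = ##class(Security.Roles).Get("DevOnly", .props)
    If $$$ISERR(sc) Quit sc
    Write "DevOnly resources: ", $Get(props("Resources")), !
    Quit $$$OK
}

}
```

After logging in as MyUser, typing Write $SYSTEM.Security.Check("%DB_USER","READ") at the Terminal prompt shows whether the process holds the permission (1 if it does, 0 if not), so the effect of GrantUserDbRead can be confirmed before retrying HelloUser.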