
Example Four: $SYSTEM.Security.Check

In this example you experiment with the $SYSTEM.Security.Check method. It can be used within code to check privileges and prevent unauthorized execution of code blocks.

The SecurityTutorial.AuthorizationExample class contains a method named ProtectedMethod. This method uses $SYSTEM.Security.Check to protect a code block. If the user attempting to execute the method has the ProtectedMethod:USE privilege, the method successfully returns the value of $Username. If the user does not have this privilege, the method returns an error.

ClassMethod ProtectedMethod() As %String
{
 // Return the user name only if the process holds USE on the ProtectedMethod resource
 if ($SYSTEM.Security.Check("ProtectedMethod","U")) {
  Return $Username
 }
 Return "Error: Insufficient Privileges"
}

Here are the steps for using the example:

  1. Create a new role named ProtectedMethodExample. Give the role %Development:USE and %DB_USER:RW.

  2. Create a new user and add the user to the ProtectedMethodExample role.

  3. Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step. Attempt to execute the SecurityTutorial.AuthorizationExample ProtectedMethod method. Since the user does not yet have ProtectedMethod:USE, the method returns "Error: Insufficient Privileges".

    USER>Write $System.Security.Login("MyUser","MyUser")
    USER>Write $Username,!,$Roles
    USER>Write ##class(SecurityTutorial.AuthorizationExample).ProtectedMethod()
    Error: Insufficient Privileges

  4. Create a new resource named ProtectedMethod. Assign the resource no Public Permissions. Give the ProtectedMethodExample role ProtectedMethod:USE.

  5. While logged in as the user created above, who is a member of the ProtectedMethodExample role, execute the ProtectedMethod method of SecurityTutorial.AuthorizationExample. Now that the user has ProtectedMethod:USE, the method executes its true branch and returns the value of $Username.

    USER>Write ##class(SecurityTutorial.AuthorizationExample).ProtectedMethod()

To learn more about $SYSTEM.Security.Check, see Check the Privileges of a Process.
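
A stricter variant of ProtectedMethod, added here as an example and not part of the SecurityTutorial sample code: it reports the outcome as a %Status instead of an in-band error string, so a caller cannot mistake the error text for a user name. The class name AuthorizationExampleStrict and the method names ProtectedMethodStrict and Demo are hypothetical; the example also uses the one-argument form of $SYSTEM.Security.Check, which returns a comma-delimited list of the privileges the process holds on the resource.

```objectscript
/// Added example; not part of the SecurityTutorial sample classes.
/// The class and method names are hypothetical.
Class SecurityTutorial.AuthorizationExampleStrict Extends %RegisteredObject
{

/// Fail-closed variant of ProtectedMethod. The user name is returned in an
/// output argument and the outcome in a %Status, so an error can never be
/// read as a valid return value.
ClassMethod ProtectedMethodStrict(Output pUser As %String) As %Status
{
    // Start from the denied state; pUser is only set after the check passes
    Set pUser = ""

    // Two-argument form: 1 if the process holds USE on the resource, else 0
    If '$SYSTEM.Security.Check("ProtectedMethod", "U") {
        // One-argument form: list of privileges the process does hold
        Set held = $SYSTEM.Security.Check("ProtectedMethod")
        Set msg = "ProtectedMethod:USE required; "_$Username_" holds: "_$Select(held="":"none", 1:held)
        Quit $$$ERROR($$$GeneralError, msg)
    }

    Set pUser = $Username
    Quit $$$OK
}

/// Caller that branches on the status rather than on the returned text.
ClassMethod Demo()
{
    Set sc = ..ProtectedMethodStrict(.user)
    If $$$ISERR(sc) {
        Do $SYSTEM.Status.DisplayError(sc)
        Quit
    }
    Write "Authorized as ", user, !
}

}
```

Run Demo as the tutorial user before and after granting ProtectedMethod:USE to the ProtectedMethodExample role to see both branches.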
