Security.System
persistent class Security.System extends %Library.Persistent, %SYSTEM.Help, %XML.Adaptor
SQL Table Name: Security.System
Manipulate the System security settings. The table for this class should be manipulated only through object access, the published APIs, or through the System Management Portal. It should not be updated through direct SQL access.
Property Inventory
- AuditEnabled
- AuditEncrypt
- AuditFlags
- AutheEnabled
- ConfigurationSecurityEnabled
- DBEncDefaultKeyID
- DBEncIRISTemp
- DBEncJournal
- DBEncJournalKeyID
- DefaultSecurityDomain
- DefaultSignatureHash
- EscalateAuthTimeout
- EscalateLoginTimeout
- InactiveLimit
- InvalidLoginAction
- InvalidLoginLimit
- JWTIssuer
- JWTSigAlg
- LoginCookieTimeout
- PasswordExpirationDays
- PasswordHashAlgorithm
- PasswordHashWorkFactor
- PasswordPattern
- PasswordValidationRoutine
- PercentGlobalWrite
- PrivateJWKS
- PublicJWKS
- RequiredRole
- SMTPPassword
- SMTPServer
- SMTPUsername
- SSLECPServer
- SSLTelnetServer
- SecurityDomains
- TwoFactorFrom
- TwoFactorPWIssuer
- TwoFactorTimeout
Method Inventory
- Exists()
- Export()
- ExportAll()
- Get()
- GetInstallationSecuritySetting()
- GetProperties()
- Import()
- ImportAll()
- Modify()
Properties
property AuditEnabled as Security.Datatype.BooleanYN [ InitialExpression = 0 ];
Enable auditing.
Setting this property to 1 will turn on the audit subsystem and cause audit records to be written to the audit file. Installing with "Minimal" security will cause auditing to be off (0). Installing with "Normal" or "Locked Down" security will cause auditing to be turned on.
Property methods: AuditEnabledDisplayToLogical(), AuditEnabledGet(), AuditEnabledGetStored(), AuditEnabledIsValid(), AuditEnabledLogicalToDisplay(), AuditEnabledLogicalToOdbc(), AuditEnabledLogicalToXSD(), AuditEnabledNormalize(), AuditEnabledOdbcToLogical(), AuditEnabledSet(), AuditEnabledXSDToLogical()
property AuditEncrypt as Security.Datatype.BooleanYN (XMLPROJECTION = "NONE") [ InitialExpression = 0 ];
Encrypt audit file.
Setting this property to 1 will cause the audit database to be encrypted. In order to encrypt the audit database, a valid database encryption key must be loaded on the system. Note that if encryption is enabled, the existing audit database and any data it contains will be deleted as soon as the property is modified. If encryption is changed from enabled to disabled, the existing audit database and any data it contains will also be deleted. By default, this property is set to 0 during installation.
Property methods: AuditEncryptDisplayToLogical(), AuditEncryptGet(), AuditEncryptGetStored(), AuditEncryptIsValid(), AuditEncryptLogicalToDisplay(), AuditEncryptLogicalToOdbc(), AuditEncryptLogicalToXSD(), AuditEncryptNormalize(), AuditEncryptOdbcToLogical(), AuditEncryptSet(), AuditEncryptXSDToLogical()
property AuditFlags as %Integer [ InitialExpression = 0 ];
Flags to govern audit behavior.
Bit 0 - Freeze system on audit write failure.
If the freeze system bit is turned on, any failure to write to the audit file will cause the system to freeze by setting the WDSTOP bit. Failures could include a file full, disk full, or disk write error condition. To fix this condition, you must force the system down, and either free up disk space, or replace the audit IRIS.DAT file with a new, smaller one. If you enable this parameter, make sure that you have lots of disk space allocated for the audit database. You probably also do not want to set a max size on the audit database either (i.e. leave the max database size set to its default of 0.)
Property methods: AuditFlagsDisplayToLogical(), AuditFlagsGet(), AuditFlagsGetStored(), AuditFlagsIsValid(), AuditFlagsLogicalToDisplay(), AuditFlagsNormalize(), AuditFlagsSet(), AuditFlagsXSDToLogical()
property AutheEnabled as Security.Datatype.Authentication;
Authentication and CSP Session options enabled for the system.
Bit 0 = AutheK5CCache
Bit 1 = AutheK5Prompt
Bit 2 = AutheK5API
Bit 3 = AutheK5KeyTab
Bit 4 = AutheOS
Bit 5 = AuthePassword
Bit 6 = AutheUnauthenticated
Bit 7 = AutheKB
Bit 8 = AutheKBEncryption
Bit 9 = AutheKBIntegrity
Bit 10 = AutheSystem
Bit 11 = AutheLDAP
Bit 12 = AutheLDAPCache
Bit 13 = AutheDelegated
Bit 14 = LoginToken
Bit 15-19 reserved
Bit 20 = TwoFactorSMS
Bit 21 = TwoFactorPW
Bit 22-24 reserved
Bit 25 = MutualTLS
Depending on the installation security options selected, these different authentication and CSP Session options may be either enabled or disabled. These options govern at the system wide level what authentication and CSP session options are available for the system. If an authentication or CSP session option is disabled at the system level, it will also be disabled for all the services and CSP applications. If the authentication or CSP Session option is enabled at the system level, it may be individually enabled or disabled for each service and CSP application on the system, if the service or CSP application supports that method. See the Security.Services class for enabling/disabling authentication for each individual service, and the Security.Applications class for CSP applications. Note that these bits correspond to the same bit numbers in the Security.Services and Security.Applications class.
Property methods: AutheEnabledDisplayToLogical(), AutheEnabledGet(), AutheEnabledGetStored(), AutheEnabledIsValid(), AutheEnabledLogicalToDisplay(), AutheEnabledLogicalToOdbc(), AutheEnabledNormalize(), AutheEnabledSet(), AutheEnabledXSDToLogical()
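The AutheEnabled value is stored as a single integer, so reviewing it means decoding the bit positions listed above. The following is an added Python example (not code from the Security.System class or from InterSystems) that decodes and encodes the bitmask using the documented bit numbers and reports the settings a reviewer would normally want flagged; the sample values are constructed.

```python
# Decoder for the Security.System AutheEnabled bitmask.
# Bit numbers are the ones documented for the property (same numbering is
# stated to apply to Security.Services and Security.Applications).
AUTHE_BITS = {
    0: "AutheK5CCache",
    1: "AutheK5Prompt",
    2: "AutheK5API",
    3: "AutheK5KeyTab",
    4: "AutheOS",
    5: "AuthePassword",
    6: "AutheUnauthenticated",
    7: "AutheKB",
    8: "AutheKBEncryption",
    9: "AutheKBIntegrity",
    10: "AutheSystem",
    11: "AutheLDAP",
    12: "AutheLDAPCache",
    13: "AutheDelegated",
    14: "LoginToken",
    20: "TwoFactorSMS",
    21: "TwoFactorPW",
    25: "MutualTLS",
}
# Bits 15-19 and 22-24 are documented as reserved.
RESERVED_BITS = set(range(15, 20)) | set(range(22, 25))


def decode_authe_enabled(value):
    """Return (enabled_option_names, undocumented_bits_set) for an integer."""
    enabled = [name for bit, name in sorted(AUTHE_BITS.items()) if (value >> bit) & 1]
    unknown = [bit for bit in range(value.bit_length())
               if (value >> bit) & 1 and bit not in AUTHE_BITS]
    return enabled, unknown


def encode_authe_enabled(names):
    """Build the integer for a list of option names (inverse of decode)."""
    by_name = {name: bit for bit, name in AUTHE_BITS.items()}
    value = 0
    for name in names:
        value |= 1 << by_name[name]   # KeyError for a name not in the table
    return value


def review_authe_enabled(value):
    """Return review findings (strings) for a system-wide AutheEnabled value.

    A system-level bit only makes the option available to services and CSP
    applications, which enable it individually, so a finding here means
    'check where it is used', not that any service is misconfigured.
    """
    enabled, unknown = decode_authe_enabled(value)
    enabled_set = set(enabled)
    findings = []
    if "AutheUnauthenticated" in enabled_set:
        findings.append("AutheUnauthenticated is enabled system-wide; "
                        "check which services/CSP applications enable it")
    if "AutheKB" in enabled_set and not (
            {"AutheKBEncryption", "AutheKBIntegrity"} & enabled_set):
        findings.append("AutheKB enabled without AutheKBEncryption or "
                        "AutheKBIntegrity")
    if unknown:
        kinds = ["reserved" if b in RESERVED_BITS else "undocumented" for b in unknown]
        findings.append("bits set outside the documented table: "
                        + ", ".join(f"{b} ({k})" for b, k in zip(unknown, kinds)))
    return findings


if __name__ == "__main__":
    # Constructed sample: password + unauthenticated + Kerberos (bits 5, 6, 7).
    sample = encode_authe_enabled(["AuthePassword", "AutheUnauthenticated", "AutheKB"])
    print(sample, decode_authe_enabled(sample))
    for finding in review_authe_enabled(sample):
        print("-", finding)
```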
property ConfigurationSecurityEnabled as Security.Datatype.BooleanYN [ InitialExpression = 0 ];
Configuration security enabled.
If configuration security is enabled, then if the system detects that the .CPF configuration file has been changed externally (outside of the Management Portal), the system will inform the user that the configuration has changed, and will prompt for a username/password when it next starts up. The username entered must own the %Admin_Manage:Use resource in order for the new configuration to start. If they do not, or the authentication fails, the previous good configuration is used to start the system, and the new configuration changes which were not activated are written to a backup file. By default, this property is set to 0 during installation.
Property methods: ConfigurationSecurityEnabledDisplayToLogical(), ConfigurationSecurityEnabledGet(), ConfigurationSecurityEnabledGetStored(), ConfigurationSecurityEnabledIsValid(), ConfigurationSecurityEnabledLogicalToDisplay(), ConfigurationSecurityEnabledLogicalToOdbc(), ConfigurationSecurityEnabledLogicalToXSD(), ConfigurationSecurityEnabledNormalize(), ConfigurationSecurityEnabledOdbcToLogical(), ConfigurationSecurityEnabledSet(), ConfigurationSecurityEnabledXSDToLogical()
property DBEncDefaultKeyID as %String (MAXLEN = 64, XMLPROJECTION = "NONE");
Database encryption key ID to use for new encrypted databases.
Property methods: DBEncDefaultKeyIDDisplayToLogical(), DBEncDefaultKeyIDGet(), DBEncDefaultKeyIDGetStored(), DBEncDefaultKeyIDIsValid(), DBEncDefaultKeyIDLogicalToDisplay(), DBEncDefaultKeyIDLogicalToOdbc(), DBEncDefaultKeyIDNormalize(), DBEncDefaultKeyIDSet()
property DBEncIRISTemp as Security.Datatype.BooleanYN (XMLPROJECTION = "NONE") [ InitialExpression = 0 ];
Encrypt IRISTemp database.
If the encrypt IRISTemp database property is enabled, the next time the system is restarted the IRISTemp database will be recreated as encrypted. In order to encrypt the IRISTemp database, a valid database encryption key must be loaded on the system. If this parameter is changed from enabled to disabled, the next time the system restarts the database will be created unencrypted. By default, this property is set to 0 during installation.
Property methods: DBEncIRISTempDisplayToLogical(), DBEncIRISTempGet(), DBEncIRISTempGetStored(), DBEncIRISTempIsValid(), DBEncIRISTempLogicalToDisplay(), DBEncIRISTempLogicalToOdbc(), DBEncIRISTempLogicalToXSD(), DBEncIRISTempNormalize(), DBEncIRISTempOdbcToLogical(), DBEncIRISTempSet(), DBEncIRISTempXSDToLogical()
property DBEncJournal as Security.Datatype.BooleanYN (XMLPROJECTION = "NONE") [ InitialExpression = 0 ];
Encrypt Journal files.
If the encrypt journal files property is enabled, the journal file will be switched, and the new journal file will be created as encrypted. In order to encrypt the journal file, a valid database encryption key must be loaded on the system. If this parameter is changed from enabled to disabled, the journal file is switched, and the new journal file will be created unencrypted. By default, this property is set to 0 during installation.
Property methods: DBEncJournalDisplayToLogical(), DBEncJournalGet(), DBEncJournalGetStored(), DBEncJournalIsValid(), DBEncJournalLogicalToDisplay(), DBEncJournalLogicalToOdbc(), DBEncJournalLogicalToXSD(), DBEncJournalNormalize(), DBEncJournalOdbcToLogical(), DBEncJournalSet(), DBEncJournalXSDToLogical()
property DBEncJournalKeyID as %String (MAXLEN = 64, XMLPROJECTION = "NONE");
Database encryption key ID to use for encrypting journal files.
Property methods: DBEncJournalKeyIDDisplayToLogical(), DBEncJournalKeyIDGet(), DBEncJournalKeyIDGetStored(), DBEncJournalKeyIDIsValid(), DBEncJournalKeyIDLogicalToDisplay(), DBEncJournalKeyIDLogicalToOdbc(), DBEncJournalKeyIDNormalize(), DBEncJournalKeyIDSet()
property DefaultSecurityDomain as %String (MAXLEN = 128, MINLEN = 1);
Default domain system belongs to.
This property is the default kerberos security domain which the system will use for kerberos authentication. During installation, the system will attempt to set this property to the correct value. If you decide to use kerberos authentication, you may need to modify this value.
Property methods: DefaultSecurityDomainDisplayToLogical(), DefaultSecurityDomainGet(), DefaultSecurityDomainGetStored(), DefaultSecurityDomainIsValid(), DefaultSecurityDomainLogicalToDisplay(), DefaultSecurityDomainLogicalToOdbc(), DefaultSecurityDomainNormalize(), DefaultSecurityDomainSet()
property DefaultSignatureHash as %String (VALUELIST = ",SHA1,SHA256,SHA384,SHA512,", XMLPROJECTION = "NONE") [ InitialExpression = "SHA256" ];
The default hashing algorithm to use for digital signatures if no hashing algorithm is explicitly specified, which is the usual case. This default is used for creating signatures based on RSA keys or HMAC, and the default is applied during signature creation.
The valid values for DefaultSignatureHash are SHA1, SHA256, SHA384 and SHA512. Previously the default was SHA1, but it is now changed to SHA256 in accord with the NIST recommendation.
- The default digest method is used as the DigestMethod for each referenced element to sign. %XML.Security.Signature.DigestMethodAlgorithm defaults based on the value of DefaultSignatureHash:
  SHA1: $$$SOAPWSsha1 ("http://www.w3.org/2000/09/xmldsig#sha1")
  SHA256: $$$SOAPWSsha256 ("http://www.w3.org/2001/04/xmlenc#sha256")
  SHA384: $$$SOAPWSsha384 ("http://www.w3.org/2001/04/xmldsig-more#sha384")
  SHA512: $$$SOAPWSsha512 ("http://www.w3.org/2001/04/xmlenc#sha512")
- A signature based on RSA keys is created by %XML.Security.Signature:CreateX509. %XML.Security.Signature.SignatureMethod.Algorithm (the signing algorithm to be used) defaults based on the value of DefaultSignatureHash:
  SHA1: $$$SOAPWSrsasha1 ("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
  SHA256: $$$SOAPWSrsasha256 ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
  SHA384: $$$SOAPWSrsasha384 ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384")
  SHA512: $$$SOAPWSrsasha512 ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
- A signature based on HMAC is created by %XML.Security.Signature:Create. %XML.Security.Signature.SignatureMethod.Algorithm (the signing algorithm to be used) defaults based on the value of DefaultSignatureHash:
  SHA1: $$$SOAPWShmacsha1 ("http://www.w3.org/2000/09/xmldsig#hmac-sha1")
  SHA256: $$$SOAPWShmacsha256 ("http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
  SHA384: $$$SOAPWShmacsha384 ("http://www.w3.org/2001/04/xmldsig-more#hmac-sha384")
  SHA512: $$$SOAPWShmacsha512 ("http://www.w3.org/2001/04/xmldsig-more#hmac-sha512")
Property methods: DefaultSignatureHashDisplayToLogical(), DefaultSignatureHashGet(), DefaultSignatureHashGetStored(), DefaultSignatureHashIsValid(), DefaultSignatureHashLogicalToDisplay(), DefaultSignatureHashLogicalToOdbc(), DefaultSignatureHashNormalize(), DefaultSignatureHashSet()
property EscalateAuthTimeout as %Integer (MINVAL = 0) [ InitialExpression = 0 , Required ];
The Authentication timeout for Escalated logins.
For interactive processes, when the user is logging in to an Escalation Role (via $system.Security.EscalateLogin()), the user will not be asked to authenticate if the user has previously logged in within the Authentication timeout. A value of '0' indicates that the user should always be prompted to authenticate. A value greater than zero indicates the number of seconds for which the previous login is considered valid. This timeout only applies to escalated logins.
Property methods: EscalateAuthTimeoutDisplayToLogical(), EscalateAuthTimeoutGet(), EscalateAuthTimeoutGetStored(), EscalateAuthTimeoutIsValid(), EscalateAuthTimeoutLogicalToDisplay(), EscalateAuthTimeoutNormalize(), EscalateAuthTimeoutSet(), EscalateAuthTimeoutXSDToLogical()
property EscalateLoginTimeout as %Integer (MINVAL = 0) [ InitialExpression = 300 , Required ];
The timeout for Escalated logins.
For interactive processes, if the user is in the escalated shell ($System.Security.EscalateLogin()) and is inactive for longer than this number of seconds, the screen will be locked, and the user will need to re-authenticate before continuing.
Property methods: EscalateLoginTimeoutDisplayToLogical(), EscalateLoginTimeoutGet(), EscalateLoginTimeoutGetStored(), EscalateLoginTimeoutIsValid(), EscalateLoginTimeoutLogicalToDisplay(), EscalateLoginTimeoutNormalize(), EscalateLoginTimeoutSet(), EscalateLoginTimeoutXSDToLogical()
property InactiveLimit as %Integer (MINVAL = 0) [ InitialExpression = 90 , Required ];
Inactive login limit.
This property is the number of days an InterSystems IRIS security user account can be inactive before it is disabled. Setting this property to 0 will disable account inactivation.
Property methods: InactiveLimitDisplayToLogical(), InactiveLimitGet(), InactiveLimitGetStored(), InactiveLimitIsValid(), InactiveLimitLogicalToDisplay(), InactiveLimitNormalize(), InactiveLimitSet(), InactiveLimitXSDToLogical()
property InvalidLoginAction as %Integer (MAXVAL = 1, MINVAL = 0) [ InitialExpression = 0 ];
Action to take when the InvalidLoginLimit is reached for a user.
Bit 0 - Disable user account
Property methods: InvalidLoginActionDisplayToLogical(), InvalidLoginActionGet(), InvalidLoginActionGetStored(), InvalidLoginActionIsValid(), InvalidLoginActionLogicalToDisplay(), InvalidLoginActionNormalize(), InvalidLoginActionSet(), InvalidLoginActionXSDToLogical()
property InvalidLoginLimit as %Integer (MINVAL = 0) [ InitialExpression = 5 , Required ];
Invalid login limit.
This property is the number of consecutive times a user can attempt to log into an InterSystems IRIS security account and fail. Once this limit is reached, the process attempting to log in will start to "hang" for longer periods of time before an access denied message is returned to the user. Setting this property to 0 will disable this feature.
Property methods: InvalidLoginLimitDisplayToLogical(), InvalidLoginLimitGet(), InvalidLoginLimitGetStored(), InvalidLoginLimitIsValid(), InvalidLoginLimitLogicalToDisplay(), InvalidLoginLimitNormalize(), InvalidLoginLimitSet(), InvalidLoginLimitXSDToLogical()
property JWTIssuer as %String (MAXLEN = 1024);
Property methods: JWTIssuerDisplayToLogical(), JWTIssuerGet(), JWTIssuerGetStored(), JWTIssuerIsValid(), JWTIssuerLogicalToDisplay(), JWTIssuerLogicalToOdbc(), JWTIssuerNormalize(), JWTIssuerSet()
property JWTSigAlg as %String (VALUELIST = ",RS256,RS384,RS512,ES256,ES384,ES512") [ InitialExpression = "ES256" ];
Property methods: JWTSigAlgDisplayToLogical(), JWTSigAlgGet(), JWTSigAlgGetStored(), JWTSigAlgIsValid(), JWTSigAlgLogicalToDisplay(), JWTSigAlgLogicalToOdbc(), JWTSigAlgNormalize(), JWTSigAlgSet()
property LoginCookieTimeout as %Integer [ InitialExpression = 0 ];
Property methods: LoginCookieTimeoutDisplayToLogical(), LoginCookieTimeoutGet(), LoginCookieTimeoutGetStored(), LoginCookieTimeoutIsValid(), LoginCookieTimeoutLogicalToDisplay(), LoginCookieTimeoutNormalize(), LoginCookieTimeoutSet(), LoginCookieTimeoutXSDToLogical()
property PasswordExpirationDays as %Integer [ InitialExpression = 0 , Required ];
Password expiration period.
This property governs how long a password for a user can be used before it expires. Once a password expires, the user must change their password before they can log in the next time. If this property is set to 0, passwords will not expire on the system.
Property methods: PasswordExpirationDaysDisplayToLogical(), PasswordExpirationDaysGet(), PasswordExpirationDaysGetStored(), PasswordExpirationDaysIsValid(), PasswordExpirationDaysLogicalToDisplay(), PasswordExpirationDaysNormalize(), PasswordExpirationDaysSet(), PasswordExpirationDaysXSDToLogical()
property PasswordHashAlgorithm as Security.Datatype.PBKDF2Alg [ InitialExpression = "SHA512" , Required ];
Target hash algorithm for storing PBKDF2 password hashes. More secure hashes increase the result's resistance to attack. If a user logs in via password, and their hash was calculated using a different algorithm, it will be re-calculated and re-stored appropriately. This allows frictionless migration to new PBKDF2 standards as users log in over time.
Property methods: PasswordHashAlgorithmDisplayToLogical(), PasswordHashAlgorithmGet(), PasswordHashAlgorithmGetStored(), PasswordHashAlgorithmIsValid(), PasswordHashAlgorithmLogicalToBitLength(), PasswordHashAlgorithmLogicalToDisplay(), PasswordHashAlgorithmLogicalToOdbc(), PasswordHashAlgorithmNormalize(), PasswordHashAlgorithmSet()
property PasswordHashWorkFactor as %Integer (MINVAL = 10000) [ InitialExpression = 10000 , Required ];
Target work factor for storing PBKDF2 password hashes. Higher values increase the result's resistance to attack, as well as the CPU cost of authenticating passwords. If a user logs in via password, and the work factor of their hash does not match this value, it will be re-calculated and re-stored appropriately. This allows frictionless migration to new PBKDF2 standards as users log in over time.
Property methods: PasswordHashWorkFactorDisplayToLogical(), PasswordHashWorkFactorGet(), PasswordHashWorkFactorGetStored(), PasswordHashWorkFactorIsValid(), PasswordHashWorkFactorLogicalToDisplay(), PasswordHashWorkFactorNormalize(), PasswordHashWorkFactorSet(), PasswordHashWorkFactorXSDToLogical()
property PasswordPattern as %String (MAXLEN = 64) [ InitialExpression = "3.128ANP" ];
Password Pattern.
When a user is created in the InterSystems IRIS security database, or a user changes their password, the password is pattern matched against the pattern stored in this property to determine if it matches. If it matches, then the password is allowed. By default, the password must be between 3 and 32 characters, with alphanumerics and punctuations. A security setting of "locked down" selected during install requires it to be a minimum of 8 characters long. The Password pattern may be set to null meaning no pattern match on the password.
Property methods: PasswordPatternDisplayToLogical(), PasswordPatternGet(), PasswordPatternGetStored(), PasswordPatternIsValid(), PasswordPatternLogicalToDisplay(), PasswordPatternLogicalToOdbc(), PasswordPatternNormalize(), PasswordPatternSet()
property PasswordValidationRoutine as %String (MAXLEN = 128);
Password validation routine.
When a user is created in the InterSystems IRIS security database, or a user changes their password, the specified routine is called to validate the password. A tag reference may also be included in the property. The routine should be provided by the user, and must exist in the %SYS namespace (it may be mapped to a different database however.) The routine will take 2 parameters, a Username and new password, and should return a %Status code of $$$OK for successful password validation, or an error code formatted into a %Status variable. The username passed into the function will be in all lowercase, and will contain the domain name if multiple domains are enabled for the system.
Here is an example of a password validation routine. Enter CHECK^PASSWORD into this property to call it:
PASSWORD ; Validate a user's password
#include %occInclude
CHECK(Username,Password) PUBLIC {
    ; See if the password was previously used. If it was, return an error.
    ; Allow the user to change it to the same one as current.
    ; Store the list of previously used passwords for the user as a hashed value.
    s PasswordHash=$System.Encryption.SHA1Hash(Password)
    i $d(^PASSWORDLIST(Username,PasswordHash)) {
        i ^PASSWORDLIST(Username,"Current")'=PasswordHash {
            q $$$ERROR($$$GeneralError,"Password was previously used")
        }
    }
    s ^PASSWORDLIST(Username,PasswordHash)=$h
    s ^PASSWORDLIST(Username,"Current")=PasswordHash
    q $$$OK
}
Property methods: PasswordValidationRoutineDisplayToLogical(), PasswordValidationRoutineGet(), PasswordValidationRoutineGetStored(), PasswordValidationRoutineIsValid(), PasswordValidationRoutineLogicalToDisplay(), PasswordValidationRoutineLogicalToOdbc(), PasswordValidationRoutineNormalize(), PasswordValidationRoutineSet()
property PercentGlobalWrite as %Integer [ InitialExpression = 0 ];
Allow writing to % globals.
When this property is set to 1, any user on the system is allowed to write to any "%" global (like ^%IS) mapped to the IRISSYS database. When this property is set to 0, only users with write access to the %DB_IRISSYS resource can write to "%" globals. During installation this is set to 1 for "Minimal" security, and 0 for "Normal" and "Locked Down" security.
Property methods: PercentGlobalWriteDisplayToLogical(), PercentGlobalWriteGet(), PercentGlobalWriteGetStored(), PercentGlobalWriteIsValid(), PercentGlobalWriteLogicalToDisplay(), PercentGlobalWriteNormalize(), PercentGlobalWriteSet(), PercentGlobalWriteXSDToLogical()
property PrivateJWKS as %String (MAXLEN = 2048);
Property methods: PrivateJWKSDisplayToLogical(), PrivateJWKSGet(), PrivateJWKSGetStored(), PrivateJWKSIsValid(), PrivateJWKSLogicalToDisplay(), PrivateJWKSLogicalToOdbc(), PrivateJWKSNormalize(), PrivateJWKSSet()
property PublicJWKS as %String (MAXLEN = 2048);
Property methods: PublicJWKSDisplayToLogical(), PublicJWKSGet(), PublicJWKSGetStored(), PublicJWKSIsValid(), PublicJWKSLogicalToDisplay(), PublicJWKSLogicalToOdbc(), PublicJWKSNormalize(), PublicJWKSSet()
property RequiredRole as %String (MAXLEN = 64);
Required role to log into system.
Setting this value to a valid role will require any user logging into the system to own this role as part of their login roles. If the user does not own this role, they will receive an "Access denied" message when they try to log in. This is usually used when the system is configured for LDAP or User defined authentication to restrict unauthorized users from accessing a system. When using LDAP or user defined authentication, user roles are assigned from the LDAP database or the user defined security database. For example, if this property is set to "ACCOUNTSPAYABLE", then the user logging in must be assigned the ACCOUNTSPAYABLE role on the LDAP server, or from the user defined database. Leave as "" if not required. Note that if the user logging in is assigned the "%All" role from the LDAP server or user defined database, then that will override any role entered here.
Property methods: RequiredRoleDisplayToLogical(), RequiredRoleGet(), RequiredRoleGetStored(), RequiredRoleIsValid(), RequiredRoleLogicalToDisplay(), RequiredRoleLogicalToOdbc(), RequiredRoleNormalize(), RequiredRoleSet()
property SMTPPassword as %String;
Password for sending email
Property methods: SMTPPasswordDisplayToLogical(), SMTPPasswordGet(), SMTPPasswordGetStored(), SMTPPasswordIsValid(), SMTPPasswordLogicalToDisplay(), SMTPPasswordLogicalToOdbc(), SMTPPasswordNormalize(), SMTPPasswordSet()
property SMTPServer as %String;
Server DNS name for sending email
Property methods: SMTPServerDisplayToLogical(), SMTPServerGet(), SMTPServerGetStored(), SMTPServerIsValid(), SMTPServerLogicalToDisplay(), SMTPServerLogicalToOdbc(), SMTPServerNormalize(), SMTPServerSet()
property SMTPUsername as %String;
Username for sending email
Property methods: SMTPUsernameDisplayToLogical(), SMTPUsernameGet(), SMTPUsernameGetStored(), SMTPUsernameIsValid(), SMTPUsernameLogicalToDisplay(), SMTPUsernameLogicalToOdbc(), SMTPUsernameNormalize(), SMTPUsernameSet()
property SSLECPServer as %Integer (MAXVAL = 2, MINVAL = 0) [ InitialExpression = 0 ];
Use SSL/TLS for ECP Server connections.
0 = None
1 = Accept
2 = Require
Property methods: SSLECPServerDisplayToLogical(), SSLECPServerGet(), SSLECPServerGetStored(), SSLECPServerIsValid(), SSLECPServerLogicalToDisplay(), SSLECPServerNormalize(), SSLECPServerSet(), SSLECPServerXSDToLogical()
property SSLTelnetServer as %Integer (MAXVAL = 2, MINVAL = 0) [ InitialExpression = 0 ];
Use SSL/TLS for Telnet Server connections (Windows only).
0 = None
1 = Accept
2 = Require
Property methods: SSLTelnetServerDisplayToLogical(), SSLTelnetServerGet(), SSLTelnetServerGetStored(), SSLTelnetServerIsValid(), SSLTelnetServerLogicalToDisplay(), SSLTelnetServerNormalize(), SSLTelnetServerSet(), SSLTelnetServerXSDToLogical()
property SecurityDomains as Security.Datatype.BooleanYN [ InitialExpression = 0 ];
Allow multiple security domains.
This property should only be set to 1 if you are using Kerberos and wish to allow cross-domain realm authentication. Turning it on will cause all usernames to include the domain from which they are logging in. Thus a $username such as "Steve" will then be displayed and used as Steve@domainname.com.
Property methods: SecurityDomainsDisplayToLogical(), SecurityDomainsGet(), SecurityDomainsGetStored(), SecurityDomainsIsValid(), SecurityDomainsLogicalToDisplay(), SecurityDomainsLogicalToOdbc(), SecurityDomainsLogicalToXSD(), SecurityDomainsNormalize(), SecurityDomainsOdbcToLogical(), SecurityDomainsSet(), SecurityDomainsXSDToLogical()
property TwoFactorFrom as %String;
"From:" field for two-factor security token messages
Property methods: TwoFactorFromDisplayToLogical(), TwoFactorFromGet(), TwoFactorFromGetStored(), TwoFactorFromIsValid(), TwoFactorFromLogicalToDisplay(), TwoFactorFromLogicalToOdbc(), TwoFactorFromNormalize(), TwoFactorFromSet()
property TwoFactorPWIssuer as %String (MAXLEN = 256) [ InitialExpression = $p($zv," ",1)_"-"_$zu(110)_"-"_$p($zu(86),"*",2) ];
Property methods: TwoFactorPWIssuerDisplayToLogical(), TwoFactorPWIssuerGet(), TwoFactorPWIssuerGetStored(), TwoFactorPWIssuerIsValid(), TwoFactorPWIssuerLogicalToDisplay(), TwoFactorPWIssuerLogicalToOdbc(), TwoFactorPWIssuerNormalize(), TwoFactorPWIssuerSet()
property TwoFactorTimeout as %Integer [ InitialExpression = 180 ];
Timeout for receiving security token in two-factor authentication, in seconds
Property methods: TwoFactorTimeoutDisplayToLogical(), TwoFactorTimeoutGet(), TwoFactorTimeoutGetStored(), TwoFactorTimeoutIsValid(), TwoFactorTimeoutLogicalToDisplay(), TwoFactorTimeoutNormalize(), TwoFactorTimeoutSet(), TwoFactorTimeoutXSDToLogical()
Methods
classmethod Exists(Name As %String = $$$SystemSecurityName, ByRef System As %ObjectHandle, ByRef Status As %Status) as %Boolean
System security configuration exists.
Used to get a handle to the Security.System object.
Parameters:
Name - Always "SYSTEM".
Return values:
If Value of the method = 0 (System config does not exist, or some error occurred)
System = Null
Status = System does not exist, or other error message
If Value of the method = 1 (System config exists)
System = Object handle to System config
Status = $$$OK
classmethod Export(FileName As %String = "SystemExport.xml", ByRef NumExported As %Integer) as %Status
This method exports the System security record to a file in xml format.
Parameters:
Filename - Output file name
NumExported (byref) - Returns number of records exported.
classmethod ExportAll(FileName As %String = "SecurityExport.xml", ByRef NumExported As %String, Flags As %Integer = -1) as %Status
Export All Security records to an xml file.
Parameters:
FileName - Output file name
NumExported (byref) - Returns number of records exported for each type of security record:
- NumExported("System")
- NumExported("Event")
- NumExported("Service")
- NumExported("Resource")
- NumExported("Role")
- NumExported("User")
- NumExported("Application")
- NumExported("SSLConfig")
- NumExported("PhoneProvider")
- NumExported("X509Credentials")
- NumExported("OpenAMIdentityService")
- NumExported("SQLPrivileges")
- NumExported("X509Users")
- NumExported("DocDB")
- NumExported("LDAPConfig")
- NumExported("KMIPConfig")
Flags - Which types of security record to export, as a bit mask (the default, -1, exports all types):
- Bit 0 - System
- Bit 1 - Events
- Bit 2 - Services
- Bit 4 - Resources
- Bit 5 - Roles
- Bit 6 - Users
- Bit 7 - Applications
- Bit 8 - SSL Configs
- Bit 9 - PhoneProvider
- Bit 10 - X509Credential
- Bit 11 - OpenAMIdentityService
- Bit 12 - SQL privileges
- Bit 13 - X509Users
- Bit 14 - DocDBs
- Bit 15 - LDAPConfig
- Bit 16 - KMIPServer
- Bit 17 - Servers
To export records for multiple areas, sum the values for the relevant areas. For example, to export both roles and applications, specify a value of 160 (32 for roles plus 128 for applications); to export roles, users, and applications, specify a value of 224 (32 for roles, plus 64 for users, plus 128 for applications).
Get the system security properties.
Parameters:
Name - Name of system parameter record, currently always "SYSTEM"
Properties (byref) - Array of system properties
Return the Security settings which the instance was initially installed with.
Security Setting - (by ref) Contains the security setting installed, one of these possible values:
"None" - Minimal settings selected
"Normal" - Normal settings selected
"Locked Down" - Locked down setting selected
"Unknown" - Cannot determine settings. This would only be the case if the system was initially installed as 2010.2 or earlier, and the settings cannot be determined by examining the security database.
classmethod GetProperties(System As %ObjectHandle, ByRef Properties As %String) as %Status
Get the system security properties.
classmethod Import(FileName As %String = "SystemExport.xml", ByRef NumImported As %Integer, Flags As %Integer = 0) as %Status
Import System security record from an xml file.
Parameters:
FileName - Filename to import System security record from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
classmethod ImportAll(FileName As %String = "SecurityExport.xml", ByRef NumImported As %String, Type As %Integer = -1, Flags As %Integer = 0) as %Status
Import All Security records from an xml file.
Parameters:
FileName - Filename to import security records from
NumImported (byref) - Returns number of records imported for each type of security record:
NumImported("System")
NumImported("Event")
NumImported("Service")
NumImported("Resource")
NumImported("Role")
NumImported("User")
NumImported("Application")
NumImported("SSLConfig")
NumImported("PhoneProvider")
NumImported("X509Credentials")
NumImported("OpenAMIdentityService")
NumImported("SQLPrivileges")
NumImported("X509Users")
NumImported("DocDB")
NumImported("LDAPConfig")
NumImported("KMIPServer")
NumImported("Server")
Type - What type of records to import from the file, -1 = ALL
Bit 0 - System
Bit 1 - Events
Bit 2 - Services
Bit 4 - Resources
Bit 5 - Roles
Bit 6 - Users
Bit 7 - Applications
Bit 8 - SSL Configs
Bit 9 - PhoneProvider
Bit 10 - X509Credential
Bit 11 - OpenAMIdentityService
Bit 12 - SQL privileges
Bit 13 - X509Users
Bit 14 - DocDBs
Bit 15 - LDAPConfigs
Bit 16 - KMIPServer
Bit 17 - Servers
Flags - Control import
Bit 0 - Do not import records, just return counts
Note: On failure, no records will be imported
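An added example, not part of the Security.System class: it builds the bit mask for roles, users and applications (32 + 64 + 128 = 224, the value the ExportAll description works through), exports only those record types with ExportAll, then calls ImportAll on the same file with Flags bit 0 set so the file is counted but nothing is written to the security database, and compares the two counts. The class name Example.SecurityExport and the output path are assumptions; the code must run in the %SYS namespace with the privileges needed to read the security database.

```objectscript
/// Added example, not Security.System's own code. Class name and file path are assumed.
Class Example.SecurityExport
{

/// Export roles, users and applications, then count (without importing) what the
/// file contains. Returns a %Status; run from the %SYS namespace.
ClassMethod RoundTrip(file As %String = "/tmp/security-partial.xml") As %Status
{
    // Bit positions from the ExportAll Flags / ImportAll Type descriptions:
    // Bit 5 = Roles (32), Bit 6 = Users (64), Bit 7 = Applications (128).
    Set mask = (2 ** 5) + (2 ** 6) + (2 ** 7)   // 224
    Set sc = ##class(Security.System).ExportAll(file, .exported, mask)
    If $$$ISERR(sc) Quit sc
    Write "Exported to ", file, ":", !
    Do ..Report(.exported)
    // ImportAll with Flags bit 0 set (Flags = 1) only returns counts; no record
    // is imported, so this is a safe way to inspect the file's content.
    Set sc = ##class(Security.System).ImportAll(file, .counted, mask, 1)
    If $$$ISERR(sc) Quit sc
    Write "Records in file (dry run, nothing imported):", !
    Do ..Report(.counted)
    // The counts for each exported type must match; a difference means the file
    // was altered or truncated between export and import.
    Set sc = $$$OK
    For type = "Role", "User", "Application" {
        If $Get(counted(type)) '= $Get(exported(type)) {
            Set sc = $$$ERROR($$$GeneralError, "Count mismatch for "_type_" in "_file)
        }
    }
    Quit sc
}

/// Print one line per record type from a NumExported/NumImported style array.
ClassMethod Report(ByRef counts As %String) [ Private ]
{
    Set type = $Order(counts(""))
    While (type '= "") {
        Write "  ", type, ": ", counts(type), !
        Set type = $Order(counts(type))
    }
}

}
```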
Modify the system security properties.
Modifies the system security properties from the security database.
Parameters:
Name - Name of system parameter record, currently always "SYSTEM"
Properties - Array of properties to modify.
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, then the property is not modified.
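An added example, not part of the Security.System class, that uses only the Get()/Modify() Properties array described above to set the RequiredRole property. It checks that the role exists before applying it, because a misspelled role would deny every login that does not hold "%All". The class name Example.RequireRole is an assumption, Security.Roles.Exists() is assumed to follow the same Exists() convention as this page's Exists(), and the code must run in the %SYS namespace.

```objectscript
/// Added example, not Security.System's own code; the class name is assumed.
Class Example.RequireRole
{

/// Make role the RequiredRole for every login, after checking that it exists.
/// Users holding "%All" are unaffected, as the RequiredRole description states.
ClassMethod Apply(role As %String) As %Status
{
    If (role = "") Quit $$$ERROR($$$GeneralError, "Role name must not be empty")
    // Verify the role before applying it; otherwise all other logins would fail.
    If '##class(Security.Roles).Exists(role, .roleObj, .sc) {
        Quit $$$ERROR($$$GeneralError, "Role "_role_" does not exist")
    }
    // Read the current settings so the change can be reported.
    Set sc = ##class(Security.System).Get("SYSTEM", .props)
    If $$$ISERR(sc) Quit sc
    Set current = $Get(props("RequiredRole"))
    Write "RequiredRole was: ", $Select(current = "": "(none)", 1: current), !
    // Modify() changes only the properties present in the array, so pass just one.
    Kill props
    Set props("RequiredRole") = role
    Set sc = ##class(Security.System).Modify("SYSTEM", .props)
    If $$$ISERR(sc) Quit sc
    Write "RequiredRole is now: ", role, !
    Quit $$$OK
}

/// Remove the requirement again; "" means no role is required to log in.
ClassMethod Clear() As %Status
{
    Set props("RequiredRole") = ""
    Quit ##class(Security.System).Modify("SYSTEM", .props)
}

}
```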
Inherited Members
Inherited Methods
- %%CLASSNAMELogicalToStorage()
- %%CLASSNAMEStorageToLogical()
- %AddToSaveSet()
- %AddToSyncSet()
- %BMEBuilt()
- %BuildIndicesAsync()
- %BuildIndicesAsyncResponse()
- %CheckConstraints()
- %CheckConstraintsForExtent()
- %ClassIsLatestVersion()
- %ClassName()
- %ComposeOid()
- %ConstructClone()
- %Delete()
- %DeleteExtent()
- %DeleteId()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Exists()
- %ExistsId()
- %Extends()
- %GUID()
- %GUIDSet()
- %GetLock()
- %GetParameter()
- %GetSwizzleObject()
- %Id()
- %InsertBatch()
- %IsA()
- %IsModified()
- %IsNull()
- %KillExtent()
- %KillExtentData()
- %LoadFromMemory()
- %LockExtent()
- %LockId()
- %New()
- %NormalizeObject()
- %ObjectIsNull()
- %ObjectModified()
- %Oid()
- %OnBeforeAddToSync()
- %OnDeleteFinally()
- %OnDetermineClass()
- %OnOpenFinally()
- %OnSaveFinally()
- %Open()
- %OpenId()
- %OriginalNamespace()
- %PackageName()
- %PhysicalAddress()
- %PurgeIndices()
- %Reload()
- %RemoveFromSaveSet()
- %ResolveConcurrencyConflict()
- %RollBack()
- %Save()
- %SaveDirect()
- %SaveIndices()
- %SerializeObject()
- %SetModified()
- %SortBegin()
- %SortEnd()
- %SyncObjectIn()
- %SyncTransport()
- %UnlockExtent()
- %UnlockId()
- %ValidateIndices()
- %ValidateObject()
- %ValidateTable()
- Help()
- XMLDTD()
- XMLExport()
- XMLExportToStream()
- XMLExportToString()
- XMLNew()
- XMLSchema()
- XMLSchemaNamespace()
- XMLSchemaType()
Storage
Storage Model: Storage (Security.System)
^|$$$SecurityMapSystem|SYS("Security","SystemD")(ID) |
= | %%CLASSNAME
AuditEnabled
ConfigurationSecurityEnabled
DBEncAlgorithm
DBEncIRISTemp
DBEncKeyLength
DBEncStartConfigFile
DBEncStartKeyFile
DBEncStartMode
DBEncStartPassphrase
DBEncStartRequired
DBEncStartUsername
DefaultSecurityDomain
Description
InactiveLimit
InvalidLoginLimit
KeyEncKeyIterations
KeyEncKeyLength
KeyEncKeySaltLength
PasswordPattern
PercentGlobalWrite
SecurityDomains
AuditFlags
DBEncJournal
AutheEnabled
LDAPBaseDN
LDAPDomainName
LDAPFlags
LDAPHostNames
LDAPSearchPassword
LDAPSearchUsername
LDAPUniqueDNIdentifier
LDAPAttributeComment
LDAPAttributeFullName
LDAPAttributeNameSpace
LDAPAttributeRoles
LDAPAttributeRoutine
LDAPClientTimeout
LDAPServerTimeout
LDAPCACertFile
RequiredRole
LDAPAttributes
AuditEncrypt
BypassSecurity
PasswordValidationRoutine
PasswordExpirationDays
InvalidLoginAction
SSLSuperServer
SMTPPassword
SMTPServer
SMTPUsername
TwoFactorTimeout
TwoFactorFrom
TwoFactorEnabled
LoginCookieTimeout
DefaultSignatureHash
TwoFactorPWIssuer
DBEncDefaultKeyID
DBEncJournalKeyID
LDAPGroupId
LDAPInstanceId
DBEncStartKMIPServer
SSLECPServer
SSLTelnetServer
PasswordHashAlgorithm
PasswordHashWorkFactor
Version
VersionSystem
PrivateJWKS
PublicJWKS
JWTSigAlg
JWTIssuer
EscalateLoginTimeout
EscalateAuthTimeout
|