Default SQL Privileges of the Predefined Roles
Default SQL Privileges of the Predefined Roles
Several InterSystems IRIS Interoperability pages in the Management Portal use SQL queries to retrieve information; therefore, users must have privileges on the appropriate tables to view this information. This section shows how InterSystems IRIS assigns SELECT privileges to its predefined roles to provide the proper security.
The %EnsRole_Administrator, %EnsRole_Developer, and %EnsRole_WebDeveloper roles hold the SELECT privilege on all of the following SQL tables:
-
Ens.BusinessProcess
-
Ens.BusinessProcessBPL
-
Ens.MessageBody
-
Ens.MessageHeader
-
Ens.StreamContainer
-
Ens.StringContainer
-
EnsLib_DICOM.Document
-
EnsLib_EDI_ASTM.Document
-
EnsLib_EDI_ASTM.SearchTable
-
EnsLib_EDI_EDIFACT.Document
-
EnsLib_EDI_EDIFACT.SearchTable
-
EnsLib_EDI_X12.Document
-
EnsLib_EDI_X12.SearchTable
-
EnsLib_EDI_XML.Document
-
EnsLib_EDI.XML.SearchTable
-
EnsLib_HL7.Message
-
EnsLib_HL7.SearchTable
-
EnsLib_Printing.PrintJob
-
EnsLib_Printing.PrintRequest
-
EnsLib_SQL.Snapshot
-
EnsLib_XML.SearchTable
-
EnsLib_ebXML.Message
-
EnsLib_ebXML.MessageTracking
-
EnsLib_ebXML.MessageWithPayload
-
Ens_Config.Credentials
-
Ens_Enterprise_MsgBank.Log
-
Ens_Enterprise_MsgBank.MessageHeader
-
Ens_Enterprise_MsgBank.Node
-
Ens_Rule.Log
-
Ens_Rule.RuleLog
-
Ens_Util.Calendar
-
Ens_Util.IOLog
-
Ens_Util.Log
-
Ens_Util.Schedule
The remaining roles have SELECT privileges on a subset of the SQL tables as shown in the following table.
| SQL Table Name | %EnsRole _RulesDeveloper | %EnsRole _Monitor | %EnsRole _Operator |
|---|---|---|---|
| Ens.BusinessProcess | SELECT | ||
| Ens.BusinessProcessBPL | SELECT | ||
| Ens.MessageHeader | SELECT | ||
| Ens_Config.Credentials | SELECT | ||
| Ens_Enterprise_MsgBank.Log | SELECT | ||
| Ens_Enterprise_MsgBank.MessageHeader | SELECT | ||
| Ens_Enterprise_MsgBank.Node | SELECT | ||
| Ens_Rule.Log | SELECT | SELECT | |
| Ens_Rule.RuleLog | SELECT | SELECT | |
| Ens_Util.Calendar | SELECT | ||
| Ens_Util.Log | SELECT | SELECT | |
| Ens_Util.Schedule | SELECT |
InterSystems IRIS also grants privileges on two stored procedures:
-
EXECUTE privileges on the Ens_Config.Production_Extent stored procedure (used by the system to list and load productions) to %EnsRole_Administrator and %EnsRole_Developer
-
EXECUTE privileges on the Ens.IsASub stored procedure (used by the system in certain searches of the Message Viewer) to %EnsRole_Administrator, %EnsRole_Developer, and %EnsRole_WebDeveloper
If you define a custom role and want a user with the role to be able to perform searches on messages, you should grant EXECUTE privileges on the Ens.IsASub to the role or user. To see if a specific role has this privilege in an interoperability-enabled namespace:
-
Select System Administration, Security, and Roles.
-
Select the role.
-
Select the SQL Procedures tab.
-
Select the namespace from the drop-down menu.
If the role has the Ens.IsASub privilege, Ens.IsASub is listed and marked as having EXECUTE privilege. If the role does not have this privilege in the namespace, you can give it this privilege by doing the following on the SQL Procedures tab:
-
Click the Add Procedures ... button.
-
Select the Ens schema from the drop-down menu.
-
Select IsASub from the Available column.
-
Click the right arrow to add IsASub to the Selected column.
-
Click Apply and then Close.
You can also give this SQL procedure privilege directly to a user.
InterSystems IRIS automatically grants permissions to allow the specified roles to run SELECT statements as described in the previous tables. It grants these permissions for the tables generated for the built-in message types. If you define custom message types, you should grant the same permissions to these roles for the tables generated for these custom message types.
