Managing InterSystems IRIS on Windows
Managing an InterSystems IRIS® data platform instance on the Microsoft Windows platform is straightforward. You can perform most tasks using the Management Portal and the InterSystems IRIS launcher (also known as the cube). You can also control an InterSystems IRIS instance from a command prompt.
This topic uses install-dir to refer to the InterSystems IRIS installation directory—you can find the default directory in the Default Installation Directory section of the Installation Guide.
Do not use Windows file compression on InterSystems IRIS IRIS.DAT database files. (Files are compressed by right-clicking a file or folder in Windows Explorer and selecting Properties, then Advanced, then Compress contents to save disk space; once compressed a folder name or filename is rendered in blue in Windows Explorer.) If you compress a IRIS.DAT file, the instance to which it belongs will fail to start, with misleading errors.
Managing Access to the InterSystems IRIS Instance
This section discusses the following topics related to managing access to InterSystems IRIS:
The InterSystems Service
All InterSystems IRIS jobs and process run from the InterSystems service, InterSystems IRIS Controller for <instance-name>. The permissions the InterSystems service has are determined by its associated Windows user account. When this is the local SYSTEM account, InterSystems IRIS has broad access to all files and permissions on the Windows system. To maintain a more secure and restrictive environment, you should select a Windows account for the InterSystems service that only has the needed privileges and access. See Windows User Accounts for more information.
In Normal and Locked Down installations, InterSystems IRIS creates two local user groups that grant access to the instance. When you specify a Windows user account for the InterSystems Service other than the default local SYSTEM account, InterSystems IRIS adds that Windows user account to each group. These groups are:
-
IRISServices, which grants the privileges to start, stop, and control the InterSystems IRIS instance.
-
IRIS_Instance_instancename, which grants access to the installation tree—the directory in which InterSystems IRIS is installed and all its subdirectories.
Regarding these groups and their privileges:
-
When the IRISServices group is created, it is granted the Replace a process level token and Adjust memory quotas for a process privileges. Do not remove these privileges.
-
The IRISServices and IRIS_Instance_instancename groups may not grant all the permissions that InterSystems IRIS requires to perform certain actions. To ensure InterSystems IRIS has the needed access to all instance, journal, and log files that are outside the installation tree, grant the IRIS_Instance_instancename group full access to these files and the directories containing them. You may also grant this group additional permissions if necessary.
Typically you select the Windows account for InterSystems IRIS Controller for <instance-name> during installation, as described in the Windows User Accounts. To change the service account after installation, see Changing the InterSystems Service Account below.
Restricting Access to the Installation Tree
By default, any authenticated Windows users can access the installation tree, which may be undesirable. To remove the Windows access control entry (ACE) for authenticated users:
-
On some Windows platforms, for example Windows 10, it may be necessary to first remove inherited permissions. To do so, use the following command
icacls <install-dir> /inheritance:d
-
Then remove the ACE for authenticated users as follows:
icacls <install-dir> /remove "NT AUTHORITY\Authenticated Users" /t
The /t flag recursively applies the permission change to all subdirectories and files in the instillation tree.
-
Finally, use the following command to confirm there are no references to “Authenticated Users”:
icacls <install-dir>
This command lists access permissions on the install directory.
Now only users that are administrators or in the IRIS_Instance_instancename group should have access to the installation tree.
If you do not do this, any user who can log in to the host Windows system can easily modify files, change settings, or disable the InterSystems IRIS instance entirely.
In some cases, you may want to give another Windows account access to the installation tree, in addition to the account used by the InterSystems IRIS Controller for <instance-name> service. This could, for example, include accounts running automated tasks, or accounts that log in to the Windows server directly to access InterSystems IRIS (through a local Terminal session or by invoking a custom callin executable). You can give any such account the needed access by adding it to the IRIS_Instance_instancename group.
Changing the InterSystems Service Account
Enter the following in the command line to change the Windows user account used for InterSystems IRIS Controller for <instance-name>, the InterSystems service:
<install-dir>\bin\IRISinstall.exe setserviceusername <instance-name> <username> <password>
This command changes the Windows user account to the one you specify. It also adds the user to the IRISServices and IRIS_Instance_instancename groups, creating these groups if necessary. After running this command and restarting an InterSystems IRIS instance, the instance runs under the newly specified Windows user account.
InterSystems IRIS launcher
The primary InterSystems IRIS interface on Microsoft Windows platforms is the InterSystems IRIS launcher. From the InterSystems IRIS launcher, you can start all of the InterSystems IRIS configuration and management tools. You can also invoke each Launcher command from a shortcut or command line.
Correspondingly, you can initiate many of the InterSystems IRIS tools from the Windows program menu by pointing to IRIS folder and then to the Start InterSystems IRIS for the appropriate InterSystems IRIS instance name.
When you start InterSystems IRIS on a Windows-based system, the InterSystems IRIS launcher appears in the system tray of the taskbar.
When you click the InterSystems IRIS launcher, a menu appears with commands to use the ObjectScript utilities and programming environments.
The following table describes the commands available from the InterSystems IRIS launcher menu.
InterSystems IRIS launcher Command | Description |
---|---|
Getting Started | Displays links to tutorials, release notes, documentation, and other related information. |
Start InterSystems IRIS |
Starts the default instance specified in the square brackets after the menu item, for example [ii2081]. If the InterSystems IRIS server is already started, this option appears dimmed—it is unavailable.
Note:
For information about how to prevent an instance from starting automatically, see Memory and Startup Settings. |
Stop InterSystems | Shuts down or restarts the local InterSystems IRIS instance. If the InterSystems IRIS server is stopped, this option appears dimmed—it is unavailable. |
Terminal | Invokes the command line interpreter for InterSystems IRIS. See Using the ObjectScript Shell for more information. |
Management Portal | Performs common system management tasks. Creates databases and namespaces, and adjusts all InterSystems IRIS configuration settings. Displays classes, globals, and routines, and functions for managing each. Displays tables and views, perform queries and SQL management functions. See Using the Management Portal. |
Documentation | Displays InterSystems IRIS online documentation. |
Preferred Server [server name] | Shows a list of remote servers and maintains server connections by using the Add/Edit command on the submenu. The preferred server appears in brackets and has a check mark next to it in the server list. See Define a Remote Server Connection |
About | Displays InterSystems IRIS version and build information. |
Exit | Removes the InterSystems IRIS launcher icon from the system tray; this does not stop InterSystems IRIS. The Launcher reappears when the instance is rebooted. |
Starting InterSystems IRIS
To start InterSystems IRIS, run the startup procedure at the system level. This procedure runs using either the default configuration file or a configuration file you specify.
If you have any trouble starting InterSystems IRIS, view the messages.log file as described in Monitoring Log Files.
To start InterSystems IRIS on the Windows platform, select Start InterSystems IRIS from the InterSystems IRIS launcher. This starts the InterSystems IRIS instance using the specified configuration file. When InterSystems IRIS is not running, the InterSystems IRIS launcher icon appears dimmed.
If the InterSystems IRIS launcher is not in the system tray, from the Windows program menu select the IRIS folder and Start InterSystems IRIS for that instance. To return the Launcher to the system tray, go to the install-dir/bin directory and double-click the iristray.exe file.
Alternatively, you can enter these commands from the install-dir/bin directory in the Open box of the Run command on the Start menu. For example, to start the instance named MyIris from the MyIris\bin directory, enter the following command:
c:\MyIris\bin\iris start iris
These methods of starting InterSystems IRIS call the iris start command. See Controlling InterSystems IRIS from the Command Prompt for more options and information on the iris command.
Stopping InterSystems IRIS
Normally you leave your InterSystems IRIS system running. However, if your operating system requires a restart, stop InterSystems IRIS before you shut down your system. The maintenance tasks, such as backups and database repair utilities, do not require you to stop InterSystems IRIS.
From the InterSystems IRIS launcher menu click Stop InterSystems to shut down or restart the local InterSystems IRIS instance. By default, this option shuts down (or restarts) InterSystems IRIS immediately, using the default shutdown routine. However, it also provides options for setting a timer for a delayed shutdown, for running a user-defined shutdown routine, for broadcasting a warning message to users on the server, and for shutting down without failing over. You can run this same process from the Windows program menu. Select the IRIS folder and Stop InterSystems IRIS for that instance name. You cannot cancel a shutdown once the countdown reaches 0 and the shutdown procedures have started.
InterSystems recommends that you run Stop InterSystems IRIS to shut down InterSystems IRIS to ensure that it closes properly.
These methods of stopping InterSystems IRIS call the iris stop command. See Controlling InterSystems IRIS Instances for more options and information on the iris command.
To prevent unintentional execution of the Stop InterSystems command, you can remove the command from the InterSystems IRIS launcher by deleting the irisstop.exe file from the install-dir/bin directory of the corresponding InterSystems IRIS instance. You can also remove the Stop InterSystems shortcut from the appropriate InterSystems IRIS instance from the Start menu. Point to Programs and the InterSystems IRIS instance name, then right-click Stop InterSystems and click Delete.
Help Information from the Command Prompt
You can control an InterSystems IRIS instance from the Windows command prompt by running the iris.exe program in the install-dir\bin directory. For information about the iris command, see Controlling InterSystems IRIS Instances.
To display the most current help information for this command, invoke iris help from the install-dir\bin directory. For example:
C:\MyIris\bin>iris help
The iris help command will display the most current help information in the terminal. You can also save help information to a file in the intsall-dir\bin directory by adding >outputfilename to the iris help command. For example:
C:\MyIris\bin>iris help>helpinformation
Connecting to InterSystems IRIS on the Command Line
You can log in to an InterSystems IRIS instance on the command line using the iris terminal command. See Connecting to an InterSystems IRIS Instance for more information on iris terminal.