Overview of the InterSystems Role-Based Authorization Model
Authorization is the process of determining which database assets a user can use, view, or change. Database assets include:
Databases — Physical files containing data or code.
Services — Tools for connecting to InterSystems IRIS, for example, client-server services, telnet.
Applications — InterSystems IRIS programs, for example, Web applications.
Administrative actions — Sets of tasks, for example, starting and stopping InterSystems IRIS or creating backups.
The InterSystems security system is role-based. This means that users receive their authorizations through their membership in roles. These roles grant their members sets of privileges which in turn grant permissions (USE, READ, or WRITE) on resources — the logical representation of database assets in the security system.
For example, an individual working in the Human Resources department needs to be able to view and update employee information stored in the EmployeeInfo database. To authorize these actions, the security administrator assigns the individual to the Human Resources role. This role grants its members certain privileges. Specifically, it grants them READ and WRITE permissions on the %DB_EmployeeInfo resource; the resource that represents the EmployeeInfo database in the security system.
The relationships among users, roles, permissions, resources, and assets can be summarized with the following:
Users are members of roles granting permissions on resources protecting assets.