Managing Productions
Controlling Access to Management Portal Functions
This appendix describes how the Management Portal uses the predefined security roles and resources to control access to pages and options related to production management. It contains the following sections:
Important:
The upgrade procedures reset these predefined resources and roles; therefore, you should customize security only by configuring resources and roles that you create yourself.
InterSystems IRIS™ contains predefined roles which you can use to control access to the functions in the Management Portal. While these built-in roles may suit most environments, you can add additional roles to customize access to pages or functions.
The following sections describe the security structure prebuilt in InterSystems IRIS. You can use this information to determine how to assign your users to roles in your environment.
This section describes the predefined resources related to productions. The names of these resources all begin with the %Ens_ prefix.
- The first subsection lists resources that protect a specific activity you can perform in InterSystems IRIS.
Note:
In addition to the %Ens_Portal resource, access to production-related functions in the Management Portal in any given namespace requires the Read permission on the default global database resource for that namespace. This check is enforced for access to all Interoperability portal pages.
Note:
In many cases, InterSystems IRIS Interoperability default behavior uses a less granular resource (like %Ens_Code) which protects multiple data sources including the data protected by a more specific resource (like %Ens_BPL). The predefined roles and privileges use the less granular resource, but you can choose alternative roles with more selective privileges.
InterSystems IRIS also contains a set of predefined roles related to productions. Their names each begin with the %EnsRole_ prefix. These are roles designed to reasonably secure your InterSystems IRIS instances in both development and live environments. The following descriptions contain an overview of the perceived job responsibilities of members of the role and how these roles relate to other roles.
Role for a trusted and skilled administrator. In a live or test system this is for the person able to stop, start, and configure productions; to stop and start individual configuration items; to look at all logs, messages, and queues; to purge data; to add default system settings; and so on. This administrator has almost unlimited ability to control the InterSystems IRIS Interoperability environment, but cannot change code components other than to deploy updates.
This role is intentionally distinct from InterSystems IRIS administrative roles and does not grant the user any non-production privileges.
The %EnsRole_Administrator role is a member of the %EnsRole_Operator role, and, therefore, also holds all the privileges of that role.
Role for a person developing business logic, data structures, or core InterSystems IRIS code. This includes writing code in Studio, writing DTL and BPL in either Studio or using the web interface, developing routing rules, and creating custom message schemas. In addition, this role allows a user to perform many administrative tasks, as the developer should have the ability to actively debug and test various options on development instances.
By default, members of the InterSystems IRIS Interoperability developer role have full programming power and as such, can modify DTL, BPL, and record maps. InterSystems IRIS provides separate resources for each type of code if you want to distinguish areas of development by creating custom roles.
The %EnsRole_Developer role is a member of both the %Developer and %EnsRole_WebDeveloper roles. Therefore, a user assigned to this role can perform all InterSystems IRIS development tasks as well as the web developer tasks.
Role for a person with limited development abilities. In particular, this restricts a user to the development tasks in the Interoperability menus of the Management Portal, like BPL, DTL, defining rules, and creating record maps. The role does not grant access to Studio or the terminal.
This role is a member of the %EnsRole_RulesDeveloper and %EnsRole_Operator roles, so that a user who is a member of this role can perform debugging tasks in the Management Portal.
Role for a business analyst allowed to modify business rules dynamically. If you have developed a business process that requires such a function, you can allow a small number of people to modify the rules. This is not an administrative or development function.
%EnsRole_WebDeveloper is a member of this role.
Role for a generic user to view the InterSystems IRIS system monitor and the production monitor. Actions that would leave an audit trail if done from a user with %EnsRole_Operator have no effective audit trail from this generic username, and therefore access needs to be restricted to a subset that does not include any risk of seeing sensitive data.
Role for operation staff managing the day-to-day status of a particular production. Users assigned to this role have the Read permission on the current configuration to determine what settings and code are in effect, but do not have permissions to modify the configuration. Operations staff may start and stop interfaces, and may start and stop the production. They do not have access to the contents of messages, but may resend messages which cause issues. Operators may view queue and job information, and may inspect the settings for purges, alerts, credentials, and lookup tables.
Both %EnsRole_Administrator and %EnsRole_WebDeveloper are members of this role.
%EnsRole_AlertAdministrator
Role that allows a user to control the subscription criteria used to select messages and to specify the users to receive the messages. This role provides access to the Management Portal page that controls Publish and Subscribe routing. For more information on Publish and Subscribe messages, see “Defining Publish and Subscribe Message Routing”.
The default InterSystems IRIS Interoperability security framework assigns permissions to the predefined resources, thus creating privileges for each of these roles. You can choose to assign the users of your application to these InterSystems IRIS Interoperability roles or create your own roles, assigning them permissions to the InterSystems IRIS resources. If you upgrade your InterSystems IRIS instance, the procedures reset the default roles, so you should make your configuration modifications only on user-created roles.
The next section shows the privileges assigned by default to each role.
These roles only cover functions in the Interoperability menus of the Management Portal. Users in your environment likely require additional InterSystems IRIS roles. For details, see “Roles” in the Security Administration Guide.
This section lists the default privileges that each role has for each resource.
The following table lists the role privileges for the activity resources. Only the Use permission is required for access; your application code should check this same permission on the underlying resource to determine access to data as well.
The following table lists the role privileges for the code and data resources. Read and Write permissions are distinct for the resource; your application code should use these two permissions to determine access to the underlying data.
For reasons of space, this table does not include the information on all roles. Additional roles are described after the table.
Additional roles have the following privileges:
- The %EnsRole_WebDeveloper role has the same privileges as %EnsRole_Developer.
- The %EnsRole_RulesDeveloper role has only the following privileges:
Each Management Portal page has a default privilege requirement in the security framework shipped with InterSystems IRIS. You can view this requirement while in the columns view of the portal menu, just beneath where you click Go to navigate to the page. You only see this information if you click next to the menu item name and not directly on the label.
Several InterSystems IRIS Interoperability pages in the Management Portal use SQL queries to retrieve information; therefore, users must have privileges on the appropriate tables to view this information. This section shows how InterSystems IRIS assigns SELECT privileges to its predefined roles to provide the proper security.
The %EnsRole_Administrator, %EnsRole_Developer, and %EnsRole_WebDeveloper roles hold the SELECT privilege on all of the following SQL tables:
- EnsLib_EDI_ASTM.SearchTable
- EnsLib_EDI_EDIFACT.Document
- EnsLib_EDI_EDIFACT.SearchTable
- EnsLib_EDI_X12.SearchTable
- EnsLib_EDI.XML.SearchTable
- EnsLib_Printing.PrintRequest
- EnsLib_ebXML.MessageTracking
- EnsLib_ebXML.MessageWithPayload
- Ens_Enterprise_MsgBank.Log
- Ens_Enterprise_MsgBank.MessageHeader
- Ens_Enterprise_MsgBank.Node
The remaining roles have SELECT privileges on a subset of the SQL tables as shown in the following table.
InterSystems IRIS also grants EXECUTE privileges on the Ens.IsASub stored procedure (used in certain searches of the Message Viewer) to %EnsRole_Administrator, %EnsRole_Developer, and %EnsRole_WebDeveloper. If you define a custom role and want a user with the role to be able to perform searches on messages, you should grant this privilege to the role or user. To see if a specific role has this privilege in an interoperability-enabled namespace:
- Select the namespace from the drop-down menu.
If the role has the Ens.IsASub privilege, Ens.IsASub is listed and marked as having EXECUTE privilege. If the role does not have this privilege in the namespace, you can give it this privilege by doing the following on the SQL Procedures tab:
- Select the Ens schema from the drop-down menu.
You can also give this SQL procedure privilege directly to a user.
Note:
InterSystems IRIS automatically grants permissions to allow the specified roles to run SELECT statements as described in the previous tables. It grants these permissions for the tables generated for the built-in message types. If you define custom message types, you should grant the same permissions to these roles for the tables generated for these custom message types.
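Granting the Ens.IsASub and table SELECT privileges described above to a user-created role, as an added example in InterSystems IRIS SQL (not taken from the InterSystems documentation); the role name MyApp_MsgSearch and the custom message class MyApp.Msg.OrderRequest (table MyApp_Msg.OrderRequest) are hypothetical:

```sql
-- Added example, not InterSystems' own code. MyApp_MsgSearch and
-- MyApp.Msg.OrderRequest are hypothetical names; IRIS maps the package
-- MyApp.Msg to the SQL schema MyApp_Msg, the same way EnsLib.EDI.X12
-- becomes the EnsLib_EDI_X12 schema listed above.

-- 1. Put custom privileges on a role you own: upgrades reset the
--    predefined %EnsRole_* roles, so edits made there do not survive.
CREATE ROLE MyApp_MsgSearch;

-- 2. Message Viewer searches call the Ens.IsASub stored procedure, so a
--    role that must search messages needs EXECUTE on it, as the three
--    predefined roles already have.
GRANT EXECUTE ON Ens.IsASub TO MyApp_MsgSearch;

-- 3. The portal pages read message data through SQL, so the role also
--    needs SELECT on the built-in message tables it will search ...
GRANT SELECT ON Ens_Enterprise_MsgBank.MessageHeader TO MyApp_MsgSearch;
GRANT SELECT ON EnsLib_EDI_X12.SearchTable TO MyApp_MsgSearch;

-- 4. ... and on the table generated for each custom message type, which
--    IRIS does not grant automatically. The predefined roles need the
--    same grant for custom types (their names contain "%", so they are
--    written as delimited identifiers here).
GRANT SELECT ON MyApp_Msg.OrderRequest TO MyApp_MsgSearch;
GRANT SELECT ON MyApp_Msg.OrderRequest TO "%EnsRole_Administrator";
GRANT SELECT ON MyApp_Msg.OrderRequest TO "%EnsRole_Developer";
GRANT SELECT ON MyApp_Msg.OrderRequest TO "%EnsRole_WebDeveloper";

-- Least privilege: SELECT only on message tables, never UPDATE or DELETE.
-- Withdrawing search access later is a REVOKE on the custom role, not an
-- edit to a predefined role.
REVOKE EXECUTE ON Ens.IsASub FROM MyApp_MsgSearch;
```

Run the statements in the interoperability-enabled namespace whose tables they name; the Roles page SQL Procedures and SQL Tables tabs described above then show the granted EXECUTE and SELECT privileges for the role.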
Content Date/Time: 2019-02-20 23:00:23