Predefined User Accounts
Every instance of InterSystems IRIS automatically includes the following accounts:
|User name|Assigned roles|Purpose|
|---|---|---|
|Admin|%Manager|Default administrator account. This account exists for all instances of all InterSystems products to support instance administration. InterSystems recommends that you change the password for this account from its initial value and disable the account prior to going into production.|
|CSPSystem|(None)|Default account representing the Web Gateway when it connects to InterSystems IRIS via Instance Authentication for Normal and Locked-down instances. InterSystems recommends that you change the password for this account from its initial value prior to going into production. This user account is used internally by HealthShare and should not be disabled. If you change this user’s password for the instance, you must also change it for the web gateway.|
|IAM|IAM_API|Default account required to obtain a license for InterSystems API Manager (IAM) from InterSystems IRIS. To use the IAM user, you must enable it and change its password; setting up the IAM user is part of setting up IAM generally.|
|SuperUser|%All|Default account with all privileges available. This account exists for all instances of all InterSystems products to provide complete access to all aspects of the product. InterSystems recommends that you change the password for this account from its initial value and disable the account prior to going into production.|
|UnknownUser|%All (Minimal security) or None (Normal or Locked-Down security)|Default account for a non-logged in user.|
|_PUBLIC|(None)|Set of privileges given to all users (not a login account).|
|_SYSTEM|%All|Default SQL account. This account exists for all instances of all InterSystems products to provide SQL access. InterSystems recommends that you disable this account for production systems.|
|_Ensemble|%All|Interoperability manager (not a login account). Only on InterSystems IRIS instances. This account is used internally by HealthShare and should not be disabled.|
This account is used by healthcare products for internal purposes. By default, it is disabled for InterSystems IRIS for Health™ and HealthShare® Health Connect, and must be enabled before using FHIR®-based IHE profiles with these products. For other HealthShare solutions, the account is enabled by default and must not be disabled.
There is also an account called a “privileged user account,” which is created during Normal and Locked Down installations and for which you supply a username and password.
It is not possible to delete the following accounts:
New installations of InterSystems IRIS use the same password for all the predefined accounts, as described in Initial User Account Passwords. The default password is a security vulnerability, particularly in a Minimal Security installation. To address this issue, disable the accounts or change their passwords. InterSystems recommends disabling the accounts after creating a unique account with the %All role, as InterSystems IRIS requires at least one enabled account with the %All role.
This is a critical concern with containerized instances in particular; see Authentication and passwords for more information, including ways in which you can address the issue.
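The ordering recommended above (create a unique %All account first, then disable the defaults) can be enforced in code. The following is an added example, not InterSystems code: it uses the Security.Users class methods Get() and Modify() in the %SYS namespace, and the routine name HARDEN and the keeper account name passed by the caller are hypothetical.

```objectscript
DisableDefaults(keeper) public {
    // Added example. Call as: do DisableDefaults^HARDEN("opsadmin")
    // keeper = the unique %All account you created for this instance (hypothetical name).
    new $NAMESPACE
    set $NAMESPACE="%SYS"            // Security.Users is only available in %SYS

    // The keeper must not be one of the accounts about to be disabled.
    if $listfind($listbuild("admin","superuser","_system"),$zconvert(keeper,"L")) {
        return $SYSTEM.Status.Error(5001,"keeper must not be a predefined account")
    }

    // The keeper must exist, be enabled and hold %All, because the instance
    // requires at least one enabled account with the %All role.
    set sc=##class(Security.Users).Get(keeper,.k)
    if $SYSTEM.Status.IsError(sc) { return sc }
    // Assumption: Get() returns Roles as a comma-separated string.
    set hasAll=($listfind($listfromstring(k("Roles"),","),"%All")>0)
    if ('k("Enabled"))||('hasAll) {
        return $SYSTEM.Status.Error(5001,keeper_" is not an enabled %All account")
    }

    // Disable only the accounts the page recommends disabling.
    // CSPSystem and _Ensemble are left alone: the page says not to disable them.
    for name="Admin","SuperUser","_SYSTEM" {
        kill p
        set sc=##class(Security.Users).Get(name,.p)
        if $SYSTEM.Status.IsError(sc) { continue }   // account no longer exists
        if 'p("Enabled") {
            write name,": already disabled",!
            continue
        }
        kill m
        set m("Enabled")=0
        set sc=##class(Security.Users).Modify(name,.m)
        if $SYSTEM.Status.IsError(sc) { return sc }
        write name,": disabled",!
    }
    return 1
}
```

CSPSystem still needs its password changed separately, with the same change made on the Web Gateway side.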
Additionally, there is a user account called %System, which is not visible and which exists for InterSystems IRIS to use internally. You cannot log into, edit, or delete this account. This account runs with the %All role. Certain routines, such as %ZSTART and %ZSTOP, are run as this user account; to run such a routine as a different user, call $SYSTEM.Security.Login().
While it is not recommended, you can delete predefined user accounts. However, there must be at least one account with the %All role in addition to %System.
Notes on Various Accounts
The UnknownUser Account
For certain applications, or certain parts of an application, unauthenticated users may have a legitimate reason to use InterSystems IRIS, such as for a retail system to display availability of products, prior to the user initiating a purchase. For this type of situation, InterSystems IRIS supports the UnknownUser account. When an unauthenticated user connects, a special name, UnknownUser, is assigned to $USERNAME and the roles defined for that user are assigned to $ROLES.
Unauthenticated access is not used when authentication fails. For example, suppose that a user attempts to connect to InterSystems IRIS via terminal and supplies a username and password that fail authentication. Here, the user is not connected to InterSystems IRIS, even if unauthenticated access is permitted. On the other hand, if unauthenticated access is permitted and that same user connects to InterSystems IRIS without supplying a username (such as by pressing the Enter key at the username prompt), then that user is connected as UnknownUser, the unauthenticated user. Similarly, if an ODBC client attempts to connect with null strings for username and password, that connection will be accepted if unauthenticated access is permitted for the service; if the same ODBC client provides non-empty username and password values that fail authentication, that client is not connected even if unauthenticated access is permitted.
The _PUBLIC Account
The predefined user account, _PUBLIC, is a special account that does not exist for logins. Rather, it holds a set of roles. These roles are specified as the default roles for any user who connects to the system. This ensures a minimum set of roles for any user. For example, if you associate the %Operator role with the _PUBLIC user, then the value of $Roles for any user will always include %Operator.