Example Three: %DB_USER Resource
In this example you experiment with different privileges on the USER database and see how they govern a user's ability to use the data and code stored in that database.
Open the Terminal and while still logged in as the UnknownUser execute the CreateTestData method of SecurityTutorial.AuthorizationExample. This creates some data that we will use later in the example.
USER>Do ##class(SecurityTutorial.AuthorizationExample).CreateTestData()
USER>Write ^TestData
MyInitialData
Create a new role named UserDatabase. Give the role the following privileges:
Create a new user and add the user to the UserDatabase role.
Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step.
Execute the ReadTestData method of SecurityTutorial.AuthorizationExample. This method reads some data from the USER database and displays it. Since the user has %DB_USER:READ, the method successfully returns the data.
USER>Do $System.Security.Login("MyUser","MyUser")
USER>Write $Username,!,$Roles
MyUser
UserDatabase
USER>Write ##class(SecurityTutorial.AuthorizationExample).ReadTestData()
MyInitialData
Now attempt to execute the UpdateTestData method of SecurityTutorial.AuthorizationExample. This method writes some data to the USER database. Since the user does not have %DB_USER:WRITE, the method fails and generates a <PROTECT> error.
USER>Write $System.Security.Check("%DB_USER")
READ
USER>Do ##class(SecurityTutorial.AuthorizationExample).UpdateTestData()
    Set ^TestData = "MyUpdatedData" }
    ^
<PROTECT>zUpdateTestData+1^SecurityTutorial.AuthorizationExample.1 ^TestData,c:\intersystems\iris\mgr\user\
USER 2d1>
Next, edit the UserDatabase role so that it has %DB_USER:READ,WRITE.
While still logged in as the user created above, execute the UpdateTestData method again. The user now has write privileges on the USER database, so the method succeeds.
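The UpdateTestData step above fails with an unhandled <PROTECT> error because the method writes to ^TestData without first asking whether the caller holds %DB_USER:WRITE. The following class is an added example, not the tutorial's own SecurityTutorial.AuthorizationExample code; the class name Demo.GuardedUpdate and the reason output argument are assumptions. It checks the database resource with the two-argument form of $SYSTEM.Security.Check before writing, and catches <PROTECT> as a fallback so the caller gets a return value instead of a stack error.

```objectscript
/// Added example (not the tutorial's SecurityTutorial.AuthorizationExample class).
/// Guards a write to the USER database behind an explicit %DB_USER:WRITE check
/// and converts a <PROTECT> error into a return code plus a readable reason.
Class Demo.GuardedUpdate
{

/// Returns 1 if ^TestData was updated, 0 otherwise; reason explains a failure.
ClassMethod UpdateTestData(value As %String = "MyUpdatedData", Output reason As %String) As %Boolean
{
    Set reason = ""
    // Two-argument form: resource name and the permission to test for.
    // The one-argument form returns the permissions the user actually holds
    // (e.g. "READ"), which is used here to build the failure reason.
    If '$SYSTEM.Security.Check("%DB_USER", "WRITE") {
        Set reason = "User "_$USERNAME_" (roles: "_$ROLES_") holds only ["_
                     $SYSTEM.Security.Check("%DB_USER")_"] on %DB_USER"
        Return 0
    }
    Try {
        // Same write the tutorial's UpdateTestData performs.
        Set ^TestData = value
    } Catch ex {
        // ex.Name is "<PROTECT>" if the database refuses the write anyway,
        // for example because privileges changed after the check above.
        Set reason = ex.Name_" at "_ex.Location
        Return 0
    }
    Return 1
}

/// Reads back the current value so the caller can confirm the result.
ClassMethod ReadTestData() As %String
{
    Return $GET(^TestData)
}

}
```

Running Do ##class(Demo.GuardedUpdate).UpdateTestData(,.reason) as MyUser while the UserDatabase role carries only %DB_USER:READ returns 0 and fills reason with the READ-only explanation; after the role is edited to %DB_USER:READ,WRITE the same call returns 1 and ReadTestData returns the new value. Checking the resource up front rather than relying on the <PROTECT> error keeps the failure path predictable and produces a message that names the missing permission.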