Example Four: $SYSTEM.Security.Check
In this example you experiment with the $SYSTEM.Security.Check method. It can be used within code to check privileges and prevent unauthorized execution of code blocks.
The SecurityTutorial.AuthorizationExample class contains a method named ProtectedMethod. This method uses $SYSTEM.Security.Check to protect a code block. If the user attempting to execute the method has the ProtectedMethod:USE privilege, the method successfully returns the value of $Username. If the user does not have this privilege, the method returns an error.
ClassMethod ProtectedMethod() As %String
{
    if ($SYSTEM.Security.Check("ProtectedMethod","U"))
    {
        Return $Username
    }
    Else
    {
        Return "Error: Insufficient Privileges"
    }
}
Here are the steps for using the example:
- Create a new role named ProtectedMethodExample. Give the role %Development:USE and %DB_USER:RW.
- Create a new user and add the user to the ProtectedMethodExample role.
- Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step. Attempt to execute the SecurityTutorial.AuthorizationExample ProtectedMethod method. Since the user does not yet have ProtectedMethod:USE, the method returns "Error: Insufficient Privileges".
USER>Write $System.Security.Login("MyUser","MyUser")
1
USER>Write $Username,!,$Roles
MyUser
ProtectedMethodExample
USER>Write ##class(SecurityTutorial.AuthorizationExample).ProtectedMethod()
Error: Insufficient Privileges
USER>
- Create a new resource named ProtectedMethod. Assign the resource no Public Permissions. Give the ProtectedMethodExample role ProtectedMethod:USE.
- While logged in as the user created above, who is a member of the ProtectedMethodExample role, execute the ProtectedMethod of SecurityTutorial.AuthorizationExample. Now that the user has ProtectedMethod:USE, the method executes its true branch and returns the value of $Username.
USER>Write ##class(SecurityTutorial.AuthorizationExample).ProtectedMethod()
MyUser
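ProtectedMethod above reports a denial as an ordinary string in the same return value that carries the username, so a caller has to compare strings to tell success from failure. The following added example (not part of the original tutorial) keeps the same $SYSTEM.Security.Check test but returns a %Status, so that a denial cannot be mistaken for data. The class name SecurityTutorial.GuardExample and the Require helper are hypothetical.

```objectscript
/// Added example; class and method names are hypothetical.
Class SecurityTutorial.GuardExample Extends %RegisteredObject
{

/// Fail closed: return an error status unless the current process
/// holds the given permission on the given resource.
ClassMethod Require(resource As %String, permission As %String = "U") As %Status
{
    If $SYSTEM.Security.Check(resource, permission) {
        Return $$$OK
    }
    // The denial is an error status, never a value the caller could use as data.
    Set msg = "Insufficient privileges: "_$Username_" lacks "_permission_" on "_resource
    Return $$$ERROR($$$GeneralError, msg)
}

/// Same protected block as the tutorial's ProtectedMethod, but the
/// username is returned through an Output argument and the outcome
/// through the status.
ClassMethod ProtectedMethod(Output result As %String) As %Status
{
    Set result = ""
    Set sc = ..Require("ProtectedMethod", "U")
    If $$$ISERR(sc) {
        Return sc
    }
    Set result = $Username
    Return $$$OK
}

/// Caller side: branch on the status, not on the text of the result.
ClassMethod Demo()
{
    Set sc = ..ProtectedMethod(.name)
    If $$$ISERR(sc) {
        Do $SYSTEM.Status.DisplayError(sc)
    }
    Else {
        Write "Executed as ", name, !
    }
}

}
```

Run with the user from the steps above, Demo displays the error before ProtectedMethod:USE is granted to the ProtectedMethodExample role and writes the username afterwards.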