Security.Users
persistent class Security.Users extends %Library.Persistent, %XML.Adaptor, %SYSTEM.Help
SQL Table Name: Security.Users
Defines the security User database and the methods that manipulate it. The system includes a set of pre-defined System users.
User names have the following properties:
1) User names are not case sensitive.
2) Maximum length of a user name is 160 characters.
3) A user name cannot contain "*" or "@".
4) A user name cannot be the same as a role name.
All defined users have the following properties:
1) A user cannot have duplicate roles defined
2) At least one user must hold the %All role
3) All the roles granted to a user must exist in the roles database.
Note: The speed at which a single process can create several users at a time is limited by the PBKDF2 method used to hash each password.
The table for this class should be manipulated only through object access, the published APIs, or the System Management Portal. It should not be updated through direct SQL access.
Property Inventory
- AccountNeverExpires
- Attributes
- AutheEnabled
- ChangePassword
- Comment
- CreateDateTime
- CreateUsername
- EmailAddress
- Enabled
- EscalationRoles
- ExpirationDate
- Flags
- FullName
- HOTPKey
- HOTPKeyDisplay
- HOTPKeyGenerate
- InvalidLoginAttempts
- InvalidLoginDateTime
- InvalidLoginDevice
- InvalidLoginService
- InvalidLoginStatus
- LastModifiedDateTime
- LastModifiedInfo
- LastModifiedUsername
- LoginDateTime
- LoginDevice
- LoginService
- Name
- NameSpace
- Password
- PasswordChangedDateTime
- PasswordExternal
- PasswordHash
- PasswordHashAlgorithm
- PasswordHashWorkFactor
- PasswordNeverExpires
- PhoneNumber
- PhoneProvider
- Roles
- RolesAreAdmin
- Routine
- Salt
- SuperUser
Method Inventory
- AddEscalationRoles()
- AddRoles()
- Copy()
- Create()
- Delete()
- Exists()
- ExpireUserPasswords()
- Export()
- Get()
- GetResourceSet()
- GetRoleSet()
- Import()
- Modify()
- RemoveEscalationRoles()
- RemoveRoles()
- UnExpireUserPasswords()
Properties
0 - Account expires normally.
1 - Account will never expire.
Options are:
$$$AutheTwoFactorSMS - SMS Text authentication
$$$AutheTwoFactorPW - Time-based One-time Password
0 - Password change not required.
1 - Password change required before next login.
$H format in utc.
0 - Disable login.
1 - Enable login.
$H date value of when an account becomes disabled.
Bit 0 - User created via normal security mechanisms (InterSystems IRIS Password User).
Bit 1 - User created via LDAP.
Bit 2 - User created via Delegated Authentication.
This property is automatically generated when the user is created using the $System.Encryption.GenCryptRand() method.
1 - Generate a new Time-based One-time Password key when user is saved.
$H format in utc.
$H format in utc.
Includes domain if multiple domains are enabled in the format username@domain.
This is used with a salt obtained from $System.Encryption.GenCryptRand. This property is set by the class when the PasswordExternal property is modified. Do not set this property directly.
To modify the password for a user using objects, get an instance of the object and modify the PasswordExternal property:
 If '..Exists(Username,.User,.Status) Quit Status  // open the user object, or return why it could not be opened
 Set User.PasswordExternal=Password               // the class hashes this into the Password property on save
 Set Status=User.%Save()
When using the Modify() class method to change a user's password, you can either set Properties("Password")=NewPassword, or Properties("ExternalPassword")=NewPassword.
$H format in utc.
This property is not stored in permanent storage. It is initially set to the value of $c(0). When it is modified, the Password property is updated to the PBKDF2 salted hashed value. MAXLEN is set to 129 which includes space for a $c(0) plus a 128 byte password, used during installation. ( $c(0)_Password )
0 - Password expires normally.
1 - Password never expires.
0 - Don't allow grant (default)
1 - Allow grant
Methods
Parameters:
Username - Name of the user to add roles to
Roles - Comma delimited list of roles
Parameters:
Username - Name of the user to add roles to
Roles - Comma delimited list of roles
Admin - SQL ADMIN OPTION, TRUE if this user can GRANT the Role to another user/role. Only applicable in SQL.
If you add the user to the %All role, the SuperUser property is set to 1.
Copy an existing User in the Security database to a new one.
Parameters:
Name - Name of the User to be copied.
NewName - Name of the user to be created.
NewFullName - Full name of the new user.
SQLSysPrivs - Copy SQL system privileges.
SQLObjPrivs - Copy SQL object privileges.
NewPassword - Password for the newly created user.
Create a User in the Security database.
There are 2 ways to call this method and pass the parameters:
s x=##Class(Security.Users).Create(User,Roles,Password,FullName,...)
or
s x=##Class(Security.Users).Create(User,.Properties)
Where Properties are contained in an array subscripted by property name, passed by reference. See the Get() method for a description of the Properties array. Valid properties for the Create() method are described below, other values are ignored.
Parameters:
Name - Name of the user to create
UserRoles - List format of roles to assign to the user
Roles are in the format:
"Role1,Role2" For example:
s Roles="%Developer,%Operator"
s Roles="" would create a user with no roles
RolesAreAdmin - 0/1 Roles are created with GRANT privilege
Password - InterSystems IRIS Authentication password for the user in clear text.
FullName - Full name of the user
NameSpace - Namespace of the user for terminal access
Routine - Routine the user runs for terminal access. Routine="" means programmer mode.
ExpirationDate - ODBC date format of when the user account expires, or ""=no expiration
ChangePassword - 0/1, User cannot log in until the password is changed
Enabled - 0/1, account is disabled/enabled
Comment - Comment
Flags - Internal use only, pass 1 for this
Bit 0 - User created normally for InterSystems IRIS Authentication
Bit 1 - User created by LDAP authentication
Bit 2 - User created by User Defined authentication
PhoneNumber - Phone number for two-factor authentication
PhoneProvider - Mobile phone service provider for two-factor authentication
EmailAddress - Email address of the user.
HOTPKey - HOTP key used for Display Time-Based One-time Password
HOTPKeyDisplay - 0/1 - Display QR Code and key on next login
Attributes (byref) - Array of attributes to be associated with the user
Attribute(Name)=Value
AccountNeverExpires - 0/1, Account will never expire
PasswordNeverExpires - 0/1, Password will never expire
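As an added example (not code from the Security.Users class reference or from InterSystems), the hypothetical utility class App.SecurityUtil below creates an account with the Properties-array form of Create(), refuses to hand out %All through this path, and reads the record back with Get() to confirm the new account did not end up with SuperUser set. The class name and the default role name AppOperator are assumptions; the role must already exist in the roles database, and the caller needs the privileges required to manage users.

```objectscript
/// Added example: not part of the Security.Users class reference.
/// App.SecurityUtil and the AppOperator role are hypothetical names.
Class App.SecurityUtil [ Abstract ]
{

/// Create a non-privileged account holding only the given roles, with no GRANT
/// option, that must change its password at first login. Returns a %Status.
ClassMethod CreateOperator(Username As %String, InitialPassword As %String, Roles As %String = "AppOperator") As %Status
{
    // Security.Users lives in %SYS; New restores the caller's namespace on exit
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"

    // A user granted %All gets SuperUser=1, so refuse it here (role names are not case sensitive)
    If $ListFind($ListFromString($ZConvert(Roles, "U"), ","), "%ALL") {
        Quit $$$ERROR($$$GeneralError, "CreateOperator will not grant %All")
    }

    // Fail early with a clear message instead of relying on Create()'s duplicate error
    If ##Class(Security.Users).Exists(Username) {
        Quit $$$ERROR($$$GeneralError, "user already exists: "_Username)
    }

    // Properties array, subscripted by property name, passed by reference to Create()
    Kill Properties
    Set Properties("Roles") = Roles
    Set Properties("RolesAreAdmin") = 0          // no SQL ADMIN OPTION on these roles
    Set Properties("Password") = InitialPassword // clear text here; stored as a PBKDF2 hash
    Set Properties("ChangePassword") = 1         // cannot log in until the password is changed
    Set Properties("Enabled") = 1
    Set Properties("AccountNeverExpires") = 0
    Set Properties("PasswordNeverExpires") = 0
    Set Properties("FullName") = "Application operator "_Username
    Set Properties("Comment") = "Created by App.SecurityUtil.CreateOperator"

    Set Status = ##Class(Security.Users).Create(Username, .Properties)
    If $$$ISERR(Status) Quit Status

    // Post-condition: read the stored record and confirm it is not privileged
    Kill Actual
    Set Status = ##Class(Security.Users).Get(Username, .Actual)
    If $$$ISERR(Status) Quit Status
    If +$Get(Actual("SuperUser")) {
        // Do not leave an unexpected SuperUser account behind
        Do ##Class(Security.Users).Delete(Username)
        Quit $$$ERROR($$$GeneralError, "unexpected SuperUser grant for "_Username_"; account removed")
    }
    Quit $$$OK
}

}
```

Call it from a privileged session as Set sc=##Class(App.SecurityUtil).CreateOperator("ops1","<initial password>") and check sc with $System.Status.DisplayError(sc). Passing the roles through the Properties array rather than the positional form keeps the call readable and makes it easy to add further properties (ExpirationDate, Attributes) without changing the method signature.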
This method will delete a User from the security database.
Parameters:
Username - Username to delete
This method checks for the existence of a user in the security database.
Parameters:
Username - Name of the user to check existence of
Flag - Internal use only, must be 0 or not passed
Requires the %Admin_Secure:USE privilege to change the $USERNAME value.
Return values:
If Value of the method = 0 (User does not exist, or some error occurred)
User = Null
Status = User "x" does not exist, or other error message
If Value of the method = 1 (User exists)
User = Object handle to user
ActualUserName = exact-case of user's name (used by SQL) Status = User "x" already exists
This does not affect LDAP or Delegated authentication accounts. It also does not affect users who have the PasswordNeverExpires flag set.
Parameters:
Names - Comma separated list of user names, "*" = All
Count - Return value of number of users expired.
This method requires %Admin_Secure:USE permission to run.
Parameters:
Filename - Output file name
NumExported (byref) - Returns number of records exported.
Usernames - Comma separated list of Usernames to export, "*" = All
Roles - Comma separated list of Roles, "*" = All. Export Users containing only these roles
SQLPrivileges - 1/0 flag. If 1, export all SQL Privileges from all namespaces on this system that have been directly granted to this Role
NumSQLPrivilegesExported (byref) - Returns number of SQL Privileges and SQL Admin Privilege Set records exported
Gets a User's properties from the security database.
Parameters:
Username - Name of the user to get
Return values:
Properties - Array of properties
Properties("AccountNeverExpires") - 0=Expires normally, 1=Never expires
Properties("Attributes",Name) = $lb(Value1,Value2) - Attributes and values to associate with process
Properties("ChangePassword") - 0=Don't change, 1=Change before next login
Properties("Comment") - Comment
Properties("EmailAddress") - Email Address
Properties("Enabled") - 0=Disabled, 1=Enabled
Properties("ExpirationDate") - Expiration date of account, ODBC date format
Properties("Flags") - Flags of the user
Properties("FullName") - Full name of the user
Properties("InvalidLoginAttempts") - Number of invalid login attempts since last success
Properties("InvalidLoginDateTime") - $h value of last invalid login attempt
Properties("InvalidLoginDevice") - Last device for invalid login attempt
Properties("InvalidLoginStatus") - Last error status for an invalid login attempt
Properties("InvalidLoginService") - Last service used for an invalid login attempt
Properties("LegacyPassword") - Legacy password for Cache Direct
Properties("LoginDateTime") - $h value for last valid login attempt
Properties("LoginDevice") - Last valid login device
Properties("LoginService") - Last valid login service
Properties("NameSpace") - Default Namespace for terminal login
Properties("PasswordHashAlgorithm") - SHA algorithm used in PBKDF2 password hash
Properties("PasswordHashWorkFactor") - Number of iterations used in PBKDF2 password hash
Properties("PasswordNeverExpires") - 0=Expires normally, 1=Never expires
Properties("PhoneNumber") - Phone number for two-factor authentication
Properties("PhoneProvider") - Mobile phone service provider for two-factor authentication
Properties("Roles")- Comma-separated List format of roles
Roles are in the format:
"Role1,Role2"
For example:
s Properties("Roles")="%Developer,%Operator"
Properties("Routine") - Routine the user runs for terminal access. Routine="" means programmer mode.
Properties("Salt") - Salt used to generate password.
Properties("SuperUser") - 0=No, 1=Yes.
Gets the set of resource/permission pairs a User would be granted if logged in.
Parameters:
Username - Name of the user to get
Roles - Comma delimited list of roles to return resources for
Resources - Comma delimited list of resource:permission pairs
Gets the set of roles a User would be granted if logged in.
Parameters:
Username - Name of the user to get
Return value:
Roles - Comma delimited list of roles a user would be granted if logged in
Parameters:
FileName - Filename to import User records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Modifies a User's properties from the security database.
Parameters:
Username - Name of the user to modify
Properties - Array of properties to modify.
See the Get() method for a description of the Properties parameter.
To change a user's password, you can either set Properties("Password")=NewPassword, or Properties("ExternalPassword")=NewPassword.
If a specific property is not passed in the Properties array, its value is not modified. The one exception is SuperUser: adding the user to the %All role sets SuperUser to 1, and removing the user from the %All role sets SuperUser to 0.
If a passed value is unchanged, the property is not set, so that its modified state is not triggered.
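As an added example (not code from the Security.Users class reference or from InterSystems), the hypothetical class App.SecurityUtil below combines Get() and Modify() for a routine hygiene task: disabling password-authenticated accounts that have not logged in for a configurable number of days. It passes only the properties it changes to Modify(), skips LDAP and Delegated accounts (Flags bits 1 and 2), accounts that have never logged in, and %All holders, and records a per-user outcome in the Report array. The class name, the 90-day default and the Report layout are assumptions; the caller needs the privileges required to modify users.

```objectscript
/// Added example: not part of the Security.Users class reference.
/// App.SecurityUtil is a hypothetical class name.
Class App.SecurityUtil [ Abstract ]
{

/// Disable every account in Usernames (comma-separated) whose last successful
/// login is more than MaxIdleDays ago. Report(Name) is set to "disabled",
/// "skipped: <reason>" or "error: <text>" for each name. Returns a %Status that
/// aggregates any per-user errors.
ClassMethod DisableIdleUsers(Usernames As %String, MaxIdleDays As %Integer = 90, Output Report) As %Status
{
    // Security.Users lives in %SYS; New restores the caller's namespace on exit
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"
    Kill Report
    Set Overall = $$$OK
    For i = 1:1:$Length(Usernames, ",") {
        Set Name = $ZStrip($Piece(Usernames, ",", i), "<>W")
        Continue:Name=""
        Kill Props
        Set Status = ##Class(Security.Users).Get(Name, .Props)
        If $$$ISERR(Status) {
            Set Report(Name) = "error: "_$System.Status.GetErrorText(Status)
            Set Overall = $$$ADDSC(Overall, Status)
            Continue
        }
        // Flags bit 1 = created via LDAP, bit 2 = via Delegated authentication:
        // those accounts are governed by the external directory, not here
        Set Flags = +$Get(Props("Flags"))
        If ((Flags\2)#2) || ((Flags\4)#2) {
            Set Report(Name) = "skipped: externally authenticated"
            Continue
        }
        // Never silently disable a %All holder; flag it for a human decision instead
        If +$Get(Props("SuperUser")) {
            Set Report(Name) = "skipped: holds %All, review manually"
            Continue
        }
        If $Get(Props("Enabled")) = 0 {
            Set Report(Name) = "skipped: already disabled"
            Continue
        }
        Set LastLogin = $Get(Props("LoginDateTime"))
        If LastLogin = "" {
            Set Report(Name) = "skipped: no successful login recorded"
            Continue
        }
        // LoginDateTime is a $H value; its date part is a day count, so the
        // difference from today's $H gives idle days directly
        Set IdleDays = +$Horolog - +LastLogin
        If IdleDays <= MaxIdleDays {
            Set Report(Name) = "skipped: active "_IdleDays_" days ago"
            Continue
        }
        // Pass only the changed properties so nothing else on the record is touched
        Kill Change
        Set Change("Enabled") = 0
        Set Change("Comment") = $Get(Props("Comment"))_" [disabled after "_IdleDays_" idle days]"
        Set Status = ##Class(Security.Users).Modify(Name, .Change)
        If $$$ISERR(Status) {
            Set Report(Name) = "error: "_$System.Status.GetErrorText(Status)
            Set Overall = $$$ADDSC(Overall, Status)
            Continue
        }
        Set Report(Name) = "disabled"
    }
    Quit Overall
}

}
```

Run it as Set sc=##Class(App.SecurityUtil).DisableIdleUsers("ops1,ops2,reports",60,.Report) and then walk Report with $Order to see what happened to each account. Disabling (Enabled=0) rather than calling Delete() keeps the account's login history and attributes available for review and can be reversed with a single Modify() setting Enabled back to 1.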
Parameters:
Username - Name of the user to remove roles from
Roles - Comma delimited list of roles.
Parameters:
Username - Name of the user to remove roles from
Roles - Comma delimited list of roles.
This does not affect LDAP or Delegated authentication accounts.
Parameters:
Names - Comma separated list of user names, "*" = All
Count - Return value of number of users updated.
This method requires %Admin_Secure:USE permission to run.
Queries
Names - Comma separated list of user names, "*" = All
Roles - Comma separated list of Role names, "*" = All
LastLoginOlderThan - Select users who haven't logged in in more than x days, "*" = All
Flag - 0 - Use "Startswith" as the selection on the name.
Flag - 1 - Use "Contains" as the selection on the name.
Note: This query may change in future versions
Names - Comma separated list of user names, "*" = All
Roles - Comma separated list of Role names, "*" = All
LastLoginOlderThan - Select users who haven't logged in in more than x days, "*" = All
Flag - 0 - Use "Startswith" as the selection on the name.
Flag - 1 - Use "Contains" as the selection on the name.
Note: This query may change in future versions
Indexes
Triggers
Inherited Members
Inherited Methods
- %%CLASSNAMELogicalToStorage()
- %%CLASSNAMEStorageToLogical()
- %AddToSaveSet()
- %AddToSyncSet()
- %BMEBuilt()
- %BuildIndicesAsync()
- %BuildIndicesAsyncResponse()
- %CheckConstraints()
- %CheckConstraintsForExtent()
- %ClassIsLatestVersion()
- %ClassName()
- %ComposeOid()
- %ConstructClone()
- %Delete()
- %DeleteExtent()
- %DeleteId()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Exists()
- %ExistsId()
- %Extends()
- %GUID()
- %GUIDSet()
- %GetLock()
- %GetParameter()
- %GetSwizzleObject()
- %Id()
- %InitExtentData()
- %InsertBatch()
- %IsA()
- %IsModified()
- %IsNull()
- %KillExtent()
- %KillExtentData()
- %LoadFromMemory()
- %LockExtent()
- %LockId()
- %New()
- %NormalizeObject()
- %ObjectIsNull()
- %ObjectModified()
- %Oid()
- %OnBeforeAddToSync()
- %OnDeleteFinally()
- %OnDetermineClass()
- %OnOpenFinally()
- %OnSaveFinally()
- %Open()
- %OpenId()
- %OriginalNamespace()
- %PackageName()
- %PhysicalAddress()
- %PurgeIndices()
- %Reload()
- %RemoveFromSaveSet()
- %ResolveConcurrencyConflict()
- %RollBack()
- %Save()
- %SaveDirect()
- %SaveIndices()
- %SerializeObject()
- %SetModified()
- %SortBegin()
- %SortEnd()
- %SyncObjectIn()
- %SyncTransport()
- %UnlockExtent()
- %UnlockId()
- %ValidateIndices()
- %ValidateObject()
- %ValidateTable()
- Help()
- XMLDTD()
- XMLExport()
- XMLExportToStream()
- XMLExportToString()
- XMLNew()
- XMLSchema()
- XMLSchemaNamespace()
- XMLSchemaType()
Storage
Storage Model: Storage (Security.Users)
Global node: ^|$$$SecurityMapUsers|SYS("Security","UsersD")(ID)
Fields stored at that node, in order:
%%CLASSNAME, ChangePassword, Comment, Enabled, EventFlags, ExpirationDate, FullName, InvalidLoginAttempts, InvalidLoginDateTime, InvalidLoginDevice, InvalidLoginService, InvalidLoginStatus, LegacyPassword, LoginDateTime, LoginDevice, LoginService, Name, NameSpace, Password, PasswordChangedDateTime, Roles, Routine, SuperUser, Salt, Flags, Attributes, PhoneNumber, PhoneProvider, AccountNeverExpires, PasswordNeverExpires, EMSGroupEnabled, AutheEnabled, CreateDateTime, CreateUsername, LastModifiedDateTime, LastModifiedInfo, LastModifiedUsername, HOTPKey, HOTPKeyDisplay, EmailAddress, TOTPLastValidPasswords, PasswordHashAlgorithm, PasswordHashWorkFactor, Version, EscalationRoles