Example Three: %DB_USER Resource
In this example you experiment with different privileges on the USER database and a user's ability to use the data and code stored in the database.
- Open the Terminal and, while still logged in as UnknownUser, execute the CreateTestData method of SecurityTutorial.AuthorizationExample. This creates some data that we will use later in the example.

    USER>Do ##class(SecurityTutorial.AuthorizationExample).CreateTestData()
    USER>Write ^TestData
    MyInitialData

- Create a new role named UserDatabase. Give the role the following privileges:
  - %DB_USER:READ.
  - %Development:USE.
- Create a new user and add the user to the UserDatabase role.
- Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step.
- Execute the ReadTestData method of SecurityTutorial.AuthorizationExample. This method reads some data from the USER database and displays it. Since the user has %DB_USER:READ, the method successfully returns the data.

    USER>Do $System.Security.Login("MyUser","MyUser")
    USER>Write $Username,!,$Roles
    MyUser
    UserDatabase
    USER>Write ##class(SecurityTutorial.AuthorizationExample).ReadTestData()
    MyInitialData

- Now attempt to execute the UpdateTestData method of SecurityTutorial.AuthorizationExample. This method writes some data to the USER database. Since the user does not have %DB_USER:WRITE, the method fails and generates a <PROTECT> error. Note that $System.Security.Check("%DB_USER") with no permission argument reports the permissions the current user holds on the resource, here only READ.

    USER>Write $System.Security.Check("%DB_USER")
    READ
    USER>Do ##class(SecurityTutorial.AuthorizationExample).UpdateTestData()

     Set ^TestData = "MyUpdatedData" }
     ^
    <PROTECT>zUpdateTestData+1^SecurityTutorial.AuthorizationExample.1 ^TestData,c:\intersystems\iris\mgr\user\
    USER 2d1>

- Next, edit the UserDatabase role so that it has %DB_USER:READ,WRITE.
- While still logged in as the user created above, execute the UpdateTestData method again. The user now has write privileges on the USER database, so the method succeeds.
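As an added example (not part of the tutorial's SecurityTutorial.AuthorizationExample class), the following class shows how code can check for %DB_USER:WRITE with $SYSTEM.Security.Check before touching the USER database and turn an unexpected <PROTECT> into a %Status instead of an unhandled error in the Terminal; the class name SecurityTutorial.GuardedUpdate is assumed.

```objectscript
Class SecurityTutorial.GuardedUpdate
{

/// Return 1 if the current $USERNAME holds the given permission on the resource.
/// With a permission argument, $SYSTEM.Security.Check returns 1 or 0; without one
/// it returns the list of permissions held (e.g. "READ" or "READ,WRITE").
ClassMethod Has(resource As %String, perm As %String) As %Boolean
{
    Return $SYSTEM.Security.Check(resource, perm)
}

/// Update ^TestData only if the caller has %DB_USER:WRITE. Returns a %Status
/// so a caller can report the problem rather than trapping a <PROTECT> error.
ClassMethod UpdateTestData(value As %String = "MyUpdatedData") As %Status
{
    If '..Has("%DB_USER", "WRITE") {
        Return $$$ERROR($$$GeneralError,
            $USERNAME_" lacks %DB_USER:WRITE (roles: "_$ROLES_")")
    }
    Try {
        // The privilege check above is advisory; the database itself still
        // enforces the resource, so keep the write inside Try/Catch.
        Set ^TestData = value
    } Catch ex {
        If ex.Name = "<PROTECT>" {
            Return $$$ERROR($$$GeneralError,
                "write to ^TestData denied: "_ex.DisplayString())
        }
        Return ex.AsStatus()
    }
    Return $$$OK
}

/// Convenience wrapper for the Terminal: prints either OK or the error text.
ClassMethod Run(value As %String = "MyUpdatedData") As %Boolean
{
    Set sc = ..UpdateTestData(value)
    If $$$ISOK(sc) {
        Write "OK, ^TestData = ", ^TestData, !
        Return 1
    }
    Do $SYSTEM.Status.DisplayError(sc)
    Return 0
}

}
```

Running `Do ##class(SecurityTutorial.GuardedUpdate).Run()` as MyUser with only %DB_USER:READ prints the error message; after the role is changed to %DB_USER:READ,WRITE it prints the updated value.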