The following lists the available services, what each controls, and what kind of service it is:
%Service_Bindings — SQL or objects; use of Studio [resource-based]
%Service_CacheDirect — A proprietary mechanism for connecting to other InterSystems products [resource-based]
%Service_CallIn — The CallIn interface [resource-based]
%Service_ComPort — COMM ports attached to a Windows system [resource-based]
%Service_Console — The local Terminal from a Windows console (analogous to %Service_Terminal for macOS, UNIX®, and Linux) [resource-based]
%Service_DataCheck — The DataCheck utility [basic]
%Service_DocDB — Document database applications [resource-based]
%Service_ECP — Enterprise Cache Protocol (ECP) [basic]
%Service_Login — Use of $SYSTEM.Security.Login [resource-based]
%Service_Mirror — InterSystems IRIS database mirroring [basic]
%Service_Monitor — SNMP and remote monitor commands [basic]
%Service_Shadow — Access to this instance from shadow destinations (for use only with existing configurations) [basic]
%Service_Sharding — Access to this instance as a shard server [basic]
%Service_Telnet — Telnet sessions on a Windows server and remote Windows Terminal sessions [resource-based]
%Service_Terminal — The Terminal from a macOS, UNIX®, and Linux console (analogous to %Service_Console for Windows) [resource-based]
%Service_WebGateway — Web application pages [resource-based]
%Service_Weblink — WebLink, which is available as a legacy service [basic]
Notes on Individual Services
For the %Service_Bindings service, there are three resources that manage access: the %Service_Native resource, the %Service_Object resource and the %Service_SQL resource. Once a user has authenticated, these resources control whether data is accessible to the user through the Native SDKs, as objects, or through SQL respectively. (If a user has table-level SQL privileges on data, then InterSystems IRIS automatically grants an authenticated user the %Service_SQL:Use privilege for the duration of the connection.)
This service also controls access to Studio. For more information about Studio and security, see Integration with InterSystems Security.
%Service_Console and %Service_Terminal
These two services both provide console or terminal-style access to InterSystems IRIS. This functionality is analogous for both Windows and non-Windows systems; %Service_Console provides this functionality for Windows and %Service_Terminal provides this functionality for UNIX®, Linux, and Mac.
Terminal or console access is one of the most sensitive aspects of InterSystems security. If an attacker gains access to InterSystems IRIS in one of these ways, it can be possible to read or destroy sensitive data.
A resource does not govern the use of ECP. Rather, you either enable or disable the service (this makes ECP what is called a “basic service”). This means that all the instances in an ECP configuration, such as a distributed cache cluster, need to be within the secured InterSystems IRIS perimeter.
For details on how privileges work within an ECP-based configuration, see Distributed Cache Cluster Security.
This service controls the ability to explicitly invoke the Login method of the %SYSTEM.SecurityOpens in a new tab class. Calls to this method are of the form:
Set Success = $SYSTEM.Security.Login(username, password)
where username is the user being logged in and password is that user’s password.
This service manages connections that serve up web pages. Specifically, it manages connections between the Web Gateway processes running on the Web Server and the InterSystems IRIS server. You will not interact with this service directly within a Web Application; instead, the authentication mechanisms are configured within the relevant Web Application definition.
Under the following circumstances, there is no access to the server via the Web Gateway:
There are authentication mechanisms enabled for the service
The Web Gateway has no valid authentication information for any of the enabled authentication mechanisms
Unauthenticated access is disabled for the service
Hence, if you disable unauthenticated access through this service (that is, the Unauthenticated authentication mechanism is disabled), you must ensure that the Web Gateway has the information it needs to authenticate to the InterSystems IRIS server. For example, for Instance Authentication (password) access, this is a valid username-password pair; for Kerberos access, this is a valid service principal name and key table location. To specify authentication information for the Web Gateway, use its management interface; for a standard installation, the URL has the following form, using the <baseURL> for your instance:
%Service_WebGateway controls only the background authentication between the Web Gateway processes running on the Web Server and the InterSystems IRIS instance. As a result, authentication mechanisms for Web Applications are configured and managed within the relevant Web Application definition, not by editing the allowed authentication methods of %Service_WebGateway itself.
Because %Service_WebGateway regulates the use of the Portal and its subapplications, disabling %Service_WebGateway does not disable any system applications, so that there can always be access to the Portal. For more information on system applications, see Built-In Applications.
If you inadvertently lock yourself out of the Portal, you can use emergency access emergency access mode to reach the Portal and correct the problem; this is described in Emergency Access.