Example One: %Developer and %Operator Roles
This example demonstrates an authorization difference between the %Developer and %Operator roles.
Both roles are pre-defined in InterSystems IRIS. They provide their members with different sets of privileges:
%Developer — Members of this role can access a number of development related tools including the Terminal, Studio, Telnet, and the Debugger. In particular, %Developer has the %Development:USE privilege. Holders of this privilege can access the Terminal.
%Operator — Members of this role can perform a number of operator related tasks including mounting and unmounting databases, starting and stopping InterSystems IRIS, and performing integrity checks. This role does not grant its members the %Development:USE privilege.
Complete the following steps:
Create two new InterSystems IRIS users: OpUser (password “OpUser”) and DevUser (password “DevUser”). Assign OpUser to the %Operator role and assign DevUser to the %Developer role.
Next, open the Terminal and use $SYSTEM.Security.Login to login as DevUser. Note that the method requires the user name and password as arguments. Then write the values of $Username and $Roles to confirm the login.
USER>Write $System.Security.Login("DevUser","DevUser") 1 USER>Write $Username DevUser USER>Write $Roles %Developer USER>
Open a new Terminal and use $SYSTEM.Security.Login to attempt to login as OpUser. Since this user does not have %Development:USE, the user cannot access the Terminal. The login fails and the Terminal closes. Before closing, the Terminal displays an error like the following:
USER>Do $System.Security.Login("OpUser","OpUser") Access Denied
This example and the following assume that you have installed InterSystems IRIS using Minimal security and that the %Service_Console service allows unauthenticated access.
The example described above assumes a Windows environment. Unix® users can do the same example using the Terminal, however the relevant service is called %Service_Terminal.
For a comparison of the privileges granted by all of the predefined roles see Predefined Roles.