In this example you experiment with different privileges on the USER database and a user's ability to use the data and code stored in the database.
- Open the Terminal and, while still logged in as the UnknownUser, execute the CreateTestData method of SecurityTutorial.AuthorizationExample. This creates some data that we will use later in the example.
USER>Do ##class(SecurityTutorial.AuthorizationExample).CreateTestData()
USER>Write ^TestData
MyInitialData
- Create a new role named UserDatabase. Give the role the following privileges:
  - %DB_USER:READ.
  - %Development:USE.
- Create a new user and add the user to the UserDatabase role.
- Open the Terminal and use $SYSTEM.Security.Login to log in as the user created in the previous step.
- Execute the ReadTestData method of SecurityTutorial.AuthorizationExample. This method reads some data from the USER database and displays it. Since the user has %DB_USER:READ, the method successfully returns the data.
USER>Do $System.Security.Login("MyUser","MyUser")
USER>Write $Username,!,$Roles
MyUser
UserDatabase
USER>Write ##class(SecurityTutorial.AuthorizationExample).ReadTestData()
MyInitialData
- Now attempt to execute the UpdateTestData method of SecurityTutorial.AuthorizationExample. This method writes some data to the USER database. Since the user does not have %DB_USER:WRITE, the method fails and generates a <PROTECT> error.
USER>Write $System.Security.Check("%DB_USER")
READ
USER>Do ##class(SecurityTutorial.AuthorizationExample).UpdateTestData()
Set ^TestData = "MyUpdatedData" }
^
<PROTECT>zUpdateTestData+1^SecurityTutorial.AuthorizationExample.1 ^TestData,c:\intersystems\iris\mgr\user\
USER 2d1>
- Next, edit the UserDatabase role so that it has %DB_USER:READ,WRITE.
- While still logged in as the user created above, execute the UpdateTestData method. The user now has write privileges on the USER database, so the method succeeds.
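The following class is an added example, not the tutorial's own SecurityTutorial.AuthorizationExample source: it reconstructs what the three methods used in the steps above plausibly look like (the globals and method names are taken from the transcripts; the method bodies are an assumption), and adds a hypothetical UpdateTestDataChecked method that tests for %DB_USER:WRITE with $System.Security.Check before writing and catches the <PROTECT> error if it still occurs, so a caller gets a %Status instead of an unhandled error.

```objectscript
/// Added example (assumption, not the tutorial's own class).
/// Illustrates which %DB_USER permission each method needs and how to
/// fail cleanly when the current user lacks it.
Class SecurityTutorial.AuthorizationExample Extends %RegisteredObject
{

/// Creates the data used by the rest of the example.
/// Needs %DB_USER:WRITE (the tutorial runs this as UnknownUser first).
ClassMethod CreateTestData()
{
    Set ^TestData = "MyInitialData"
}

/// Reads the global; needs only %DB_USER:READ.
ClassMethod ReadTestData() As %String
{
    Quit $Get(^TestData)
}

/// Writes the global; needs %DB_USER:WRITE.
/// With only READ on the resource, the Set line raises <PROTECT>.
ClassMethod UpdateTestData()
{
    Set ^TestData = "MyUpdatedData"
}

/// Hypothetical guarded variant (not in the tutorial): verify the
/// permission first with $System.Security.Check(resource, permission),
/// which returns 1 when the current user holds it, and convert any
/// error raised by the write into a %Status.
ClassMethod UpdateTestDataChecked() As %Status
{
    If '$System.Security.Check("%DB_USER", "WRITE") {
        Return $$$ERROR($$$GeneralError,
            "User " _ $Username _ " with roles [" _ $Roles _ "] lacks %DB_USER:WRITE")
    }
    Try {
        Set ^TestData = "MyUpdatedData"
    } Catch ex {
        // e.g. <PROTECT> if privileges changed between the check and the write
        Return ex.AsStatus()
    }
    Return $$$OK
}

}
```

Run it from the Terminal as the restricted user with `Set sc = ##class(SecurityTutorial.AuthorizationExample).UpdateTestDataChecked()` followed by `Do $System.Status.DisplayError(sc)`: while the UserDatabase role grants only %DB_USER:READ the status carries the "lacks %DB_USER:WRITE" message rather than the <PROTECT> error shown above, and after the role is edited to READ,WRITE the same call returns $$$OK and ^TestData holds "MyUpdatedData".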