Skip to main content

Security.System

Class Security.System Extends (%Persistent, %SYSTEM.Help, %XML.Adaptor) [ Inheritance = right, System = 4 ]

Manipulate the System security settings.

The table for this class should be manipulated only through object access, the published API's or through the System Management Portal. It should not be updated through direct SQL access.

Parameters

SOURCECONTROL

Parameter SOURCECONTROL [ Internal ] = {"Revision path: $Id: //iris/2024.3.0/databases/sys/cls/Security/System.xml#2 $"_$c(13,10)_"Last Change:   $DateTime: 2024/10/18 10:38:24 $"_$c(13,10)_"Changelist #:  $Change: 7293289 $"};

EMSSERVICE

Parameter EMSSERVICE [ Internal ] = "Security";

VERSION

Parameter VERSION [ Internal ] = 4;

VERSIONSYSTEM

Parameter VERSIONSYSTEM [ Internal ] = 2024.3;

Properties

AuditEnabled

Property AuditEnabled As Security.Datatype.BooleanYN [ InitialExpression = 0 ];

Enable auditing.
Setting this to property to 1 will turn on the audit subsystem, and cause audit records to be written to the audit file. Installing with "Minimal" security will cause auditing to be off (0). Installing with "Normal" or "Locked Down" security will cause auditing to be turned on.

AuditEncrypt

Property AuditEncrypt As Security.Datatype.BooleanYN(XMLPROJECTION = "NONE") [ InitialExpression = 0 ];

Encrypt audit file.
Setting this property to 1 will cause the audit database to be encrypted. In order to encrypt the audit database, a valid database encryption key must be loaded on the system. Note that if encryption is enabled, the existing audit database and any data it contains will be deleted as soon as the property is modified. If encryption is changed from enabled to disabled, the existing audit database and any data it contains will also be deleted. By default, this property is set to 0 during installation.

AuditFlags

Property AuditFlags As %Integer [ InitialExpression = 0 ];

Flags to govern audit behavior.
Bit 0 - Freeze system on audit write failure.
If the freeze system bit is turned on, any failure to write to the audit file will cause the system to freeze by setting the WDSTOP bit. Failures could include a file full, disk full, or disk write error condition. To fix this condition, you must force the system down, and either free up disk space, or replace the audit IRIS.DAT file with a new, smaller one. If you enable this parameter, make sure that you have lots of disk space allocated for the audit database. You probably also do not want to set a max size on the audit database either (i.e. leave the max database size set to its default of 0.)

AutheEnabled

Property AutheEnabled As Security.Datatype.Authentication;

Authentication and CSP Session options enabled for the system.
Bit 0 = AutheK5CCache
Bit 1 = AutheK5Prompt
Bit 2 = AutheK5API
Bit 3 = AutheK5KeyTab
Bit 4 = AutheOS
Bit 5 - AuthePassword
Bit 6 = AutheUnauthenticated
Bit 7 = AutheKB
Bit 8 = AutheKBEncryption
Bit 9 = AutheKBIntegrity
Bit 10 = AutheSystem
Bit 11 = AutheLDAP
Bit 12 = AutheLDAPCache
Bit 13 = AutheDelegated
Bit 14 = LoginToken
Bit 15-19 reserved
Bit 20 = TwoFactorSMS
Bit 21 = TwoFactorPW
Bit 22-24 reserved
Bit 25 = MutualTLS
Depending on the installation security options selected, these different authentication and CSP Session options may be either enabled or disabled. These options govern at the system wide level what authentication and CSP session options are available for the system. If an authentication or CSP session option is disabled at the system level, it will also be disabled for all the services and CSP applications. If the authentication or CSP Session option is enabled at the system level, it may be individually enabled or disabled for each service and CSP application on the system, if the service or CSP application supports that method. See the Security.Services class for enabling/disabling authentication for each individual service, and the Security.Applications class for CSP applications. Note that these bits correspond to the same bit numbers in the Security.Services and Security.Applications class.

BypassSecurity

Property BypassSecurity As Security.Datatype.BooleanYN(XMLPROJECTION = "NONE") [ InitialExpression = 0, Internal ];

No longer used DEPRECATED

ConfigurationSecurityEnabled

Property ConfigurationSecurityEnabled As Security.Datatype.BooleanYN [ InitialExpression = 0 ];

Configuration security enabled.
If configuration security is enabled, then if the system detects that the .CPF configuration file has been changed externally (outside of the Management Portal), the system will inform the user that the configuration has changed, and will prompt for a username/password when it next starts up. The username entered must own the %Admin_Manage:Use resource in order for the new configuration to start. If they do not, or the authentication fails, the previous good configuration is used to start the system, and the new configuration changes which were not activated are written to a backup file. By default, this property is set to 0 during installation.

DBEncAlgorithm

Property DBEncAlgorithm As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 1, Internal ];

DBEncIRISTemp

Property DBEncIRISTemp As Security.Datatype.BooleanYN(XMLPROJECTION = "NONE") [ InitialExpression = 0 ];

Encrypt IRISTemp database.
If the encrypt IRISTemp database property is enabled, the next time the system is restarted the IRISTemp database will be recreated as encrypted. In order to encrypt the IRISTemp database, a valid database encryption key must be loaded on the system. If this parameter is changed from enabled to disabled, the next time the system restarts the database will be created unencrypted. By default, this property is set to 0 during installation.

DBEncDefaultKeyID

Property DBEncDefaultKeyID As %String(MAXLEN = 64, XMLPROJECTION = "NONE");

Database encryption key ID to use for new encrypted databases.

DBEncJournalKeyID

Property DBEncJournalKeyID As %String(MAXLEN = 64, XMLPROJECTION = "NONE");

Database encryption key ID to use for encrypting journal files.

DBEncJournal

Property DBEncJournal As Security.Datatype.BooleanYN(XMLPROJECTION = "NONE") [ InitialExpression = 0 ];

Encrypt Journal files.
If the encrypt journal files property is enabled, the journal file will be switched, and the new journal file will be created as encrypted. In order to encrypt the journal file, a valid database encryption key must be loaded on the system. If this parameter is changed from enabled to disabled, the journal file is switched, and the new journal file will be created unencrypted. By default, this property is set to 0 during installation.

DBEncKeyLength

Property DBEncKeyLength As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 16, Internal ];

Default length (in bytes) for new database encryption keys

DBEncStartConfigFile

Property DBEncStartConfigFile As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Internal ];

Not used

DBEncStartMode

Property DBEncStartMode As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 0, Internal ];

Properties for database encryption key activation at startup Mode: 1=Interactive with key file, 2=Unattended with key file, 3=Unattended with KMIP server

DBEncStartKeyFile

Property DBEncStartKeyFile As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Internal ];

Key file name (modes 1 and 2)

DBEncStartUsername

Property DBEncStartUsername As %String(MAXLEN = 128, XMLPROJECTION = "NONE") [ Internal ];

Stored username and password (mode 2)

DBEncStartPassphrase

Property DBEncStartPassphrase As %Binary(MAXLEN = 256, XMLPROJECTION = "NONE") [ Internal ];

DBEncStartKMIPServer

Property DBEncStartKMIPServer As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Internal ];

KMIPServer instance name (mode 3)

DBEncStartRequired

Property DBEncStartRequired As Security.Datatype.BooleanYN(XMLPROJECTION = "NONE") [ InitialExpression = 0, Internal ];

Whether or not successful key activation is required for Cache to start

DefaultSecurityDomain

Property DefaultSecurityDomain As %String(MAXLEN = 128, MINLEN = 1);

Default domain system belongs to.
This property is the default kerberos security domain which the system will use for kerberos authentication. During installation, the system will attempt to set this property to the correct value. If you decide to use kerberos authentication, you may need to modify this value.

DefaultSignatureHash

Property DefaultSignatureHash As %String(VALUELIST = ",SHA1,SHA256,SHA384,SHA512,", XMLPROJECTION = "NONE") [ InitialExpression = "SHA256" ];

The default hashing algorithm to use for digital signatures if no hashing algorithm is explicitely specified which is the usual case. This default is used for creating signatures based on RSA keys or HMAC and the default is set during signature creation.
The valid values for DefaultSignatureHash are SHA1, SHA256, SHA384 and SHA512. Previously the default was SHA1, but is now changed to SHA256 in accord with the NIST recommendation.

Description

Property Description As %String [ InitialExpression = "System security parameters", Internal, Required ];

Description of the system parameters.

EscalateAuthTimeout

Property EscalateAuthTimeout As %Integer(MINVAL = 0) [ InitialExpression = 0, Required ];

The Authentication timeout for Escalated logins.
For interactive processes, when the user is logging in to an Escalation Role (via $system.Security.EscalateLogin()), the user will not be asked to authenticate if the user has previously logged in within the Authentication timeout. A value of '0' indicates that the user should always be prompted to authenticate. A value greater than zero indicates the number of seconds for which the previous login is considered valid. This timeout only applies to escalated logins.

EscalateLoginTimeout

Property EscalateLoginTimeout As %Integer(MINVAL = 0) [ InitialExpression = 300, Required ];

The timeout for Escalated logins.
For interactive processes, if the user is in the escalated shell ($System.Security.EscalateLogin()) and is inactive for longer than this number of seconds, the screen will be locked, and the user will need to re-authenticate before continuing.

InactiveLimit

Property InactiveLimit As %Integer(MINVAL = 0) [ InitialExpression = 90, Required ];

Inactive login limit.
This property is the number of days a InterSystems IRIS security user account can be inactive before it is disabled. Setting this property to 0 will disable account inactivation.

InvalidLoginLimit

Property InvalidLoginLimit As %Integer(MINVAL = 0) [ InitialExpression = 5, Required ];

Invalid login limit.
This property is the number of consecutive times a user can attempt to log into a InterSystems IRIS security account and fail. Once this limit is reached, the process attempting to log in will start to "hang" for longer periods of time before an access denied message is returned to the user. Setting this property to 0 will disable this feature.

InvalidLoginAction

Property InvalidLoginAction As %Integer(MAXVAL = 1, MINVAL = 0) [ InitialExpression = 0 ];

Action to take when the InvalidLoginLimit is reached for a user.
Bit 0 - Disable user account

KeyEncKeyIterations

Property KeyEncKeyIterations As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 65536, Internal ];

KeyEncKeyLength

Property KeyEncKeyLength As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 16, Internal ];

KeyEncKeySaltLength

Property KeyEncKeySaltLength As %Integer(XMLPROJECTION = "NONE") [ InitialExpression = 64, Internal ];

LDAPAttributes

Property LDAPAttributes As list Of %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class List of additional LDAP attributes to return from LDAP Server.
This property contains a list of additional LDAP User attributes for which you want values returned when a user authenticates himself via LDAP. For example, you may want to return a user's mail address from the LDAP server. You would set one of the list values to "mail" which is an LDAP attribute for a user. The values for the set of attributes are written to the user's authentication record, and may be retrieved by using the Security.Users class, Attributes property.

LDAPAttributeComment

Property LDAPAttributeComment As %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class LDAP attribute name where the "Comment" field is retrieved.

LDAPAttributeFullName

Property LDAPAttributeFullName As %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class LDAP attribute name where the "FullName" field is retrieved.

LDAPAttributeNameSpace

Property LDAPAttributeNameSpace As %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class LDAP attribute name where the "NameSpace" field is retrieved.

LDAPAttributeRoutine

Property LDAPAttributeRoutine As %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class LDAP attribute name where the "Routine" field is retrieved.

LDAPAttributeRoles

Property LDAPAttributeRoles As %String(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class LDAP attribute name where the "Roles" field is retrieved.

LDAPBaseDN

Property LDAPBaseDN As %String(MAXLEN = 128, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPCACertFile

Property LDAPCACertFile As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPClientTimeout

Property LDAPClientTimeout As %Integer(XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPHostNames

Property LDAPHostNames As %String(MAXLEN = 128, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPDomainName

Property LDAPDomainName As %String(MAXLEN = 128, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPFlags

Property LDAPFlags As %Integer(XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPInstanceId

Property LDAPInstanceId As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPGroupId

Property LDAPGroupId As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPSearchPassword

Property LDAPSearchPassword As Security.Datatype.Password(MAXLEN = 64, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPSearchUsername

Property LDAPSearchUsername As %String(MAXLEN = 256, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPServerTimeout

Property LDAPServerTimeout As %Integer(XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LDAPUniqueDNIdentifier

Property LDAPUniqueDNIdentifier As %String(MAXLEN = 128, XMLPROJECTION = "NONE") [ Deprecated, Internal ];

Deprecated, See Security.LDAPConfigs class

LoginCookieTimeout

Property LoginCookieTimeout As %Integer [ InitialExpression = 0 ];

Name

Property Name As %String [ InitialExpression = {$$$SystemSecurityName}, Internal, Required ];

By default "SYSTEM".
It must not be modified.

PasswordExpirationDays

Property PasswordExpirationDays As %Integer [ InitialExpression = 0, Required ];

Password expiration period.
This property governs how long a password for a user can be used before it expires. Once a password expires, the user must change their password before they can log in the next time. If this property is set to 0, passwords will not expire on the system.

PasswordHashWorkFactor

Property PasswordHashWorkFactor As %Integer(MINVAL = 10000) [ InitialExpression = 10000, Required ];

Target work factor for storing PBKDF2 password hashes. Higher values increase the result's resistance to attack, as well as CPU count required to authenticate passwords. If a user logs in via password, and the work factor of their hash does not match this value, it will be re-calculated and re-stored appropriately. This allows frictionless migration to new PBKDF2 standards as users log in over time.

PasswordHashAlgorithm

Property PasswordHashAlgorithm As Security.Datatype.PBKDF2Alg [ InitialExpression = "SHA512", Required ];

Target hash algorithm for storing PBKDF2 password hashes. More secure hashes increase the result's resistance to attack. If a user logs in via password, and their hash was calculated using a different algorithm, it will be re-calculated and re-stored appropriately. This allows frictionless migration to new PBKDF2 standards as users log in over time.

PasswordPattern

Property PasswordPattern As %String(MAXLEN = 64) [ InitialExpression = "3.128ANP" ];

Password Pattern.
When a user is created in the InterSystems IRIS security database, or a user changes their password, the password is pattern matched against the pattern stored in this property to determine if it matches. If it matches, then the password is allowed. By default, the password must be between 3 and 32 characters, with alphanumerics and punctuations. A security setting of "locked down" selected during install requires it to be a minimum of 8 characters long. The Password pattern may be set to null meaning no pattern match on the password.

PasswordValidationRoutine

Property PasswordValidationRoutine As %String(MAXLEN = 128);

Password validation routine.
When a user is created in the InterSystems IRIS security database, or a user changes their password, the specified routine is called to validate the password. A tag reference may also be included in the property. The routine should be provided by the user, and must exist in the %SYS namespace (it may be mapped to a different database however.) The routine will take 2 parameters, a Username and new password, and should return a %Status code of $$$OK for successful password validation, or an error code formatted into a %Status variable. The username passed into the function will be in all lowercase, and will contain the domain name if multiple domains are enabled for the system.

Here is an example of a password validation routine. Enter CHECK^PASSWORD into this property to call it:

PASSWORD ; Validate a user's password #include %occInclude CHECK(Username,Password) PUBLIC { ; See if the password was previously used. If it was, return an error. ; Allow the user to change it to the same one as current. ; Store the list of previously used passwords for the user as a hashed value. s PasswordHash=$System.Encryption.SHA1Hash(Password) i $d(^PASSWORDLIST(Username,PasswordHash)){ i ^PASSWORDLIST(Username,"Current")'=PasswordHash { q $$$ERROR($$$GeneralError,"Password was previously used") } } s ^PASSWORDLIST(Username,PasswordHash)=$h s ^PASSWORDLIST(Username,"Current")=PasswordHash q $$$OK }

PercentGlobalWrite

Property PercentGlobalWrite As %Integer [ InitialExpression = 0 ];

Allow writing to % globals.
When this property is set to 1, any user on the system is allowed to write to any "%" global (like ^%IS) mapped to the IRISSYS database. When this property is set to 0, only users with write access to the %DB_IRISSYS resource can write to "%" globals. During intallation this is set to 1 for "Minimal" security, 0 for "Normal" and "Locked Down" security.

RequiredRole

Property RequiredRole As %String(MAXLEN = 64);

Required role to log into system.
Setting this value to a valid role will require any user logging into the system to own this role as part of their login roles. If the user does not own this role, they will receive an "Access denied" message when they try to log in. This is usually used when the system is configured for LDAP or User defined authentication to restrict unauthorized users from accessing a system. When using LDAP or user defined authentication, user roles are assigned from the LDAP database or the user defined security database. For example, if this property is set to "ACCOUNTSPAYABLE", then the user logging in must be assigned the ACCOUNTSPAYABLE role on the LDAP server, or from the user defined database. Leave as "" if not required. Note that if the user logging in is assigned the "%All" role from the LDAP server or user defined database, then that will override any role entered here.

SecurityDomains

Property SecurityDomains As Security.Datatype.BooleanYN [ InitialExpression = 0 ];

Allow multiple security domains.
This property should only be set to 1 if you are using kerberos, and wish to allow cross domain realm authentication. Turning it on will cause all usernames to include the domain from which they are logging in. Thus a $username such as "Steve" will then be displayed and used as Steve@domainname.com.

SSLSuperServer

Property SSLSuperServer As %Integer(MAXVAL = 2, MINVAL = 0) [ Deprecated, InitialExpression = 0, Internal ];

Use SSL/TLS for SuperServer connections.
0 = None
1 = Accept
2 = Require

SSLTelnetServer

Property SSLTelnetServer As %Integer(MAXVAL = 2, MINVAL = 0) [ InitialExpression = 0 ];

Use SSL/TLS for Telnet Server connections (Windows only.)
0 = None
1 = Accept
2 = Require

SSLECPServer

Property SSLECPServer As %Integer(MAXVAL = 2, MINVAL = 0) [ InitialExpression = 0 ];

Use SSL/TLS for ECP Server connections.
0 = None
1 = Accept
2 = Require

SMTPPassword

Property SMTPPassword As %String;

Password for sending email

SMTPServer

Property SMTPServer As %String;

Server DNS name for sending email

SMTPUsername

Property SMTPUsername As %String;

Username for sending email

TwoFactorEnabled

Property TwoFactorEnabled As Security.Datatype.BooleanYN [ InitialExpression = 0, Internal ];

Enable two-factor authentication system-wide
No longer used, moved to AutheEnabled property.

TwoFactorFrom

Property TwoFactorFrom As %String;

"From:" field for two-factor security token messages

TwoFactorPWIssuer

Property TwoFactorPWIssuer As %String(MAXLEN = 256) [ InitialExpression = {$p($zv," ",1)_"-"_$zu(110)_"-"_$p($zu(86),"*",2)} ];

TwoFactorTimeout

Property TwoFactorTimeout As %Integer [ InitialExpression = 180 ];

Timeout for receiving security token in two-factor authentication, in seconds

Version

Property Version As %Decimal(SCALE = 1) [ Internal ];

Version number of the record.
Used for Export/Import.

VersionSystem

Property VersionSystem As %Decimal(SCALE = 2) [ Internal ];

Version number of Security Tables.

PrivateJWKS

Property PrivateJWKS As %String(MAXLEN = 2048);

PublicJWKS

Property PublicJWKS As %String(MAXLEN = 2048);

JWTSigAlg

Property JWTSigAlg As %String(VALUELIST = ",RS256,RS384,RS512,ES256,ES384,ES512") [ InitialExpression = "ES256" ];

JWTIssuer

Property JWTIssuer As %String(MAXLEN = 1024);

Methods

CheckSecurityTables

ClassMethod CheckSecurityTables(Install = 1, samplesInstall = 1) As %Status [ Internal ]

Check the security tables and update or initialize if necessary.

ConvertSQLIndicesToIRIS

ClassMethod ConvertSQLIndicesToIRIS() [ Internal ]

This converts the SQL role indices from Cache to IRIS.
Previous conversions in the code above were partially incomplete. This is the correct conversion, and fixes any issues with previous conversions.

Convert

ClassMethod Convert(FileName As %String, InFile As %String) As %Status [ Internal ]

Convert a VMS undefined record type file to stream.

DeleteInstallationInfo

ClassMethod DeleteInstallationInfo() As %Status [ Internal ]

Delete the installation username information file.

Exists

ClassMethod Exists(Name As %String = {$$$SystemSecurityName}, ByRef System As %ObjectHandle, ByRef Status As %Status) As %Boolean

System security configuration exists.
Used to get a handle to the Security.System object.
Parameters:
Name - Always "SYSTEM".
Return values:
If Value of the method = 0 (System config does not exist, or some error occured)
System = Null
Status = System does not exist, or other error message

If Value of the method = 1 (System config exists)
System = Object handle to System config
Status = $$$OK

Export

ClassMethod Export(FileName As %String = "SystemExport.xml", ByRef NumExported As %Integer) As %Status

This method exports the System security record to a file in xml format.
Parameters:
Filename - Output file name
NumExported (byref) - Returns number of records exported.

ExportAll

ClassMethod ExportAll(FileName As %String = "SecurityExport.xml", ByRef NumExported As %String, Flags As %Integer = -1) As %Status

Export All Security records to an xml file.
Parameters:
FileName - Output file name
NumExported (byref) - Returns number of records exported for each type of security record:

  • NumExported("System")
  • NumExported("Event")
  • NumExported("Service")
  • NumExported("Resource")
  • NumExported("Role")
  • NumExported("User")
  • NumExported("Application")
  • NumExported("SSLConfig")
  • NumExported("PhoneProvider")
  • NumExported("X509Credentials")
  • NumExported("OpenAMIdentityService")
  • NumExported("SQLPrivileges")
  • NumExported("X509Users")
  • NumExported("DocDB")
  • NumExported("LDAPConfig")
  • NumExported("KMIPConfig") Flags - What type of records to export to the file, -1 = ALL
  • Bit 0 - System
  • Bit 1 - Events
  • Bit 2 - Services
  • Bit 4 - Resources
  • Bit 5 - Roles
  • Bit 6 - Users
  • Bit 7 - Applications
  • Bit 8 - SSL Configs
  • Bit 9 - PhoneProvider
  • Bit 10 - X509Credential
  • Bit 11 - OpenAMIdentityService
  • Bit 12 - SQL privileges
  • Bit 13 - X509Users
  • Bit 14 - DocDBs
  • Bit 15 - LDAPConfig
  • Bit 16 - KMIPServer
  • Bit 17 - Servers To export records for a particular area, specify a value of Flags that is 2 to the number of the relevant bit. For example, to export only a list of all roles (Bit 5), specify 32 (2**5, that is, 2 to the 5th power) as the value of Flags; for all applications (Bit 7), specify a value of 128 (2**7).

To export records for multiple areas, sum the values for the relevant areas. For example, to export both roles and applications, specify a value of 160 (32 for roles plus 128 for applications); to export roles, users, and applications, specify a value of 224 (32 for roles, plus 64 for users, plus 128 for applications).

Get

ClassMethod Get(Name As %String = {$$$SystemSecurityName}, ByRef Properties As %String) As %Status

Get the system security properties.
Parameters:
Name - Name of system parameter record, currently always "SYSTEM"
Properties (byref) - Array of system properties

GetProperties

ClassMethod GetProperties(System As %ObjectHandle, ByRef Properties As %String) As %Status

Get the system security properties.

GetInstallationInfo

ClassMethod GetInstallationInfo(ByRef Info As %String) As %Status [ Internal ]

Get the information passed in by the installer.
Return values:
Info (by ref) - Array of installation information subscripted as follows:
"InstallUsername" - Username of the installer
"DomainNameFQ" - Fully qualified domain name
"InitialSecuritySettings" - Minimal, Normal, or LockedDown

GetInstallationSecuritySetting

ClassMethod GetInstallationSecuritySetting(ByRef SecuritySetting As %String) As %Status

Return the Security settings which the instance was initially installed with.
Security Setting - (by ref) Contains the security setting installed, one of these possible values:
"None" - Minimal settings selected
"Normal" - Normal settings selected
"Locked Down" - Locked down setting selected
"Unknown" - Cannot determine settings. This would only be the case if the system was initially installed as 2010.2 or earlier, and the settings cannot be determined by examining the security database.

Import

ClassMethod Import(FileName As %String = "SystemExport.xml", ByRef NumImported As %Integer, Flags As %Integer = 0) As %Status

Import System security record from an xml file.
Parameters:
FileName - Filename to import System security record from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported

ImportAll

ClassMethod ImportAll(FileName As %String = "SecurityExport.xml", ByRef NumImported As %String, Type As %Integer = -1, Flags As %Integer = 0) As %Status

Import All Security records from an xml file.
Parameters:
FileName - Filename to import security records from
NumImported (byref) - Returns number of records imported for each type of security record:
NumImported("System")
NumImported("Event")
NumImported("Service")
NumImported("Resource")
NumImported("Role")
NumImported("User")
NumImported("Application")
NumImported("SSLConfig")
NumImported("PhoneProvider")
NumImported("X509Credentials")
NumImported("OpenAMIdentityService")
NumImported("SQLPrivileges")
NumImported("X509Users")
NumImported("DocDB")
NumImported("LDAPConfig")
NumImported("KMIPServer")
NumImported("Server")
Type - What type of records to import from the file, -1 = ALL
Bit 0 - System
Bit 1 - Events
Bit 2 - Services
Bit 4 - Resources
Bit 5 - Roles
Bit 6 - Users
Bit 7 - Applications
Bit 8 - SSL Configs
Bit 9 - PhoneProvider
Bit 10 - X509Credential
Bit 11 - OpenAMIdentityService
Bit 12 - SQL privileges
Bit 13 - X509Users
Bit 14 - DocDBs
Bit 15 - LDAPConfigs
Bit 16 - KMIPServer
Bit 17 - Servers
Flags - Control import
Bit 0 - Do not import records, just return counts
Note: On failure, no records will be imported

InitCapMatrix

ClassMethod InitCapMatrix(Startup As %Integer = 0) As %Status [ Internal ]

Initialize the capabilities matrix.

IsAuditingEnabled

ClassMethod IsAuditingEnabled() As %Boolean [ Internal ]

Determine if auditing is enabled.

Modify

ClassMethod Modify(Name As %String = {$$$SystemSecurityName}, ByRef Properties As %String) As %Status

Modify the system security properties.
Modifies the system security properties from the security database.
Parameters:
Name - Name of system parameter record, currently always "SYSTEM"
Properties - Array of properties to modify.
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, then the property is not modified.

ModifyOne

ClassMethod ModifyOne(ByRef Properties As %String) As %Status [ Internal ]

Start

ClassMethod Start() As %Status [ Internal ]

Start the security system.

StartEMS

ClassMethod StartEMS() As %Status [ Internal ]

Initialize an EMS client when a system parameter changes

%OnAfterSave

Method %OnAfterSave(insert As %Boolean) As %Status [ Internal, Private ]

This callback method is invoked by the %Save method to provide notification that the object is being saved. It is called after the object's data has been successfully written to disk.

insert will be set to 1 if this object is being saved for the first time.

If this method returns an error then the call to %Save will fail.

%OnAddToSaveSet

Method %OnAddToSaveSet(depth As %Integer = 3, insert As %Integer = 0, callcount As %Integer = 0) As %Status [ Private, ServerOnly = 1 ]

This callback method is invoked when the current object is added to the SaveSet, either because %Save() was invoked on this object or on an object that references this object. %OnAddToSaveSet can modify the current object. It can also add other objects to the current SaveSet by invoking %AddToSaveSet or remove objects by calling %RemoveFromSaveSet.

If this method returns an error status then %Save() will fail and the transaction will be rolled back.

%OnBeforeSave

Method %OnBeforeSave(insert As %Boolean) As %Status [ Internal, Private ]

This callback method is invoked by the %Save method to provide notification that the object is being saved. It is called before any data is written to disk.

insert will be set to 1 if this object is being saved for the first time.

If this method returns an error then the call to %Save will fail.

%OnDelete

ClassMethod %OnDelete(oid As %ObjectIdentity) As %Status [ Internal ]

This callback method is invoked by the %Delete method to provide notification that the object specified by oid is being deleted.

If this method returns an error then the object will not be deleted. [Previously private]

%OnValidateObject

Method %OnValidateObject() As %Status [ Internal, Private, ProcedureBlock = 1 ]

This callback method is invoked by the %ValidateObject method to provide notification that the current object is being validated.

If this method returns an error then %ValidateObject will fail.

ListExecute

ClassMethod ListExecute(ByRef qHandle As %Binary) As %Status [ Internal ]

Note: This query may change in future versions

ListFetch

ClassMethod ListFetch(ByRef qHandle As %Binary, ByRef Row As %List, ByRef AtEnd As %Integer = 0) As %Status [ Internal, PlaceAfter = ListExecute ]

ListClose

ClassMethod ListClose(ByRef qHandle As %Binary) As %Status [ Internal, PlaceAfter = ListExecute ]

EMSNew

ClassMethod EMSNew(init As %String) As Security.System [ Internal ]

Handles %New for EMS 'full' upload test.