Roles for Ensemble menu accessing
I'm trying to set up a new access role for the company support team to use the message viewer and production config page to trace the errors that eventually could occur on the production integrations.
I've already assigned the following privileges:
- %EnsRole_Administrator role
- %DB_* roles related to the native and custom namespaces
- SELECT GRANT to all tables on the namespaces we need to provide access
Now, although I can access the message viewer and production config page directly by using the link, I need the ENSEMBLE MENU to show up, so the users can navigate to the message viewer and production config pages using the menu links, but when I log in with the support user and try to access the Ensemble menu the portal shows a message informing that the namespace doesn't have support for Ensemble.
When I perform the search by "message" term the message viewer is listed, but when I click on the link instead of sending me to the message viewer page it redirects to the home page.
I've tested all the roles that come with the product by default, but to no effect. I need to know the right roles or resources to use in order to do this.
Is there anyone with experience configuring roles for that kind of purpose who can help? Thanks in advance.
User needs USE permissions on the %Ens_MessageHeader resource to view Message Viewer page.
You can add a custom role granting Use on the resource or add the %EnsRole_Operator role to the user (note that it does add a lot more).
You can see it in the Management Portal:
@Eduard Lebedyuk, thanks for the tip, but I did assign the %EnsRole_Operator role and the problem remains the same.
Here is the list of the roles already assigned until now:
%DB_%DEFAULT, %DB_CACHE, %DB_CACHEAUDIT, %DB_CACHELIB, %DB_CACHESYS, %DB_CACHETEMP, %DB_ENSEMBLE, %DB_ENSLIB, %DB_HSDAUTOMATION, %DB_HSDINTEGRATION, %DB_HSDSERVICE, %EnsRole_Administrator, %EnsRole_Operator, SUSTENTACAO
SUSTENTACAO is the custom role that others are associated with and grants the user the privileges.
Have you logged out the user? An old session retains old permissions.
Can the user open Message Viewer by a direct URL in browser?
Yes, I did.
I can open the message viewer using the URL, the issue here is the ensemble menu.
Below is the portal message:
All the HSD* namespaces actually have Ensemble support enabled, but when using the limited privileges user it shows that message.
Do the two result sets also output a limited list of namespaces (under the limited user)?
Do ##class(%SYS.Namespace).ListAll(.NspAllList,0)
Do ##class(%CSP.Portal.Utils).%GetNamespaceList(.NspList)
Zw NspAllList, NspList
Below is the output:
NspAllList("%SYS")=""
NspAllList("@@f:\intersystems\mgr\hsdservice\")=""
NspAllList("@@f:\intersystems\mgr\hslib\")=""
NspAllList("@@f:\intersystems\mgr\mprllib\")=""
NspAllList("DOCBOOK")=""
NspAllList("ENSDEMO")=""
NspAllList("ENSEMBLE")=""
NspAllList("HSCUSTOM")=""
NspAllList("HSDAUTOMATION")=""
NspAllList("HSDINTEGRATION")=""
NspAllList("HSDSERVICE")=""
NspAllList("HSLIB")=""
NspAllList("HSSYS")=""
NspAllList("SAMPLES")=""
NspAllList("USER")=""
NspList("%SYS")=$lb(1,0)
NspList("DOCBOOK")=$lb(1,0)
NspList("ENSEMBLE")=$lb(1,0)
NspList("HSDAUTOMATION")=$lb(1,0)
NspList("HSDINTEGRATION")=$lb(1,0)
NspList("HSDSERVICE")=$lb(1,0)
NspList("SAMPLES")=$lb(1,0)
NspList("USER")=$lb(1,0)
Well, I'm out of ideas.
Check that this global contains all references to Ensemble namespaces (under restricted user):
zw ^%SYS("Ensemble","InstalledNamespace")
Contact the WRC?
The output shows all namespaces as well:
^%SYS("Ensemble","InstalledNamespace","ENSDEMO")=""
^%SYS("Ensemble","InstalledNamespace","ENSEMBLE")=""
^%SYS("Ensemble","InstalledNamespace","HSCUSTOM")=""
^%SYS("Ensemble","InstalledNamespace","HSDAUTOMATION")=""
^%SYS("Ensemble","InstalledNamespace","HSDINTEGRATION")=""
^%SYS("Ensemble","InstalledNamespace","HSDSERVICE")=""
^%SYS("Ensemble","InstalledNamespace","HSLIB")="/csp/hslib"
^%SYS("Ensemble","InstalledNamespace","HSSYS")=""
Check if the /csp/healthshare/hsdintegration CSP application is enabled or not.
@Kamal Suri, thanks for your reply. The option is enabled; the problem occurs only when logged in with the restricted user.