Class Reference
IRIS for UNIX 2024.1.2
 InterSystems: The power behind what matters   
Documentation  Search
  [USER] >  [%SYSTEM] >  [SQL] >  [Security]
Private  Storage   

abstract class %SYSTEM.SQL.Security extends %SYSTEM.Help

Inventory

Parameters Properties Methods Queries Indices ForeignKeys Triggers
11


Summary

Methods
CheckPrivilege CheckPrivilegeWithGrant GrantPrivilege GrantPrivilegeWithGrant
Help RevokePrivilege RoleExists UserExists


Methods

• classmethod CheckPrivilege(Username As %String, ObjectType As %Integer, Object As %String, Action As %String, Namespace As %String = "") as %Boolean
Check if user has SQL privilege for a particular action. This does not check grant privileges.

Parameters:
Username
Name of the user to check. Required.
ObjectType
Required. Specifies the type to check the privilege of. ObjectTypes are 1 (table), 3 (view), 5 (schema), 6 (ml configuration), 9 (procedure).
Object
Required. The name the object to check the privilege of.
For example, ObjectType and Object could be "1" and "Sample.Person", or "9" and "SQLUser.My_Procedure".
Action
Comma delimited string of actions letters to check privileges for. Actions are one or more of the letters "a,s,i,u,d,r,e,l" (in any order) which stands for ALTER,SELECT,INSERT,UPDATE,DELETE,REFERENCES,EXECUTE,USE (for ML Configurations). Privilege "e" is only allowed for Procedures. Privilege "l" is only allowed for ML Configurations. CheckPrivilege will only return 1 if the user has privileges on all Actions specified. Required.
Namespace
Namespace object resides in (optional) default is current namespace

Returns:

  • 1 - if the Username does have the privilege
  • 0 - if the Username does not have the privilege
  • %Status - if CheckPrivilege call is reporting an error

    • Notes:

  • If Username is a user with the %All role, CheckPrivilege will return 1 even if the Object does not exist.
  • If the user calling CheckPrivilege is not the same as Username, the calling user must hold the %Admin_Secure:"U" privilege.

    Example:

    • Do $SYSTEM.SQL.Security.CheckPrivilege("Miranda",3,"SQLUser.Person","s","PRODUCT")
    • • classmethod CheckPrivilegeWithGrant(Username As %String, ObjectType As %Integer, Object As %String, Action As %String, Namespace As %String = "") as %Boolean
    Check if user has SQL grant privilege for a particular action.

    Parameters:
    Username
    Name of the user to check. Required.
    ObjectType
    Required. Specifies the type to check the grant privilege of. ObjectTypes are 1 (table), 3 (view), 5 (schema), 6 (ml configuration), 9 (procedure).
    Object
    Required. The name the object to check the grant privilege of.
    For example, ObjectType and Object could be "1" and "Sample.Person", or "9" and "SQLUser.My_Procedure".
    Action
    Comma delimited string of actions letters to check grant privileges for. Actions are one or more of the letters "a,s,i,u,d,r,e,l" (in any order) which stands for ALTER,SELECT,INSERT,UPDATE,DELETE,REFERENCES,EXECUTE,USE (for ML Configurations). Privilege "e" is only allowed for Procedures. Privilege "l" is only allowed for ML Configurations. CheckPrivilegeWithGrant will only return 1 if the user has grant privileges on all Actions specified. Required.
    Namespace
    Namespace object resides in (optional) default is current namespace

    Returns:

  • 1 - if the Username does have the privilege
  • 0 - if the Username does not have the privilege
  • %Status - if CheckPrivilegeWithGrant call is reporting an error

    • Notes:

  • If Username is a user with the %All role, CheckPrivilegeWithGrant will return 1 even if the Object does not exist.
  • If the user calling CheckPrivilegeWithGrant is not the same as Username, the calling user must hold the %Admin_Secure:"U" privilege.

    Example:

    • Do $SYSTEM.SQL.Security.CheckPrivilegeWithGrant($username,1,"HHR.ProductionValues","s,i,u,d","USER")
    • • classmethod GrantPrivilege(ObjPriv As %String, ObjList As %String, Type As %String, User As %String) as %Status
    GrantPrivilege lets you grant an ObjPriv to a User via this call instead of using the SQL GRANT statement. This does not include grant privileges.

    $SYSTEM.SQL.Security.GrantPrivilege(ObjPriv,ObjList,Type,User)

    Parameters:

    ObjPriv
    Comma delimited string of actions to grant. * for all actions:
    • Alter
    • Select
    • Insert
    • Update
    • Delete
    • References
    • Execute
    • Use
    • or any combination
    ObjList
    * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
    Type
    Table, View, Schema, Stored Procedures, or ML Configuration
    User
    Comma delimited list of users
    • classmethod GrantPrivilegeWithGrant(ObjPriv As %String, ObjList As %String, Type As %String, User As %String) as %Status
    GrantPrivilegeWithGrant lets you grant an ObjPriv, WITH GRANT OPTION, to a User

    $SYSTEM.SQL.Security.GrantPrivilegeWithGrant(ObjPriv,ObjList,Type,User)

    Parameters:

    ObjPriv
    Comma delimited string of actions to grant. * for all actions:
    • Alter
    • Select
    • Insert
    • Update
    • Delete
    • References
    • Execute
    • Use
    • or any combination
    ObjList
    * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
    Type
    Table, View, Schema, Stored Procedure, or ML Configuration
    User
    Comma delimited list of users
    • classmethod RevokePrivilege(ObjPriv As %String, ObjList As %String, Type As %String, User As %String, wGrant As %Integer = 0, Cascade As %Integer = 0, AsGrantor As %String = "") as %Status
    RevokePrivilege lets you revoke an ObjPriv from a User via this call instead of using the SQL REVOKE statement

    $SYSTEM.SQL.Security.RevokePrivilege(ObjPriv,ObjList,Type,User,wGrant,Cascade,AsGrantor)

    Parameters:

    ObjPriv
    Comma delimited string of actions to grant. * for all actions:
    • Alter
    • Select
    • Insert
    • Update
    • Delete
    • References
    • Execute
    • Use
    • or any combination
    ObjList
    * for all objects, else a comma delimited list of SQL object names (tables, views, procedures, schemas)
    Type
    Table, View, Schema, ML Configuration, or Stored Procedures
    User
    Comma delimited list of users
    wGrant
    0/1 for WITH GRANT OPTION
    Cascade
    0/1 cascade revoke?
    AsGrantor
    Alternate User to remove privileges for. AsGrantor can be a user name, a comma-separated list of user names, or "*".
    • classmethod RoleExists(rolename As %Library.String = "") as %Library.Boolean [ SQLProc = ]
    This entry point can be used to determine if a role exists.

    Parameters:
    rolename
    Name of the role to check.

    Examples:

    • Write $SYSTEM.SQL.Security.RoleExists("SalesManager") // Writes a 1 if role SalesManager exists
    This method can also be called as a Stored Procedure named %SYSTEM_SQL.Security_RoleExists(rolename)
    • classmethod UserExists(username As %Library.String = "") as %Library.Boolean [ SQLProc = ]
    This entry point can be used to determine if a user exists.

    Parameters:
    username
    Name of the user to check.

    Examples:

    • Write $SYSTEM.SQL.Security.UserExists("Robert") // Writes a 1 if user Robert exists
    This method can also be called as a Stored Procedure named %SYSTEM_SQL.Security_UserExists(username)

    Copyright (c) 2025 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.