InterSystems IRIS currently supports role-based access control (RBAC) through the use of resources and roles. However, this functionality is not consistently implemented across all features. In some cases, access is granted based on a hardcoded %All role. This means that access to certain resources or data is granted only if a user is assigned the %All role, which is all-powerful and provides unrestricted access. This undermines the principle of least privilege, as users may be granted access to more resources than they need, potentially exposing sensitive data or functionality.
Additionally, there are instances where resource and role assignment mechanisms do not work as intended, which compromises the effectiveness of RBAC. In an era where security threats are increasingly sophisticated and data privacy regulations like HIPAA and GDPR are paramount, ensuring that access controls are strictly role-based is more important than ever.
The rise of health APIs and other sensitive data exchanges further underscores the need for fine-grained RBAC. As healthcare, financial, and other regulated industries handle more interconnected data, it is essential that only authorized personnel have access to specific resources or information.
Enhancing InterSystems IRIS to ensure all access is strictly role-based, with no exceptions for hardcoded permissions like %All, would help ensure better compliance with security principles and regulations, offering administrators full control over user access while adhering to the principle of least privilege.
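The contrast the idea above describes, shown as an added ObjectScript example (it is not code from the original post or from InterSystems). The class name MyApp.Reports, the resource MyApp_Reports and the role MyApp_ReportViewer are hypothetical names chosen for illustration; $ROLES, $SYSTEM.Security.Check and the Security.Resources / Security.Roles classes are the standard IRIS facilities.

```objectscript
/// Added example, not part of the original idea or of InterSystems IRIS.
/// Hypothetical names: class MyApp.Reports, resource MyApp_Reports,
/// role MyApp_ReportViewer.
Class MyApp.Reports Extends %RegisteredObject
{

/// One-time setup, run in the %SYS namespace: a dedicated resource and a
/// role that grants only USE (U) on it. A report reader is assigned this
/// role and nothing more.
ClassMethod Setup() As %Status
{
    Set sc = ##class(Security.Resources).Create("MyApp_Reports", "Read access to reports", "")
    If $$$ISERR(sc) Return sc
    Return ##class(Security.Roles).Create("MyApp_ReportViewer", "Can read reports", "MyApp_Reports:U")
}

/// Anti-pattern: access is tied to the all-powerful %All role.
/// $ROLES holds the current process's roles as a comma-separated list,
/// so the only way to pass this check is to be granted %All.
ClassMethod CanReadLegacy() As %Boolean
{
    Return ((","_$ROLES_",")[",%All,")
}

/// Least-privilege pattern: ask for a permission on a resource, never for a
/// role name. $SYSTEM.Security.Check returns 1 when any of the caller's
/// roles grants USE on MyApp_Reports. %All still passes (it holds every
/// resource), but it is no longer required.
ClassMethod CanRead() As %Boolean
{
    Return $SYSTEM.Security.Check("MyApp_Reports", "USE")
}

/// Guard at the data access point. The caller's role list is never
/// inspected here, so administrators can reshape roles without touching code.
ClassMethod GetReport(id As %String) As %String
{
    If '..CanRead() {
        $$$ThrowStatus($$$ERROR($$$GeneralError, "Access denied: USE on MyApp_Reports required"))
    }
    // ... fetch and return the report ...
    Return "report "_id
}

}
```

Auditing for the legacy pattern is a matter of searching the code base for literal "%All" comparisons against $ROLES (or $USERNAME-based special cases); each hit is a place where a user had to be over-privileged to get through, and the fix is a resource plus a $SYSTEM.Security.Check call as above.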
Thank you for submitting the idea. The status has been changed to "Needs review".
Stay tuned!