Advisory for IRISSECURITY in InterSystems IRIS 2025.2

InterSystems IRIS 2025.2 introduces the IRISSECURITY database, the new home for security data. Unlike IRISSYS, the previous home for security data, IRISSECURITY can be encrypted, which secures your sensitive data at rest. In a future version, IRISSECURITY will be mirrorable.

This version also introduces the %SecurityAdministrator role for general security administration tasks.

The changes described here affect both continuous delivery (CD) and extended maintenance (EM) release tracks. That is, starting with versions 2025.2 (CD, releasing on 23 July, 2025) and 2026.1 (EM), InterSystems IRIS will include the IRISSECURITY database, and all security data is automatically moved from IRISSYS to IRISSECURITY when you upgrade.

While InterSystems IRIS 2025.2 is expected to release on 23 July 2025, we are holding off on the public release of InterSystems IRIS for Health and HealthShare Health Connect 2025.2 while we complete work on a remediation plan for a known mirroring issue that impacts OAuth configuration data.

Before You Upgrade

IRISSECURITY makes several potentially breaking changes to how users interact with security data:

  • Users can no longer directly access security globals and must instead use the APIs provided by the various security classes.
  • OAuth2 globals can no longer be mapped to a different database.
  • Users can no longer arbitrarily query security tables, even when SQL security is disabled.
  • System databases now use predefined resources that cannot be changed. On Unix, if you created and assigned a new resource to a system database in a previous version, it will be replaced by the predefined resource when you upgrade. On Windows, you must change the resource back to the default. If you attempt to upgrade on Windows while databases have non-default resources, the upgrade will halt (the instance is not modified) and display an error message "Database must have a resource label of..."

The following sections go into detail about these changes and what you should do instead if you depended on the original behavior, but in general, before you upgrade, you should verify and test that your applications and macros:

  • Use the provided security APIs to administer security (as opposed to direct global access).
  • Have the necessary permissions (%DB_IRISSYS:R and %Admin_Secure:U) for using those APIs.

Global Access

Previously, when security globals were stored in the IRISSYS database, users could access security data with the following privileges:

  • %DB_IRISSYS:R: Read security globals both directly and through security APIs. 
  • %DB_IRISSYS:RW: Read and write security globals. 
  • %DB_IRISSYS:RW and %Admin_Secure:U: Administer security through security APIs.

In InterSystems IRIS 2025.2:

  • Users can no longer access security globals directly.
  • Both %DB_IRISSYS:R and %Admin_Secure:U are the minimum privileges needed to both access security data (through the provided security APIs) and administer security through the various security classes.
  • For general security administration, you can use the new %SecurityAdministrator role.
  • Read-only access to security data (previously available through %DB_IRISSYS:R) has been removed.

Global Locations

In InterSystems IRIS 2025.2, the following security globals have been moved from IRISSYS to the ^SECURITY global located in IRISSECURITY:

  • ^SYS("SECURITY")
  • ^OAuth2.*
  • ^PKI.*
  • ^SYS.TokenAuthD

For details, see the Developer Community advisory.

OAuth2 Global Mapping

Previously, you could map OAuth2 globals to a different database, which allowed OAuth2 configurations to be mirrored. In InterSystems IRIS 2025.2, OAuth2 globals can no longer be mapped, and IRISSECURITY cannot be mirrored. If you depended on this behavior for mirroring, you can use any of the following workarounds:

  • Manually make changes to both the primary and failover.
  • Export the settings from the primary and then import them to the failover (requires %All). 

To export OAuth2 configuration data:
> set items = $name(^|"^^:ds:IRISSECURITY"|SECURITY("OAuth2"))_".gbl"
> set filename = "/home/oauth2data.gbl"
> do $SYSTEM.OBJ.Export(items,filename)

To import OAuth2 configuration data:
> do $SYSTEM.OBJ.Import(filename)

SQL Security

Previously, SQL security was controlled by the CPF parameter DBMSSecurity. When DBMSSecurity was disabled, users with SQL privileges could arbitrarily query all tables in the database. In InterSystems IRIS 2025.2:

  • The DBMSSecurity CPF parameter has been replaced with a system-wide SQL security property.

    To set it with the Management Portal: System Administration > Security > System Security > System-wide Security Parameters > Enable SQL security

    To set it with SetOption: do ##class(%SYSTEM.SQL.Util).SetOption("SQLSecurity", 1)

    To set it with Security.System.Modify: set properties("SQLSecurity")=1 and do ##class(Security.System).Modify(,.properties)

  • Security tables can now only be queried through the Detail and List APIs, which require both %DB_IRISSYS:R and %Admin_Secure:U even when SQL security is disabled. 

For example, to get a list of roles, you can no longer directly query the Security.Roles table. Instead, you should use the Security.Roles_List() query:
> SELECT Name, Description FROM Security.Roles_List()
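
As a pre-upgrade check, the following added example (not InterSystems code) scans exported ObjectScript source for the two usages this advisory says stop working: direct references to the security globals listed under Global Locations, and direct queries of Security tables instead of the List and Detail queries. The rule names, the function name and the sample source are constructed for illustration, and the SECURITY subscript is matched case-insensitively as a precaution.

```python
import re

# Optional extended reference prefix: ^|"NS"|Name or ^["NS"]Name
EXT = r'\^(?:\|[^|\n]*\||\[[^\]\n]*\])?'

RULES = [
    # Globals the advisory lists as moved out of IRISSYS
    ("security-global", re.compile(EXT + r'SYS\(\s*"(?i:SECURITY)"')),
    ("oauth2-global", re.compile(EXT + r'OAuth2\.\w')),
    ("pki-global", re.compile(EXT + r'PKI\.\w')),
    ("tokenauth-global", re.compile(EXT + r'SYS\.TokenAuthD\b')),
    # Direct table query; Security.X_List() style calls are followed by "("
    ("security-table-sql",
     re.compile(r'\bFROM\s+Security\.\w+\b(?!\s*\()', re.I)),
]
COMMENT = re.compile(r'^\s*(//|;|#;)')  # whole-line ObjectScript comments

def scan_source(name, text):
    """Return (file, line number, rule, stripped line) per flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()))
    return findings

# Constructed sample source; global subscripts and names are illustrative
SAMPLE = "\n".join([
    'ClassMethod Legacy()',
    '{',
    '    // old code read ^SYS("SECURITY") directly',
    '    set x = $order(^SYS("SECURITY","demo",""))',
    '    set c = $get(^|"%SYS"|OAuth2.Demo("demo"))',
    '    &sql(SELECT Name INTO :n FROM Security.Roles)',
    '    set q = "SELECT Name FROM Security.Roles_List()"',
    '    kill ^SYS.TokenAuthD("demo")',
    '}',
])

if __name__ == "__main__":
    for name, lineno, rule, line in scan_source("Legacy.cls", SAMPLE):
        print(f"{name}:{lineno}: {rule}: {line}")
```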

Encrypting IRISSECURITY

To encrypt IRISSECURITY, use the following procedure:

  1. Create a new encryption key. Go to System Administration > Encryption > Create New Encryption Key File and specify the following:
    • Key File – The name of the encryption key. 
    • Administrator Name – The name of the administrator. 
    • Password – The password for the key file. 
  2. Activate the encryption key. Go to System Administration > Encryption > Database Encryption and select Activate Key, specifying the Key File, Administrator Name, and Password from step 1. 
  3. Go to System Administration > Encryption > Database Encryption and select Configure Startup Settings.
  4. From the Key Activation at Startup dropdown menu, select a key activation method. InterSystems highly recommends Interactive key activation.
  5. From the Encrypt IRISSECURITY Database dropdown, select Yes. 
  6. Restart your system to encrypt IRISSECURITY.

Percent-class Access Rules

In previous versions of InterSystems IRIS, the procedure for managing a web application’s access to additional percent classes involved writing to security globals. You can accomplish this in InterSystems IRIS 2025.2 through the Management Portal or the ^SECURITY routine.

To create a percent-class access rule with the Management Portal:

  1. Go to System Administration > Security > Web Applications
  2. Select your web application.
  3. In the Percent Class Access tab, set the following options: 
    • Type – Controls whether the rule applies to the application’s access to just the specified percent class (AllowClass) or all classes that contain the specified prefix (AllowPrefix). 
    • Class name – The percent class or prefix to give the application access to. 
    • Allow access – Whether to give the application access to the specified percent class or package.
    • Add this same access to ALL applications – Whether to apply the rule for all applications. 

To create a percent-class access rule with the ^SECURITY routine:

  1. From the %SYS namespace, run the ^SECURITY routine:
    %SYS> do ^SECURITY
  2. Choose options 5, 1, 8, and 1 to enter the class access rule prompt.
  3. Follow the prompts, specifying the following:
    • Application? – The name of the application.
    • Allow type? – Whether the rule applies to the application's ability to access a particular class (AllowClass) or all classes that contain the specified prefix (AllowPrefix). 
    • Class or package name? – The class or prefix to give the application access to. 
    • Allow access? – Whether to give the application access to the specified class or package. 