Reference Type: Controlled Subscription, Category: Signon/Security, Integration Agreement: 4677
Released with Kernel Patch XU*8.0*361, this extrinsic function is a non-interactive API to create an Application Proxy User to support J2EE middle-tier applications. The Application Proxy User represents an application and not an end-user.
CAUTION: If the user running this extrinsic function does not hold the XUMGR security key, it returns an error upon the filing of the Application Proxy as the User Class.
The Application Proxy User is a special category of user account that gets created in the NEW PERSON file (#200) and can execute authorized RPCs. The Application Proxy User created must adhere to the following criteria:
Many VistA data interactions by human end-users must be represented with accurate and unambiguous user identity information, so that VistA audit mechanisms function as intended. Application Proxy user accounts do not identify the user and should be avoided, especially where the interaction is with PHI/PII data (regulated by federal law). The use of Application Proxy user accounts should be limited to background processes and machine-to-machine interactions.
Permission to use the $$CREATE^XUSAP API should be done early in the development process; as use of Application Proxy user accounts are reviewed by VA management due to security concerns.
(required) This is the name of the Application Proxy User. This name must be unique and should be namespaced.
(optional) This is the VA FileMan Access code. It cannot
be an at-sign ("@").
(optional) This is the name of a single option name (e.g., XUS FATKAAT PROXY LOGON) or an array of options, such as XUOPT("XMUSER")=1. Applications can only access the Remote Procedure Calls (RPCs) contained in the options provided in this input parameter. RPCs are tied to "B"-type options.
The following example shows a successful creation of an Application Proxy User:
>IF $$CREATE^XUSAP("VPR,APPLICATION PROXY","","VPR APPLICATION PROXY")>0 W !,"Proxy Created" Proxy Created
The following is an example of an Application Proxy user account that is provisioned correctly:
NAME: DATE ENTERED: SEP 01, 2011 CREATOR: XUUSER,ONE SECONDARY MENU OPTIONS: VPR APPLICATION PROXY TIMESTAMP: 62335,62903 User Class: APPLICATION PROXY ISPRIMARY: Yes
The Proxy User List option [XUSAP PROXY LIST] lists the current Application Proxy user accounts, as shown below
PROXY USER LIST JAN 28,2016 09:44 PAGE 1 NAME User Class IsPrimary Active -------------------------------------------------------------------------------- XOBVTESTER,APPLICATION PROXY APPLICATION PROXY Yes ANRVAPPLICATION,PROXY USER APPLICATION PROXY Yes VPFS,APPLICATION PROXY APPLICATION PROXY Yes RADIOLOGY,OUTSIDE SERVICE APPLICATION PROXY Yes LRLAB,HL APPLICATION PROXY Yes LRLAB,POC APPLICATION PROXY Yes TASKMAN,PROXY USER APPLICATION PROXY Yes CLINICAL,DEVICE PROXY SERVICE APPLICATION PROXY Yes NHIN,APPLICATION PROXY APPLICATION PROXY Yes EDPTRACKING,PROXY APPLICATION PROXY Yes KAAJEE,PROXY APPLICATION PROXY Yes VPR,APPLICATION PROXY APPLICATION PROXY Yes AUTHORIZER,IB REG APPLICATION PROXY Yes HOWDY,BOT APPLICATION PROXY Yes LRLAB,TASKMAN APPLICATION PROXY Yes VIABAPPLICATIONPROXY,VIAB APPLICATION PROXY Yes
CAUTION:CAUTION: Some of the listed Application Proxy user accounts do not follow the rules for namespacing. There are other serious infractions in current applications using Application Proxy user accounts, which puts the VA in the position of violating federal privacy laws by accessing PHI/PII information. VA Handbook 6500 Appendix F lists VA System Security Controls that are applicable to Application Proxy user accounts as well as human end-users. An Application Proxy should never be used to circumvent VA System Security Controls.
an example of an Application Proxy user account that is not provisioned correctly:
NAME: TASKMAN,PROXY USER FILE MANAGER ACCESS CODE: # DATE ENTERED: JUN 9,2009 CREATOR: LABTECH,FORTYEIGHT NAME COMPONENTS: 200 SIGNATURE BLOCK PRINTED NAME: PROXY USER TASKMAN TIMESTAMP: 62362,53550 User Class: APPLICATION PROXY ISPRIMARY: Yes
If provisioned correctly, the name “TASKMAN,PROXY USER” would be identified by the Kernel (XU) namespace, such as “XUTASKMAN,PROXY USER”. This particular Application Proxy does not require access to any menu options or RPCs, so it does not contain a SECONDARY MENU OPTION.
Here's another example of an Application Proxy user account that is not provisioned correctly:
NAME: CLINICAL,DEVICE PROXY SERVICE CREATOR: XUUSER,ONE ISPRIMARY: Y SECONDARY MENU OPTIONS: MD GUI MANAGER SECONDARY MENU OPTIONS: MD GUI USER TIMESTAMP: 61907,71682 User Class: APPLICATION PROXY DATE ENTERED: JUN 30,2010
In this example, the SECONDARY MENU OPTIONs are in the Clinical Procedures (MD) namespace, so that if provisioned correctly, “CLINICAL,DEVICE PROXY SERVICE” would be more appropriately named “MDCLINICAL,DEVICE PROXY SERVICE”.
September 15, 2011