$TXT Created by at KRNDEV.FO-OAKLAND.DOMAIN.EXT (KIDS) on Thursday, 02/12/26 at 06:31
=============================================================================
Run Date: APR 30, 2026                     Designation: XU*8*759
Package : XU - KERNEL                         Priority: Mandatory
Version : 8         SEQ #663                    Status: Released
                  Compliance Date: MAY 31, 2026
=============================================================================

Associated patches: (v)XU*8*727    <<= must be installed BEFORE `XU*8*759'
                    (v)XU*8*771    <<= must be installed BEFORE `XU*8*759'
                    (v)XU*8*799    <<= must be installed BEFORE `XU*8*759'

Subject: REMOTE APPLICATION ENHANCEMENT

Category:
  - Routine
  - Enhancement (Mandatory)
  - Other
  - Data Dictionary

Description:
============

Kernel Patch XU*8.0*759 establishes better control and security for remote
applications, ensuring that they are approved and authorized by the VistA
Office Review Board (VORB) and managed by Identity and Access Management
(IAM) Service. This patch exposes application programming interfaces (APIs),
for IAM restricted use, to add, update, disable and query entries and their
endpoints in the REMOTE APPLICATION (#8994.5) file.

The patch adds new fields -- CAN ADD USERS (#.04) and DISABLED (#.05) -- to
the REMOTE APPLICATION (#8994.5) file. The data values in these fields are
checked, during sign-on, to determine whether a remote application is
enabled or disabled as a whole, and whether the remote application is
authorized to add users to the system.

CAN ADD USERS (#.04)
    If set to YES, the user will be dynamically created (if not known on
    the remote site) and restricted to the context option associated with
    the remote application.

    If set to NO, then visiting users not known to the remote site will not
    be created and access will be denied.

DISABLED (#.05)
    If set to YES, a user attempting to connect via an authenticating site
    using a remote application connection will be denied access.
    If set to NO, a user attempting to connect via an authenticating site
    using a remote application connection will be allowed access provided
    valid login has been achieved (either a known user to the remote site
    or CAN ADD USERS = "YES").

The patch adds six new Remote Procedure Calls (RPCs) that in aggregate allow
IAM to remotely control various aspects of Remote Application entries.

  - The XUS IAM RA ADD OR REPLACE RPC allows IAM to add or update a Remote
    Application entry.
  - The XUS IAM RA CAN ADD RPC allows IAM to enable or disable the ability
    of a Remote Application to add remotely authenticated users as
    visitors.
  - The XUS IAM RA CONTEXT ADD RPC allows IAM to add context options to a
    site to coincide with a Remote Application entry.
  - The XUS IAM RA CONTEXT QUERY RPC allows IAM to determine whether a
    context exists on a remote system and, if so, its definition.
  - The XUS IAM RA ENABLE RPC allows IAM to enable or disable a remote
    application in its entirety.
  - The XUS IAM RA QUERY RPC allows IAM to determine whether a remote
    application exists on a remote system and, if so, its definition.

The new XUS IAM RA CONTROL [XUS IAM RA CONTROL] option aggregates these six
RPCs into one context option.

Although this patch supports IAM authority of remote application access and
authorization, it does NOT implement any features to prevent local site
management of REMOTE APPLICATION (#8994.5) file entries. This is intended to
accommodate systems that are not under centralized management and to ensure
any local communication issues between Master Patient Index (MPI) and the
local site can be addressed.

NOTE: A future patch is planned to implement automation that notifies IAM
service when modifications are made to the REMOTE APPLICATION (#8994.5)
file.

EHRM Impact Statement:
----------------------
This patch should have no EHRM impact, and can be installed at all sites,
including EHRM converted sites.
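
Added example (not part of this patch or of Kernel code): a Python model of the sign-on checks described above, useful for reviewing what each combination of CAN ADD USERS and DISABLED does to a visiting user. Entry and context option names are constructed; treating a blank CAN ADD USERS as YES follows the XUESSO1 change description in this notice, and treating a blank DISABLED as NO is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RemoteApp:
    name: str                      # constructed label, not a real file entry
    context_option: str            # constructed context option name
    can_add_users: Optional[bool]  # field #.04; None models a blank value
    disabled: Optional[bool]       # field #.05; None models a blank value

def sign_on_decision(app: RemoteApp, user_known: bool) -> str:
    """Outcome for a visitor already authenticated at the authenticating site."""
    # Assumption: a blank DISABLED value behaves like NO.
    if app.disabled is True:
        return "DENY: remote application disabled"
    if user_known:
        return "ALLOW: existing user"
    # Per the XUESSO1 change description, blank behaves like YES, so only an
    # explicit NO stops an unknown visitor from being created.
    if app.can_add_users is False:
        return "DENY: unknown visitor and CAN ADD USERS is NO"
    return f"ALLOW: visitor created, restricted to {app.context_option}"

def creates_visitors(apps):
    """Names of enabled entries that would still create unknown visitors."""
    return [a.name for a in apps
            if sign_on_decision(a, user_known=False).startswith("ALLOW")]

# Constructed sample entries covering the field combinations.
APPS = [
    RemoteApp("APP-LEGACY", "ZZ LEGACY CONTEXT", None, None),    # both fields blank
    RemoteApp("APP-LOCKED", "ZZ LOCKED CONTEXT", False, False),  # known users only
    RemoteApp("APP-OPEN", "ZZ OPEN CONTEXT", True, False),       # may add visitors
    RemoteApp("APP-OFF", "ZZ OFF CONTEXT", True, True),          # disabled as a whole
]

if __name__ == "__main__":
    for app in APPS:
        for known in (True, False):
            print(f"{app.name:<11} known={known!s:<5} {sign_on_decision(app, known)}")
    print("Entries that create visitors:", creates_visitors(APPS))
```

In this model an entry with both fields blank still creates visitors, so it is the explicit NO in CAN ADD USERS, or YES in DISABLED, that changes sign-on behavior.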

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)            Field Name (Number)    New/Modified/Deleted
------------------            -------------------    --------------------
REMOTE APPLICATION (8994.5)   CAN ADD USER (.04)     NEW
REMOTE APPLICATION (8994.5)   DISABLED (.05)         NEW

Forms Associated:

Form Name          File Number          New/Modified/Deleted
---------          -----------          --------------------
N/A

Mail Groups Associated:

Mail Group Name          New/Modified/Deleted
---------------          --------------------
N/A

Options Associated:

Option Name            Type      New/Modified/Deleted
-----------            ----      --------------------
XUS IAM RA CONTROL     BROKER    NEW

Protocols Associated:

Protocol Name          New/Modified/Deleted
-------------          --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name    Type    File Name (Number)    New/Modified/Deleted
-------------    ----    ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name         New/Modified/Deleted
---------------------         --------------------
XUS IAM RA ADD OR REPLACE     NEW
XUS IAM RA CAN ADD            NEW
XUS IAM RA CONTEXT ADD        NEW
XUS IAM RA CONTEXT QUERY      NEW
XUS IAM RA ENABLE             NEW
XUS IAM RA QUERY              NEW

Parameter Definitions Associated:

Parameter Name          New/Modified/Deleted
--------------          --------------------
N/A

Additional Information:
-----------------------

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:

1. INC25607735 - IAM Remote Application File APIs

Problem:
--------
IAM needs to manage the REMOTE APPLICATION (#8994.5) file entries for all
VistA systems, which VistA does not currently support. This limitation
requires the developers to separately create patches to add and register
their entries.

Resolution:
-----------
Kernel Patch XU*8.0*759 provides the following Kernel API(s) to the IAM
Service with remote procedures to add, modify, disable and query REMOTE
APPLICATION (#8994.5) file entries:

    XUS IAM RA ADD OR REPLACE
    XUS IAM RA CAN ADD
    XUS IAM RA CONTEXT ADD
    XUS IAM RA CONTEXT QUERY
    XUS IAM RA ENABLE
    XUS IAM RA QUERY

To implement these features, the following routines were added or changed:

Routine Name: XUESSO1
Description of Changes:
    Refactored code to check "CAN ADD USERS" field (#.04) of REMOTE
    APPLICATION (8994.5) before adding a new user if the visiting user has
    not been matched to an existing user. This will prevent access to an
    unknown (to the remote site) user but will allow access to a known user
    or if CAN ADD USERS is set to true or blank.

Routine Name: XUESSO2
Description of Changes:
    Refactored code to check "CAN ADD USERS" setting during Broker Security
    Enhancement sign-on to authorize or deny access to visiting user.

Routine Name: XUREMAP
Description of Changes:
    New routine

Routine Name: XUREMAP1
Description of Changes:
    New routine

Routine Name: XUSBSE1
Description of Changes:
    Refactored intrinsic function BSEUSER(...) to check "ENABLED" setting
    during Broker Security Enhancement sign-on to authorize or deny access
    to visiting user. The behavior of RPC--XUS SIGNON SETUP--is impacted by
    this update.

Test Sites:            Change Order #:
---------------------------------------
Pittsburgh VAMC        CHG0706363
Phoenix VAMC           CHG0702898
Iron Mountain VAMC     CHG0702760

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.

Documentation describing the new functionality is not included in this
release.

Patch Installation:
-------------------

Pre/Post Installation Overview:
This patch has no Pre/Post Installation instructions.

Pre-Installation Instructions:
This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5 minutes
to install.

Installation Instructions:

1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm the
      integrity of the routines that are in the transport global. When
      prompted for the INSTALL NAME enter the patch or build name.
      XU*8.0*759

      NOTE: Using will not bring up a Multi-Package build even if it was
      loaded immediately before this step. It will only bring up the last
      patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message. You must use this option and specify what to backup; the
      entire Build or just Routines. The backup message can be used to
      restore the routines and components of the build to the pre-patch
      condition.

      i.   At the Installation option menu, select Backup a Transport
           Global
      ii.  At the Select INSTALL NAME prompt, enter your build XU*8.0*759
      iii. When prompted for the following, enter "R" for Routines or "B"
           for Build.

               Select one of the following:

                   B    Build (including Routines)
                   R    Routines Only

               Backup Type: B//

      iv.  When prompted "Do you wish to secure your build? NO//", press
           Enter and take the default response of "NO".
      v.   When prompted with, "Send mail to: Last name, First Name", press
           Enter to take default recipient. Add any additional recipients.
      vi.  When prompted with "Select basket to send to: IN//", press Enter
           and take the default IN mailbox or select a different mailbox.

   C. You may also elect to use the following options:

      i.   Print Transport Global - This option will allow you to view the
           components of the KIDS build.
      ii.  Compare Transport Global to Current System - This option will
           allow you to view all changes that will be made when this patch
           is installed. It compares all of the components of this patch,
           such as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer NO.

Post-Installation Instructions:
N/A

Back-Out/Roll Back Plan:
------------------------

Step 1 - Install the Backup

   a. Use MailMan [XMUSER] menu to locate the PackMan message containing
      the backup build. The subject of the PackMan message begins with
      "Backup of XU*8.0*759".
   b. At the Enter message action prompt, enter XTRACT KIDS
   c. At the Select PackMan function prompt, enter INSTALL/CHECK MESSAGE
   d. If prompted OK to continue with Load?, enter YES
   e. If prompted Want to Continue with Load?, enter YES
   f. Use KIDS [XPD MAIN] menu to install the backup KIDS distribution
      using the Install Package(s) [XPD INSTALL BUILD] option.
   g. At the Select INSTALL NAME prompt, enter XU*8.0*759b
   h. At the Want KIDS to Rebuild Menu Trees Upon Completion of Install
      prompt, enter NO
   i. At the Want KIDS to INHIBIT LOGONs during the install prompt, enter
      NO
   j. At the Want to DISABLE Scheduled Options, Menu Options, and Protocols
      prompt, enter NO

Step 2 - Remove the New Field Entries

   a. Use Programmer Mode [XUPROGMODE] for the following steps:
   b. At the programmer prompt, enter D P^DI to enter FileMan
   c. At the Select OPTION prompt, enter MODIFY FILE ATTRIBUTES
   d. At the Do you want to use the screen-mode version prompt, enter NO
   e. At the Modify what File prompt, enter REMOTE APPLICATION
   f. At the Select FIELD prompt, enter CAN ADD USERS
   g. At the LABEL: CAN ADD USERS prompt, enter @
   h. At the SURE YOU WANT TO DELETE THE ENTIRE 'CAN ADD USERS' FIELD
      prompt, enter YES
   i. At the OK TO DELETE 'CAN ADD USERS' FIELDS IN THE EXISTING ENTRIES
      prompt, enter YES
   j. At the Select FIELD prompt, enter DISABLED
   k. At the LABEL: DISABLED prompt, enter @
   l. At the SURE YOU WANT TO DELETE THE ENTIRE 'DISABLED' FIELD prompt,
      enter YES
   m. At the OK TO DELETE 'DISABLED' FIELDS IN THE EXISTING ENTRIES prompt,
      enter YES

If further rollback/backout assistance is needed, please log a SNOW ticket
with the group SPM.HEALTH.HISM.APP.VADKERNEL.TRIAGE

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 40

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: XUESSO1
    Before:B100368166   After:B106736265  **165,183,196,245,254,269,337,
                                           395,466,523,655,659,771,759**
Routine Name: XUESSO2
    Before:B156935866   After:B169188911  **655,659,630,701,731,771,779,
                                           799,759**
Routine Name: XUREMAP
    Before:       n/a   After: B66939864  **759**
Routine Name: XUREMAP1
    Before:       n/a   After:B129433351  **759**
Routine Name: XUSBSE1
    Before:B155615152   After:B161909226  **404,439,523,595,522,638,659,
                                           630,727,759**

Routine list of preceding patches: 727, 799

=============================================================================
User Information:
Entered By  :                               Date Entered  : OCT 25, 2021
Completed By:                               Date Completed: APR 27, 2026
Released By :                               Date Released : APR 30, 2026
=============================================================================

Packman Mail Message:
=====================

$END TXT