Tag Read and Write Permissions
Description
Learn how to add read/write security to individual tags through the designer.
Video recorded using: Ignition 8.1
Transcript
[00:00] In this lesson, we'll take a look at restricting read and write access to our tags. Now if you're making use of a visualization system like Vision or Perspective, then there are a couple of ways to prevent read and write access by implementing component restrictions. But those component restrictions are on a per-project and per-screen basis. What I want to do here is show you how to control read and write access to individual tags independently from a project. The way you would do that is by applying restrictions directly on the tag. In the Designer, if I edit a tag and we head down under the security section here, we notice that there are three properties. The easiest one to talk about is read only. If we don't want anyone to write to this tag ever from Ignition, then set read only to true. You'll notice that the write permissions property disappeared. That's because we don't need it. We're not allowed to write to this tag anymore. Now, if I hit okay and I make sure my Designer is set to read write mode, I can try writing to the value on this tag here.
[01:02] And we're greeted with a little error message because the tag is set to read only. So it doesn't matter how a write is attempted, be it from the Designer or a script in a runtime somewhere, the tag will reject writes, and of course this translates to component bindings. So if I were to open this window here, I have some components and this little checkbox here has a tag binding configured to my writeable boolean one tag. And we can see from the project browser that the component doesn't have a little shield icon, implying that there isn't any sort of custom component security applied. So if I put my Designer into preview mode and I try to write to the checkbox, we get the same error message. As an important side note, you may have noticed that I had to opt in to making the tag read only, implying that by default, newly created tags are configured to allow writes. Now I have this writeable boolean two tag here that I would like to apply restrictions to. So I'm going to double-click on writeable boolean two and go back to the security tab. We also have the read permissions and write permissions properties. You've probably guessed by the names, these properties determine the requirements for read and write access respectively to this tag.
[02:07] Now, based on the labels I put on this window here, I only want administrator users to be able to write to this writeable boolean two tag. So because I'm trying to control who can write to the tag, I'll make use of the write permissions. On the right-hand side here we see an interface that might look familiar to you if you've dabbled with identity providers and security levels before. Our tags use a permission model that integrates with security levels. So you can apply restrictions based on security zones mapped to roles, or really any criteria you can come up with when configuring a security level. Again, I only want users with the administrator role to be able to write to this tag. So I'll go down under authenticated, I'll go down under roles. We have our administrator role, which I can check, and that will apply the restriction I'm looking for. Now if I drill down under the role, you'll see that I have access to some security zones. This allows us to get a little more specific with our roles in that we can require certain zones in addition to the role.
[03:05] So if I wanted my administrator users to only be able to have write access while they're in Zone A, I would select Zone A under administrator. Alternatively, say I don't care where the administrator is and I just want them to always have write access. And for my non-administrative users, I only want them to be able to write to this tag if they're in Zone B. In that case, I would also want to check Zone B under security zones here. However, we're not done. You may notice those radio buttons down below. By default, this interface requires that when our write comes through, all of the checked security levels up above in the tree are met. So if I don't change the selection on these radio buttons here, my permission settings are saying that the write has to come from an administrator and they have to be in Zone B, which is similar to just selecting Zone B directly under the administrator role. So if I only care if either one of those options is true, I'd want to select the second radio button stating that at least one of the security levels on the user has to match what I selected in the tree.
[04:05] Now I really don't care about the zone for this example, so I'll uncheck Zone B, I'll leave administrator checked and I'll press okay, and because that was applied to the tag, I actually don't need to save my project. Those restrictions are in place right now. Now off to the side, I have a client running that I can use to demonstrate the restrictions we just applied. So you can see I'm logged in as Bob, who is an operator. So they are not an administrator. So if I try to write to this tag here, we can see that I get an insufficient write permissions error. So Bob doesn't have the administrator role. Now if I go back to my Designer, we can see that the user I'm logged into is an administrator. So technically I should be able to write to this tag, which we can see has applied to the tag itself in the tag browser. And of course, because I'm in the Designer logged in as an administrator user, I can freely write to these tags from the tag browser. So of course these read and write permissions are actually applied even when you are in the Designer session. Lastly, you probably noticed that on our tags we now have some icons.
[05:03] These just signify that there are some custom security settings on these tags. And that's it. Now you know how to apply read and write restrictions to individual tags.