This lesson is part of the Security in Ignition course. You can browse the rest of the lessons below.

Description

Learn how to add read/write security to individual Tags through the Designer.

Video recorded using: Ignition 8.0

Transcript

[00:00] In this lesson, we'll take a look at restricting read and write access to our tags. Now, if you're making use of a visualization system like Vision or Perspective, then there are a couple of ways to prevent read and write access by implementing component restrictions. But those component restrictions are on a per-project and per-screen basis. What I want to do here is show you how to control read and write access to individual tags independently from a project. The way you would do that is by applying restrictions directly on the tag. In the Designer, if I edit a tag and we head down under the Security section here, we notice that there are three properties. The easiest one to talk about is Read Only: if we don't want anyone to write to this tag ever from Ignition, then set Read Only to true. You'll notice that the Write Permission property disappeared. That's because we don't need it. We're not allowed to write to this tag anymore. Now if I hit Okay, and I make sure my Designer is set to read/write mode here, I can try writing to the value on this tag here, and we're greeted with a little error message because the tag is set to read-only. So it doesn't matter who or how a write is attempted, be it from the Designer or a script in a runtime somewhere, the tag will reject writes. And of course this translates to component bindings. So if I were to open this window here, I have some components laid down, and this little check box here has a tag binding configured to my WriteableBoolen1 tag. And we can see from the Project Browser that the component doesn't have the little shield icon, implying that there isn't any sort of custom component security applied. So if I put my Designer into preview mode and I try to write to the checkbox, we get the same error message. As an important side note, you may have noticed that I had to opt in to making a tag read-only, implying that by default, newly created tags are configured to allow writes.
Now I have this WriteableBoolen2 tag here that I would like to apply a restriction to. So I'm going to double-click on WriteableBoolen2. And I'm going to collapse most of these categories here, just so we can focus on security. We also have the Read Permissions and Write Permissions properties. You've probably guessed by the names: these properties determine the requirements for read and write access, respectively, to this tag. Now, based on the labels I put on this window here, I only want administrator users to be able to write to this WriteableBoolen2 tag. So, because I'm trying to control who can write to the tag, I'll head over to Write Permissions and I'll click the Edit button. We see an interface that might look familiar to you if you've dabbled with identity providers and security levels before. Our tags use a permission model that integrates with security levels. So you can apply restrictions based on Security Zone, mapped roles, or really any criteria you can come up with when configuring a security level. Again, I only want users with the administrator role to be able to write to this tag. So I'll go down under Authenticated. I'll go down under Roles. We have our Administrator role, which I can check, and that will apply the restriction I'm looking for. Now, if I drill down under the role, you'll see that I have access to some Security Zones. This allows us to get a little more specific with our roles, in that we can require certain zones in addition to the role. So if I wanted my administrator users to only be able to have write access while they're in Zone A, I would select Zone A under Administrator. Alternatively, say I don't care where the administrator is. I just want them to always have write access. And for my non-Administrator users, I only want them to be able to write to this tag if they're in Zone B. In that case, I would also want to check the Zone B under Security Zones here. However, we're not done. You may notice those radio buttons down below.
By default, this interface requires that when our write comes through, all of the checked Security Levels up above in the tree are met. So if I don't change the selection on these radio buttons here, my permission settings are saying that the write has to come from an administrator and they have to be in Zone B, which is similar to just selecting Zone B directly under the Administrator role. So if I only care if either one of those options is true, I'd want to select the second radio button, stating that at least one of the security levels on the user has to match what I selected in the tree. Now, I really don't care about the zone for this example. So I'll uncheck Zone B, I'll leave Administrator checked, I'll press Commit. And we see my levels have been set on the Write Permission property. I'll hit Okay. And because that was applied to the tag, I actually don't need to save my project. Those restrictions are in place right now. Now off to the side, I have a client running that I can use to demonstrate the restrictions we just applied. So you can see I'm logged in as Bob, who is an operator, so they are not an administrator. So if I try to write to this tag here, we can see that I get an insufficient Write Permissions error. So Bob doesn't have the administrator role. Now, if I go back to my Designer and I enter preview mode here for Vision, we can see that the user I'm logged in as, aside from being a cool guy, is also an administrator. So technically I should be able to write to this tag, which we can see as applied to the tag itself in the Tag Browser. And of course, because I'm in the Designer, logged in as an administrator user, I can freely write to these tags from the Tag Browser. So of course, these read and write permissions are actually applied even when you are in a Designer session. Lastly, you probably noticed that our tags now have some icons. These just signify that there are some custom security settings on these tags, and that's it.
Now you know how to apply read and write restrictions to individual tags.