It is currently Fri Aug 29, 2014 2:19 am




Post new topic Reply to topic  [ 12 posts ] 
 Can security be applied at the project level? 
Author Message
General
General

Joined: Tue Feb 24, 2009 1:30 pm
Posts: 891
Location: Calgary
Post Can security be applied at the project level?
I am creating a number of projects. Each for a different geographical region. The client does not want users from one region (project) to be able to access/control information from another region (project).

This could easily be done if I could assign a security role to a project but I don't see anywhere that let's me do that.


Fri Feb 27, 2009 10:46 am
Profile WWW
Moderator
Moderator

Joined: Wed Apr 18, 2007 11:00 am
Posts: 645
Location: Sacramento Ca.
Post Re: Can security be applied at the project level?
Definitely! Make a few Authentication profiles and use the expert authentication query for them.

Assuming you are using a database driven authentication profile, go into the FactoryPMI gateway configuration page. Go to the authentication profiles. Click the edit icon for the one you want. At the bottom of the page, there is a section labeled 'Query Configuration (expert)'.

You can set this up any way you want, but if you added a 'location' column (with an area called East Stack) to the user table, your query would look like:
Code:
SELECT Username FROM USERS WHERE Username = '$username$' AND Password = '$password$' AND location = 'East Stack'

This will work for one project that is tied to the East Stack location. You cannot pass in the project name like you can the username and password, so you will need to set up another Auth. profile for each project that needs to use the location column. At least this way they all use the same table in the database.

_________________
Robert McKenzie
Inductive Automation
Technical Support


Fri Feb 27, 2009 12:39 pm
Profile WWW
Moderator
Moderator

Joined: Thu Mar 30, 2006 10:08 pm
Posts: 1190
Post Re: Can security be applied at the project level?
Another approach would be to assign users a Security Role that represents their location. This is independent of your choice of authentication type) You would then write a "Startup Script" (in Global Event Scripts), that runs fpmi.security.getRoles to check their permissions. You might log them off (same script module) if they aren't allowed to run the project in that location. This scheme allows users to be members of any number of locations.

_________________
Nathan Boeger, CISSP-ISSAP, CCNP Voice, VCP
Not Another Industrial Blog - My SCADA software blog
"Design Simplicity Cures Engineered Complexity"


Fri Feb 27, 2009 1:15 pm
Profile WWW
General
General

Joined: Tue Feb 24, 2009 1:30 pm
Posts: 891
Location: Calgary
Post Re: Can security be applied at the project level?
Sorry Robert, I'm running Hybrid and there is no 'Query Configuration (expert)'.

Nathan: I will look at doing that. I was hoping I wouldn't have to code it. :cry:


Fri Feb 27, 2009 2:02 pm
Profile WWW
Moderator
Moderator

Joined: Wed Apr 18, 2007 11:00 am
Posts: 645
Location: Sacramento Ca.
Post Re: Can security be applied at the project level?
It isn't a lot of coding. The script will probably look like:
Code:
if "East Stack" in fpmi.security.getRoles():
     pass
else:
     fpmi.security.logout()


I think you can use
Code:
if not "East Stack" in fpmi.security.getRoles():
     fpmi.security.logout()
but I can't check it at the moment.

_________________
Robert McKenzie
Inductive Automation
Technical Support


Fri Feb 27, 2009 3:12 pm
Profile WWW
Moderator
Moderator

Joined: Sun Apr 02, 2006 2:46 pm
Posts: 4053
Location: Sacramento, CA
Post Re: Can security be applied at the project level?
Assigning a list of roles that are allowed to launch a project is a feature request that we are definately going to implement, but the timeframe is roughly 6mo.

_________________
Carl Gould
Co-Director, Software Engineering
Inductive Automation


Fri Feb 27, 2009 6:01 pm
Profile WWW
General
General

Joined: Tue Feb 24, 2009 1:30 pm
Posts: 891
Location: Calgary
Post Re: Can security be applied at the project level?
Found a better way. (for Hybrid at least)

Create an Authentication Profile for each project. Cause, authentication is handled externally you don't have to worry about keeping passwords in sync. And you would have to assign user to multiple roles anyway for those users that require it. This keeps things nice and simple.

(I know Robert, thats what you tried to tell me at first. Sometimes it takes awhile to sink in)


Fri Mar 20, 2009 8:51 am
Profile WWW
Moderator
Moderator

Joined: Thu Mar 30, 2006 10:08 pm
Posts: 1190
Post Re: Can security be applied at the project level?
Glad that worked for you. Are you using the retargeting feature? It allows users to seamlessly link/jump to different FactoryPMI projects that can be hosted on other computers. The transition is seamless if their username/password matches on the new system, otherwise they are prompted to log on to the new system.

_________________
Nathan Boeger, CISSP-ISSAP, CCNP Voice, VCP
Not Another Industrial Blog - My SCADA software blog
"Design Simplicity Cures Engineered Complexity"


Fri Mar 20, 2009 6:02 pm
Profile WWW
General
General

Joined: Tue Feb 24, 2009 1:30 pm
Posts: 891
Location: Calgary
Post Re: Can security be applied at the project level?
Yes I am using retargeting. That's why external authentication will work so well.


Tue Mar 24, 2009 10:08 am
Profile WWW
Moderator
Moderator

Joined: Sun Apr 02, 2006 2:46 pm
Posts: 4053
Location: Sacramento, CA
Post Re: Can security be applied at the project level?
In Ignition, projects as a whole can specify a list of roles that are required to even log-in in the first place.

_________________
Carl Gould
Co-Director, Software Engineering
Inductive Automation


Thu Mar 04, 2010 10:30 am
Profile WWW
General
General

Joined: Tue Feb 24, 2009 1:30 pm
Posts: 891
Location: Calgary
Post Re: Can security be applied at the project level?
That's one I missed Carl. As that (FPMI) project hasn't gone to production yet, I'll have to try to convince the customer to upgrade to ignition.


Tue Jun 08, 2010 12:56 pm
Profile WWW
Moderator
Moderator

Joined: Sun Apr 02, 2006 2:46 pm
Posts: 4053
Location: Sacramento, CA
Post Re: Can security be applied at the project level?
Not a bad idea :)

_________________
Carl Gould
Co-Director, Software Engineering
Inductive Automation


Mon Jun 14, 2010 1:36 pm
Profile WWW
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ] 


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: