Security in Scripting

Securing Event Handlers

Security can be added to any of the event handlers in Ignition. You can set up security in an event script for a component using the system.security.getRoles() function, and use this function in any script in Ignition that runs in a Client.  This example uses an event handler to build a navigation and security script. 

1. In Designer, right click on your component and select Scripting. The Component Scripting window will open.  
2. Select the action > actionPerformed Event Handler. Under the Navigation tab, select Open and Center to set the location and position of the component on the Client window.
3. Under Action Qualifiers, click on the Security button, and start to build your security script.
4. Check the Required Roles checkbox, and select from the list of role(s) that you want to have access to your button. When you close the list of Required Roles, Ignition will build the script for you based on the role(s) you selected. 
5. Click on the Script Editor tab, and you'll notice that the code is well documented, it contains the roles you specified, and includes an error message. The error message will popup when a user in a role, other than the role(s) specified, accesses the button.  

Here is what the script looks like in Ignition.

Here is the code you can copy to ensure the user invoking the script has sufficient privileges.  This script identifies the "Administrator" role.

if u'Administrator'in system.security.getRoles():
	#This part of the script will run if the user has the correct privileges. For example:"
	print "this script will run if the user has a the administrator role."
else:
	system.gui.errorBox('Insufficient security privileges.')

Special Security Qualifiers

Event handlers often execute logic that must be secured. The various script builders all have special security qualifiers that can be enabled. These qualifiers get translated into the generated script by accessing the user's current roles via scripting.

Example

if 'Administrator' in system.security.getRoles():
	productCode = event.source.productCode
	qty = event.source.parent.getComponent("QuantityBox").intValue
	query = "UPDATE my_secure_table SET quantity=? WHERE product=?"
	system.db.runPrepUpdate(query, [qty, productCode])
else:
	system.gui.errorBox('Insufficient security privileges.')

See also: Script Builders, system.security.getRoles

Setting the Client to Read-Only 

There are times when it is best to open a Client in a Read-Only mode to eliminate the possibility that a Client will affect a device or database. The Client event startup script that sets the Client mode to Read-Only is an easy way to accomplish this. Similar to the buttons in the Designer, this function can be used to set Disconnected, Read-Only, and Read/Write modes in any script in Ignition that runs in a Client. This function can be called in any Client scoped script, but is most commonly used in the Startup script.

Setting up the Client Event Startup Script

1. From the Designer, go to Project Browser > Client Event Scripts.
   The Client Event Scripts window is displayed.
    
2. In the Startup script, enter this code: system.util.setConnectionMode(2) where 2 means Read-Only.
    
3. Click OK.
   The startup script will run the next time a user logs into the Client, resulting in the Client being Read-Only.