Tag Security Properties
Tag security is often the best way to configure security for data access. Security defined on a tag applies everywhere the tag is used, so you do not have to configure component security on each component that displays or controls that tag.
There are three properties on tags that can restrict access.
- Read Permissions: Defines the security levels required in order to read values from a tag
- Read Only: Defines whether a tag is read-only or writable
- Write Permissions: Defines the security levels required in order to write values to a tag
Users with specific roles and zones can be given read/write access to a tag, while other users with other roles are excluded from modifying the tag.
If a user opens a Perspective view or a Vision client window that has components that are bound to a tag they do not have permissions for, the user will see an overlay on top of the component. For more information, see Quality Codes and Overlays. The following example shows a tank displayed in a session, but the user does not have read permission for the tag it is bound to.
Read Only Security
When a tag is set to read only, a Lock icon is displayed next to the tag in the Tag Browser.
Read and Write Permissions
Instead of making a tag Read Only for all users, you can conditionally provide read and write access based on Security Levels. Doing so involves adjusting the security settings on the tag in question. The checkbox tree you are presented with shows all of the security levels configured on the Gateway Config > Security > Security Levels page.
Read Permissions
Read permissions define the security levels required in order to read values from a tag. By default, tags have Read Permissions set to "Public". You can change the Read security using the Tag Browser in the Designer.
In the Tag Browser, right-click on the tag, and select the Edit icon.
Scroll down to the Security section. In the Read Permissions section, click the Edit icon.
On the screen, choose the security levels you want to have Read permissions for this tag. In this example, only users with the role of "Driver" will be able to see the tag value.
Click Commit to accept the settings.
Click OK to save the changes to the tag.
If you are logged in as a user other than Driver, you will now see "Bad_AccessDenied" in the Tag Browser instead of the tag's value.
Write Permissions
Write permissions define the security levels required in order to write values to a tag. By default, tags have Write Permissions set to "Public". You can change the Write security using the Tag Browser in the Designer.
In the Tag Browser, right-click on the tag, and select the Edit icon.
Scroll down to the Security section. In the Write Permissions section, click the Edit icon.
On the screen, choose the security levels you want to have write permissions for this tag. In this example, only users with the role of Administrator will be able to write to the tag value.
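Because Write Permissions default to "Public", any tag that nobody has edited remains writable by every user. The following added example (not part of the original documentation or the product's own tooling) audits a tag tree exported as JSON and lists the tags that are still writable at the Public level. The key names (tagType, tags, readOnly, writePermissions, type, securityLevels, children) and the sample data are assumptions constructed for illustration; adjust them to match your actual export.

```python
import json

# Constructed sample; key names are assumptions about the export layout.
SAMPLE_EXPORT = json.loads("""
{"name": "Plant", "tagType": "Folder", "tags": [
  {"name": "TankLevel", "tagType": "AtomicTag", "readOnly": true},
  {"name": "PumpSpeed", "tagType": "AtomicTag"},
  {"name": "Line1", "tagType": "Folder", "tags": [
    {"name": "Setpoint", "tagType": "AtomicTag",
     "writePermissions": {"type": "AnyOf", "securityLevels": [
       {"name": "Authenticated", "children": [
         {"name": "Roles", "children": [
           {"name": "Administrator", "children": []}]}]}]}},
    {"name": "Valve", "tagType": "AtomicTag",
     "writePermissions": {"type": "AnyOf", "securityLevels": [
       {"name": "Public", "children": []}]}}
  ]}
]}
""")

def level_paths(levels, prefix=""):
    """Flatten a security-level tree into leaf paths such as 'Authenticated/Roles/Driver'."""
    paths = []
    for level in levels:
        path = prefix + level["name"]
        children = level.get("children") or []
        paths += level_paths(children, path + "/") if children else [path]
    return paths

def publicly_writable(node, parent=""):
    """Return paths of writable tags whose write permission is Public or left unset."""
    path = f"{parent}/{node['name']}" if parent else node["name"]
    if node.get("tagType") == "Folder":
        found = []
        for child in node.get("tags", []):
            found += publicly_writable(child, path)
        return found
    if node.get("readOnly", False):
        return []  # Read Only blocks writes for every user
    perms = node.get("writePermissions") or {}
    # A missing or empty property is treated as the documented default, "Public".
    levels = level_paths(perms.get("securityLevels", [])) or ["Public"]
    any_of = perms.get("type") == "AnyOf"
    is_public = levels == ["Public"] or (any_of and "Public" in levels)
    return [path] if is_public else []

if __name__ == "__main__":
    for tag in publicly_writable(SAMPLE_EXPORT):
        print("writable by Public:", tag)
```

The same walk can be pointed at a read-permission key to find tags whose values are readable at the Public level.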
Using Security Levels
In addition to setting up security on individual tags, you can set up security policies specific to each Security Zone. This is useful in cases where you want to make all tags in a provider read only from network locations. Tag Access is one of the options for these policies. See the Security Zones page for more details.