Always Read-Only client instance

Hi all,

Just wanting to get some feedback on what would be the best way to handle the following situation.

We have an embedded PC on a process line running a Vision client of a certain project; this auto-logs in as the base control user that can control most things on the line. We like the auto-login feature here as it removes the issues with production staff turnover and new operators not knowing login details, login details getting lost, etc.

The client also wants to have access to the same screen from the comfort of their offices, mainly to just observe what’s happening on the line. We want to ensure that these instances can ONLY be read-only though and not stop or start anything remotely.

We were originally just going to make a read-only user, but then this would have to be the auto-login user which creates that problem listed above of the operator then needing to know the credentials to control the line on the main HMI. We are also concerned about relying on a read-only user because nothing prevents the office production managers - who will obviously know the operator username/password - from just logging in on the control account in their offices.

Ultimately just wondering what the recommended solution here would be? FactoryTalk SE has the ability to create a runtime instance as completely read-only, I’m hoping for something similar here with the Vision client instances such that clients we put on these office PCs can only ever be read-only. Is this possible?

Appreciate the assistance.

We’ve used a read-only auto login user and then created a local operator account that’s auto logged in at the local HMI via scripting. No one knows the password as no one ever has to log in manually (okay, I know the password, but I could also program it to do anything without the password…).

Maybe use Security Zones and/or Client System Tags identifying the HMI PCs… somehow?

Hi Witman,

So do you just cross-reference against the hostname/username of the local machine in a Client Event Startup script to know whether it’s the machine that needs the operator logged in?

I thought this might be a better solution:
https://docs.inductiveautomation.com/display/DOC/Setting+Client+Read-Only

If I’m reading that correctly, you could still just use one auto logged in user, but depending on prereq checks in startup script could determine whether it boots in read-only or read/write?

Hi Kevin,

I hadn’t looked into security zones as an option, this seems like the most logical solution on the surface? I’ll have to do some reading into it, but seems that just breaking into a security zone based on hostname would solve the issue.

Thanks for the suggestion

Yes, and yes, though I haven't used the client-wide setting as other users have the option to log in as themselves and access additional things in our application.
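
The startup-script check discussed above (one auto-login user, read-only unless the client is a line-side HMI), as an added example that is not from any poster in this thread. The host names are constructed placeholders and `normalize_host`, `choose_mode` and `apply_mode` are hypothetical helper names; `system.net.getHostName` and `system.util.setConnectionMode` are the Ignition scripting calls they would be wired to.

```python
# Added example: decide the Vision client connection mode at startup.
# Mode numbers are the values system.util.setConnectionMode() accepts.
MODE_READ_ONLY = 2
MODE_READ_WRITE = 3

# Hypothetical host names of the line-side HMI PCs (constructed sample values).
CONTROL_HMI_HOSTS = ("LINE1-HMI", "LINE2-HMI")


def normalize_host(hostname):
    """Return the short, upper-cased host name, or '' if unusable."""
    if not hostname:
        return ""
    # Drop any DNS suffix so 'line1-hmi.plant.local' matches 'LINE1-HMI'.
    return str(hostname).strip().split(".")[0].upper()


def choose_mode(hostname, allowed=CONTROL_HMI_HOSTS):
    """Read/write only on an exact allowlist match; anything else is read-only."""
    short = normalize_host(hostname)
    allowed_set = set(normalize_host(h) for h in allowed)
    allowed_set.discard("")
    if short and short in allowed_set:
        return MODE_READ_WRITE
    return MODE_READ_ONLY


def apply_mode(get_hostname, set_mode, allowed=CONTROL_HMI_HOSTS):
    """Look up the host, fail closed to read-only on any error, apply the mode."""
    try:
        mode = choose_mode(get_hostname(), allowed)
    except Exception:
        mode = MODE_READ_ONLY
    set_mode(mode)
    return mode


# In the Vision Client Startup script the wiring would be:
#   apply_mode(system.net.getHostName, system.util.setConnectionMode)
```

The host name comes from the client PC itself, so this sets a default for each client rather than a control the gateway enforces.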

Yep, makes sense.

Thanks for the help.