Hello team,
Currently we are developing projects under the Perspective module.
We need a few clarifications related to application protection:
- How can we make our application non-editable if we are providing it to someone else?
- How to safeguard the entire Application [views, named queries and every setting related to application], so that even if the project is passed over to another, they shouldn't be allowed to modify any data present within the application.
Application Built on: Ignition Perspective Module
Please provide us with a solution to the scenario described above.
There is no such solution. OEM lock is a feature request as noted above, but don't hold your breath.
Consider creating an actual 3rd-party module in Java containing the most critical parts of your solution. You can then control that with Ignition's licensing system.
Just curious, is it not enough to provide customers with low-level accounts without development and gateway permissions? What is the vulnerability?
You might be providing an application to run on my server on which I do my own development and I would want administrator rights.
I see. Customers cannot add content to my project.
Anyone can reset the admin password with the gwcmd utility, thus anyone can gain access to your project development files to modify and essentially steal, which is the issue, particularly for OEMs wanting to offer Ignition as a solution as they simply can't lock down their solution. Not that I would ever want to use the solution provided by an OEM... They're usually half-baked and use terrible practice, at least in my experience.
2 Likes
Haha, I am an OEM. I agree with you that OEM has its own limitations, so we will continue to maintain and improve within one or two years after project acceptance. We also provide and maintain Ignition's servers as part of our service. Usually customers do not have administration to the server, and when they need to improve a project, they contact us. We will indicate in the contract which parts can be added or modified, but in the implementation process, we still rely heavily on business negotiations. English has helped me in the sense that my customers usually don't think they are capable of developing Ignition, even if they have other SCADA development experience.
1 Like
Hi all,
I am confused whether you are providing a solution or a kind of discussion for telling if there are any possibilities.
Anyone with access to the gwcmd utility. Which may not be the case, even for someone with designer access.
No. We provide Ignition server machines. Customers do not have the permission of the system.
Do you provide physical machines for your customers to install? Or do you run the servers in your own facilities? Because if they have physical possession, I doubt you can secure your projects from them.
Yes, we provide physical machines. We use VPN to connect all projects to my company. There is a clause in the contracts that if the customer operates the server by himself, the service will be terminated.
But, yes, if they're determined to mess with my project, there's really nothing I can do to stop them. I have never seen anyone try to develop Ignition by themselves, so I said English helps me; they are all intimidated by the 700M manual PDF.
1 Like
All someone needs is a backup of the Ignition project which can be taken manually if you have file explorer access. And even if you don't, if someone is willing, they could easily get the files regardless.