I want to expose the “Device Control/Rebirth” NCMD metric for my MQTT Transmitters but ensure no other tags can be written to via MQTT so that data consumers can discover metrics, but don’t accidentally get control permissions in my plant. What is the most robust/secure way of achieving this?
Assuming the mqtt tags work like regular tags, you can make use of the built in tag security. I would start by changing all your mqtt tags to be read only, except for the ones you wish to be writable. (If you have a lot, system.tag.getConfiguration and system.tag.configure will be extremely helpful.)
You can then allow write access to only the control members you want, and restrict who can write to those for finer control. Control can be done via assigned roles, security zone, or both.