https://docs.inductiveautomation.com/display/DOC81/Security+Levels
I'm pretty sure you'll need to set your Vision client to use the Identity Provider auth strategy in order for Roles for a user to actually be recognised by the Security Levels system.
You can configure Security Zones to define your locations based on IP address(es), and then combine that with Security Levels -> Authenticated -> Roles -> e.g. Administrator
I haven't actually used these yet myself, but you can restrict tag writes (and reads) using security zones and/or roles. Just note that I don't think these will "disable" the component the tag is used on; it will simply bring up an error popup if the user doesn't have the right privilege/area, which is one reason I haven't started using these...
You can also supposedly use the hasRole expression function to read the security zone and role from the logged-in user.
You'll see my post there saying I couldn't get it working, but I don't think I'd changed my auth strategy to IdP for Vision when I tested it. Actually, this option didn't even exist back in v7.9.4....
@Carl.Gould, any tips or comments?
What I do currently is bind each component's enabled property to an expression that uses hasRole to check if a user has a particular role (administrator, operator, engineer, etc.) and, if I need to restrict by area as well, I add another condition that looks at a Vision client tag (or session custom prop) that is defined for each HMI, e.g. [client]Security Zones/Packaging/Filtration/South Wall HMI: