I haven’t done much with the new Security in v8 yet, but I have some questions:
How would I lock down particular Views based on user role(s) and/or IP address, both disabling access altogether and also providing view-only (no control actions)?
I understand that for filtering by IP I would use Security Zones in order to assign particular client IPs or hostname to a particular zone.
I also understand that I can disable all access to a View by using the View security permissions (can select user roles and/or security zones here).
What I don’t understand is how I can provide view-only access based on the client Security Zone and the user role? As well as this, what if I also wanted to provide control to certain components only?
In Vision, each component has its own security settings, but I can’t find a security panel in Perspective. I could bind each active component’s enabled property to the various session auth props, but I don’t know if this is best practice. It’s also a major pain as there’s no expression function that can check if a key is within a dictionary (e.g. like the containsAny or containsAll expression functions that are available only within the Security Level Rules or User Attribute Mapping https://docs.inductiveautomation.com/display/DOC80/containsAny. It would be useful if these functions were available outside of these two locations as well)
Thanks in advance!
The View-wide Security is all or none, so you can only specify that users may or may not see a View within View Security Settings. Within the View, you can set security for individual components via bindings on the enabled property of inputs, or in the case of Script Actions you can actually select Security Levels which must be met to execute the script.
As a component being disabled does not actually prevent Events from occurring, I recommend using Script Actions anywhere possible. For example: You could disable a button component, but the onClick Event will still occur. The only Event which will not occur if a component is disabled is the onActionPerformed Event.
Cheers, I thought this would be the case. For the enabled expressions, what exactly would you use to check if the client is part of the right security zone? Would you bind to the session auth securityzones property and use a scripting transform to check if the property contains the zone they need? Or is there a way to do it without a script? I haven’t checked yet, but otherwise, is there a direct scripting function that will check the security zones?
I would make a security level based off of security zones, and use the isAuthorized expression:
isAuthorized(true, "Authenticated/Roles/QA")
More here.
Hi, I am trying to hide views to certain roles.
Should I use security zones too?
Is there a way to do something similar to what I am trying?
If you look at the documentation for that expression, it is only available for Security Level Rules and IdP User Attribute Mapping. You could bind against the session.props.auth.user.roles property, but you would then need to run it through a transform:
I would tend to use an expression over a script transform, as I believe they are better for performance. It’s a bit uglier though…
try(hasRole('Administrator', {session.props.security.auth.userName}, 'default'))
That session prop is off the top of my head and could be slightly wrong…
Actually, I changed to using a variation of this and instead defined these all in session params and I just check the value of the relevant session param:

try(
hasRole('Maintenance'
,{this.props.auth.user.userName}
,'default')
,False)
Then in a component I use:
{session.custom.security.roles.maintenance}
It would be nice if the session.props roles would present as a dictionary rather than a list…