Read tag's role and zone (tag with custom AccessRight)

Can we read with some script function the tag’s role and zone (tag with custom AccessRight) ?

  • with Ignition 7.9.9 ?
  • with Ignition 8.0 ?

I don’t happen to have 7.9 code open, but in 8 there’s a couple of common tag props that will get you what you need, AccessRights and PermissionModel.

If AccessRights is AccessRightsType.Custom then the PermissionModel is used. TagPermissionsModel.getAccessMap() returns Map<ZoneRole, Boolean>. False indicates read-only access for that ZoneRole, True indicates read-write access.


I have been able to execute the Tag.AccessRights value of “Custom”; however, how can I get the second part of the TagPermissionModel using an expression, or is this possible?

Thanks,
Ign8.0 (Perspective)

This is code we use to read the access rights in 7.9 (we don’t use zones, so it only matches the roles).

Note that it is rather slow (we’ve had up to 50 ms per tag). If you want to use it for UI purposes, you should call it async.

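def getTagConfig(tagPath):
	# Browse the tag's configuration (non-recursive) and decode it from JSON
	t = system.tag.browseConfiguration(tagPath, False)
	tagConfig = system.util.jsonDecode(t.toJSON())
	
	if len(tagConfig) == 0:
		# Raise a real exception type; string exceptions are not valid
		raise ValueError("Cannot read tag %s" % tagPath)
	
	return tagConfig[0]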


def canWrite(tagPath):
	userRoles = system.security.getRoles()
	try:
		tagConfig = getTagConfig(tagPath)
	except:
		return False
	if "accessRights" not in tagConfig:
		return True # default value in Ignition
	if tagConfig["accessRights"] == "Read_Only":
		return False 
	if "permissionModel" not in tagConfig:
		return False # no permissions defined in custom mode?
	
	permissionModel = tagConfig["permissionModel"]
	for conf in permissionModel:
		if conf["role"] in userRoles and conf["writeAccess"]:
			return True
			
	return False


def canRead(tagPath):
	userRoles = system.security.getRoles()
	try:
		tagConfig = getTagConfig(tagPath)
	except:
		return False
	if "accessRights" not in tagConfig:
		return True # default value in Ignition
	if tagConfig["accessRights"] == "Read_Only":
		return True 
	if "permissionModel" not in tagConfig:
		return False # no permissions defined in custom mode?
	
	permissionModel = tagConfig["permissionModel"]
	for conf in permissionModel:
		if conf["role"] in userRoles:
			return True
			
	return False
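The role matching from the post above, extended to zones and collapsed into one fail-closed result (none, read, or write), following the rule from the earlier answer that a false flag means read-only and true means read-write. This is an added example, not part of the original posts and not Ignition's own code: it works on an already-decoded config dict, and the "zone" key, the treatment of an empty role or zone as matching anyone, and the sample data are assumptions.

```python
# Added example. Key names "accessRights", "permissionModel", "role" and
# "writeAccess" follow the 7.9 post above; "zone" is an assumed key name.
NONE, READ, WRITE = 0, 1, 2


def _matches(entry_value, user_values):
    # Assumption: a missing or empty role/zone on an entry matches anyone.
    return not entry_value or entry_value in user_values


def effective_access(tag_config, user_roles, user_zones):
    """Return NONE, READ or WRITE for one decoded tag configuration dict."""
    rights = tag_config.get("accessRights")
    if rights is None:
        return WRITE  # the post treats a missing key as the Ignition default
    if rights == "Read_Only":
        return READ
    if rights == "Read_Write":
        return WRITE
    if rights != "Custom":
        return NONE  # unknown value: fail closed

    best = NONE
    for entry in tag_config.get("permissionModel") or []:
        if not isinstance(entry, dict):
            continue  # malformed entry grants nothing
        if _matches(entry.get("role"), user_roles) and \
                _matches(entry.get("zone"), user_zones):
            # Only a real boolean True grants write; anything else is read-only.
            level = WRITE if entry.get("writeAccess") is True else READ
            best = max(best, level)
    return best


# Constructed sample configuration, not taken from a real gateway.
SAMPLE = {
    "accessRights": "Custom",
    "permissionModel": [
        {"role": "Operator", "zone": "ControlRoom", "writeAccess": True},
        {"role": "Operator", "zone": "", "writeAccess": False},
        {"role": "Viewer", "zone": "", "writeAccess": False},
    ],
}
```

In a client script the roles would come from system.security.getRoles(), as in the post above; the zone list has to be supplied by the caller.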

@KathyApplebaum,

We are trying to upgrade from Ignition 8.0.12 to Ignition 8.0.13.
TagPermissionsModel is deprecated in 8.0.13…and we have to switch to the new SecurityLevel.

Pre-8.0.13, we used some functions to check a tag’s permission, for example:

@KeywordArgs(names = {"tagPath","roles","zones"}, types = {String.class,List.class,List.class})
@ScriptFunction(docBundlePrefix = Constantes.BUNDLE_PREFIX_PERMISSIONS)
public  boolean hasReadPermission(PyObject[] pyArgs, String[] keywords) {
	boolean result = false;
	try {
		PyArgumentMap args = PyArgumentMap.interpretPyArgs(pyArgs, keywords, ClientScriptModulePermissions.class, "hasReadPermission");
		String tagPath = (String) args.getArg("tagPath", null);

		List<String> roles = convertToLstString((PyObject)args.getArg("roles",null));
		List<String> zones = convertToLstString((PyObject)args.getArg("zones",null));

		if ((tagPath == null) || (roles == null) || (zones == null)) {
			logger.error("hasReadPermission(): You must provide a tagPath / list of role / list of zone.");
			return false;
		} else {

			TagPath tagPathObj = TagPathParser.parseSafe("default", tagPath);

			List<Property> props = new ArrayList<>();
			props.add(WellKnownTagProps.AccessRights);
			props.add(WellKnownTagProps.PermissionModel);

			List<Object> propsValue = this.tagUtils.readBlockingProps(tagPathObj,props);

			AccessRightsType accessRightsType = (AccessRightsType) propsValue.get(0);
			TagPermissionsModel tagPermissionsModel = (TagPermissionsModel) propsValue.get(1);

			if (accessRightsType == null){
				logger.warn("hasReadPermission(): getTagConfigsAsync returned null for tagPath={}", tagPath);
				return false;
			} else {
				if (accessRightsType == AccessRightsType.Read_Only) {
					result = true;
				} else if (accessRightsType == AccessRightsType.Read_Write) {
					result = true;
				} else if (accessRightsType == AccessRightsType.Custom) {
					TagPermissionsModel.PermissionResult pResult = tagPermissionsModel.hasReadAccess(roles, zones);
					logger.trace("hasReadPermission():  permission [{}:{}] roles: {},zones: {}", tagPath, pResult.toString(), roles, zones);
					if (pResult.equals(TagPermissionsModel.PermissionResult.OK)) {
						result = true;
					} else {
						logger.trace("hasReadPermission():  permission NOK [{}:{}]", tagPath, pResult.toString());
						result = false;
					}
				}
			}
		}
	} catch (Exception e) {
		logger.error("hasReadPermission error : {}", e);
		result = false;
	}
	return result;
}

In 8.0.13, I suppose we have to use:

WellKnownTagProps.WritePermissions
WellKnownTagProps.ReadOnly
WellKnownTagProps.ReadPermissions
and com.inductiveautomation.ignition.common.auth.permissions.PermissionsConfig

but I can’t access the javadoc with the link:

http://files.inductiveautomation.com/sdk/javadoc/ignition80/8.0.13/com/inductiveautomation/ignition/common/auth/permissions/PermissionsConfig.html

returns:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>02BC0B3B6C7FFCD0</RequestId>
<HostId>RtaupwH4SCG6uOD+pPWU3DvoWq/AXXjnhrfr3PyRpCeVPApphXJY691wlydPDJ1akmjsIRPzIXk=</HostId>
</Error>

Thanks for bringing up the access problem! I’m in the process of republishing the 8.0.13 javadocs, should be fixed within the next 10-15 minutes. Please let me know if you continue to see issues after that.

👍 javadoc is ok now. I will be able to dive into the new tag permission api. 🔐

@PerryAJ, @KathyApplebaum, @mgross

In a Vision-scoped script, I am trying to check the tag permission with Ignition 8.0.13 and the new API.

How do I use isAuthorized to check the tag permission against the permission of the client?
I suppose I need to obtain the client permission and pass it to Authorized()?

from com.inductiveautomation.ignition.common.auth.permissions import PermissionsConfig

path = "[default]path/to/tag.writePermissions"

permission = system.tag.readBlocking([path])[0].value
print permission.isAuthorized()
print type(permission.getSecurityLevels())  
Traceback (most recent call last):
  File "<input>", line 9, in <module>
TypeError: isAuthorized(): expected 1 args; got 0