Security Concerns Regarding User Access to Tags in Perspective

Hello,

I have a tag that stores a token required to upload data to a cloud storage system. This token refreshes every hour. I also have a Perspective button that executes a script using that token to generate a temporary URL, which is then used to display a file.

My concern is security — I don’t want the end user to have any access to the tag or token. At the same time, the user needs read privileges for the script to work.

Is there any way for the user to access the value of that tag if it’s not displayed anywhere? Should I consider a different approach?

Thanks!

It isn't a question of display. If you bind that tag to a Perspective property (anywhere), and that property isn't marked as private, then you are publishing that tag to the browser. Also for any script assignment to a Perspective property. A competent coder can examine browser state to find it.

If you are using system.tag.readBlocking() in your script, then you are safe, as scripts run entirely in the gateway.

I have the tag set to private and I’m accessing it through system.tag.readBlocking(). Why does the user still need to be within the required security level for readBlocking to return a value? If readBlocking runs on the gateway, I don’t get why Ignition is checking the user security level.

As for the example:

  • My token tag (private): [default]Tokens/mytoken
  • Scripting library function:

        # project.library.cloud
        def getFileUrl(file_id):
            token = system.tag.readBlocking(["[default]Tokens/mytoken"])[0].value
            return build_url(file_id, token)

  • Perspective button:

        url = cloud.getFileUrl(self.view.params.file_id)
        # do something with the url

Thank you

What does this mean? (In my comment above, I was referring to setting a Perspective property to private, if you were using a tag binding.)

The whole point of tag security is to provide a barrier that UI programmers don't have to think about. Ignition will stop the use of tags from UI events that don't have the appropriate access.

Perhaps you should be caching your token in a library script module top-level dictionary or similar persistent variable.

Under tag security, I’ve configured read permissions to be allowed only for my “admin” security level (which the Perspective user does not belong to). From my understanding, readBlocking should not check whether the user is within that security level, since it executes on the gateway side.

Perspective scope is a subset of Gateway scope, and will enforce tag permissions. My presumption in my first comment was that you weren't using tag permissions.

(Hiding things from a designer is pointless--designer access restrictions are only guardrails once logged in.)

So, setting the tag’s read permissions to public is safe as long as the tag isn’t bound anywhere, right?

Neither bound nor assigned to a Perspective property. If you really want to avoid exposure, use a script top-level variable to hold your token.

I'll just echo this. If you're concerned about exposure, why use a tag at all?
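
The suggestion above to hold the token in a script module top-level variable instead of a tag, as an added example (not code from the thread or from Ignition), written in plain Python so it also runs outside the gateway. `_fetch_token` and `_build_url` are hypothetical stand-ins for the real cloud calls, and the 60-second refresh margin and the example URL are assumptions.

```python
# Added example: gateway-side token cache in a module top-level dict.
import hashlib
import hmac
import threading
import time

TOKEN_TTL_SECONDS = 3600     # the thread says the token refreshes every hour
REFRESH_MARGIN_SECONDS = 60  # assumption: refresh slightly before expiry

_lock = threading.Lock()
# Module-level state: never written to a tag or a Perspective property.
_cache = {"token": None, "expires_at": 0.0}


def _fetch_token():
    # Hypothetical: replace with the real token request to the cloud provider.
    return "constructed-token-%d" % int(time.time())


def _build_url(file_id, token):
    # Hypothetical stand-in for the poster's build_url(): the token only keys
    # an HMAC, so the returned URL carries a signature, not the token itself.
    sig = hmac.new(token.encode("utf-8"), file_id.encode("utf-8"),
                   hashlib.sha256).hexdigest()
    return "https://storage.example.invalid/files/%s?sig=%s" % (file_id, sig)


def get_token(fetch=_fetch_token, now=None):
    """Return the cached token, refreshing it when missing or near expiry."""
    now = time.time() if now is None else now
    with _lock:  # button scripts from several sessions may run concurrently
        stale_at = _cache["expires_at"] - REFRESH_MARGIN_SECONDS
        if _cache["token"] is None or now >= stale_at:
            _cache["token"] = fetch()
            _cache["expires_at"] = now + TOKEN_TTL_SECONDS
        return _cache["token"]


def getFileUrl(file_id, fetch=_fetch_token, now=None):
    """Called from the button script; only the URL is returned to the view."""
    return _build_url(file_id, get_token(fetch, now))
```

The cache starts empty whenever the script module is reloaded, so the first call after a reload fetches a fresh token.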