Hi all,
I'm currently developing my first Ignition Perspective project after years of working extensively with CitectSCADA and I've come across some unexpected behaviour when trying to implement a security zone for a rail loadout.
I've set up a security zone on the loadout gateway, with an IP range of 172.24.8.100-101, which corresponds to the loadout IP range on the network that should have full control.
I've set the loadout zone's security services to have a higher priority than the default zone, with full control permissions for all services. I've set the default zone to be read only for all services and disabled the alarm ack/shelve permissions.
The security zone works as expected when accessing the loadout through a remote tag provider from the main plant server 172.24.8.18: a read-only error is received when trying to write to tags, and I'm unable to acknowledge alarms.
But when a Perspective session is launched from outside the zone's IP range, via a web browser 172.24.8.5 or Perspective workstation 172.24.8.119, directly to the loadout server, I still have full control of the loadout?
Am I missing an additional step to set up the zone correctly? The only way I've managed to get it to accept some form of security is by setting the realtime tag provider's tag write permission to the loadout security zone. But I can still acknowledge and shelve alarms, which isn't ideal.
Appreciate any input.
Thanks Mitch
Did you apply the Security Level Rules to your Perspective Project?
Thanks for getting back to me.
Are you meaning under Project Properties > Perspective > Permissions?
If not, where else am I supposed to assign project security levels? Somewhere else in the Gateway?
Thanks Mitchell
Assuming the screenshot above is the settings for the NWE_TLO Security Zone, and the latter screenshot is the saved permissions required for your project, you shouldn't even have been able to successfully open a session from the 172.24.8.5 or 172.24.8.119 IPs. If you're confident that all of your settings have been applied and saved you'll want to reach out to our Support team; they're better equipped to handle situations like this where Corporate Networking could possibly be coming into play.
Yes, you're correct. With the NWE_TLO security zone selected in the Perspective permissions, I'm prohibited from accessing the project completely from either of those IP addresses. I was more asking the question if this was what you were suggesting, as I'd already come to the conclusion this wasn't the desired outcome. I've got it working by setting the realtime tag provider's tag write access to SecurityZones/NWE_TLO and setting the enableAcknowledge binding on the alarm status table to isAuthorized(false, SecurityZones/NWE_TLO). I'll reach out to support and confirm what is the best practice to implement the security zone requirements we have. Thanks for your help.
Mitchell
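The two approaches compared in this thread (requiring the zone in Project Permissions, which blocks the session outright, versus opening the project to everyone and gating tag writes and enableAcknowledge on the zone level) can be seen side by side in a small model. The following is an added example, not part of the original thread and not Ignition's own code: the IP-range zone lookup, the "SecurityZones/<zone>" and "Authenticated/Roles/<role>" level paths, the isAuthorized-style all-of/any-of check and the two policy functions are constructed assumptions that mirror what the posts describe, and the client list is built from the IPs mentioned above.

```python
"""Toy model of how a Perspective session picks up a security zone and how an
isAuthorized-style check gates project access, tag writes and alarm
acknowledgement. Added example: this is not Ignition's code; the zone
assignment, level paths and policy functions are constructed assumptions that
mirror the thread, not the gateway's real implementation."""
from ipaddress import ip_address

# Security zones as described in the thread: NWE_TLO covers 172.24.8.100-101;
# every other client falls into the Default zone.
ZONES = {
    "NWE_TLO": (ip_address("172.24.8.100"), ip_address("172.24.8.101")),
}
LOADOUT_LEVEL = "SecurityZones/NWE_TLO"


def zone_for(client_ip):
    """Return the zone whose IP range contains client_ip, else 'Default'."""
    ip = ip_address(client_ip)
    for name, (low, high) in ZONES.items():
        if low <= ip <= high:
            return name
    return "Default"


def session_levels(client_ip, roles=()):
    """Security levels a session would hold: its zone plus any roles (assumed paths)."""
    levels = {"Public", "SecurityZones/" + zone_for(client_ip)}
    if roles:
        levels.add("Authenticated")
        levels.update("Authenticated/Roles/" + r for r in roles)
    return levels


def has_level(levels, required):
    # Levels are hierarchical: holding a child path satisfies its parent,
    # so Authenticated/Roles/Operator satisfies a requirement of Authenticated.
    return any(l == required or l.startswith(required + "/") for l in levels)


def is_authorized(levels, is_all_of, *required):
    """Model of isAuthorized(isAllOf, levels...): all-of or any-of semantics."""
    results = [has_level(levels, r) for r in required]
    return all(results) if is_all_of else any(results)


def policy_project_permission(levels):
    """Approach the thread rejected: require the zone in Project Permissions.
    Clients outside the zone cannot open the session at all."""
    allowed = is_authorized(levels, False, LOADOUT_LEVEL)
    return {"open_project": allowed, "write_tags": allowed, "ack_alarms": allowed}


def policy_component_gating(levels):
    """Approach the thread adopted: anyone may open the project; tag writes and
    the alarm table's enableAcknowledge are gated on the zone level."""
    in_zone = is_authorized(levels, False, LOADOUT_LEVEL)
    return {"open_project": True, "write_tags": in_zone, "ack_alarms": in_zone}


# Clients named in the thread (constructed labels).
THREAD_CLIENTS = {
    "172.24.8.100": "loadout client inside NWE_TLO",
    "172.24.8.101": "loadout client inside NWE_TLO",
    "172.24.8.18": "main plant server",
    "172.24.8.5": "web browser outside the zone",
    "172.24.8.119": "Perspective workstation outside the zone",
}


def access_matrix(policy, roles=("Operator",)):
    """Evaluate a policy for every client in THREAD_CLIENTS."""
    return {ip: policy(session_levels(ip, roles)) for ip in THREAD_CLIENTS}


if __name__ == "__main__":
    for name, policy in (("project permission", policy_project_permission),
                         ("component gating", policy_component_gating)):
        print(name)
        for ip, result in access_matrix(policy).items():
            print("  %-13s %-40s %s" % (ip, THREAD_CLIENTS[ip], result))
```

Running it prints one access matrix per policy: under the project-permission policy the 172.24.8.5 and 172.24.8.119 sessions cannot open the project at all, while under component gating they open it but get no tag writes or acknowledgements. The model only covers the two explicit Perspective-side checks; it does not explain why the Default zone's read-only service settings did not restrict a direct Perspective session in the original setup, which is the question left with support.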