Tag Configuration - Security Setting By Script or Parameter

Ignition
1

I have a UDT/Tag. I would like to set the security settings of the UDT/Tag through a script or a parameter. Is this possible? Clarification, I don't need to dynamically change the security setting (on the fly), just to be able to set it during configuration.

An example implementation would be to secure a UDT/Tag based on whether it should be limited to "Supervisor" role or an "Operator" role.

The only current solutions or ideas that I have thus far are as follows:

  1. Override UDT security settings on a case by case base. I'm very hesitant to this because there are a large number of tags that would need to be manually modify security on.
  2. Utilize UDT parent tag settings, however, this still seems much more complicated than it should be, for example:
  • Create a base UDT
  • Create another UDT with security settings for "Supervisor", which utilizes "base_UDT" as its' parent
  • Create another UDT with security settings for "Operator", which utilizes "base_UDT" as its' parent
  • Create my UDT instances (choosing from the Supervisor UDT or the Operator UDT as necessary) based on the security setting
1 Like
2

Looks like there is no current solution, upvoting as a feature request:

https://ideas.inductiveautomation.com/ignition-features-and-ideas/p/tag-security-bindings

1 Like
3

I was going to reply to this when you first posted it, but I couldn't think of a nice way to achieve it. The issue is that the permissions are objects rather than a simple value.

I think the best way to do this at the moment would be property overrides. It would be a little bit of work, but you could setup a view to manage it if you wanted to where you could see all udt instances and their tags, and check boxes or something to set the privileges :confused:

4

Thanks for linking the feature request.

As security becomes ever more important, I see the need to implement some more flexibility in security configuration on tags. We are looking at potentially implementing 100+ security levels for different facilities. Unfortunately, security zones themselves aren't the answer for my situation as we have several remote facilities, with 10s and some 100s of thousands of tags tying into each gateway, which means dividing up within by using security levels.

Here's an example of what I've done in the meantime is write a script that replaces the system's original security levels. It will loop through a folder/udt instance and it's subfolders and replace the old security levels with the new ones. This particular version of the script relies on the security levels being defined in the gateway and security levels configured on the tag that are being replaced, but you could manipulate it to add the levels based on the tagname property, or whatever works best for your particular solution.

I'm sure someone could accomplish the this in a cleaner, slicker way but it has worked for me so far.

parentPath = "'[Plant]Test Folder/' #root folder path. Point this to your UDT Instance
pathToFolder = parentPath + 'Test' #This is the name of the UDT instance you've directed to.

configs = system.tag.getConfiguration(pathToFolder, True) #system function to read all tag properties

#define the structure of the original level
old_AdminGroup = {"type":"AnyOf","securityLevels":[{"name":"Authenticated","children":[{"name":"Roles","children":[{"name":"Admins","children":},{"name":"plt-ign-admins","children":}]}]}]}

#define the new structure
AdminGroup = {"type":"AnyOf","securityLevels":[{"name":"Authenticated","children":[{"name":"Roles","children":[{"name":"Admins","children":}]}]}]}

def ICSCheck(folder):
for tag in folder['tags']: #loops through the defined root folder
if str(tag['tagType']) == 'AtomicTag': #Check for valid tags
if tag.has_key('writePermissions'): #This .has_key is very important. This will grab all tags with write permissions configured and skip the rest
permissions = system.util.jsonDecode(str(tag['writePermissions']))
if permissions == old_AdminGroup:
tag['writePermissions'] = AdminGroup

  	elif tag.has_key('tags'):
  	ICSCheck(tag)

ICSCheck(configs[0])
system.tag.configure(parentPath,configs,'m') #Write new security levels based on the conditions in the ICSCheck function

2 Likes