Tag permissions and gateway scripts

Hey,
If I have a tag that I want to be essentially read only, but I want my automatic gateway scripts and web Dev functions to still be able to write to it, what security zoning or settings do I need to change?

Thanks!

I think, I could be wrong, you can create a user role that is never assigned to any user, and set the write permissions to require that role. Scripting should I think still be able to write to it. I'm actually not entirely sure how it works for gateway scoped writes...

I was wondering if a security zone including only my gateway would work, as I worry that if I use a role, and there's no currently open session, would the role still work? Or does the gateway have its own 'session'?

I have a feeling that the tag security doesn't care if it's run under the gateway scope - permissions rules are essentially voided in that case and the gateway can do what it likes.

Tag writes on the gateway originating anywhere that isn't Perspective will automatically have the "system" context:

A SecurityContext without any security level, roles or zones set, but the isSystem flag is set to true. This indicates to the tag system that a tag write is originating from the gateway, and there is no relevant user info. Examples include gateway tag event scripts and tag writes from SFCs.

From Perspective, writes will originate as the appropriate user.
And the 'system' context, if I remember right, is basically allowed to write to whatever.

Okay great, I'll set a special system user role for these tag writes.

Thanks!