We're working on a project using vision clients for the plant floor HMIs. Each client is dedicated to a specific work zone and we'd like to restrict these clients to control of their respective zones (ie: view the whole project, only control a subset of screens). They will still need an authenticated login, but the idea is to stop a worker in Zone A from changing settings in Zone B.
I can implement something using expressions or client startup scripts with vision client tags to evaluate the IP / Hostname / MAC, and that should be easy enough to implement in tandem with the standard user security. However, I am worried that these tag values could easily be overridden by modifying the client launcher.
So the ask; is there a better way to go about doing this? Something more secure or embedded in the security functions? Security zones didn't seem like the appropriate use case here, open to suggestions.