Vision Security based on Zones

Is it possible to use Security Zones, not user roles, to prevent accidental machine control?

Our biggest project is used on a lot of computers, some for viewing purposes only. I would like to restrict the ability of any user on a machine outside our production line to control any aspect of our production line. I've watched the videos and done some reading, but I didn't see anything that explicitly said I can do this using just the Security Zones.

For instance, I open the project on my computer, and as an Admin, I have full visibility/control, even of the production lines in another building. I need to watch certain things on the line, but I don't want to accidentally click on a button when, say, reaching for the mouse and the finger taps the clicker.

I did find this thread: https://forum.inductiveautomation.com/t/vision-client-hostname-ip-mac-based-permissions/69725 where Phil details using the MAC addresses of the machines.

Is this the only or best way or is there another way?

Thanks,
Mike

I think using the MAC addresses is the simplest robust way to do this.

Using this method, then, I would do something like this:

1. create a message handler in the Gateway Events --> Scripts --> Message
2. This message would then send the request as well as receive the response? Like so: returnValue = system.util.sendRequest(project='ACME', messageHandler='test', payload={'hoursOn':15}) print returnValue?
3. Then I would send the returnValue to a script in the Project Library?
4. Then for each window needing this, whatever is coming back, I would run the script from the Project Library? Which would give me something to enable or disable control.

So, what would I want back from the Gateway, just a boolean? If you're in Zone 1 you have control, but if in Zone 2, no control.

Then use that boolean to set some custom property on each window enabling or disabling the controls.

What thinkest thou?

I would use a client startup event script to extract the local mac addresses and send that to the gateway in a message payload, and have the gateway return a collection of allowed local operations. Write those to boolean Vision Client Tags.

Bind the enable of buttons or other controls to the Vision Client Tag that is appropriate. No need to keep sending messages.

This would be a list I create, not some pre-designed/scripted methods/properties, correct?

Since this is vision, instead of doing security on the components you can set the client to read only.

Correct. You need to decide which operations on which machines need this treatment, and make boolean client tags for them. The client startup script needs to be sure to write false to them all before the gateway request, then only write true where appropriate.

I played around with the Security Zones and Policies a bit, and I cannot lock my designer out of writing to any tags.

I tried IP addresses, even my machine's host name, and denying access to one tag provide to all tag providers.

From Read/Write to Read Only... Nothing. I can still write to a tag in any provider. I even added the name of the Gateway, DEVELOPER. (The Trial is active, BTW)

I am following this video: https://inductiveuniversity.com/videos/security-zones-and-service-security/8.1 and I feel like I got everything in place that he touches on. And I did place this Policy at the top of the list.

My machine's real IP is a 10.11.* number, but in the Designer, the [System]Client/Network/IPAddress shows a 192.168.* number. So I tried both, with *, singly and together.

I'm at a loss on this Security Zone/Security Service thing.

If you have designer access, you have full system access. Zones and security work in the client space.

Pretty sure the guy in the video is working from a designer. But, he has a remote gateway setup, perhaps that has something to do with full vs. restricted access?

Also, 7.9, so who knows if the system ever got included with the current version.

Facts

What if I stored the MAC addresses in a DB table, and queried that from the Gateway Message Handler Script, instead of keeping a list of MACs in the Script itself?

That tag is the gateway's idea of the client IP, which will be the NAT closest to the gateway if any NAT is present at all. Security Zones based on IP are light-duty only, untrustworthy, and are incompatible with NAT.

Perfectly reasonable, and I do that wherever I need to do runtime commissioning of new PCs.

Playing around with this a bit. It works on the main window startup, but I can't seem to get it to work when I call it from a project script from the main window startup event. I have everything hard coded to my MAC.

The project script:

gl_mac = ''

def setConnMode():
	if gl_mac == '00:00:00:00:00:08':
		system.util.setConnectionMode(2)

Vision Client Event - Startup: (the tag is a memory tag with my MAC address)

mac = system.tag.readBlocking(['[System]Client/Network/MACAddress'])
macVal = mac[0].value

payload = {'mac':macVal}
system.util.sendRequest('Sandbox_Sample', 'test', payload)

Gateway Event Message:

Mac_Test.gl_mac = payload['mac']

Main Window Startup, internalFrameActivated:

Mac_Test.setConnMode()

For some reason this does not work.

None of this is suitable for window events, as they will run multiple times depending on caching. Use just a Client Startup event that calls a function in the project library. Use java's NetworkInterface class as shown in the topic linked in the OP to retrieve the correct outbound interface's mac address. Do not attempt to read any tag in the startup event. Just get the mac and make the gateway request to do the permissions lookup. Write the results to Vision Client Tag(s). In windows, bind to the Vision Client tags as needed.

The client startup event can conditionally open a desired main window, possibly with parameters, if that is needed in your application. (You would omit marking a main window that opens on startup in that case.)