Is it possible to use Security Zones, not user roles, to prevent accidental machine control?
Our biggest project is used on a lot of computers, some for viewing purposes only. I would like to restrict the ability of any user on a machine outside our production line to control any aspect of our production line. I've watched the videos and done some reading, but I didn't see anything that explicitly said I can do this using just the Security Zones.
For instance, I open the project on my computer, and as an Admin, I have full visibility/control, even of the production lines in another building. I need to watch certain things on the line, but I don't want to accidentally click on a button when, say, reaching for the mouse and the finger taps the clicker.
Using this method, then, I would do something like this:
Create a message handler in the Gateway Events --> Scripts --> Message
This message would then send the request as well as receive the response? Like so?
returnValue = system.util.sendRequest(project='ACME', messageHandler='test', payload={'hoursOn':15})
print returnValue
Then I would send the returnValue to a script in the Project Library?
Then for each window needing this, whatever is coming back, I would run the script from the Project Library? Which would give me something to enable or disable control.
So, what would I want back from the Gateway, just a boolean? If you're in Zone 1 you have control, but if in Zone 2, no control.
Then use that boolean to set some custom property on each window enabling or disabling the controls.
I would use a client startup event script to extract the local mac addresses and send that to the gateway in a message payload, and have the gateway return a collection of allowed local operations. Write those to boolean Vision Client Tags.
Bind the enable of buttons or other controls to the Vision Client Tag that is appropriate. No need to keep sending messages.
Correct. You need to decide which operations on which machines need this treatment, and make boolean client tags for them. The client startup script needs to be sure to write false to them all before the gateway request, then only write true where appropriate.
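The startup-script / gateway-handler split described in the two replies above, as an added example that is not from this thread or from Inductive Automation. It assumes the Ignition 8 API (system.util.sendRequest, system.tag.writeBlocking), a handler named 'clientPermissions', client tags under [Client]Perms/, and a constructed MAC table; the decision logic is plain Python so it can be tested outside Ignition.

```python
import re
# Gated operations (constructed); the client writes all of these False before asking.
ALL_OPERATIONS = ('line1_start', 'line1_stop', 'line2_start', 'line2_stop')
# Gateway-side table, normalized MAC -> allowed operations (constructed; could be a DB query).
ALLOWED_OPS_BY_MAC = {
    'aa:bb:cc:00:00:01': ('line1_start', 'line1_stop'),
    'aa:bb:cc:00:00:02': ('line2_start', 'line2_stop'),
}
_MAC_RE = re.compile(r'^[0-9a-f]{2}(:[0-9a-f]{2}){5}$')

def normalize_mac(mac):
    """Return 'aa:bb:cc:dd:ee:ff' for 'AA-BB-...' or 'aa:bb:...' input, else None."""
    s = str(mac).strip().lower().replace('-', ':')
    return s if _MAC_RE.match(s) else None

def gateway_handler(payload):
    """Body of the gateway message handler (assumed name 'clientPermissions'): union of
    operations allowed for any reported MAC; malformed or unknown MACs grant nothing.
    MACs are client-reported, so this guards against accidental clicks, not intent."""
    allowed = set()
    for raw in payload.get('macs', []):
        mac = normalize_mac(raw)
        if mac is not None:
            allowed.update(ALLOWED_OPS_BY_MAC.get(mac, ()))
    return sorted(op for op in allowed if op in ALL_OPERATIONS)

def tag_writes(allowed):
    """(paths, values) for system.tag.writeBlocking: one boolean client tag per op."""
    paths = ['[Client]Perms/' + op for op in ALL_OPERATIONS]
    return paths, [op in set(allowed) for op in ALL_OPERATIONS]

def local_macs():
    """MACs of the client's up, non-loopback NICs via java.net (Jython in Ignition only)."""
    from java.net import NetworkInterface
    macs = []
    for nic in NetworkInterface.getNetworkInterfaces():
        hw = nic.getHardwareAddress()
        if hw is not None and nic.isUp() and not nic.isLoopback():
            macs.append(':'.join('%02x' % (b & 0xff) for b in hw))
    return macs

def client_startup():
    """Client Startup event script; 'system' is Ignition's built-in scripting module."""
    paths, values = tag_writes([])
    system.tag.writeBlocking(paths, values)  # everything off first
    allowed = system.util.sendRequest(project='ACME', messageHandler='clientPermissions',
                                      payload={'macs': local_macs()})
    paths, values = tag_writes(allowed)
    system.tag.writeBlocking(paths, values)  # then only the approved operations on
```

Bind each control's Enabled property to its [Client]Perms/ tag; because the client tags are written once at startup, no further messages are needed while the client runs.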
I played around with the Security Zones and Policies a bit, and I cannot lock my designer out of writing to any tags.
I tried IP addresses, even my machine's host name, and denying access to one tag provider to all tag providers.
From Read/Write to Read Only... Nothing. I can still write to a tag in any provider. I even added the name of the Gateway, DEVELOPER. (The Trial is active, BTW)
My machine's real IP is a 10.11.* number, but in the Designer, the [System]Client/Network/IPAddress shows a 192.168.* number. So I tried both, with *, singly and together.
I'm at a loss on this Security Zone/Security Service thing.
Pretty sure the guy in the video is working from a designer. But, he has a remote gateway setup, perhaps that has something to do with full vs. restricted access?
What if I stored the MAC addresses in a DB table, and queried that from the Gateway Message Handler Script, instead of keeping a list of MACs in the Script itself?
That tag is the gateway's idea of the client IP, which will be the NAT closest to the gateway if any NAT is present at all. Security Zones based on IP are light-duty only, untrustworthy, and are incompatible with NAT.
Perfectly reasonable, and I do that wherever I need to do runtime commissioning of new PCs.