What is the preferred mechanism to have permissions that a tag is writeable by gateway scripting only? Effectively read only by users, writeable by the gateway.
I used this technique successfully since 8.0 days:
It stopped working somewhere between 8.1.33 and 8.1.42, no idea why.
Some background:
I use this to have separate security levels for different commands destined for the same enumeration. E.g. Mode enum (0=Maintenance, 1=Manual, 2=Auto). Operators can put it into auto, from anywhere. Supervisors can put a device into manual, and only technicians can put a device into maintenance.
This is achieved using booleans with the correct permissions, and a tag event script on the boolean UDT member will in turn write the correct ordinal to the enumeration.
I think I found the issue, and it is somehow related to where the original action came from.
If the original write came from the designer or another tag, it works. If the original write came from Perspective, it fails.
See the attached tags and view.
Setup:
Security/InternalTag is the enumeration
Write secured by a level called Authenticated/Internal.
Security/OperatorTagX is the boolean
Write secured by a level called Authenticated/Operator
Has a change script that when true, will write the corresponding integer to the enum tag Security/InternalTag
Give yourself a user grant for Authenticated/Operator
Used the attached view for Perspective
From the Designer:
Direct manipulation of Security/InternalTag fails. This is expected as we don't have Authenticated/Internal
Setting of Security/OperatorTagX works, and triggers the change script that successfully writes to Security/InternalTag and resets self
From Perspective (or Perspective preview view in the Designer):
Direct manipulation of Security/InternalTag fails. This is expected as we don't have Authenticated/Internal
Setting of Security/OperatorTagX works, and triggers the change script that successfully resets self but fails to write to the secured Security/InternalTag
Changing the write permissions on Security/InternalTag to Authenticated or Public fixes it all. This is probably insecure.
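The change-script pattern described in this post, as an added example that is not the poster's code: it writes the ordinal, resets the command boolean, and checks the quality returned for the secured enum write so a rejected write is reported rather than lost. The `[default]` provider, the `OperatorTag0..2` to ordinal mapping, the logger name and the fake writer are assumptions; `system.tag.writeBlocking` is only referenced in the commented wiring.

```python
# Added example. Provider name and the X -> ordinal mapping are assumptions.
ENUM_TAG = "[default]Security/InternalTag"
# Mode ordinals from the post: 0=Maintenance, 1=Manual, 2=Auto
COMMANDS = {
    "[default]Security/OperatorTag0": 0,
    "[default]Security/OperatorTag1": 1,
    "[default]Security/OperatorTag2": 2,
}

def on_command_changed(tag_path, value, initial_change, write_blocking):
    """Write the ordinal for a command boolean, reset the boolean, and
    report whether the write to the secured enum tag was accepted."""
    if initial_change or not value or tag_path not in COMMANDS:
        return "ignored"
    enum_q, reset_q = write_blocking([ENUM_TAG, tag_path],
                                     [COMMANDS[tag_path], False])
    if not enum_q.isGood():
        # Surface the rejected write instead of letting it fail silently.
        return "failed: enum=%s reset=%s" % (enum_q, reset_q)
    return "written"

# In Ignition the tag event would call it like this (hypothetical wiring):
# def valueChanged(tag, tagPath, previousValue, currentValue,
#                  initialChange, missedEvents):
#     status = on_command_changed(str(tagPath), currentValue.value,
#                                 initialChange, system.tag.writeBlocking)
#     if status.startswith("failed"):
#         system.util.getLogger("ModeCommand").warn(status)

class FakeQuality(object):
    """Constructed stand-in for the quality code writeBlocking returns."""
    def __init__(self, good):
        self.good = good
    def isGood(self):
        return self.good
    def __str__(self):
        return "Good" if self.good else "Bad"

def fake_writer(enum_write_allowed):
    """Constructed writer: enum write accepted or rejected, reset succeeds."""
    def write(paths, values):
        return [FakeQuality(enum_write_allowed), FakeQuality(True)]
    return write

if __name__ == "__main__":
    tag = "[default]Security/OperatorTag2"
    print(on_command_changed(tag, True, False, fake_writer(True)))
    print(on_command_changed(tag, True, False, fake_writer(False)))
```

The second call reproduces the symptom from the post: the reset is accepted while the write to the secured enum tag is not, and the returned status makes that visible in the gateway log.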