15.3. Custom Data Permissions

To demonstrate how to configure custom data permissions, we will use the DataPid program.

Connecting via the internal TCP user

To provide easy access for local TCP connections, there is an internal user, TCP, that allows connectivity and full data access on the local machine.

Since DataPid connects via TCP it can connect and exchange data as the TCP user. You can verify this as follows.

  1. Start the DataHub program and DataPid.

  2. You should see the following:

    DataPid status: Connected
    DataHub Event Log: shows incoming TCP connection established
    DataHub Connection Viewer: TCP Incoming connection established with username TCP
    DataHub Data Browser: DataPid data is updating.

Custom user with permissions limited by role

Now we will use DataPid to demonstrate how to restrict access to the DataHub instance by creating a custom user with limited permissions.

  1. In the Local organization, create a BuiltIn user called DataPidSource with a password test.

  2. Disable the role RequireTotpAuthentication and enable the role AllDataReader, leaving just the two roles BasicConnectivity and AllDataReader.

  3. Apply the changes.

  4. Disconnect DataPid, and reconnect using the DataPidSource username and test password.

In the Event Log, you will see that the connection was established, but permissions to create assemblies, sub-assemblies, and attributes (such as data points) were denied.

Expanding permissions by changing roles

Now we will add a special role (DataPidAndDataSimFullAccess) designed to enable full permissions on the DataPid and DataSim domains. This special pre-defined role can be used as an example for creating your own custom data permissions for specific data domains or data domain patterns.

  1. Edit the DataPidSource user by disabling the AllDataReader role and enabling the DataPidAndDataSimFullAccess role.

  2. Apply the changes.

  3. Disconnect and reconnect DataPid, still using the DataPidSource username and test password.

You should now see no error messages in the Event Log, and the data for DataPid should be updating in the Data Browser.

Restricting permissions by principal

It is also possible to restrict access by principal, such as the user's URL or data protocol. Here we will create a separate principal to restrict all DataPid updates except through TCP connections from localhost.

  1. Ensure that the DataPidSource user is still selected, then disable the DataPidAndDataSimFullAccess role and enable the AllDataReader role.

  2. Apply the changes, then disconnect and reconnect DataPid, using the DataPidSource username and test password.

    You will now see error messages in the Event Log, and the DataPid data will stop updating in the Data Browser. All updates to DataPid data are now restricted.

  3. Back in Security configuration, go to the Principals pane for DataPidSource and click the Add button to add a new principal.

  4. Enter 127.0.0.1/32 for the IP address, and select TCP for the interface. Then click OK.

  5. For this new principal, enable the BasicConnectivity and DataPidAndDataSimFullAccess roles.

    Notice that the DataPidAndDataSimFullAccess role provides effective permissions for the DataPid and DataSim domains.

  6. Apply the changes, then disconnect and reconnect DataPid, using the DataPidSource username and test password.

You should now see no error messages in the Event Log, and the data for DataPid updating in the Data Browser. The DataPidSource user can still connect to this DataHub instance from anywhere, but is now unable to update DataPid data except when connected from localhost.
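
The following Python sketch is an added example, not DataHub code or configuration. It models the final setup above under assumptions: roles on a matching principal are added to the user's own roles, and the permission names (connect, read, write), the OtherInterface label and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified role table (assumption, not DataHub's internal model):
# each role grants (domain, permission) pairs; "*" means every domain.
ROLES = {
    "BasicConnectivity": {("*", "connect")},
    "AllDataReader": {("*", "read")},
    "DataPidAndDataSimFullAccess": {
        (d, p) for d in ("DataPid", "DataSim") for p in ("read", "write")},
}

@dataclass
class Principal:
    cidr: str        # address range, e.g. "127.0.0.1/32"
    interface: str   # e.g. "TCP"
    roles: set

    def matches(self, src_ip, interface):
        # Both the interface and the source address must match.
        return (interface == self.interface and
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr))

@dataclass
class User:
    name: str
    roles: set
    principals: list = field(default_factory=list)

    def allowed(self, src_ip, interface, domain, perm):
        # Assumption: roles of every matching principal add to the user's roles.
        roles = set(self.roles)
        for p in self.principals:
            if p.matches(src_ip, interface):
                roles |= p.roles
        grants = set().union(*(ROLES[r] for r in roles))
        return (domain, perm) in grants or ("*", perm) in grants

def datapid_source():
    # The configuration reached at the end of the procedure above.
    local = Principal("127.0.0.1/32", "TCP",
                      {"BasicConnectivity", "DataPidAndDataSimFullAccess"})
    return User("DataPidSource", {"BasicConnectivity", "AllDataReader"}, [local])

if __name__ == "__main__":
    u = datapid_source()
    for ip, iface in [("127.0.0.1", "TCP"), ("192.0.2.10", "TCP"), ("127.0.0.1", "OtherInterface")]:
        print(ip, iface, "write DataPid:", u.allowed(ip, iface, "DataPid", "write"))
```

Widening the mask, for example to 127.0.0.0/8, would make the principal match every loopback address rather than the single host the procedure specifies.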