14.3.3. Data domain restriction

In addition to restricting user access by protocol and IP address, you can also restrict access to the data according to the DataHub data domain. This requires editing an existing role, or creating a new one. We recommend creating a new role, which can be done as follows.

Single domain

  1. In the Security configuration dialog, select the Roles tab and click the Add button to add a new role.

  2. Enter a name for the role. For this example we'll call it DomainSpecificRole, because we will apply it to just one domain.

  3. Click OK.

  4. In the Permission Sets for the new role, select BasicConnectivity and DataFullAccess.

    Also select WebViewFull, which we can use to test the results.

  5. For each of the three permission sets, select it, click the Edit button, and enter the pattern Domain1.

  6. All three permission sets should now show a Domain Pattern of Domain1.

    Click Apply to apply the changes. Now we need to create a user for this role.

  7. In the Users tab, click the Add button to add a Built-In user.

  8. Enter the user name Domain1User and a password.

  9. Uncheck both Default Roles boxes and click OK.

  10. In the Roles for this user, select DomainSpecificRole. That is the only role you need.

  11. Click OK and Apply. For the Domain1User, the list of Effective Permissions should now display the Data permissions with the Domain Pattern of Domain1.

    Notice that it also has permissions in the Connection, HTTP, and WebView categories. These are not data-specific, so the domain pattern does not apply.

This completes the basic task of restricting access to data according to one DataHub data domain. Anyone logging onto the system with the Domain1User username and password will have read/write access to the data in Domain1 only.

For an example of specifying multiple domains, and for testing the results, please continue with the following steps.

Domain pattern for multiple domains

  1. As above, we will first add a new role, this time called DomainPatternRole.

  2. Give this role the same three permission sets, BasicConnectivity, DataFullAccess, and WebViewFull.

  3. This time, for the Domain Pattern of each permission set, enter ^Dom.* and check the Is Regex box.

    This regular expression will match any domain whose name starts with the characters Dom. The leading ^ anchor matters: a regex is matched anywhere in the name, so an unanchored pattern such as Dom would also admit any domain that merely contains those characters.

    Note: The DataHub program uses .NET Regular Expressions, whose use and syntax can be found here.

  4. Click the Apply button. The completed role should look like this:

  5. Now, add a new user, DomainAllUser and give it only the DomainPatternRole.

  6. Click the Apply button. Your DomainAllUser should now have the DomainPatternRole that allows connections to any domain starting with the characters Dom.
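Before applying a regex Domain Pattern, it is worth listing exactly which domains it will admit, since an over-broad pattern silently widens the role. The following is an added example, not DataHub's own code: it models the two matching modes described above (a plain pattern as an exact domain name, a regex pattern searched the way .NET's Regex.IsMatch does) against a constructed list of domain names, and reports any domains a pattern grants beyond the ones intended. Whether DataHub compares names case-sensitively is an assumption here.

```python
import re

# Constructed sample: domain names as they might exist in a DataHub instance.
# "RandomDomain" and "dom1" are included to show how patterns can over- or under-match.
DOMAINS = ["Domain1", "Domain2", "DomOther", "default", "RandomDomain", "dom1"]


def domain_matches(pattern: str, domain: str, is_regex: bool) -> bool:
    """Apply one permission set's Domain Pattern to a single domain name.

    Assumptions (not confirmed by the DataHub documentation):
    - a non-regex pattern is an exact, case-sensitive domain name;
    - a regex pattern is searched anywhere in the name, like .NET Regex.IsMatch,
      so it only restricts the start or end of the name if it contains ^ or $.
    """
    if not is_regex:
        return domain == pattern
    return re.search(pattern, domain) is not None


def visible_domains(pattern: str, is_regex: bool, domains=DOMAINS) -> list:
    """The domains a role with this Domain Pattern would expose to its users."""
    return [d for d in domains if domain_matches(pattern, d, is_regex)]


def unintended_matches(pattern: str, is_regex: bool, intended, domains=DOMAINS) -> list:
    """Domains the pattern admits that are not in the intended set.

    An empty result means the pattern is no wider than planned; anything listed
    is data the role would grant by accident.
    """
    return sorted(set(visible_domains(pattern, is_regex, domains)) - set(intended))


if __name__ == "__main__":
    intended = ["Domain1", "Domain2", "DomOther"]
    for pattern, is_regex in [("Domain1", False), ("^Dom.*", True), ("Dom", True)]:
        print(f"{pattern!r:12} regex={is_regex!s:5} ->", visible_domains(pattern, is_regex))
        print("   unintended:", unintended_matches(pattern, is_regex, intended))
```

Running it shows that ^Dom.* admits only the three Dom-prefixed domains, while the unanchored Dom also admits RandomDomain; neither admits default or the lower-case dom1.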

Testing

You can use WebView to ensure that the domains you've specified are the only ones available to the user.

  1. Start up WebView and log in with the Domain1User.

  2. Put a gauge control on the canvas and edit its value property, choosing a Point binding.

  3. Enter the string Dom to display a choice of available points.

    Notice that only points in Domain1 are on the list.

  4. Try another domain. Enter default or any other domain name used in your DataHub instance.

    The list should be empty.

  5. Now close WebView and try logging in with DomainAllUser.

  6. Entering Dom should now display the points available in any domain that matches the pattern.

This is how to restrict access to specified data domains. Of course, any user can also be restricted by protocol and IP address.