DataHub security model

The DataHub security model lets you restrict each connection according to user, source, and protocol, with permissions to access DataHub data sets and functionality for each, as needed. Secure networking uses the latest SSL-3 encryption cipher for MQTT, Tunnel/Mirroring, WebView, and Remote Config connections.

Sophisticated Security Model diagram

Here is a video walk-through of the security model:

Security model constructs

User accounts are created in the Security interface, or imported from Windows or LDAP servers. Users are authenticated by username and password, and optionally with TOTP (time-based one-time passwords) for multi-factor authentication.

Users are associated with one or more principals. Each principal provides a separate log-in context for that user, consisting of two parts:

  1. A connection source, which is an IP pattern.
  2. A connection protocol, such as TCP, OPC, MQTT, and so on.

You can grant different permissions to a user depending on where they log into the system from, or which protocol they use, or both. For example, a manager could have read/write privileges for OPC UA on a certain data set from a server on the plant network. But he might be limited to read-only access on WebView via TCP for that same data from his laptop which he takes home or on the road.

DataHub Security Model Screen

For convenience, permissions with related functionality are grouped together and assigned to roles. These roles in turn get associated with principals. For example, most users are members of the BasicConnectivity role that provides just the Connect permission. To read data, they would need AllDataReader; to write, AllDataWriter; and for permission to do anything with all data, the AllDataFullAccess role. For each user, this access can be limited to applications, like just for WebView, or just for Remote Config, or perhaps just for DataPid and DataSim.

DataHub software ships with a number of pre-configured users, roles, and permission sets to help administrators quickly implement the most common scenarios. These can be replicated and customized for virtually any requirement.