
Security for points is assigned on two separate levels. Point attributes (zero, span, descriptor, etc.) have one access level and the point data values (Snapshot and Archive data) have another. Thus, you can have different owners and different access for point attributes than for point data.

6.7.1 Point Data Access

When a point is created, the Archive and Snapshot data for the point are assigned a point data owner and a data group. The data are also assigned various combinations of read and write access for the data owner, group, and world.

6.7.2 Point Attribute Access

When a point is created, the attributes of the point (such as zero, span, compression specifications, etc.) may be assigned to a different owner and different group than the point data.

Note: Changing point ownership or security access is best done separately from other point editing operations. For example, change the span and the compression deviation first, and then change the security or the ownership.

There is not necessarily any relationship between the point owner and the point group.

Security Scenario for Users

In a typical facility, a control engineer may be assigned to be the owner of the point attributes for the instruments that he or she is responsible for configuring. The point owner may be assigned ownership and read and write access for the data as well.

On the other hand, the control room staff, as a group, may be given read and write access to the data but be limited to read-only access for the attributes.

Interfaces usually need read/write access and use a trust login to obtain the privileges of a particular user. See Trust Login, page 125.

System Manager Privileges

System Manager privileges allow changing access permissions for any point, without regard to the point attribute owner (ptowner). The manager can override and change any setting, even if access is restricted.

Note: The user piadmin is a special user. This account is the PI System super user. It has full access to all databases and database records regardless of security attribute settings. piadmin is the only user that has this level of privileges.

6.7.3 Access Algorithm

Whenever a user logs in, the following algorithm is used to determine what access to a point is granted:


1. If the requester is piadmin, then grant full privileges.

2. If the requester is the owner, then grant the privileges assigned to the owner.

3. Otherwise if the requester is a member of the group, then grant the privileges assigned to the group.

4. If the requester is neither the owner nor a member of the group, then grant the privileges assigned to the world.

Note: If a requester is a member of a given group, and group permission is more restrictive than world permission, then world access to the point is granted.
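The access algorithm above, written out as an added Python example (not OSIsoft code and not part of the original manual). It parses access strings in the o:rw g:r w: form used in the piconfig listings on this page, applies the four steps and the note, and flags world-writable points in a constructed listing. The function names are hypothetical, and "more restrictive" is assumed to mean a strict subset of the world permissions.

```python
# Added illustration; not OSIsoft code. All names below are hypothetical.
ALL = frozenset("rw")

def parse_access(spec):
    """Parse a piconfig access string such as 'o:rw g:r w:' into sets."""
    perms = {"o": frozenset(), "g": frozenset(), "w": frozenset()}
    for field in spec.split():
        who, sep, rights = field.partition(":")
        if not sep or who not in perms or not set(rights) <= ALL:
            raise ValueError(f"bad access field: {field!r}")
        perms[who] = frozenset(rights)
    return perms

def effective_access(user, user_groups, owner, group, spec):
    """Apply the four steps of 6.7.3 plus the group/world note."""
    perms = parse_access(spec)
    if user == "piadmin":                 # step 1: super user
        return ALL
    if user == owner:                     # step 2: owner privileges
        return perms["o"]
    if group in user_groups:              # step 3: group member
        # Note: when group is more restrictive than world, world applies.
        # Assumption: "more restrictive" means a strict subset of world.
        if perms["g"] < perms["w"]:
            return perms["w"]
        return perms["g"]
    return perms["w"]                     # step 4: everyone else

def world_writable(listing):
    """Return tags whose listed access string grants world write."""
    hits = []
    for line in listing.strip().splitlines():
        tag, spec = line.split(",", 1)
        if "w" in parse_access(spec)["w"]:
            hits.append(tag.strip())
    return hits

# Constructed sample in the 'tag, dataaccess' output shape shown on this page.
SAMPLE = """SINUSOID,o:rw g:rw w:rw
LAB_VALUE,o:rw g:rw w:
FLOW_01,o:rw g: w:r"""

if __name__ == "__main__":
    print(world_writable(SAMPLE))
    print(sorted(effective_access("ann", {"ops"}, "tom", "ops", "o:rw g: w:r")))
```

The FLOW_01 line is the case the note describes: a group member with empty group permission still reads the point because world read is set, so narrowing the group field alone does not restrict anyone.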

6.7.4 Assigning and Changing Ownership and Access Permissions

Ownership and access permissions are assigned using the piconfig utility. The piconfig Utility on page 171 explains how to use this utility.

The point owner or data owner can change the security attributes in the Point Database using piconfig.

Changing the Point Attribute Owner Example

In this piconfig example, open the table and list the point access ownership for a tag. Then change the owner for this point.

* (Ls) Piconfig> @table pipoint
* (Ls) Piconfig> @ostructure tag, ptowner
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,piadmin
* (Ls) Piconfig> @mode edit
* (Ed) Piconfig> @istructure tag, ptowner
* (Ed) Piconfig> sinusoid, tom
* (Ed) Piconfig> @mode list
* (Ls) Piconfig> @ostructure tag, ptowner
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,tom

Changing the PtGroup, DataOwner, and DataGroup attributes works similarly.

Changing Point Attribute Access Permissions Example

In this piconfig example, open the table, list the attribute access permissions, and then change them by adding group and world read permission:

* (Ls) Piconfig> @table pipoint
* (Ls) Piconfig> @ostructure tag, ptaccess
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,o:rw g: w:
* (Ls) Piconfig> @mode edit
* (Ed) Piconfig> @istructure tag, ptaccess
* (Ed) Piconfig> sinusoid,o:rw g:r w:r
* (Ed) Piconfig> @mode list
* (Ls) Piconfig> @ostructure tag, ptaccess
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,o:rw g:r w:r

Changing the Point Data Owner and Group Example

To change a point owner and group, open the Point Database and list the DataOwner and DataGroup for the tag. It shows that the data owner is piadmin and the data group is piadmin. We want to change the owner to Operator1 and the group to the Operations Group, so that they can put in lab values.

* (Ls) Piconfig> @table pipoint
* (Ls) Piconfig> @ostructure tag, dataowner, datagroup
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,piadmin,piadmin
* (Ls) Piconfig> @mode edit
* (Ed) Piconfig> @istructure tag, dataowner, datagroup
* (Ed) Piconfig> sinusoid, Operator1, OperationsGroup
* (Ed) Piconfig> @mode list
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,Operator1,OperationsGroup

Changing Data Access Permissions Example

To modify access permissions, open the Point Database and list the permissions for a tag. The listing below shows that the owner, group members, and world all have read and write access.

* (Ls) Piconfig> @table pipoint
* (Ls) Piconfig> @ostructure tag, dataaccess
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,o:rw g:rw w:rw

Then, for example, modify the permissions by removing world access completely. Now only the owner and group members can read and write data for this tag:

* (Ls) Piconfig> @mode edit
* (Ed) Piconfig> @istructure tag, dataaccess
* (Ed) Piconfig> sinusoid, o:rw g:rw w:
* (Ed) Piconfig> @mode list
* (Ls) Piconfig> @ostructure tag, dataaccess
* (Ls) Piconfig> @select tag=sinusoid
* (Ls) Piconfig> @endsection
SINUSOID,o:rw g:rw w:

6.7.5 How to Make All Points Accessible

You can change all the access permissions on all points to world read/write access by executing the following piconfig commands:

6.8 - User Security
