Hello,
We have a requirement to make a distributed system that will be able to establish "local administration only" on one redundant node system.
While in "local administration only" state, this redundant system should distribute its data point values, but it should not accept any data point change outside of its redundant server pair.
Is there a simple way to disable commands (dp change) from distributed systems?
Best regards,
Vedad
How to disable commands (dp change) from distributed systems?
- vedadramovic
- Posts:121
- Joined: Mon Apr 07, 2014 10:36 am
- vince2e
- Posts:39
- Joined: Tue Aug 02, 2016 4:19 pm
Re: How to disable commands (dp change) from distributed systems?
Hey Vedad,
I've done this by assigning different permissions to usernames, and then put a script in every pushbutton, textfield, etc. to check the User's permissions. If the User had permissions they could write to the DPE, if not it would do nothing. It was a simple solution, but not a quick one. If anyone has a better way please share.
- vedadramovic
- Posts:121
- Joined: Mon Apr 07, 2014 10:36 am
Re: How to disable commands (dp change) from distributed systems?
Hi Vincent,
Thank you for the tip.
I was hoping for a system solution coded in the Event Manager, in order to avoid potential bugs when someone from the development team forgets to check permissions.
- leoknipp
- Posts:2928
- Joined: Tue Aug 24, 2010 7:28 pm
Re: How to disable commands (dp change) from distributed systems?
Since WinCC OA 3.15 P004 a new feature called "Access Control Interface" is available.
This interface can be used during runtime to protect against connecting unauthorized components (Manager Authentication) as well as to inhibit unauthorized access to the process image data.
For detailed information please have a look at the WinCC OA documentation: Add-Ons --> API --> Access Control Interface.
Maybe you can solve your requirement by using the _auth config. In this config you can define which permission bit is required to be able to modify a specific config (+ attribute).
If the system is going to "local administration" you could modify the user permissions for the user group (used by the user in the distributed system) and remove the specific bit in the central system.
E.g., the user groups are the same in all systems:
-- user bit 7 is required (_auth config)
-- user in central system is assigned to group "local" where the permission bit 7 is assigned
-- user in distributed system is assigned to group "remote"
Scenario 1 - activating local administration
-- remove the permission bit 7 for the user group "remote" in the central system
Scenario 2 - deactivating local administration
-- set the permission bit 7 for the user group "remote" in the central system
Best Regards
Leopold Knipp
Senior Support Specialist
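An added sketch of the group/bit scheme from the reply above, not part of the original post and not WinCC OA code or its API: a Python model that assumes a user's effective permissions are the union of the bits of all groups the user belongs to. The user names and the "maintenance" group are constructed; it runs both scenarios and audits for accounts that would still pass the bit 7 check after "remote" loses it.

```python
# Model of the scheme described in the reply; not WinCC OA code or its API.
# Assumption: effective permission bits = union of the bits of every group
# the user is a member of.
REQUIRED_BIT = 7  # bit demanded by the _auth config in the reply's example

# Constructed sample data: group -> permission bits, user -> groups.
groups = {"local": {1, 2, 7}, "remote": {1, 2, 7}, "maintenance": {1, 7}}
users = {
    "op_central": ["local"],
    "op_dist": ["remote"],
    "svc_dist": ["remote", "maintenance"],
}

def effective_bits(user, groups, users):
    """Union of the permission bits of all groups the user belongs to."""
    bits = set()
    for group in users[user]:
        bits |= groups[group]
    return bits

def may_write(user, groups, users, required=REQUIRED_BIT):
    """Single central check standing in for the server-side _auth evaluation."""
    return required in effective_bits(user, groups, users)

def set_local_administration(groups, active, group="remote", bit=REQUIRED_BIT):
    """Scenario 1 (active=True) removes the bit; scenario 2 sets it again."""
    updated = {name: set(bits) for name, bits in groups.items()}
    if active:
        updated[group].discard(bit)
    else:
        updated[group].add(bit)
    return updated

def audit_leftover_writers(groups, users, trusted="local", required=REQUIRED_BIT):
    """Users outside the trusted group that still pass the check."""
    return sorted(
        user for user, member_of in users.items()
        if trusted not in member_of and may_write(user, groups, users, required)
    )

if __name__ == "__main__":
    locked = set_local_administration(groups, active=True)
    for user in users:
        print(user, "may write:", may_write(user, locked, users))
    print("still able to write:", audit_leftover_writers(locked, users))
```

In this model the account that is also in "maintenance" keeps write access after scenario 1, so the switch is only effective if no other group assigned to distributed-system users carries the required bit.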
- vedadramovic
- Posts:121
- Joined: Mon Apr 07, 2014 10:36 am
Re: How to disable commands (dp change) from distributed systems?
Thank you, Leopold, for the fast and detailed answer.
For security and priority reasons, is it possible to change the required permission bit in the _auth config on the local system without a restart of this manager?
Best regards,
Vedad Ramovic
- leoknipp
- Posts:2928
- Joined: Tue Aug 24, 2010 7:28 pm
Re: How to disable commands (dp change) from distributed systems?
The changes to the _auth config are applied without the need for a restart.
Best Regards
Leopold Knipp
Senior Support Specialist
- vedadramovic
- Posts:121
- Joined: Mon Apr 07, 2014 10:36 am
Re: How to disable commands (dp change) from distributed systems?
Thank you Leopold