Introduction to System Security
The security configuration options provide a number of options for system administrators to control access to the system. This section will introduce some of the security concepts including the available authentication methods and the object classes used in the system.
Two authentication methods are supported:
Windows Authentication - This utilizes Windows user/Group accounts (either Windows Active directory or local Windows accounts) as authentication to either login to the system using DataStudio or to access the system using the Web API or Lua API. These are represented by the User and UserGroup objects created in the Access Model (see below).
Profile Credentials - This is an system authentication system that corresponds to inmation Profile objects created in the Access Model (see below). Can be used as authentication to either login to the system using DataStudio or to access the system using the Web API or Lua API.
Introduction to Security Objects
Security permissions are based on the following objects that can be created in the Access Model of DataStudio.
Profile: Profile objects are the highest level object in the Access Model and the objects to which security permissions are directly assigned. The Profile Credentials authentication method uses Profile objects for authentication.
User: User objects are created below Profile objects and thereby assigned to a particular profile (and therefore assigned the permissions of that profile). The User object represents a Windows Active Directory user account for Windows authentication.
UserGroup: UserGroup objects are created below Profile objects and thereby assigned to a particular profile (and therefore assigned the permissions of that profile). The UserGroup object represents a Windows Active Directory group account for Windows authentication.
Permissions to any object in a model tree are granted by using Profile objects from the Access Model. Users can be assigned to multiple Profiles, directly as children of object type User or indirectly by making use of Group objects. The User and Group object represents Windows Active Directory or local Windows user/group accounts.
To grant different rights to users, a User (or Group) object can be created a child of multiple Profile accounts. A Security Reference is created by a drag & drop operation of a Profile object onto an IO Model object (e.g. IO Item) for which permissions can then be defined.
Permissions that can be granted are:
List: Object will appear when listing the parent’s children.
Read: All object properties can be read.
Write: The current value of the object can be written.
Modify: All object properties can be written.
Execute: The object’s methods can be called.
Inheritable: The explicitly set permission are inherited to all child objects.
In general Security References grant rights at the object level they have been created at. Making use of the permission List” and Inheritable though allow to implicitly grant permission to parents and children.
|Implicitly granted permission are always overruled by explicit permission! There is no such thing as automatic merging of permissions along the model tree hierarchy up- or downwards.|