Restrict Tag Access

Access to tag data and the ability to see what tags are available can be restricted by user authentication or prevent unauthorized access.  The Security features can be used to designate tag groups or individual tags per organization, customer, or designation on how you determine to allocate users in OAS.

Before proceeding first follow the steps in the Getting Started – Security guide to create an Admin user.

When adding tags to OAS organizing the tags in groups by area or organization will make the security restriction easy to designate tags that start with a character string.

In the following steps we will use the example tag configuration demonstrate access to tags organized by company and customer.

Company-Customer-Tags

To restrict access to read, write, and browse tags use the Security group tab Tags, Read Tags, and Write Tags of the Default security group and allow access to the designated security group defined to each user.

Read Tags

Use Configure-Security to list all currently defined Security Groups.

Configure Security

Select the Default security group and uncheck Enable All Features.

Uncheck Enable All Features

Under the Read Tags tab check Disable All Tags From Reading.

Disable Read Tags

Note: This will prevent all applications including remote OAS Engines to receive live values from this OAS Engine.

You can optionally enable specific tags or tags start with a matching string for read access without authentication required.

Enable Read Tags

Select Apply Changes to update the Default security group.

Apply Changes

Next create security groups for customers, companies, administrators full access privileges.

The first example create a security group for Customer 1 of Company 1.

Change the Group Name property of the security group, the group name can be anything you like, we will use Company 1-Customer 1 in this example.

In the Read Tags tab leave Disable All Tags From Reading unchecked.

Select ADD in the list to Enable Reading Tags that Start With to browse for a tag within the Company 1.Customer 1 group and remove the tag portion of the string and select OK.

Browse Company Customer

This security group will allow read access to tags that start with Company 1.Customer 1.

Allow Read Tags Company and Customer

Note: If you wanted to provide company wide access to all customers set the string that starts with to Company 1.  If you want to provide read access to all tags in the configuration uncheck Disable All Tags From Reading.

You can also designate tags by complete name with the list Tags To Enable Reading.  This is a way to include specific tags within a tag group, but not all tags in the group.

Select Add Group.

Add Group

From the top menu select Configure-Users to define one or more users to the Company 1-Customer 1 group.

Configure Users

Enter a User Name and Password for the user that will have access to read tag from Company 1.Customer 1 tag group.

Use the Security Group pull down to select the security group you have defined for the Company 1.Customer 1 group.

Company Customer User

Select Add User.

Add User

Select Save to save a security configuration file.

Save

When prompted select to set as the default security configuration file.

Default Security File

Repeat the above steps for each customer in each company.

Note: To define multiple security groups and users you can use CSV Export / Import, .NET Server Configuration, or REST API.

CSV Import and Export

Write Tags

To restrict write access to tags per user use the same steps above as listed for Read Tags and use the Write Tags tab of the security groups.

In the Default security group check Disable All Tags From Writing.

Disable Write Tags

In each additional security group select ADD in the list to Enable Writing Tags that Start With to browse for a tag within the Company 1.Customer 1 group and remove the tag portion of the string and select OK.

This security group will allow write access to tags that start with Company 1.Customer 1.

Enable Write Tags

Note: If you wanted to provide company wide access to all customers set the string that starts with to Company 1.  If you want to provide write access to all tags in the configuration uncheck Disable All Tags From Writing.

You can also designate tags by complete name with the list Tags To Enable Writing.  This is a way to include specific tags within a tag group, but not all tags in the group.

Select Save to save a security configuration file.

Save

Browse Tags

To restrict browse access to tags use the same steps above as listed for Read Tags and use the property Disable All Tags from Browsing in the Tags tab of the security groups.

Check Disable All Tags From Browsing in the Default security group in the Tags tab and select Apply Changes.

Disable Browsing

Select Apply Changes to update the Default security group.

Apply Changes

In each additional security group select ADD in the list to Enable Browsing Tags that Start With to browse for a tag within the Company 1.Customer 1 group and remove the tag portion of the string and select OK.

This security group will allow browse access to tags that start with Company 1.Customer 1.

Enable Browse

Note: If you wanted to provide company wide access to all customers set the string that starts with to Company 1.  If you want to provide browse access to all tags in the configuration uncheck Disable All Tags From Browsing.

Select Save to save a security configuration file.

Save

View how to Implement User Credentials in Client Applications to provide log in method for each user.