Securing Tags

This article applies to versions 4.19 and later of IFS OI Explorer. For more, see Release History.

Note: Changing security for individual tags requires Server administrator privileges.

There are several options for securing tags. 

  • Security can be inherited from a Datasource. For tags added to the system via Tag Discovery, privileges can be applied at the datasource level, which will then be inherited by the tags from that datasource. Additionally, more specific privileges can be applied to individual tags from that datasource.
  • For tags not originating from a datasource (e.g. calculations), privileges are applied directly to the individual tags.
  • Individual tags can also be added to Tag Groups, and secured at that level. 

These options are described below.

Note on Inheritance

Default object security provides the Everyone role with implicit view privileges for all objects in the system. When securing a Server object, you will need to remove the View privilege from the resource, as well as default object privileges for other roles.

When applying object-level privileges, it is important to remember the cascading nature of privileges applied at the resource-level. If a role has explicit View privileges (or higher) on the resource, all users with that role can view all objects for that resource. 

TIP: If you intend to change security for specific tags, avoid explicitly setting privileges on the relevant datasource, as it can result in over-complicated security scenarios.

Related: How Security Works, How Roles Work, How Object Access Works, Add an Administrator


What the Privileges Mean

Each resource may have different privileges. This is a list of the privileges for each resource, and what they mean.

Calculation Tags

These privileges apply to calculation tags. They are independent of a datasource.

Privilege | What it means
View | See the calculation tag in Server Management and Explorer.
Edit | Modify the calculation tag in Server Management and Explorer.
Delete | Delete the calculation tag from Server Management.

Datasources

These privileges apply to the datasource, and are inherited by any tags associated with the datasource.

Privilege | What it means
View | See the datasource and associated tags or datasets, in both Server Management and Explorer.
Write | Write to the tags or datasets associated with a datasource, from Explorer. Note: The Write flag on the datasource must be enabled for this to take effect. If the flag is not enabled, this privilege will have no effect.
Edit | Modify the datasource and associated tags or datasets, in Server Management.
Delete | Modify the datasource and associated tags or datasets, from Server Management.

Dataset Tags

Note: Dataset tags cannot be added to a Tag Group.

These privileges apply to the datasource, and are inherited by any tags associated with the datasource.

Privilege | What it means
View | See the dataset, in both Server Management and Explorer.

Timeseries Tags

These privileges apply to tags from a Tag datasource. Depending on the datasource used, some privileges may not be available.

Privilege | What it means
View | See the datasource and associated tags or datasets, in both Server Management and Explorer.
Write | Write to the tags or datasets associated with a datasource, from Explorer. Note: The Write flag on the datasource must be enabled for this to take effect. If the flag is not enabled, this privilege will have no effect.
Edit | Modify the datasource and associated tags, in Server Management.
Delete | Modify the datasource and associated tags, from Server Management.

Tag Group

These privileges apply to the tags in the group. Only timeseries and calculation tags can be added to a group.

Privilege | What it means
View | See the datasource and associated tags or datasets, in both Server Management and Explorer.
Write | Write to the tags or datasets associated with a datasource, from Explorer. Note: If this is a Datasource Tag, the Write flag on the datasource must be enabled for this to take effect. If the flag is not enabled, this privilege will have no effect.
Edit | Modify the datasource and associated tags, in Server Management.
Delete | Modify the datasource and associated tags, from Server Management.

What the Colours Mean

The privileges matrix is colour-coded to indicate the cascading nature of privileges. The colours are:

Grey: Privilege not granted.
Green tick: Privilege is explicitly granted; associated privileges will also be automatically granted.
Green dot: Privilege is granted because a higher level privilege has been granted on the object.
Blue: Privilege is granted because it is inherited from a resource privilege.

 


Tutorial 1. Securing a Datasource

1. In Server Management, open the datasource for which you want to change the privileges. 

2. For each role, click the relevant privileges you want to assign.

Screenshot showing privileges for a tag datasource

  • To remove a privilege, click the green check icon. This will change to a grey cross icon. 
     
  • To grant a privilege, click the grey icon. This will change to a green check icon. Remember that privileges cascade from higher to lower levels, so a role with Edit privileges will also have View privileges. 
     
  • Blue icons indicate an inherited Role Privilege, which you cannot change from here.

3. When you have finished, click Save.

All tags in this datasource will inherit these privileges.

Related: Changing a Role's Privileges, Locking Down an Object


Tutorial 2. Individual Tags

This applies to datasource tags and calculation tags which can be secured individually.

1. In Server Management, open the datasource for which you want to change the privileges. 

2. For each role, click the relevant privileges you want to assign.

Screenshot showing privileges for a tag

  • To remove a privilege, click the green check icon. This will change to a grey cross icon. 
     
  • To grant a privilege, click the grey icon. This will change to a green check icon. Remember that privileges cascade from higher to lower levels, so a role with Edit privileges will also have View privileges. 
     
  • Blue icons indicate an inherited Role Privilege, which you cannot change from here.

3. When you have finished, click Save.

These privileges will override those set at the datasource level.

Related: Changing a Role's Privileges, Locking Down an Object
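
The cascade and inheritance rules described in this article, modelled as an added example (not IFS code or an IFS API). The function names, role names and grants are constructed, and the model assumes that blue cells take precedence over object grants and that tag-level grants replace datasource grants per role.

```python
# Added example: a model of the privilege rules this article describes.
# Role names and grants below are constructed sample data.

# Cascade stated in the article: Edit also grants View. No other pairs are
# stated there, so none are assumed.
IMPLIES = {"Edit": {"View"}}

def closure(privs):
    """Return privs plus every privilege they cascade to."""
    out, todo = set(), list(privs)
    while todo:
        p = todo.pop()
        if p not in out:
            out.add(p)
            todo.extend(IMPLIES.get(p, ()))
    return out

def cell(role, priv, resource_privs, datasource_grants, tag_grants=None):
    """Classify one matrix cell for a tag, using the article's colour names."""
    # Blue: inherited from the role's resource-level privilege. Assumed to win
    # over object grants, since the article says it cannot be changed there.
    if priv in closure(resource_privs.get(role, ())):
        return "blue"
    # Tag-level grants override the datasource's (assumed to apply per role).
    grants = datasource_grants
    if tag_grants is not None and role in tag_grants:
        grants = tag_grants
    explicit = set(grants.get(role, ()))
    if priv in explicit:
        return "green tick"
    if priv in closure(explicit):
        return "green dot"
    return "grey"

def who_can(priv, roles, resource_privs, datasource_grants, tag_grants=None):
    """Map each role that holds priv on the tag to the reason (cell colour)."""
    states = {r: cell(r, priv, resource_privs, datasource_grants, tag_grants)
              for r in roles}
    return {r: s for r, s in states.items() if s != "grey"}

ROLES = ["Everyone", "Operators", "Engineers"]
RESOURCE = {"Everyone": {"View"}}  # models the default View described in the article
DATASOURCE = {"Operators": {"View"}, "Engineers": {"Edit"}}
TAG = {"Operators": set()}  # Operators' View removed on one tag

if __name__ == "__main__":
    # Tag is still visible to Everyone until the resource-level View is removed.
    print(who_can("View", ROLES, RESOURCE, DATASOURCE, TAG))
    print(who_can("View", ROLES, {}, DATASOURCE, TAG))
```

Running `who_can` before and after a change shows which roles still reach a tag and why, which is the check to make when a tag is meant to be locked down.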


Tutorial 3. Tag Groups

A Tag Group is a collection of tags which all have the same View, Edit, Delete, and Write security privileges.

Note: Tag Groups must be explicitly enabled in the ServerConfig.xml file by setting TagGroupSecurityEnabled to true.

When Tag Groups are enabled, tags must be added to groups and the groups secured. Tags cannot be secured individually.

Note: Tag Groups are only available for calculations and timeseries tags.

All tags are automatically added to a default “All Tags” group, which can be assigned privileges as appropriate.

To further refine tag security via Tag groups:

Create a Tag Group and Assign Tags in Bulk

Tag Groups are created in the Configuration section of Server Management.

1. Click Create New Tag Group, or click an existing group to edit it. 

Screenshot showing a list of tag groups

2. Fill in the Name and Description for the tag group.

3. In the Assigned Tags section, move tags from the left to the right to add them to the tag group.

You can use the Filter by Datasource list to find all the tags in a specific datasource (including Calculations).

Screenshot showing the configuration of a tag group

4. In the Tag Group Tag Privileges panel on the right, select the role privileges you want for this tag group.

Assign a Datasource to a Tag Group

You can assign a Datasource to a Tag Group. The advantage in doing this is that when new tags are discovered for the datasource, they will automatically be added to the tag group.

On the Datasource page in Server Management, the Tag Group Security option is located below the Tags list.

Choose one or more Tag Groups for the Datasource. The privileges specified for the Tag Group will apply to all tags from the datasource.  

Screenshot showing datasource tag group security

Assign Individual Calculation Tags to a Tag Group

You can assign calculations of type Tag to a Tag Group. You cannot assign dataset calculations to a tag group.

On the Calculation Configuration page in Server Management, the Tag Group Security option is located below the Type option.

Choose one or more Tag Groups for the calculation. The privileges specified for the Tag Group will apply to this calculation.  

Screenshot showing calculation tag group security


Troubleshooting

The following messages may appear in Server Management.

Tag Groups

If you don't have sufficient privileges to create Tag Groups, the Tag Groups page will display the message:

There are no tag groups configured in the system.

Screenshot showing the Tag Groups page with no tag groups configured

Entity Overview

If a tag you don't have permissions to see is assigned to an entity that you can see, the Entity page will display the message:

This page is read-only as you do not have sufficient privileges to edit this entity.

Screenshot showing the Entity overview with insufficient privileges


Release History

  • Securing Tags 4.19.0
    • Assign Calculation to a Tag Group Directly
    • Tag Group Filter by Datasource
  • Securing Tags 4.17.1
    • Initial release of group-based tag security
