
Sender Credentials: Identity vs. User (version 23)

When the Sender service makes a secure connection to a remote Receiver service using the 'Net.TCP - Username' endpoint (55256), credentials are passed in to verify who the Sender is. There are two options:

  1. Identity
  2. User

Identity

By default, the Sender uses the 'Identity' option, which identifies it by the Sender's machine name along with a randomized GUID. This is typically sufficient for most cases when restricting who has access to write data to the historian.

Using this method, the Sender will initially appear on the 'DENY' list within the Receiver tile on the historian/proxy server when logging begins. The remote Sender must then be manually allowed by opening Canary Admin>Receiver tile>Configuration>Senders. Once allowed, the Sender will be able to transmit data.

User

The 'User' option is typically used within a multi-tenant environment where remote Sender machines are permitted to write to a specific dataset. This prevents unwanted users from writing data to another client's dataset.

In this scenario, the Sender does NOT appear in the Receiver's deny list. Instead, security must be enabled within the Views service on the historian machine and the configured username must be granted Write permissions to the dataset(s).

Security is enabled by navigating to the Views tile>Security>Settings on the historian server.

It is recommended to set up the appropriate permissions before enabling security, because enabling security without them configured would prevent any user from reading from or writing to the historian.

Permissions are configured within Views tile>Security>Permissions. A user can be given explicit permissions to a specific dataset by expanding the machine name, selecting the dataset, then adding the user.

 
