
Applying Security to Views (version 23)

The Views service can be configured using the Canary Admin application to grant or limit access to data within the Canary Historian or any Virtual View.  Since Views function as a single endpoint for all data queries, these authorization settings will be universally applied to all client requests.

Before security can be applied, you should verify that the necessary endpoints are properly configured.

  1. Launch the Canary Admin application and click on the Views tile.
  2. Select the 'Configuration' option from the bottom menu.
  3. 'Endpoints' will be automatically displayed.
  4. Enable the desired endpoints described below. 
  5. Click 'APPLY' to finalize View configuration changes.

  • Net.Pipe - Windows (Local Only) - Used when the connection is from a client on the local machine. Windows Authentication uses logon information of the current user.

  • Net.Pipe - Anonymous (Local Only) - Allows any local user access without credentials.

  • Net.TCP - Windows - Uses the Windows credentials of the client user to make a secure connection through the default port (55234).

  • Net.TCP - Username - Uses username/password credentials entered by the client to make a secure connection through the default port (55234).

  • Net.TCP - Secure - Uses the Mirror credentials from the destination computer to make a secure connection through the default port (55234).

  • Net.TCP - Anonymous - Allows any remote user access without credentials through the default port (55231).

For the majority of use cases, 'Net.TCP' will be selected for 'Windows', 'Username', and 'Secure' but not for 'Anonymous'.  Both 'SOAP' options need not be selected.

  • Https - Username - Uses username/password credentials entered by a web client to make a secure connection through the default port (55232).

  • Http - Anonymous - Allows any remote web user access without credentials through the default port (55230).

Once endpoints are configured, you must specify which users or groups to allow or deny access. Canary supports both Microsoft Active Directory and Windows Local users and user groups.  The Views Access menu features four windows.  The top two windows primarily focus on Axiom, Excel Add-in, and Views API access.  The bottom two windows are used primarily for managing Canary Mirror connections and other specialty Canary applications that use the Net.TCP Secure endpoint.

  • ALLOW - Specific groups or individual users that have been given access to Views.  Use the 'ADD' or 'REMOVE' feature to configure this list.
  • DENY - Specific groups or individual users that have been restricted from accessing Views. Use the 'ADD' or 'REMOVE' feature to configure this list.
  • ALLOW (Secure Endpoint) - Displays the machine name of clients granted access to connect to Views through the 'Net.TCP Secure' endpoint. Use 'DENY' to specifically restrict access from specific machines.
  • DENY (Secure Endpoint) - When a secure client connection is received, it is automatically listed within this panel.  A system administrator must allow the client access or choose to remove it. Use 'ALLOW' to provide the selected machine name access.  Use 'REMOVE' to clear a set of credentials from the list requesting secure access.  Use 'REFRESH' to update the list of clients requesting access; the panel does not automatically refresh.

To allow a user or group access to Views:

  1. From within the Views panel of the Canary Admin application select 'Configuration' and then 'Access'.
  2. Click 'ADD...' from the 'ALLOW' window to launch the Microsoft Object Picker user interface.
  3. You may now select either an individual user or a group of users that has been established with Microsoft Active Directory or a Windows Local account.
  4. Click 'OK' and then 'APPLY' to add the user or group.
  5. Repeat this process as necessary.

To deny a user or group access to Views:

  1. From within the Views panel of the Canary Admin application select 'Configuration' and then 'Access'.
  2. Click 'ADD...' from the 'DENY' window to launch the Microsoft Object Picker user interface.
  3. You may now select either an individual user or a group of users that has been established with Microsoft Active Directory or a Windows Local account.
  4. Click 'OK' and then 'APPLY' to restrict the user or group.
  5. Repeat this process as necessary.

Once users are authenticated, you may then enable Views security and select which Views, DataSets, branches, and even individual tags they can access, and whether that access is read, write, or read/write.

Both explicit and inherited permissions can be administered to Views, DataSets, branches, and individual tags.  Explicit permissions are applied by default when an object is created and will take precedence over an inherited permission.

If a user is listed within the 'Explicit Permissions' along with a group they also belong to, make sure the user is ordered above the group by clicking and dragging the user above the group.

When configuring Explicit Permissions you can choose from the following:

  • None - will keep the user or group from accessing this branch and any other sub nodes or tags within it.
  • Read - will allow the user or group to read data from this branch and any other sub nodes or tags within it.
  • Write - will allow the user or group to write annotations and potentially tag values to this branch and any other sub nodes or tags within it.
  • ReadWrite - will allow the user or group to both read and write annotations and potentially tag values to this branch and any other sub nodes or tags within it.

  1. From within the Views panel of the Canary Admin application select 'Security' and then 'Permissions'.
  2. From the 'BROWSE' window, select the top level of the browse structure (will be highlighted when successful).
  3. Click 'ADD...' from the 'EXPLICIT PERMISSIONS' window.
  4. Select 'user...' to launch the Microsoft Object Picker user interface.
  5. You may now select either an individual user or a group of users that has been established with Microsoft Active Directory or a Windows Local account. Click 'OK'.
  6. With the user info now listed, choose the level of access you wish to grant, then click 'ok'.
  7. Repeat for other users or groups if necessary.
  8. You must click 'APPLY' to set the permissions.

This process can now be repeated for all other views, DataSets, branches, and tags.  By applying an access setting of 'None', all other sub nodes, branches, and tags will inherit this permission.

Likewise, if a branch has been set to 'None', selecting a sub branch or even tag within the branch and setting the access to 'Read', 'Write', or 'ReadWrite' will grant access to that item and all sub nodes, branches, or tags within.
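
The precedence rules described above can be checked against a small model. The following is an added example, not Canary code and not part of the original page: it assumes the nearest node with a matching explicit entry wins, entries on a node are read top to bottom with the first match applied, and a user with no matching entry anywhere gets 'None'. All paths, account names, and function names are constructed for illustration.

```python
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Explicit permission lists keyed by browse path; entry order is significant.
# Paths, principals and levels are constructed sample data, not a Canary export.
Acl = Dict[str, List[Tuple[str, str]]]
SAMPLE_ACL: Acl = {
    "Site": [("PLANT\\Operators", "Read")],
    "Site.Line1": [("PLANT\\Operators", "None")],
    "Site.Line1.Pump7": [("PLANT\\alice", "ReadWrite"),
                         ("PLANT\\Operators", "Read")],
}

def ancestors(path: str, sep: str = ".") -> Iterator[str]:
    """Yield the path itself, then each parent up to the top level."""
    parts = path.split(sep)
    for i in range(len(parts), 0, -1):
        yield sep.join(parts[:i])

def effective_permission(acl: Acl, path: str, user: str,
                         groups: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (level, node that supplied it) for one user on one path."""
    who = {p.casefold() for p in {user} | groups}   # Windows names ignore case
    for node in ancestors(path):                    # nearest node first
        for principal, level in acl.get(node, []):  # top to bottom, first match
            if principal.casefold() in who:
                return level, node
    return "None", None  # assumption: no matching rule anywhere means no access

def regrants_under_none(acl: Acl) -> List[Tuple[str, str, str]]:
    """Entries that re-open access below a branch set to 'None' for the
    same principal; worth a manual review during a permissions audit."""
    found = []
    for node, entries in acl.items():
        for principal, level in entries:
            if level == "None":
                continue
            for parent in list(ancestors(node))[1:]:
                if any(p.casefold() == principal.casefold() and lvl == "None"
                       for p, lvl in acl.get(parent, [])):
                    found.append((node, principal, level))
                    break
    return found

if __name__ == "__main__":
    ops = {"PLANT\\Operators"}
    print(effective_permission(SAMPLE_ACL, "Site.Line1.Pump7.Flow", "PLANT\\alice", ops))
    print(effective_permission(SAMPLE_ACL, "Site.Line1.Valve2", "PLANT\\bob", ops))
    print(regrants_under_none(SAMPLE_ACL))
```

Reversing the two entries on 'Site.Line1.Pump7' in this model drops the sample user from 'ReadWrite' to the group's 'Read', which is why the user must be ordered above the group.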

The 'INHERITED PERMISSIONS' window is useful for displaying how the explicit permissions already defined affect the currently selected View, DataSet, branch, or tag.

Two tools can be used for viewing current permission rules.  The 'EFFECTIVE PERMISSION' window found with the 'Permissions' menu can display either user or group access levels for each View, DataSet, branch, or tag as they are selected within the 'BROWSE' window.  

Additionally, the 'Overview' menu will display each View, DataSet, branch, or tag path to which security permissions have been applied and how these permissions affect user and/or group access levels.

 

Once permissions are configured, you will need to turn security on for them to take effect.

  1. From within the Views panel of the Canary Admin application select 'Security' and then 'Settings'.
  2. Check 'Security Enabled' and then 'APPLY'.

 
