
Tag Security (version 24)

Tag Security is used for restricting who can read and/or write to the Historian. When enabled, Canary users/groups must be given proper permissions within the Identity service.

Read

By default, anyone who has access to the Canary system using Axiom, the Excel Add-in, ODBC, or the Read API can see all tags within the Historian. If you want to limit what is available to the end user, Tag Security can be enabled. This may be beneficial if a system has many DataSets and/or Virtual Views and you wish to present a cleaner browse structure. A view that is useful for one business group may be irrelevant to another. It is also useful for restricting what is available for a 3rd party to see and consume.

Write

When Tag Security is enabled, remote Canary Collectors must also be given permission to write to the Historian. This is accomplished by configuring the Collector to use an API token generated in the Identity service. If Tag Security is enabled prior to the Collector being configured, data will buffer in the Store and Forward (SaF) service until it can be given permission.

Configuration

Writing

Does your Canary system have remote Collectors sending data to a centralized Historian? If so, the following steps should be taken first to avoid data buffering. If all data collection is local to the Historian, skip to the Reading configuration.

  1. Open the Canary Admin client on the server containing the Identity service.
  2. Navigate to the Identity tile>Security>API Tokens screen.

  3. Click the ADD button to create a token that will be used for the remote SaF service on the Collector server. See How to Create an API Token for more details, as a Canary user may also need to be created.
  4. Copy the token and open the Canary Admin client on the remote Collector server(s).
  5. Navigate to the SaF tile>Configuration>Settings screen.
  6. Paste the token into the Identity API Token field.

    Each remote Collector server must be configured this way. A new token is not needed for each Collector unless there is a compelling reason to do so.
  7. Navigate back to the Identity server and open the Identity tile>Security>Tag Security screen. The Canary user linked to the API token must be given Write permissions to the local Historian view or the individual DataSet(s) under that view.
  8. Select the Historian view or DataSet(s) from the BROWSE window then ADD an explicit permission.

Before Tag Security is enabled, other permissions will need to be added for those reading data from the Historian. See below.

Reading

  1. Open the Canary Admin client on the server containing the Identity service. The Identity service is responsible for authenticating and authorizing Canary users within the system.
  2. Navigate to the Identity tile>Security>Tag Security screen.

  3. By default, the Identity service is connected to the local Views service. The Views service is responsible for requesting data from the Historian on behalf of the end user. If the Views service is remote from the Identity service, specify the server name using Host and port number (55321).
  4. Select a View or branch from the BROWSE window. Permissions can be applied at any level in the tag hierarchy, all the way down to the tags themselves.
  5. With a branch selected, click the ADD button to add an explicit permission at that level. A window will appear allowing you to select a Canary user/group and grant them Read, Write, ReadWrite, or None permissions.

    If using remote Collectors from above, the Canary user linked to the API token must be given Write permissions to the local Historian view or the individual DataSets.
  6. Once the proper permissions are in place, check the box to Enable Tag Security.

Explicit and Inherited Permission Rules

  • Explicit permissions are applied at a specific View or branch within the hierarchy. These permissions are then propagated to all nodes under that branch, all the way down to the tag and are displayed in the INHERITED PERMISSIONS window.
  • An explicit permission always overrides an inherited one.
  • Permissions are applied in the order that they appear. If a user is listed within the EXPLICIT PERMISSIONS along with a group they also belong to, make sure the user is above the group by clicking and dragging them above the group. Otherwise, the message "Unreachable Permission Detected!" will appear. Similarly, if a user is among two different groups, the group listed first takes precedence.

When configuring Explicit Permissions you can choose from the following:

  • None - will keep the Canary user/group from accessing this branch and any other sub nodes or tags within it
  • Read - will allow the Canary user/group to read data from this branch and any other sub nodes or tags within it
  • Write - will allow the Canary user/group to write data to this branch and any other sub nodes or tags within it
  • ReadWrite - will allow the Canary user/group to both read and write data to this branch and any other sub nodes or tags within it
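The explicit/inherited rules and the four permission levels above can be modelled to check how a permission resolves before enabling Tag Security. The following is an added illustration, not Canary's own code: the hierarchy, the principal names, the membership table and the "no permission configured" result (Python `None`) are constructed assumptions.

```python
# Added model of the Tag Security permission rules (not Canary's implementation).
from dataclasses import dataclass, field

NONE, READ, WRITE, READWRITE = "None", "Read", "Write", "ReadWrite"


@dataclass
class Node:
    name: str
    # EXPLICIT PERMISSIONS at this branch, in display order: (principal, permission)
    explicit: list = field(default_factory=list)
    parent: "Node | None" = None

    def path(self):
        """Yield this node, then each ancestor up to the root View."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_permission(node, user, groups):
    """Nearest explicit entry wins (explicit overrides inherited), and within
    one branch entries are checked in display order, so the first entry naming
    the user or one of its groups decides. None (Python) = nothing configured."""
    for n in node.path():
        for principal, perm in n.explicit:
            if principal == user or principal in groups:
                return perm
    return None  # assumption: no explicit or inherited permission found


def unreachable_permissions(node, membership):
    """Users listed below a group they belong to can never match, which is
    the case the "Unreachable Permission Detected!" message warns about."""
    found, seen = [], set()
    for principal, _ in node.explicit:
        if any(g in seen for g in membership.get(principal, ())):
            found.append(principal)
        seen.add(principal)
    return found


# Constructed sample: local Historian view -> DataSet -> tag.
MEMBERSHIP = {"alice": ["Operators"], "bob": ["Operators"], "saf-collector": []}


def build_sample():
    view = Node("Historian")
    ds = Node("Boiler", parent=view)
    tag = Node("Boiler.Temp", parent=ds)
    view.explicit = [("Operators", READ)]                      # inherited by all below
    ds.explicit = [("saf-collector", WRITE), ("alice", NONE)]  # explicit on the DataSet
    return view, ds, tag
```

Running `effective_permission` on the sample tag shows alice blocked by the DataSet-level None despite the inherited Read, bob inheriting Read from the View, and the collector's token user holding Write only under the DataSet.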

Monitoring Permissions

The EFFECTIVE PERMISSION drop-down list returns the permissions a Canary user/group has for the selected branch within the BROWSE window.
