Have you looked at IOC Access Security [1]? You could simply define an ASG which blocks all writes to your ai record. Something like:
ASG(READONLY) {
    RULE(1, READ)
}
Would that be enough for your purpose? The hardware, since it can use a different method to access the record (e.g. device support code, dbPutField in StreamDevice protocols, pvPut in a sequencer running on the same IOC), should still be able to write to the record without issue.
Careful.
As you point out, local access is not going through the Access Security layer. Local access includes writing through database links from other records on the same IOC.
Nothing keeps you from using any other ao soft record on the IOC, setting its output link to point to the "secured" ai, and happily writing through that ao.
"IOC Access Security" is a measure against involuntary misclicking. It is not implementing authentication/authorization.
This is a very useful feature, don't get me wrong. Its name might just make you think it would be doing more.
Cheers,
~Ralph
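To put the two messages side by side, here is a constructed set of files (not from either poster) showing how the READONLY ASG from the first message is bound to a record and loaded at IOC startup; the PV prefix, file names and dbd name are assumptions. As the reply points out, the rule only gates Channel Access clients; database links, device support and a sequencer on the same IOC write straight to the record.

```text
# readonly.acf  (access security configuration, read at iocInit)
# Records whose ASG field is empty fall into DEFAULT, so spell it out
# rather than relying on the built-in group.
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE)
}

# Channel Access clients may read every field of the record but write none.
ASG(READONLY) {
    RULE(1, READ)
}

# readonly.db  (record instances; "$(P)" is an assumed macro)
# The ASG field is what attaches the record to the group above.
# Anything local to the IOC (CP/PP links, dbPutField in device support,
# pvPut in a sequencer) is not checked against it.
record(ai, "$(P)Temp") {
    field(DESC, "Sensor reading, read-only for CA clients")
    field(ASG,  "READONLY")
    field(SCAN, "1 second")
}

# A record without an ASG field stays in DEFAULT and remains writable.
record(ao, "$(P)Setpoint") {
    field(DESC, "Operator setpoint")
}

# st.cmd fragment (dbd and registrar names are assumptions)
dbLoadDatabase("dbd/myioc.dbd")
myioc_registerRecordDeviceDriver(pdbbase)
dbLoadRecords("db/readonly.db", "P=DEMO:")
asSetFilename("db/readonly.acf")
iocInit()
```

Once loaded, a caput to DEMO:Temp from a CA client is refused while caget still works; writes originating inside the IOC are unaffected, which is exactly the caveat the reply raises.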