
Experimental Physics and Industrial Control System


 

Subject: Re: write access through ca gateway
From: "Kenneth Evans, Jr." <evans@aps.anl.gov>
To: "Tech-Talk" <tech-talk@aps.anl.gov>
Date: Sat, 22 Jan 2005 12:49:45 -0600

Jane,

     The problem is that the user for the IOC is the Gateway.  And it is no
different from any other user.  The IOC won't get any more privileges than
you give it.  The IOC has no way of knowing who is accessing the server side
of the Gateway.  In the IOC you have to allow the Gateway the maximum
privileges any of the Gateway users might be allowed.  It looks as if you
have done that.  And that is the most control you can do on the IOC.

     If you want to limit access to the Gateway on a per-user basis, you
need to do that in the Gateway.  It is another IOC (sort of).  You have to
fix it so those users you want to restrict do not have write access to those
PVs as supplied by the Gateway.  In addition to what is available in an IOC,
the Gateway has regular expressions via the gateway.pvlist.  As you probably
know, access security can be logically demanding, but it should work if you
get the Gateway access security right.

     You say your users have write access via the DEFAULT group.  You would
fix that by not allowing writes in that group.  (Or maybe I didn't
understand what you said.)

     Note that the Gateway access security report should give you
information about who and what is going in what group.  It is more extensive
for Beta11 and beyond, as changes were made in Base to allow asDump to a
file.  This should help you get it right.  It is better to experiment with
only a few user connections to your Gateway as the report file can get long.

     Hope this helps.

	-Ken
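
Added example, not part of the message above and not code from the Gateway or EPICS Base: a Python check that reads an access security file of the kind the Gateway loads and lists the groups whose WRITE rule carries no UAG or HAG restriction, the condition the message describes for DEFAULT. The sample file and its group, user and host names are constructed, and the parser handles only the ASG/RULE/UAG/HAG subset of the syntax.

```python
import re

# Constructed sample access security file (all names are made up).
SAMPLE_ACF = """
UAG(operators) { alice, bob }
HAG(controlroom) { opi1, opi2 }

ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE)            # every Gateway client can write
}
ASG(OperWrite) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(operators)
        HAG(controlroom)
    }
}
"""

ASG_RE = re.compile(r"\bASG\s*\(\s*(\w+)\s*\)\s*\{")
RULE_RE = re.compile(r"\bRULE\s*\(\s*\d+\s*,\s*(\w+)[^)]*\)\s*(?:\{([^}]*)\})?")

def asg_bodies(text):
    """Yield (name, body) for each ASG block, matching nested braces."""
    text = re.sub(r"#.*", "", text)  # drop comments
    for m in ASG_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def open_write_groups(text):
    """Return ASG names with a WRITE rule that has no UAG or HAG clause."""
    flagged = []
    for name, body in asg_bodies(text):
        for perm, clauses in RULE_RE.findall(body):
            if perm == "WRITE" and not re.search(r"\b(UAG|HAG)\s*\(", clauses):
                flagged.append(name)
                break
    return flagged

if __name__ == "__main__":
    for name in open_write_groups(SAMPLE_ACF):
        print(f"ASG({name}) grants WRITE to all users and hosts")
```

Run against the sample, it reports only DEFAULT; removing the bare `RULE(1, WRITE)` from that group clears the finding while OperWrite keeps write access for its listed users and hosts.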

