Re: write access through ca gateway

["Kenneth Evans, Jr." <evans@aps.anl.gov>]

Jane,

     The problem is that the user for the IOC is the Gateway.  And it is no
different from any other user.  The IOC won't get any more privileges than
you give it.  The IOC has no way of knowing who is accessing the server side
of the Gateway.  In the IOC you have to allow the Gateway the maximum
privileges any of the Gateway users might be allowed.  It looks as if you
have done that.  And that is the most control you can do on the IOC.

     If you want to limit access to the Gateway on a per user basis, you
need to do that in the Gateway.  It is another IOC (sort of).  You have to
fix it so those users you want to restrict do not have write access to those
PVs as supplied by the Gateway.  In addition to what is available in an IOC,
the Gateway has regular expressions via the gateway.pvlist.  As you probably
know, access security can be logically demanding, but it should work if you
get the Gateway access security right.

     You say your users have write access via the DEFAULT group.  You would
fix that by not allowing writes in that group.  (Or maybe I didn't
understand what you said.)

     Note that the Gateway access security report should give you
information about who and what is going in what group.  It is more extensive
for Beta11 and beyond, as changes were made in Base to allow asDump to a
file.  This should help you get it right.  It is better to experiment with
only a few user connections to your Gateway as the report file can get long.

     Hope this helps.

	-Ken