EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: cainfo and access
From: Andrew Johnson <[email protected]>
To: [email protected]
Date: Wed, 21 Dec 2011 14:37:58 -0600

Hi Pierrick,

On 2011-12-21 Pierrick Hanlet wrote:
> 
> When using caInfo on a record, one piece of information displayed is
> read/write access to the record.  What are the different means of
> setting this read/write access?  Can a network firewall setting affect
> this value, or is it strictly controlled by epics?

Whether a PV is readable or writable is controlled by the CA server that 
provides the PV, and can depend on the client's host and/or login name as well 
as other state known to the server.  For an IOC the permissions are controlled 
by any Access Security (AS) rules loaded by that IOC, as documented in chapter 
8 of the Application Developers' Guide.  If the IOC doesn't load an access 
security configuration file no access restrictions are enforced so any client 
gets full read+write access to every record field.

AS rules can be used to make individual PVs read-write, read-only, write-only 
(!) or not accessible at all, but they can't make them invisible.  Note that I 
am using the term PV here instead of record, since different rules can apply 
to the VAL field of most record types than to the other fields.  The record 
type defines an Access Security Level (ASL) of 0 or 1 for each field in the 
record, and the rules can apply to either ASL0 fields (usually .VAL only) or 
to both ASL1 and ASL0 (all fields).

The PV Gateway also uses the same access security implementation and rules 
file syntax as the IOC, but it doesn't give as fine control as rules on the 
IOC do.

Network firewalls cannot change read/write access permissions; they can only 
block or allow CA traffic as a whole.  However, you can run a PV Gateway in 
parallel with a firewall to make PVs visible from outside the machine network; 
the APS uses that to make our operational PVs visible (but read-only) to 
machines on our general office networks.

HTH,

- Andrew
-- 
Optimization is the process of taking something that works and
replacing it with something that almost works, but costs less.
-- Roger Needham
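
The ASL0/ASL1 distinction described in the message above, shown as an added example that is not part of the original message or of the EPICS distribution: a small access security configuration file of the kind an IOC loads with `asSetFilename` before `iocInit`. All user, host and group names are constructed for illustration.

```conf
# Constructed example ACF; every user, host and group name is hypothetical.

# User access groups: matched against the client's login name.
UAG(operators) { alice, bob }
UAG(experts)   { carol }

# Host access group: matched against the client's host name.
HAG(ctrlroom)  { opi1, opi2 }

# Records whose ASG field is empty fall into DEFAULT.
ASG(DEFAULT) {
    # Level 1 covers ASL1 and ASL0 fields: anyone may read every field.
    RULE(1, READ)

    # Level 0 covers ASL0 fields only (usually just VAL):
    # operators on control room hosts may write the value, nothing else.
    RULE(0, WRITE) {
        UAG(operators)
        HAG(ctrlroom)
    }

    # Level 1 write: experts on control room hosts may write all fields.
    RULE(1, WRITE) {
        UAG(experts)
        HAG(ctrlroom)
    }
}

# Records with ASG set to READONLY: readable by all, writable by nobody.
ASG(READONLY) {
    RULE(1, READ)
}
```

With a file like this loaded, `cainfo` run as different users or from different hosts reports different read/write access for the same PV, and may report different access for `record.VAL` than for another field of the same record.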


ANJ, 18 Nov 2013