Subject: | Re: [EXTERNAL] Re: What is the best (and simple) way to implement security in a Phoebus solution? |
From: | Oscar Ibañez via Tech-talk <tech-talk at aps.anl.gov> |
To: | "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov> |
Date: | Wed, 21 Apr 2021 22:40:00 +0200 |
Hi Kay,
I have re-read my message and I think that I know why we are not understanding each other.
When I say "low-privileged account" (or a high one), I don't mean an OS user account. What I mean is a different worker profile using Phoebus. Maybe an example could help:
Imagine that you have a computer account named "john". John is an account with some privileges. It does not matter which ones. Using that account, a scientist is running Phoebus. As a scientist, he may view and change a few things. Not many. However, when that scientist finishes his task, he gets up and he leaves his seat available for an engineer. The engineer can view and modify the same PVs as the scientist, however, he also may view and change other things. So, he changes his current Phoebus profile from scientist to engineer. His screen changes and now he is capable of changing many things.
Take into account that the computer session has not changed. No "sudos". No command line. The computer account is still the same, "john". Nothing has changed. The different worker profiles exist inside Phoebus.
Best,
Óscar

On 21/04/2021 at 21:49, Kasemir, Kay wrote:
> > We are going to have several users using Phoebus. Different users have different permissions to view and to edit, like any other system.
> > ... the change has to be made without logging out from the current computer session.
>
> Permissions to do _what_? Write PVs? That's handled by Channel Access (or PV Access) security, which is based on the current user. Phoebus (or EDM, MEDM, python CA library, command line caput, ...) don't have any way to change that user. The only option you have is either log out & log back in, or use 'sudo' to change user and start another instance of the program as that different user.
>
> -Kay