View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008471 | Feature Requests | Feature Request | public | 2022-11-28 21:06 | 2022-12-21 07:01 |
| Reporter | Jim Luth | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | acknowledged | Resolution | open | ||
| Summary | 0008471: Need a way to configure Permissions hierarchically | ||||
| Description | Currently default Permissions can be set for all Nodes in a namespace and/or Permissions can be set on individual Nodes. We need an additional way to set Permissions for a user-defined group of Nodes, ideally at any level in a hierarchy. The need for this feature has become apparent in OPAF where we are trying to define AutomationML to set UA Permissions and setting Permissions on each Node is not practical, but the namespace of a Node does not provide a useful grouping for Permissions either. | ||||
| Additional Information | My thought is to create a user defined Permissions hierarchy using References (much like the Notifier hierarchy in A&C). If Permissions are not set on an individual Node, then walk up the Permissions hierarchy to the first parent Node with Permissions set and use those. If no Parents have Permissions set, then use the default Permissions on the namespace. | ||||
| Tags | No tags attached. | ||||
| Commit Version | |||||
| Fix Due Date | |||||
|
|
This is an important topic, as part of the discussion we could also think about other manner of assigning default permission, such as based on a type - i.e. have a type define a set of defaults. think of a model based on DI that has a type with three functional groups in it. one for Tuning, one for configuration and one inputs. In the type each of the functional groups could have there own default permissions. These defaults could be actually applied to instance when they are created or the instance could reference the type. In short we may need more then one standard reference type. One that is used to create the hierarchy and one that is used to point to a template type (much like an HasInterface - that indicate security inherited from here) |
|
|
Using references for applying permission to as set of nodes is not easier than setting the attribute on all affected nodes but will introduce a massive performance hit. The permission check needs to be executed for every service request (read, write, call etc.). Checking permissions for a list of roles is already an overhead but if there would be also an internal hirarchical browse necesary for every read/write access to a node, this would be a major performance problem. |
|
|
from UA meeting: - An alternative was discussed – where the hierarchy is not for checking but for assigning permissions. If the permission on a parent is changed then all of the children can optionally also inherit the permission - maybe this would be part of the operation that assigns the permissions. The run time checking will still be very simple since it is just the node that needs to be checked. The assignment of a permission (changing it) may take some time, but this is an infrequent activity. This would allow roles to be assigned and managed. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-11-28 21:06 | Jim Luth | New Issue | |
| 2022-11-29 17:06 | Jim Luth | Assigned To | => Jim Luth |
| 2022-11-29 17:06 | Jim Luth | Status | new => acknowledged |
| 2022-11-29 17:06 | Jim Luth | Assigned To | Jim Luth => |
| 2022-11-29 19:31 | Paul Hunkar | Note Added: 0018209 | |
| 2022-12-08 12:29 | Matthias Damm | Note Added: 0018272 | |
| 2022-12-21 07:01 | Paul Hunkar | Note Added: 0018330 |
