Using Security Tags

Security Tags provides ability to allow or deny access for Viewing or Updating Things/Connections based on Role that can be assigned to Applications or Users. It is possible to specify which Security Tags are required for a Role in order to gain view or update access. If a application or user does not have the required Security Tag applied to their Role, they will receive an Access Denied message when trying to view/update a Thing/Connection that contains a particular Security Tag.

If you are looking to use tags for filtering the Things/Connections, you will want to use Tags. For more information about Tags, see Using Tags

Use cases:

If you are creating a Thing/Connection with certain Security Tags that only certain people in your organization should be able to view/update then you should set those Security Tags while creating the Role and assign those users or Applications to that particular role. For more information creating a role, see Creating a Role.

  • Roles without Security Tags will be able to access the Things/Connections with or withouy Security Tags
  • Security Tags be used to restrict access to certain data (attributes, properties, alarms, and methods) associated with things via the thing definition.

It is possible to create custom roles manually by clicking the New role button and setting the permissions you would like your user to have(Creating a Role). Often times though there are already existing custom roles in the solution that can be re-used with slight modifications. Cloning an existing role (shown below), then making modifications to the tags in the role would enable you to create custom roles.

In the example image below a custom role for the University of Wisconsin-Madison is defined by adding key, name, and adding the uofwiscmad security tag to the View and Update Security Tags fields.

"_" (underscore) is not allowed in a Security Tag

When a tag is added to a Thing in the Security Tag field, only users assigned to the role of Admin or a role containing the security tag associated with the Thing will be able to view those things. When a custom role is created with security tag(s) the users assigned to that role will only be able to view the Things with that View Security Tag.

When Tags/Security tags are available in an application then a new Thing auto-registering through that application will automatically assigned with those Tags and Security Tags. For example, all the Things using the NewApplication below will get the vehicle tag and showbydefault Security tag.

View Security Tags and Update Security tags are available in the Thing Definition to restrict viewing or updating of attributes, alarms, properties, and methods. They work in the opposite way that you would use Security Tags to show certain tagged Things. Instead of adding tags to items you want the user to view, you would add tags (not included in your custom role with tags) to the View security tags field of the data points that you do not want the user to view. The same process is used for attributes, alarms, properties, and methods.

In this below image it shows the hidebydefault view security tag (not associated with a custom role) added to a property in the Thing Definition. When a user associated with a role with any other View Security Tag logs in would not be able to see this CPU Usage property when they view this Thing.

If you wanted the user to be able to view the property but not be able to make updates to it, you would add tags (not included in your custom role with tags) to the Update security tags field associated with the data you don’t want the user to have the ability update. The same process is used for attributes, alarms, properties, and methods.

In this below image it shows the hidebydefault update security tag (not associated with a custom role) added to a property in the Thing Definition. When a user associated with a role with any other Update Security Tag logs in would not be able to update the CPU Usage property but they will be able to view the data associated with this property.

Methods can be hidden using security tags in the same manner that is used in attributes, properties, and alarms by adding a security tag (not included in your custom role with tags) to the Security Tags field associated with the method you do not want your user to access.

In the example above the Update Main Firmware is restricted to user roles with restricted security tag. The users in custom roles with other View Security Tags set will not be able to view or execute this method.

Related Topics Link IconRelated Topics