MES 3.0

Recipe Editor Security

The Recipe Editor component allows the editing of recipes and also provides a number of properties that be used to restrict who has access to which functions. The video shows how to setup security on the Recipe Editor component. Recipe security settings can also be set through scripting shown further below.

Recipe Value Security

Security of who can modify recipe values can be set up by right-clicking on the recipe value of the Default items in the Recipe Editor and selecting Security. The recipe value security uses Ignition's authentication roles to limit who can change what recipe values and by how much. Each recipe value can be set to specific security settings or it can inherit from its parent. Like other recipes value settings, the security settings can propagate down multiple levels of inheritance.

The only place the recipe value security can be changed is by using the Recipe Editor component or through scripting, and it can only be changed in the default values area, not in the actual recipes. 

These security settings work in the Client environment, but may have reduced functionality in Ignition Designer. Functionality should be tested and verified while in the Client environment.

The Security Mode drop-down list provides several options for enabling or inheriting security mode:

  • Inherited - This behaves the same way as if the old checkbox was True. Security properties will be copied from the most immediate parent with security information. If a parent does not exist, or all parents are in Inherited mode, then the Setpoint 's security will be treated as if it was disabled. This is the Default setting for all newly created setpoints.

  • EnabledThis behaves the same way as if the old checkbox was False. This unlocks the Role allowances, allowing the operator to set value limitations for certain roles (or deny permission altogether).

  • DisabledThis is a new feature. The Recipe Value is always editable by all people. The Roles and allowances may be set, but they will not take affect.

The recipe value security is verified when changing values using the recipe editor component, importing recipes or changing values using script.

The Edit Allowance drop-down can be used to quickly select or deselect all Allow Edit rows.

Security Mode drop-down

Edit Allowance drop-down

When changing a recipe value using the Recipe Editor component, importing recipe values or from client script, the authentication role applied comes from the roles the currently logged in user belongs to. If the user belongs to multiple roles then the role with the least security will be applied. For example, if a user belongs to both the Operator and Maintenance authentication roles, then the least  secure one will be applied. If the Operator role can change the Product Pressure recipe value from 10 to 15 and the Maintenance role can change it from 5 to 20, then the Maintenance role will apply.

When changing a recipe value from gateway script, the Administrator authentication role is always applied. Whether or not the logged in user can change the security settings can be controlled with the Enable Security Editing property of the recipe editor component. This property can be bound to an expression to determine if the currently logged in user belongs to authentication roles that are allow to edit security. Another approach is to create a window that allows the recipe value security editing and restrict opening the windows based on authentication roles the currently logged in user belongs to.

Recipe Security Through Scripting

The list of security roles and the details of individual security roles can be retrieved through scripting. The objects Machine Recipe Value Security Info and Machine Recipe Value Security Role provide functions can be used to change security settings of a recipe item.

def recipeFunction(eqPath):
	print 'Process Recipe Stuff for %s' % eqPath
	linePath = eqPath
	# Get a list of all the recipe entries under this path
	recipeVals = system.recipe.getDefaultValues(linePath, "1", "")
	# Cycle through the list
	for ndx in range(recipeVals.size()):
	    # Get the recipe item at this point
	    recipeItem = recipeVals.get(ndx)
	    # Get the name of the item
	    recipeItemName = recipeItem.getName()
	    print recipeItemName
	    # Get the security object for this item
	    secInfo = system.recipe.getRecipeValueSecurity(linePath, recipeItemName, False)
	    #Cycle through and print the setting for each role
	    #for ndx in range(secInfo.getSecurityRoleCount()):
	    #   recSec = secInfo.getSecurityRole(ndx)
	    #   print recSec.getSecurityRole()
	    #   print recSec.isAllowEdit()
	    # Get the security info for a specific role
	    secRole = secInfo.getSecurityRole('Supervisor')
	    # Allow the role to edit
	    #This must be set otherwise it will inherit from the parent
	    print secRole.getMinValue()
	    print secRole.getMaxValue()
	    # if you know the datatype or you know the item by name you can set the min and max for the role
	    #if recipeItemName == 'FanSpeed':
	    #   secRole.setMinValue(32.5)
	    #   secRole.setMaxValue(212.0)
	    #Update the security settings
def eqTree(UUID):
	obj = system.mes.loadMESObject(UUID)
	if obj.getChildCollection().getList().size() > 0:
		list = obj.getChildCollection().getList()
		for item in list:

basePath = '[global]\New Enterprise'
obj = system.mes.loadMESObjectByEquipmentPath(basePath)

  • No labels