[Imported] Show or hide objects based on group membership, is this possible without static path

sbeadle · ‎2019-11-06

>>Message imported from previous forum - Category:ClearSCADA Software<<
User: johnny07, originally posted: 2019-03-13 14:15:15 Id:383
Hello, we want to show or hide objects in a mimic based on group membership.

now we are using something like below to check membership
"(['_Config.Security.Users.' +USERNAME()+'.UserGroupNames[0]']="..Security.User Groups.GroupName.FullName")

this is working, but when we move the user or group to an other location, this is not working anymore.

is there a better solution where we can move users and groups around without issues? based on some id for example.

sbeadle · ‎2019-11-06

>>Responses imported from previous forum

Reply From User: sbeadle, posted: 2019-03-13 15:32:40
Replace '_Config.Security.Users.' with "_Config.Security.Users.FullName"
(Note quotes)
BUT - this seems to be a complex way of doing this.
Security settings are primarily based on a users permissions to do something on an object.
For example, the expression
".ValveAPoint.CheckAccess ('OVR')"
will check whether the object (with a relative reference here) can be overridden by the logged in user.

Reply From User: johnny07, posted: 2019-03-14 10:14:18
[at]sbeadle said:
Replace '_Config.Security.Users.' with "_Config.Security.Users.FullName"
(Note quotes)
BUT - this seems to be a complex way of doing this.
Security settings are primarily based on a users permissions to do something on an object.
For example, the expression
".ValveAPoint.CheckAccess ('OVR')"
will check whether the object (with a relative reference here) can be overridden by the logged in user.

thanks for this answer, i think i must choose for the CheckAccess option.

the issue is that i have been windows AD administrator, everything is based on group membership and the use of nested groups is also possible.

i am new to ClearScada, i need to think another way.

Thanks,

Johnny

Reply From User: tfranklin, posted: 2019-03-14 13:37:01
What Steve suggests is the best way that you can handle it in my opinion. If you need an alternative for whatever the reason there are two other methods that I've run across that work but really aren't necessary in most cases:

1) If you want to see if a user is within a user group or if a usergroup contains a user you can cast the array as a string and do an INSTRING. This isn't really too efficient but it works.

Example:

Usergroup contains a user: INSTRING(STR(".User Group Sample.GetUsers"),'tfranklin')0
User contains a usergroup: INSTRING(STR(".tfranklin.UserGroupNames"),'User Group Sample') 0

2) You can create dummy objects in the system like variable or parameter points and then remove the read permission for them. Think of this as creating you own user permissions to some degree. I can create a parameter called 'GasControlSupervisor' and then take away the read permission for that object for everyone but a certain group of users. When you want to evaluate this in an expression, you can use the EXISTS expression to work around it.

Example:

Visible animation: EXISTS("~Config.Special Permissions.GasControlSupervisor")

For users that don't have read access to that object, it'll never show up.

Reply From User: johnny07, posted: 2019-03-14 15:32:18
[at]tfranklin said:
What Steve suggests is the best way that you can handle it in my opinion. If you need an alternative for whatever the reason there are two other methods that I've run across that work but really aren't necessary in most cases:

1) If you want to see if a user is within a user group or if a usergroup contains a user you can cast the array as a string and do an INSTRING. This isn't really too efficient but it works.

Example:

Usergroup contains a user: INSTRING(STR(".User Group Sample.GetUsers"),'tfranklin')0
User contains a usergroup: INSTRING(STR(".tfranklin.UserGroupNames"),'User Group Sample') 0

2) You can create dummy objects in the system like variable or parameter points and then remove the read permission for them. Think of this as creating you own user permissions to some degree. I can create a parameter called 'GasControlSupervisor' and then take away the read permission for that object for everyone but a certain group of users. When you want to evaluate this in an expression, you can use the EXISTS expression to work around it.

Example:

Visible animation: EXISTS("~Config.Special Permissions.GasControlSupervisor")

For users that don't have read access to that object, it'll never show up.

tfranklin,

thanks for this very usefull additional info.
i am still learning CS, very much possibilities to achieve things.
i save your info, i might be very usefull in the future.

Thanks,

Johnny

See Answer In Context

sbeadle · ‎2019-11-06

>>Responses imported from previous forum

Reply From User: sbeadle, posted: 2019-03-13 15:32:40
Replace '_Config.Security.Users.' with "_Config.Security.Users.FullName"
(Note quotes)
BUT - this seems to be a complex way of doing this.
Security settings are primarily based on a users permissions to do something on an object.
For example, the expression
".ValveAPoint.CheckAccess ('OVR')"
will check whether the object (with a relative reference here) can be overridden by the logged in user.

Reply From User: johnny07, posted: 2019-03-14 10:14:18
[at]sbeadle said:
Replace '_Config.Security.Users.' with "_Config.Security.Users.FullName"
(Note quotes)
BUT - this seems to be a complex way of doing this.
Security settings are primarily based on a users permissions to do something on an object.
For example, the expression
".ValveAPoint.CheckAccess ('OVR')"
will check whether the object (with a relative reference here) can be overridden by the logged in user.

thanks for this answer, i think i must choose for the CheckAccess option.

the issue is that i have been windows AD administrator, everything is based on group membership and the use of nested groups is also possible.

i am new to ClearScada, i need to think another way.

Thanks,

Johnny

Reply From User: tfranklin, posted: 2019-03-14 13:37:01
What Steve suggests is the best way that you can handle it in my opinion. If you need an alternative for whatever the reason there are two other methods that I've run across that work but really aren't necessary in most cases:

1) If you want to see if a user is within a user group or if a usergroup contains a user you can cast the array as a string and do an INSTRING. This isn't really too efficient but it works.

Example:

Usergroup contains a user: INSTRING(STR(".User Group Sample.GetUsers"),'tfranklin')0
User contains a usergroup: INSTRING(STR(".tfranklin.UserGroupNames"),'User Group Sample') 0

2) You can create dummy objects in the system like variable or parameter points and then remove the read permission for them. Think of this as creating you own user permissions to some degree. I can create a parameter called 'GasControlSupervisor' and then take away the read permission for that object for everyone but a certain group of users. When you want to evaluate this in an expression, you can use the EXISTS expression to work around it.

Example:

Visible animation: EXISTS("~Config.Special Permissions.GasControlSupervisor")

For users that don't have read access to that object, it'll never show up.

Reply From User: johnny07, posted: 2019-03-14 15:32:18
[at]tfranklin said:
What Steve suggests is the best way that you can handle it in my opinion. If you need an alternative for whatever the reason there are two other methods that I've run across that work but really aren't necessary in most cases:

1) If you want to see if a user is within a user group or if a usergroup contains a user you can cast the array as a string and do an INSTRING. This isn't really too efficient but it works.

Example:

Usergroup contains a user: INSTRING(STR(".User Group Sample.GetUsers"),'tfranklin')0
User contains a usergroup: INSTRING(STR(".tfranklin.UserGroupNames"),'User Group Sample') 0

2) You can create dummy objects in the system like variable or parameter points and then remove the read permission for them. Think of this as creating you own user permissions to some degree. I can create a parameter called 'GasControlSupervisor' and then take away the read permission for that object for everyone but a certain group of users. When you want to evaluate this in an expression, you can use the EXISTS expression to work around it.

Example:

Visible animation: EXISTS("~Config.Special Permissions.GasControlSupervisor")

For users that don't have read access to that object, it'll never show up.

tfranklin,

thanks for this very usefull additional info.
i am still learning CS, very much possibilities to achieve things.
i save your info, i might be very usefull in the future.

Thanks,

Johnny