Experimental Physics and
Industrial Control System

Jane Richards <[email protected]> · Fri, 21 Jan 2005 16:02:29 -0800

Hi I'm wondering whether I understand the gateway functionality because
what I have discovered does not seem to make sense to me.
First of all let me describe my system:
I have access security implemented on all my IOC's, with the vast
majority of PV's being the ASG DEFAULT - where access is tightly
controlled through the CALC function. On some PV's I have experimenter
ASG enabled, and this ASG can be changed through a host-run script when
the experiment changes. Since the access security is on the IOC I can be
assured that any non-ioc originated channel access write request will
obey these rules.
The Gateway Users Guide states under the Access Security section that:

"The Gateway applies access security in addition to any access security
that may be implemented in the IOCs... It supplements but cannot
override IOC access security."
In order for the gateway to write to an ASG on an IOC, that ASG must
have a write rule inserted that specifies the gateway UAG, gateway HAG
in the ".acf". I've done this.
I use a gateway.access file that more or less duplicates the ".acf" that
is used on the ioc. However, the experimenter using the gateway does not
have write access unless I allow the PVs in the gateway.pvlist. I chose
a broad match regular expression for an ASG (exptest) in the gateway
(specifically - ILE2:.* ALLOW exptest) thinking that if a PV matched
that expression BUT did not have an ASG of exptest then the gateway
would not write. I was wrong. I found that PV's matching the expression
that had ASG DEFAULT could be written by exptest users. This would seem
to contradict the User Guide assertion. Have I mis-implemented or
mis-understood?

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System