Experimental Physics and
| |||||||||||||||
|
First of all let me describe my system: I have access security implemented on all my IOC's, with the vast majority of PV's being the ASG DEFAULT - where access is tightly controlled through the CALC function. On some PV's I have experimenter ASG enabled, and this ASG can be changed through a host-run script when the experiment changes. Since the access security is on the IOC I can be assured that any non-ioc originated channel access write request will obey these rules. The Gateway Users Guide states under the Access Security section that: "The Gateway applies access security in addition to any access security that may be implemented in the IOCs... It supplements but cannot override IOC access security." In order for the gateway to write to an ASG on an IOC, that ASG must have a write rule inserted that specifies the gateway UAG, gateway HAG in the ".acf". I've done this. I use a gateway.access file that more or less duplicates the ".acf" that is used on the ioc. However, the experimenter using the gateway does not have write access unless I allow the PVs in the gateway.pvlist. I chose a broad match regular expression for an ASG (exptest) in the gateway (specifically - ILE2:.* ALLOW exptest) thinking that if a PV matched that expression BUT did not have an ASG of exptest then the gateway would not write. I was wrong. I found that PV's matching the expression that had ASG DEFAULT could be written by exptest users. This would seem to contradict the User Guide assertion. Have I mis-implemented or mis-understood?
| ||||||||||||||
ANJ, 02 Sep 2010 |
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing · |