If you plan on using recipes with iFIX, you may find it useful to restrict access to one or more aspects of the Recipe Package. iFIX security enables you to restrict access to the following items:
- Recipe Builder application features.
- Individual recipes.
- Database blocks you can download to.
For more information about securing Recipe Builder application features, refer to the Configuring Security Features manual.
You can protect a recipe by assigning a security area to it. For more information about assigning a security area to a recipe, refer to section Selecting a Security Area. Also make sure that each operator has rights to the security areas he or she needs. Without these rights, an operator cannot open a recipe once you assign a security area to it.
iFIX protects against writing to individual blocks by comparing the security areas assigned to a block with those assigned to the logged in user. Since recipes can be scheduled to download when no one is logged in, a special user account called RECIPE is used. When the Recipe Package attempts to write a value, the security system examines the rights assigned to the Recipe user account instead of those assigned to the currently logged in user. If the security area of the target block matches one security area defined in the Recipe user account, the recipe value downloads. Otherwise, the value is not written to the database.
NOTE: An unsigned write occurs when a database tag is configured for electronic signature, but you write a value directly to that tag during a recipe download without capturing a signature. If you are working in a secure environment with the Electronic Signature option enabled, you must be aware of the impact of unsigned writes to the process database. Unsigned writes can originate from recipe downloads. Refer to the Implications of Database Writes With Electronic Signature section of the Using Electronic Signatures manual for detailed information.
The security system also allows recipes to be uploaded regardless of who, if anyone, is logged in currently. Be aware that using "RECIPE" as a domain user account is not supported in the iFIX product. If you do attempt to use RECIPE as a domain user name, you will be able to download a recipe on a SCADA node, but not on a View node.
For more information on creating a Recipe user account, refer to the section Creating a Recipe User Account in the Configuring Security Features manual.
IMPORTANT: iFIX security loads the Recipe user account into memory the first time a recipe is downloaded from a node. If you modify this account, the node continues to use the account in memory. To force the node to re-read the new version of the Recipe user account, log out the current user, log in with the Recipe user account, and then log out again. Once you log out of the Recipe user account, the current user can log in again. Alternatively, you can force the node to re-read the Recipe user account by shutting down and restarting iFIX.
