Integrated Security


Overview

Integrated Security allows you to specify and enforce permissions on items in Seeq.

In previous versions of Seeq, permissions could be configured on Folders, Analyses, and Topics.

Seeq will honor permissions set on PIPoints. 

You can now configure permissions on the following:

  • Calculated items created within an Analysis (e.g. Signals, Conditions, Scalars, Histograms, Scorecard Metrics, Formulas, CSV Imports, External Calculations, etc.).
  • Entire datasources, assets in an asset hierarchy, and/or individual data points from the datasource.


Available Permissions

Admin users have full access to all items within the system. 

Users with Manage permissions may use Access Control to configure Read, Write, and Manage permissions in Seeq.  

Read allows users or groups to search for an item, see it in an asset tree, view metadata, view properties, annotate, and get sample data.

Write allows users or groups to modify an item name, properties, contents, settings, and sample data. Write also allows users or groups to send an item to the trash.

Manage allows users or groups to hard delete, as opposed to trash, and view and modify the access control permissions of an item.

Read, Write, and Manage permissions can be configured for:

  • Folders,
  • Analyses and Workbooks,
  • Topics and Documents,
  • Calculated Items,
  • Datasources,
  • Assets in an asset hierarchy, and
  • Individual data points.

Configure access control from:

  • Folders, Analyses, and Topics;
  • Investigate Tools;
  • Item Properties; and in the
  • Get Link dropdown.


Permission Inheritance

Child items inherit parent permissions by default. If a more advanced permission structure is needed, inheritance may be disabled, making all child permissions modifiable and preventing parent permissions from affecting an item. Note that on being re-enabled, parent permissions will apply to all children. The following example is used to illustrate setting, viewing, and disabling permission inheritance. 


We begin with a Folder. By default, the creator of the Folder has all permissions on it. Jonathan Pollard has been added as a user with Read permission to this Folder.


When an Analysis is created in this Folder, the Analysis inherits permission from the Folder. The Owner has all permissions and Jonathan Pollard has Read permission for this Analysis. Inherited permissions are denoted by a gray-colored checkbox.  









Clicking the Details tab displays the parent from which the child permissions are inherited.


Disabling Permission Inheritance

A user with Manage permission may disable permission inheritance by clicking Advanced.


Click on the checkbox to disable permission inheritance.



Once inheritance is disabled, the inherited permissions become editable and deletable.
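The Folder and Analysis walkthrough above, as an added Python model (not Seeq code and not the Seeq API). The Item class and its methods are hypothetical, and the model assumes that inherited entries are kept as local copies when inheritance is disabled.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    """Hypothetical model of an item's access control; not Seeq's API."""
    name: str
    parent: "Item | None" = None
    inherit: bool = True                        # inheritance is on by default
    local: dict = field(default_factory=dict)   # identity -> set of permissions

    def grant(self, identity, *perms):
        self.local.setdefault(identity, set()).update(perms)

    def revoke(self, identity, perm):
        self.local.get(identity, set()).discard(perm)

    def effective(self):
        """{identity: {permission: item the entry comes from}}."""
        acl = {}
        if self.inherit and self.parent is not None:
            acl = {i: dict(p) for i, p in self.parent.effective().items()}
        for identity, perms in self.local.items():
            for perm in perms:
                acl.setdefault(identity, {})[perm] = self.name
        return acl

    def disable_inheritance(self):
        # Assumption: inherited entries are kept as local, editable copies.
        for identity, perms in self.effective().items():
            self.grant(identity, *perms)
        self.inherit = False

def walkthrough():
    folder = Item("Folder")
    folder.grant("Owner", "read", "write", "manage")
    folder.grant("Jonathan Pollard", "read")
    analysis = Item("Analysis", parent=folder)
    analysis.grant("Owner", "read", "write", "manage")
    inherited = analysis.effective()["Jonathan Pollard"]

    analysis.disable_inheritance()               # entries are now editable
    analysis.revoke("Jonathan Pollard", "read")  # restrict the Analysis only
    folder.grant("Jonathan Pollard", "write")    # later change on the parent
    isolated = analysis.effective().get("Jonathan Pollard", {})

    analysis.inherit = True                      # re-enable inheritance
    restored = analysis.effective()["Jonathan Pollard"]
    return inherited, isolated, restored
```

In this model, re-enabling inheritance brings back the Read access that was removed while inheritance was disabled, together with the Write permission granted on the Folder in the meantime, so the parent's access list is worth reviewing before inheritance is re-enabled.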




Setting Permissions

Folders, Analyses, and Topics

As a parent item, Folder permissions propagate to all children. By default, all Analyses and Topics will have the same permissions as the folder containing them. The same is true for Worksheets in an Analysis and Documents inside Topics.

Select a Folder, Analysis, or Topic on the home screen to edit its permissions.


Workbook and Document Access Control is on the Workbook or Document header.

Folders, Analyses, and Topics that are moved retain their explicit permissions. Once moved, the permissions are local to the item unless they are inherited.

Newly created Analyses and Topics give only the owner explicit full control (any permissions inherited from folders are still applied). When duplicating an Analysis, you become the new owner and will have full control. Any calculations that you didn't have permission to will be redacted. Any properly cloned calculations within that Analysis's scope will inherit those permissions.

Items

Signals, Conditions, Scalars, Histograms, Scorecard Metrics, Treemaps, Formulas, CSV Imports, and External Calculations are examples of Items in Seeq. Permissions may be viewed or configured on Items created within an Analysis through the Item Properties panel.

There are several ways to open Item Properties.


Open Item Properties from the Tools tab. Then, select the Item from the dropdown menu.


Access Signal properties by clicking the Item Properties icon to the left of the Signal name in the Details panel.


View your level of access. Examples include:

You have administrator access.




You have Manage access and the item is shared.



You have read and write access.






After clicking Manage, you will be presented with the Access Control modal. Underneath the title, you will see the name of the item you are editing.



Scope

Scope controls where this item may be found via item search. By default, items are only searchable in the analysis in which they were created. This can be changed to make them searchable globally for users with permission to the item.

If you have Manage permission, you will be able to Change the availability of this item.



After selecting Change, you will be presented with a modal to update the availability of this item. 

*Please note that this action cannot be undone.

Select Make Global and Save 



The change will be saved and the text will be updated.



Honoring Datasource Permissions

Connectors may set a Security String that specifies the permissions of the asset, signal, condition, or scalar.

  • OSIsoft PI connector sets PI permissions
  • Other connectors can use a connector property transform to set the Security String. See the Datasource Permissions article for more details.

We sync PI identities as Seeq user groups. Mapping PI identities to users is not yet supported. 

An item whose permissions are set by a Security String cannot have those permissions modified in Seeq.

In the Access Control Modal, the user will not be able to edit permissions. 





Viewing Identity Datasource

You can now view the user or group's datasource by hovering over the name.



Limited Access within a Worksheet
Redaction

If you do not have read access to an item within a worksheet, you will see it as redacted.

Redaction will hide information from users that do not have permission to view specific items within a worksheet. Calculated items that derive (e.g. via tool or calculation) from a non-accessible item are viewable as long as the user has at least Read permission on the calculated item.

If the user does not have access to an item, they will be notified in two ways.

  1. Notification Banner
  2. Alert Icon in the details pane
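The redaction rule above, as an added Python sketch (not Seeq code). It shows what a user sees on a worksheet and lists calculated items a user can read even though one of their inputs is redacted for that user. The item names, users and both tables are constructed sample data.

```python
# Constructed sample data (hypothetical names): who has Read on each item,
# and which items each calculated item derives from.
READERS = {
    "Reactor Temp":     {"alice"},
    "Temp Rolling Avg": {"alice", "bob"},
    "High Temp":        {"alice", "bob"},
    "Batch Notes":      {"alice"},
}
INPUTS = {
    "Temp Rolling Avg": ["Reactor Temp"],
    "High Temp":        ["Temp Rolling Avg"],
}

def worksheet_view(user, items, readers=READERS):
    """What the user sees per item: its name, or 'redacted' without Read."""
    return {i: (i if user in readers.get(i, set()) else "redacted")
            for i in items}

def upstream(item, inputs=INPUTS):
    """All direct and indirect inputs of a calculated item (cycle-safe)."""
    seen, stack = set(), list(inputs.get(item, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(inputs.get(cur, []))
    return seen

def derived_exposure(readers=READERS, inputs=INPUTS):
    """(user, calculated item, unreadable input) triples for access review."""
    findings = []
    for item in inputs:
        for user in readers.get(item, set()):
            for src in upstream(item, inputs):
                if user not in readers.get(src, set()):
                    findings.append((user, item, src))
    return sorted(findings)
```

Each triple marks a place where the Read permission on a calculated item, not on its source, decides what the user can see, which makes it a natural starting point when reviewing who should hold Read on derived items.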

Get Link

We've updated the text in the Get Link feature so that users will understand the workbook permissions that are needed in order to access each link.