Security in DSA

Quarantined Brokers and Links

When quarantine is disabled on a broker, any link can connect to the broker without approval. When quarantine is enabled on a broker, any downstream broker or link without an authorized token is held in quarantine. The system can read, subscribe to, and command nodes that are in quarantine, but a node that is in quarantine cannot access other nodes in the system.

To enable or disable quarantine, edit dsa/dglux-server/server.json.

To remove a node from quarantine, you can authorize or deauthorize the node. An authorized node is granted access as the permission group that you specify. A deauthorized node is refused access and removed from the system. You can also deauthorize any downstream broker or node that has previously been authorized.

To authorize a broker or link:

  1. Right-click sys > quarantine > Authorize. A list of quarantined nodes is displayed.
  2. Specify settings: For DsId, choose the node that you want to authorize. For Group, choose the permission group that you want to assign.
  3. Specify a name, and click Invoke.

To deauthorize a broker or link:

  1. Right-click sys > quarantine > Deauthorize. A list of quarantined nodes is displayed.
  2. Choose the node that you want to deauthorize and click Invoke.

Users

To create a user:

  1. Right-click sys > users and choose Create User.
  2. Enter a user name and password, and specify whether the user has superuser access.
  3. Click Invoke.

To edit a username, right-click sys > users > [username] and choose Rename User.

To edit a user password, right-click sys > users > [username] and choose Change Password. Enter the new password and click Invoke.

To edit a user's permission group, landing page, or other user properties, right-click sys > users > [username] and choose Edit User. Edit the properties and click Invoke.

To delete a user, right-click sys > users > [username] and choose Remove User.

Permission Groups

In DSA, you assign permission groups to users. Permission groups are defined in dsa/dglux-server/server.json. In server.json, the defaultPermission config is a permission list that defines the capabilities of each permission group in relation to the root node.

The first value of each item in defaultPermission is the [permission group]. This can be a username, a dsId, a custom user group, or "default".

The second value of each item is the [permission value]. Valid values are:

Example:

"defaultPermission": [
    [":config","config"],
    [":write","write"],
    [":read","read"],
    [":user","write"],
    ["default","read"]
]

Any user with "superuser" enabled has the maximum permission level and does not need a permission group defined.
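
An added example, not part of the DSA documentation or code: a Python check that parses the defaultPermission list described above, reports malformed or repeated entries, and flags a "default" group that is granted more than read. The function name, the sample input, and the read < write < config ordering (taken only from the values in the example above) are assumptions.

```python
import json

# Assumption: only the three values shown in the page's example, ordered
# weakest to strongest. Any other value is reported for manual review.
RANK = {"read": 1, "write": 2, "config": 3}

# Constructed sample input (not from a real deployment).
SAMPLE = """{
  "defaultPermission": [
    [":config", "config"],
    [":write", "write"],
    [":read", "read"],
    [":user", "write"],
    [":read", "config"],
    ["default", "write"],
    ["guest"]
  ]
}"""

def audit_default_permission(config_text):
    """Return a list of findings for the defaultPermission list in server.json text."""
    findings = []
    entries = json.loads(config_text).get("defaultPermission")
    if not isinstance(entries, list):
        return ["defaultPermission is missing or not a list"]
    seen = {}  # permission group -> index of its first entry
    for i, item in enumerate(entries):
        # Each item must be a [permission group, permission value] pair of strings.
        if (not isinstance(item, list) or len(item) != 2
                or not all(isinstance(v, str) for v in item)):
            findings.append(f"item {i}: not a [group, value] pair: {item!r}")
            continue
        group, value = item
        if value not in RANK:
            findings.append(f"item {i}: value {value!r} for {group!r} needs manual review")
        if group in seen:
            findings.append(f"item {i}: group {group!r} repeats item {seen[group]}")
        else:
            seen[group] = i
        if group == "default" and RANK.get(value, 0) > RANK["read"]:
            findings.append(f"item {i}: 'default' grants {value!r}, more than read")
    if "default" not in seen:
        findings.append("no 'default' entry; confirm what unlisted groups receive")
    return findings

if __name__ == "__main__":
    for line in audit_default_permission(SAMPLE):
        print(line)
```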