Access Rights in the GSI Control System

Introduction

In the GSI control system access to devices is restricted. While reading data fron devices presently is permitted freely, any access which modifies devices is refused unless access rights have been granted.

Access rights are handled on user base. Permissions are assigned to users, identified by their operating system's login name. The particular acess rights are determined from the user's name who runs the client application to access devices.

Access rights are granted on a per device base. In principle, for each user, the access right can be set specificly for each device. However, generally access rights are set identical for similar devices.

Different levels of access rights are foreseen. For one device, properties request different levels of access right, depending on the criticality of the property.

Console applications in the main control room run under a general consol user name, for which free access to all devices is granted.

Access rights in the DevAcc control system are handled by the nameserver. For details see page Nameserver unter Linux administrieren und warten.

Criticality of Properties

Functionality of equipment is in the accelerator control system modelled by properties. Executing a property may influence operation of the accelerator, like modifying a reference value of a magnet power supply, or may be without harm, like reading back the reference value from the equipment's front-end controller. To conform with different levels of criticality, each property is assigned to a criticality level. Several levels are foreseen:

Criticality Level	Meaning
Free	Property will not modify operation of device, no effect on accelerator operation is expected.
Device	Property will modify the device's operation, by modifying reference data or the device's state.
System	Property will modify the control system, or may affect several devices.
Critical	Property will modify the operation of the control system itself.

The criticality level of a property is set in the front-end equipment control software (fixed in the "Gerätemodell-Software"). This means, a property has the same criticality level for all devices which are handled by the same control system front-end software.

In general, all read-properties are classified by the criticality 'free'. Access to such properties will not modify settings in the facility.

Properties which set data for a device, and call-properties (property class 'call') generally are assigned to the property class 'Device'.

The property class 'system' is mainly foreseen for properties which modify the behaviour of elements of the control system. E.g. the 'RESET' and the 'INIT' properties of front-end equipment controllers (ECs) are assigned to this criticality class. Executing such a property of the equipment controller, like 'INIT', can influence all devices which are handled by the controller and must be executed with great care only.

The property class 'critical' is reserved for properties which can affect very critical parts of the control system. Such properties are not foreseen, and are not needed, to operate the accelerators. Execution of such properties requires very good knowledge of the effects and must be done with extreme care only. Execution can be granted to some experts only which must take the responsibility for the impact of the properties. Presently, this criticality class is used for properties to overcome internal deadlocks in the medical operation of the accelerator.

User Access Rights

To execute a property which is assigned to one of the criticality levels (see above), appropriate access rights are required. Access rights are granted to users on a per device base. This means, access rights are granted for single devices or for groups of devices (typically all for devices of the same type, e.g. for all magnet power supplies). Users are identified by their control system login name.

Access rights are graded, corresponding to the levels of criticality. Access rights always grant access to properties with lower criticality levels too. Following access right levels are defined:

Access Right Level	Meaning
read	Grant access to properties of criticality level 'free'.
modify	Grant access to properties of criticality level 'device'.
local system	Grant access to properties of criticality level 'system' of control system components hosting the device (see below)
system	Grant access to properties of criticality level 'system'
admin	Grant access to properties of criticality level 'critical'

The access right level 'local system' has a specific meaning: Granted for a device, it grants also access to properties of level 'system' of the equipment controller (EC) which hosts the device. When granted, this access right gives the right to call properties like 'RESET' or 'INIT' of the EC hosting the device. By such an access right, users are permitted to restart the equipment controller (EC).

Access rights are granted to users, which are identified by their login name', on a device base. This means, access rights are granted for a device. For this device the user may execute all properties of the criticality level whis is allowed for the user, including all lower criticality levels.

To simplify management, the access rights setup provides additinal means to grant access rights for all devices of same type (same equipment model software), or for devices of same type in a specific area (to all devices of which the nomenclature starts with a given character sequence).

User names may be grouped and access rights may be granted to the group, which results in granting the acees rights to all members of the group.

Check of Access Rights

Assignment of access rights to users is stored in the name server. When querying for a device's nomenclature, the nameserver also sends a coding of the access right for the specified device. This coding is used on the (front-end) device when a property is executed. If a user has no access right for the property, property execution is cancelled, resulting in an 'Access denied' error message.