OverviewDemos and ResourcesContact
Search…
What is Engine?
Key Concepts
Security
Deployment
System Architecture
Single Sign-On
Integrations
Supported Integrations
Directory Services
IoT
Location Services
Administration
Backoffice
Developer Guide
Development Environment
Building Drivers
Discovery and Metadata
State
Scheduling Actions
Response Tokenisation
Device Drivers
SSH Drivers
Service Drivers
Logic Drivers
Testing
Live Monitoring
Logging
Security
Utilities and Helpers
User Interfaces
API
Authentication
Control
Support
Service Desk
Powered By GitBook
Security
Authentication is mandatory and authenticated users have access to all systems and drivers within. They can’t edit or see settings, can’t list systems or change anything however they can, by default, access all functions defined in drivers if they know the system id. This is via the websocket API, most restful API’s are out of bounds to a regular user.
A global callback can be defined to check if a user should be able to access a system:
1
# Returning true means access should be granted
2
Rails.application.config.orchestrator.check_access = proc { |system_id, user|
3
if system_id == 'sys-nuclear-warheads'
4
user.sys_admin ? true : false
5
else
6
# We only want to block access to the warheads
7
true
8
end
9
}
Copied!
All drivers have a helper method for accessing the user details so you can manually manage permissions:
1
def some_method_in_driver
2
user = current_user
3
if user.nil?
4
# Method was invoked internally - timer, onload callback etc
5
else
6
logger.info "Method called by user #{user.email} (#{user.id})"
7
end
8
end
Copied!
You can also protect methods using protect_method. The last protect_method call for any function is the one that will be used.
1
class Some::Device::Driver
2
include ::Orchestrator::Security
3
​
4
# By default both Tech Support and Admin users have access to these methods
5
# Regular users will be rejected
6
protect_method :method_1, :method_2
7
​
8
# if you provide a block then it can be used to decide if a user should have access
9
protect_method :method_1, :method_2 do |user|
10
user.sys_admin || user.name == 'service account' || check_room_bookings(user)
11
end
12
​
13
def method_1; end
14
def method_2; end
15
end
Copied!
you can also check if a user has access to a method
1
can_access? :method_name
2
# by default it checks against the current user, this can be overridden
3
can_access? :method_name, user
Copied!
NOTE:: the current user is maintained across asynchronous function calls and timers.
i.e. Browser (user: Bob) -> LogicModule.do_something_weird -> Display.reset_to_factory_new
If Bob is a regular user and the reset_to_factory_new function is protected then reset_to_factory_new will not be executed.
Finally all system access is logged and saved for a few months to make it fairly easy to track down bad actors within an organisation.

Encrypted Settings

Passwords often need to be stored in the database for accessing secure devices. To have a setting stored securely, you enter the key with a $ sign prefix.
1
{
2
"$password": "secret"
3
}
Copied!
once saved, the setting is encrypted with 256 bit AES using GCM ciphers to prevent tampering
Previous
Logging
Next
Utilities and Helpers
Last modified 3yr ago
Copy link
Contents
Encrypted Settings