Tango access control behaviour on database modification

# 7 years ago
Snehal P	Hi, How does tango access control behave if I change entries in access_address and access_device tables in tango database while TangoAccessControl device server is running? How frequently are these tables polled? Thanks and Regards, Snehal

# 7 years ago
Andy	Hi, I am not an expert on the TANGO access control lists but I assume that for performance reasons the access lists are read only when the client builds a connection to the device server. It then gets a key which is sent to the server during each transaction. I don't think it is renewed i.e. does not poll the database until the next time the connection is established. Therefore I don't think the database is polled. I will check this with the experts next week. What is your use case? How would you like to use the access control lists? How often would you need to be polled? Maybe there is a different way of solving this need. Let us know more about your use case. Kind regards Andy

# 7 years ago

Andy

Hi,

I am not an expert on the TANGO access control lists but I assume that for performance reasons the access lists are read only when the client builds a connection to the device server. It then gets a key which is sent to the server during each transaction. I don't think it is renewed i.e. does not poll the database until the next time the connection is established. Therefore I don't think the database is polled. I will check this with the experts next week.

What is your use case? How would you like to use the access control lists? How often would you need to be polled? Maybe there is a different way of solving this need. Let us know more about your use case.

Kind regards

Andy

# 7 years ago
Pascal	Hi The information in database are not polled. The access rights are read at DeviceProxy creation, and are not modify during the life of this DeviceProxy object. Regards Pascal

# 7 years ago
Snehal P	Hi, Thanks Andy. Thanks Pascal. Yes that did answer my question. Andy, my use case has several clients and one administrator. The administrator can modify access control lists. The clients has to have access to different devices at different time. For example, 1) Client1 has access to device1 and device2 at time T unit, the administrator may limit Client1 access to device1 at time T+1 unit. 2) Similarly, if Client1 and Client2 have access to device1 at time T unit, administrator can modify the list to give device1 access only to Client1 at time T+1 unit. Now by my understanding (please correct me if I am wrong), in case 1) Client1 has created device proxy to connect to both device1 and device2 at time T unit. Now, at time T+1 unit if administrator modifies access list for Client1 as device1, it won't be effective until Client1 creates new DeviceProxy object for device1 and device2. So my conclusion (again please correct me if I am wrong) is to keep access lists modification by administrator as an independent activity. Client would only be allowed to create DeviceProxy object after administrator has completed modifications and DeviceProxy objects created earlier would no longer be valid . Regards, Snehal

# 7 years ago

Snehal P

Hi,

Thanks Andy. Thanks Pascal. Yes that did answer my question.

Andy, my use case has several clients and one administrator. The administrator can modify access control lists. The clients has to have access to different devices at different time. For example, 1) Client1 has access to device1 and device2 at time T unit, the administrator may limit Client1 access to device1 at time T+1 unit. 2) Similarly, if Client1 and Client2 have access to device1 at time T unit, administrator can modify the list to give device1 access only to Client1 at time T+1 unit.

Now by my understanding (please correct me if I am wrong), in case 1) Client1 has created device proxy to connect to both device1 and device2 at time T unit. Now, at time T+1 unit if administrator modifies access list for Client1 as device1, it won't be effective until Client1 creates new DeviceProxy object for device1 and device2.

So my conclusion (again please correct me if I am wrong) is to keep access lists modification by administrator as an independent activity. Client would only be allowed to create DeviceProxy object after administrator has completed modifications and DeviceProxy objects created earlier would no longer be valid .

Regards,
Snehal