tango access control examples

# 7 years ago
Snehal P	Hi, I wanted to know how is tango access control implemented in real time applications. For eg, how is it implemented in ESRF or SOLEIL (higher level/logical implementation). It would be great if you could share any links of documentation/paper describing the same. Regards, Snehal

# 7 years ago
Jean-Michel	Dear Snehal, The Tango Access Control is described in the link below http://www.tango-controls.org/community/projects/tango-access-control-tac/ At ESRF we use it as described.I don't understand what do you mean by "How it is implemented in real time application". Is it answering to your question? Cheers Jean-Michel

# 7 years ago
Snehal P	Hi Jean, Thanks for your patient reply. I do understand how tango access control works ( well explained in the link you mentioned). However, I seek to understand a real time example. By real time example I meant a currently working system (sorry for confusion). I mentioned ESRF in similar context. A hypothetical short example would be a distributed system containing 3 elements. Tango access control defines access for each element at host and device level. Then in such a scenario, can two users simultaneously control one element machine with different access rights? By my understanding it is not possible unless the second user logs in with his system login credentials. Keeping this example in mind, I wanted to inquire how is it implemented at ESRF and similar applications. Is it a standard practice of defining access using system login credentials and tango access control is designed on similar lines? Regards, Snehal

# 7 years ago

Snehal P

Hi Jean,

Thanks for your patient reply. I do understand how tango access control works ( well explained in the link you mentioned). However, I seek to understand a real time example. By real time example I meant a currently working system (sorry for confusion). I mentioned ESRF in similar context.

A hypothetical short example would be a distributed system containing 3 elements. Tango access control defines access for each element at host and device level. Then in such a scenario, can two users simultaneously control one element machine with different access rights? By my understanding it is not possible unless the second user logs in with his system login credentials.

Keeping this example in mind, I wanted to inquire how is it implemented at ESRF and similar applications.
Is it a standard practice of defining access using system login credentials and tango access control is designed on similar lines?

Regards,
Snehal

# 7 years ago
Andy	Hi Snehal, this is a quick answer to give you some feedback. At the ESRF we use the access control to limit the access from experimental stations to the accelerator. Each experimental station has their own Tango database (with < 500 devices)and runs independently of the accelerator and other stations. The accelerator has one Tango database (with approximately 10000 devices). Each experimental station has a beam port and some hardware in the accelerator to determine the xrays they receive (control of open/close shutter + intensity and wavelength of xrays). The experimental stations need read+write access to these devices. There are also a number of parameters of diagnostics devices of the accelerator they need to have read access to (beam current and position). Each experimental station runs in its own network + with a specific user id. The Tango Access Control (TAC) is configured to give read+write access to the specific hardware and read access to others for each experimental station user. At the same time the accelerator users have full read+write access to the all the devices. Does this answer your question if multiple clients can have different access to the same device - yes. Some things which have been requested but which are not implemented are (1) single user access i.e. don't even allow read access for other clients if one is in single user mode, and (2) access control at the attribute/command level (as opposed to at the device level), (3) role based access rights i.e. same user can have different roles. Both of these sound useful but due to lack of need for ESRF and limited resources they have not been implemented. If someone had the resources they could look into adding these. But I suggest first to get into contact. Hope that answers some of your questions Andy Edited 7 years ago

# 7 years ago

Andy

Hi Snehal,

this is a quick answer to give you some feedback. At the ESRF we use the access control to limit the access from experimental stations to the accelerator. Each experimental station has their own Tango database (with < 500 devices)and runs independently of the accelerator and other stations. The accelerator has one Tango database (with approximately 10000 devices). Each experimental station has a beam port and some hardware in the accelerator to determine the xrays they receive (control of open/close shutter + intensity and wavelength of xrays). The experimental stations need read+write access to these devices. There are also a number of parameters of diagnostics devices of the accelerator they need to have read access to (beam current and position). Each experimental station runs in its own network + with a specific user id. The Tango Access Control (TAC) is configured to give read+write access to the specific hardware and read access to others for each experimental station user. At the same time the accelerator users have full read+write access to the all the devices.

Does this answer your question if multiple clients can have different access to the same device - yes.

Some things which have been requested but which are not implemented are (1) single user access i.e. don't even allow read access for other clients if one is in single user mode, and (2) access control at the attribute/command level (as opposed to at the device level), (3) role based access rights i.e. same user can have different roles.

Both of these sound useful but due to lack of need for ESRF and limited resources they have not been implemented. If someone had the resources they could look into adding these. But I suggest first to get into contact.

Hope that answers some of your questions

Andy

Edited 7 years ago

# 7 years ago
Jean-Michel	to complete Andy's answer, there is another feature to complete the access control. There is a way for a client to lock a device for it's exclusive use. i.e. to be the only client allowed to modify an attribute or execute a command. It is a single user mode regularily used for preparing a device for a specific action. This is the Tango::DeviceProxy::Lock and Tango::DeviceProxy::Lock have a look on the reference documentation of the DeviceProxy class. Cheers Jean-Michel

# 7 years ago

Jean-Michel

to complete Andy's answer, there is another feature to complete the access control.
There is a way for a client to lock a device for it's exclusive use. i.e. to be the only client allowed to modify an attribute or execute a command. It is a single user mode regularily used for preparing a device for a specific action.
This is the Tango::DeviceProxy::Lock and Tango::DeviceProxy::Lock
have a look on the reference documentation of the DeviceProxy class.

Cheers
Jean-Michel

# 7 years ago
Snehal P	Thanks a lot Andy and Jean . It surely answered all my questions. Thanks for your help ! Regards, Snehal

# 7 years ago
Snehal P	Also it would be great if you could give me any references implementing or trying to implement the three features with tango access control. It would be great help. Regards, Snehal