See also: Meta Tags
ILabPascal - Access Rights
When you are writing scripts you might wonder how to protect your scripts from being read or edited, while nevertheless being able to execute them. Epina ImageLab provides a simple way to protect scripts by encrypting the scripts and by granting access to certain users or groups of users. The access mode can be either full access (which includes reading, editing and executing a script), or execute-only (in which case users can execute the script but cannot read or edit it) or no access at all.
The general principle behind protecting a script is first to lock it (by encryption) and then to grant access to selected users (or groups of users). The script engine supports two kinds of encryption: (1) password-controlled encryption and (2) system-controlled encryption. In the first case the user will be asked for a password before the script is loaded and/or executed; in the second case Epina ImageLab takes care of the encryption without the need for a user-defined password.
Independent of the mode of encryption, the access rights (which are specified within the script by the meta tag #ACCESSRIGHTS) are analysed by Epina ImageLab before access to the script is granted. As already mentioned, access rights can be assigned both to users and to groups. Each user and each group can be assigned either full or execute-only access.
The specified groups are matched against the license group name(s) which is/are assigned when an Epina ImageLab license is created. The specified users are matched against the license id of the Epina ImageLab installation. Note that there is a special group called "world" which is automatically assigned to each license (i.e. every license automatically belongs to the group "world").
The process of granting access to a script works as follows (assuming that there are three different access states, 0 = no access, 1 = execute-only access, 2 = full access):
Meta Tags
#ENCRYPT: This meta tag controls whether the script is stored as an encrypted file and which kind of encryption is applied. Three scenarios are possible:
#ACCESSRIGHTS: This meta tag defines the access rights on a per-group and/or per-user basis. The groups and users have to be specified in square brackets after the keywords "group" and "user". Group names and user ids within the square brackets are separated by semicolons. Execute-only access is indicated by a ':x' substring appended to the user or group name (see examples below).
The following specification encrypts the script using the password "Mo$su377KM" and gives full access to the group "myfriends" and execute-only access to the group "myclients". The user "9a8c-ee61-66ee-bb24" has full access, the user "b101-f82a-720b-72c0" has execute-only access:
#ENCRYPT Mo$su377KM
Thus, when a user tries to load or run the script, he or she must first specify the password. If the entered password is correct, the script can be edited and executed by users who belong to group "myfriends" and by user "9a8c-ee61-66ee-bb24". It cannot be read or edited but it can be executed by users belonging to group "myclients" and by user "b101-f82a-720b-72c0". All other users are locked out.
Example 2
Example 2 encrypts the script without a password and allows execute-only access to user "a689-7211-7000-627b". Please note that this scenario is a poisonous one. Once the script has been stored it can only be executed by the specified user, but it cannot be edited by anybody. Thus the script might be lost unless you created a backup copy before it was encrypted. Epina ImageLab issues a warning before saving a script with poisonous access rights.
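The poisonous case described above can be checked before a script is saved. The following Python sketch is an added example, not part of Epina ImageLab or its documentation: it parses an #ACCESSRIGHTS line, resolves the access state (0, 1 or 2) for a given license, and flags tags in which nobody holds full access. The exact tag layout is assumed from the syntax description above, exact (case-sensitive) name matching is assumed, and the rule that the highest matching level wins is an assumption, since the resolution steps are not spelled out on this page.

```python
import re

NONE, EXECUTE, FULL = 0, 1, 2  # the three access states named on the page


def parse_access_rights(line):
    """Parse one #ACCESSRIGHTS line into {'group': {name: level}, 'user': {id: level}}."""
    if not line.strip().startswith("#ACCESSRIGHTS"):
        raise ValueError("not an #ACCESSRIGHTS tag")
    rights = {"group": {}, "user": {}}
    for kind, body in re.findall(r"\b(group|user)\s*\[([^\]]*)\]", line):
        for entry in filter(None, (e.strip() for e in body.split(";"))):
            # ':x' appended to a name marks execute-only; otherwise full access
            if entry.endswith(":x"):
                name, level = entry[:-2].strip(), EXECUTE
            else:
                name, level = entry, FULL
            # a name listed twice keeps its highest level (assumption)
            rights[kind][name] = max(level, rights[kind].get(name, NONE))
    return rights


def effective_access(rights, license_id, license_groups):
    """Resolve access for one license. Assumed rule: highest matching level wins."""
    groups = set(license_groups) | {"world"}  # every license belongs to "world"
    levels = [rights["user"].get(license_id, NONE)]
    levels += [lvl for name, lvl in rights["group"].items() if name in groups]
    return max(levels)


def is_poisonous(rights):
    """True when no user or group holds full access, so nobody can edit the script."""
    return all(lvl < FULL for table in rights.values() for lvl in table.values())


# Constructed tag lines mirroring the access rights described in Examples 1 and 2
EXAMPLE_1 = ("#ACCESSRIGHTS group[myfriends;myclients:x] "
             "user[9a8c-ee61-66ee-bb24;b101-f82a-720b-72c0:x]")
EXAMPLE_2 = "#ACCESSRIGHTS user[a689-7211-7000-627b:x]"

if __name__ == "__main__":
    r1, r2 = parse_access_rights(EXAMPLE_1), parse_access_rights(EXAMPLE_2)
    # "0000-0000-0000-0000" is a constructed license id that is not listed in the tag
    print(effective_access(r1, "0000-0000-0000-0000", ["myclients"]))
    print(is_poisonous(r1), is_poisonous(r2))
```

Running such a check in a pre-save or review step also makes it easy to spot a tag that grants the "world" group full access, which defeats the purpose of encrypting the script.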
Example 3
Example 3 shows a typical scenario where there is a group of users (called "scientists") who are allowed to run the script but cannot read or edit it. The only user who has full control over the script is user "11b7-8ced-59b7-11f0".
This scenario should be used when you want to deliver scripts and hide the contents of the script from the users. Of course, the user who has full access rights (11b7-8ced-59b7-11f0) should be you. Please note that Epina ImageLab automatically creates access rights for yourself if you insert the meta tags by using the context menu command "Insert Meta Tags" in the script editor (the inserted license id for full access is the license id of the currently active user).
#ENCRYPT