ILabPascal - Access Rights

When you are writing scripts you might wonder how to protect your scripts from being read or edited, while nevertheless being able to execute them. Epina ImageLab provides a simple way to protect scripts by encrypting the scripts and by granting access to certain users or groups of users. The access mode can be either full access (which includes reading, editing and executing a script), or execute-only (in which case users can execute the script but cannot read or edit it) or no access at all.

The general principle behind protecting a script is first to lock it (by encryption) and then to grant access for selected users (or groups of users). The script engine supports two kinds of encryptions: (1) a password controlled encryption and (2) a system controlled encryption. In the first case the user will be asked for a password before the script is loaded and/or executed, in the second case Epina ImageLab takes care of the encryption without the need of a user-defined password.

Independent of the mode of encryption the access rights (which are specified within the script by the meta tag #ACCESSRIGHTS) are analysed by Epina ImageLab before granting access to the script. As already mentioned the access rights can be assigned both to users and groups. Each user and each group can be assigned to either full or execute-only access.

The specified groups are matched against the license group name(s) which is/are assigned when an Epina ImageLab license is created. The specified users are matched against the license id of the Epina ImageLab installation. Note that there is a special group called "world" which is automatically assigned to each license (i.e. every license automatically belongs to the group "world").

The process of granting access to a script works as follows (assuming that there are three different access states, 0 = no access, 1 = execute-only access, 2 = full access):

  1. The default access state is 0 (no access) for encrypted scripts and 2 (full access) for unencrypted scripts.
  2. Access rights are evaluated only if the script can be successfully decrypted (either via the password specified in the meta tag #ENCRYPT or by system means).
  3. For successfully decrypted scripts the specified group names and the specified users are matched against the license groups and the license id, respectively.
  4. If a group or user matches, it is checked whether there is full (access code 2) or execute-only access (access code 1)
  5. The final decision is the maximum of all individual group and user access codes.

Meta Tags

#ENCRYPT: The meta tag controls whether the script is stored as an encrypted file and which kind of encryption is applied. Three scenarios are possible:
  1. no encryption at all: the #ENCRYPT tag is not present in the meta tags
  2. Epina ImageLab controlled encryption: the meta tag #ENCRYPT is present, but no password is specified
  3. password controlled encryption: the meta tag #ENCRYPT is present followed by a password

#ACCESSRIGHTS: This meta tag defines the access rights on a per group, and/or per user basis. The groups and users have to be specified in square brackets after the keywords "group" and "user". Group names and user ids within the square brackets are separated by semicolons. Execute-only access is indicated by a ':x' substring appended to the user or group name (see examples below).

Example 1

The following specification encrypts the script using the password "Mo$su377KM" and gives full access to the group "myfriends" and execute-only access to the group "myclients". The user "9a8c-ee61-66ee-bb24" has full access, the user "b101-f82a-720b-72c0" has execute-only access:

#ENCRYPT Mo$su377KM
#ACCESSRIGHTS group [myfriends;myclients:x] user [9a8c-ee61-66ee-bb24;b101-f82a-720b-72c0:x]
Thus when a user tries to load or run the script, he or she must first specify the password. If the entered password is correct the script can be edited and executed by users who belong to group "myfriends" and by user "9a8c-ee61-66ee-bb24". It cannot be read or edited but it can be executed by users belonging to group "myclients" and by user "b101-f82a-720b-72c0". All other users are locked out.

Example 2

Example 2 encrypts the script without a password and allows execute-only acces to user "a689-7211-7000-627b". Please note that this scenario is a poisonous one. Once the script has been stored it can only be executed by the specified user, but it cannot be edited by anybody. Thus the script might be lost unless you created a backup copy before it was encrypted. Epina ImageLab issues a warning before saving a script with poisonous access rights.
#ENCRYPT
#ACCESSRIGHTS user [a689-7211-7000-627b:x]

Example 3

Example 3 shows a typical scenario where there is a group of users (called "scientists") who are allowed to run the script but cannot read or edit it. The only user who has full control over the script is user "11b7-8ced-59b7-11f0".
#ENCRYPT
#ACCESSRIGHTS group [scientists:x] user [11b7-8ced-59b7-11f0]
This scenario should be used when you want to deliver scripts and hide the contents of the script from the users. Of course, the user who has full access rights (11b7-8ced-59b7-11f0) should be you. Please note that Epina ImageLab automatically creates access rights for yourself if you insert the meta tags by using the context menu command "Insert Meta Tags" in the script editor (the inserted license id for full access is the license id of the currently active user).