Hi,
As you may know, as part of the v12 WebVue make-over, we are cleaning up some of the ugly stuff in SCADA Basic when executed in WebVue context (by the way, there is some good material for a spoiler here).
The idea, in general, is to:
- Either fix so that it works correctly in WebVue context
- Or return a useful error code if executed in WebVue context, 0 in general, because it is the most widely used code for generic errors.
Of course, there are SCADA Basic instructions that do not fit well in any of these 2 categories.
2 of them are the modes USERNAME and PASSWORD of the verb SYSTEM.
One returns the password of a user passed as parameter, the other returns the username for a given password.
They are an issue in the context of our clean-up effort because they are functionally disputable and technically do not return any code (they return a string).
We could probably return an empty string if executed in WebVue context, with the meaning of "no way, these modes do not disclose such data to a web client", which we would document.
BUT, I (and a few others) strongly feel we should simply and frankly stop supporting them and generate an execution error, both for desktop clients and WebVue clients.
Rationales:
- With security in mind, they should simply not be there, the sooner they disappear, the better.
- Of course, they do not work with Active Directory.
- Functionally speaking, I do not see any use case for them.
Question 1:
Do you see a use case for them? Do any of you know why they were introduced in the product? Which customer may be using them nowadays?
Question 2:
Do you have a strong argument for keeping them in the product?
Thanks in advance
I think it should be used to work around the impossibility to change a password from WebVue.
With these instructions it is possible to check that the person who changes the password knows the current password.
Maybe we should keep them in old versions (Updates) but completely remove them in V12 because it is possible now to change our password during login.
Hi,
Even though I have been working for ARC for a long time, I don't know why someone asked for the implementation of this mode.
I agree to remove it from the product. It is definitely not secure and it doesn't make sense to keep it today because of cyber security constraints.
Hi,
You can remove them.
Hi Benoît,
I don't see the use case for these verbs and also agree with removing them.
Never seen this mode in a project. Remove.
Thank you for your feedback.
I asked some other people in the sales team, without getting more about the history and potential usage nowadays.
There is an overall agreement that they can be removed and therefore will be removed from v12.
In general, this decision breaks our commitment to backward compatibility.
Removing stuff overnight in a new version is not a good way to handle obsolescence, and we are not going to practice this way for everything for which we would like to end support. Keep in mind that these 2 modes are particular and justify an unusual decision: they are functionally disputable (dysfunctional if you consider what it does if 2 users have the same password, for example) and cannot stay in the current context of cybersecurity.


