docs(security): document AdminUI policy tiers (ConfigEditor/AuthenticatedRead) + R2-05 status

This commit is contained in:
Joseph Doherty
2026-07-13 10:01:52 -04:00
parent aac3285468
commit dad783514a
4 changed files with 24 additions and 4 deletions
+3 -2
View File
@@ -220,8 +220,9 @@ help, document formatting, and tag-path completions inside `ctx.GetTag("…")` /
runtime publish gate uses, so what the editor accepts/rejects matches publish
exactly. The backend lives in
`src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/ScriptAnalysis/` (six minimal-API
endpoints under `/api/script-analysis/*`, gated to the `Administrator,Designer`
roles via `RequireAuthorization` in `ScriptAnalysisEndpoints.MapScriptAnalysis`).
endpoints under `/api/script-analysis/*`, gated by the `ConfigEditor` policy
(Administrator or Designer) via `RequireAuthorization` in
`ScriptAnalysisEndpoints.MapScriptAnalysisEndpoints`).
See `docs/ScriptEditor.md` for the full guide. Scripts may use the `{{equip}}` token for equipment-relative tag paths that resolve per-equipment at deploy time — see the "Equipment-relative tag paths" section in `docs/ScriptEditor.md`.
## Scripted Alarm Ack/Shelve