So don’t even know if I am thinking about this in the correct way but figured I would ask here. I have a need to set some information in fields in shotgun for project configuration purposes. Normally these are things like projects frame rate or the maya working units. That’s no problem create a field I add it to my project information area I can make calls to pull this information as needed in code. However I do also have the need to have information here that I need managers and admins to configure but I don’t want artists and others to either be able to configure it or sometimes not even see it. My first though is no problem set permissions and that does work however if the pipeline calls to these fields from an artists account because they can’t be seen, the information can’t be returned. Is there a way to make a field encrypted so that someone can not see the information but the information can still be accessed via code? There may be a much better way to accomplish this but figured I would inquire here.
Interesting question. Are these fields going to be called solely by your code?
If it’s going to be called by your code, say within a custom app, or a hook, then I would suggest that at the point where you need to make the call, create a new Shotgun API connection using script authentication, so that it can access the usually hidden fields.
Got ya yeah that is an option there. Would that be the best approach for things like this?
I personally can’t think of a better approach. I mean you could manually encrypt the data and store it in the field, but then it wouldn’t be readable to anyone without decrypting it.
Perhaps someone else will chime in with a suggestion. I’ll also try and bring it up with the team.
I just had a chat, we think my suggestion is the best way to go about that.
We can understand potentially wanting elevated permissions so that you could create or edit some field when running via a tool, but it’s less clear why you would want something not visible to the user, but still let them access it at certain times, via your tools.
If the artist knew what they were doing they could potentially extract that information using python. So it’s more of a deterrent than a completely secure solution.
Correct it’s not the most secure for sure and we have discussed that the information that we are hiding here is not detrimental for security just something as you said more of a deterrent.
Humm not sure if I am doing this correctly. I created a new script, made sure it was part of the correct permission group, made sure that group is able to see and edit the fields I need access to, then in my call to get the information I use the following code to authenticate as the api script
sa = sgtk.authentication.ShotgunAuthenticator()
user = sa.create_script_user(api_script='<script_name>',
api_key='<api_key>',
host='<host url>')
sgtk.set_authenticated_user(user)
I then print sgtk.get_authenticated_user() to make sure I am logged in as the authenticated script which comes back correct with the script name and yet still making a call to get the information for my field fails and says the key can’t be found. Any idea what I may be doing wrong here?
Ah, sorry I didn’t mean for you to reauthenticate the Toolkit API, I was suggesting you create a new Shotgun API connection object, and use that for your find queries.
If you haven’t got a standalone copy of the API that you want to use, you can use the one that comes shipped with tk-core by doing:
from tank_vendor import shotgun_api3
sg = shotgun_api3.Shotgun(shotgun_url, script_name, api_key)
Auhh got ya that works there. Thanks!