Security preferences

You can set the following preferences in the Security category of the Preferences window.

Select the headings under the Security topic to see settings for other areas

The security preferences let you set what Maya does when you open files, run scripts, or load plug-ins. Sometimes scene files can contain malicious code or viruses, for example, a scene file downloaded from an untrusted source.

This way, if Maya finds any dangerous code hidden in these files, you are warned.

General Security Preferences

Security

The General Security Preferences control all the security settings in the window.

Turn on the security settings using the General Security Preferences options

Select On to turn on all security preferences (MEL, Python, Plug-ins) at the same time.
Choose Off to disable the security settings, which may be necessary if Maya is blocking a file from loading. (In this case, see the sections about Flagged commands/scripts in this topic.)
Select Custom if you want to change any of the default settings. Maya automatically switches this setting to Custom when you activate/deactivate any of the subsections in the Startup Script Permissions.

Startup Script Permissions

These settings let you set what Maya does when it opens a scene that contains scripts that are run automatically.

Read and execute 'userSetup' scripts

Turn this option on to run a hash check of any userSetup scripts to make sure they are trustworthy. A hash check makes sure that the script is safe by checking that the data does not contain code that is not from the script creator.

Maya warns you if a script fails the hash check, and lets you save the new hash value. Saving a new hash value means that the detected changes to the original script are safe. This way, the script passes future hash checks.

This check is disabled by default.

By default, the scripts are found here:

Windows: ..\My Documents\maya\<version>\scripts
macOS: ~/Library/Preferences/Autodesk/maya/<version>/scripts
Linux: ~/maya/<version>/scripts

Warn me if 'userSetup' scripts contain changes

Activate this option so Maya performs a hash check of any userSetup scripts to make sure they are trustworthy. A hash check validates the integrity of the script by checking that the data does not contain anything that is not from the script's creator.

If a script fails the hash check, Maya warns you, and lets you save the new hash value. Saving a new hash value means that the detected changes to the original script are acceptable. This way, the script will pass future hash checks.

This check is disabled by default.

Security logging

Enable security logging

Turn this on so that any security events (MEL, Python, or Plug-in) discovered by these settings are saved to a log file named "mayaSecurity".

Log file format: Lets you set the "mayaSecurity" file type. You can choose JSON or XML.
Default security logging directory: Lets you set where the "mayaSecurity" file is saved.

MEL

Allows you to block specific MEL commands so they do not run when loading scene files. This is useful if you are using files from an unknown source and want to make sure they do not contain dangerous code.

This is enabled by default.

Note: This setting affects commands executed only when a file is loaded (such as through a scriptJob/scriptNode). It does not affect commands run from the Script Editor.

Secure MEL loading

When active, Maya either asks for permission or refuses to run commands. This behavior depends on what you set in the Flagged commands list.

Flagged commands

Select commands to flag when Secure MEL loading is active from the list. A flagged command is a command that you are worried may be dangerous.

Click Add to open a window where you can add other commands to the list. You can also select commands that are already in the list and click Remove to stop them from being flagged.

Default action for flagged commands

Lets you set what Maya does with flagged MEL commands during when a file containing them is loaded.

Ask for permission lets you know each time Maya finds a command on the Flagged commands list when opening a file. This setting is the default.

Deny blocks any flagged commands on the Flagged commands when opening a file from running.

Allow global proc definition in scene file

Lets you allow embedded MEL scripts to define global procedures. When this setting is off, Maya blocks all global procedure calls on file load. This is disabled by default.

Python

Allows you to block Python commands or modules embedded in .ma/.mb files (including scriptNodes or scriptJobs) so they do not run when loading scene files. This is useful if you are using files from an unknown source and want to make sure they don't contain dangerous code.

Note: These settings only affect commands run when a file is loaded, such as with scriptJob or scriptNode. It does not affect commands run from the Script Editor.

Python

This section lets you set what Maya does when it finds a Python command or module embedded in a file that it is opening.

Check before executing (secure) lets you customize what commands / modules are allowed or denied with the Execute and Don't Execute options.

Execute and Don't Execute let you enable or refuse all Python modules Maya finds. This setting is set to Execute by default, but we highly recommend switching to Check before executing (secure) before loading any files from an untrusted source.

Python Built-in Functions

Secure built-in functions

Activate this setting so that Maya asks for permission or refuses to run commands, depending on what is in the Flagged built-in functions list.

This setting works only when Python is set to Check before executing (secure).

Flagged built-in functions

Select commands to flag when Secure file loading is active from the list.

Specifies what Python commands to deny when Secure built-in functions option is active. Functions with a check mark are flagged and not allowed to run.

Default action for importing modules

Lets you set what Maya does with flagged Python command when a file containing them is loaded.

Ask for permission lets you know each time Maya finds a command on the Flagged commands list when opening a file. This setting is the default.

Deny blocks any flagged commands on the Flagged commands list from running when opening a file.

Python Modules

Secure module import: When turned on, Maya asks for permission or refuses to run all modules not in the Trusted modules list from loading. This depends on the current Default action for flagged commands setting and only works when Python is set to Check before executing (secure).
Trusted modules: Specifies what Python modules are allowed when Secure module import is turned on. Click Add and then navigate to a folder in the file browser to add locations to the list. You can also select locations already in the list and click Remove to remove them.
Default action for importing modules: Determines how Maya handles a module outside the Trusted modules list.; Ask for permission lets you know each time Maya loads a module that is not on the Trusted modules list.; Deny blocks unlisted modules from importing when loading.; The default is Ask for permission.

Plugins

Lets you control what plug-ins can be loaded based on their location.

Secure plug-in loading

Activate this setting so that Maya asks for permission or block plug-ins from loading. The action of this option depends on what is set in the Default action for flagged commands setting.

My trusted plugin locations

Lets you add safe plug-in locations when Secure plugin loading is active.

Click Add, then use the file browser to add locations to the list. You can also select locations in the list and click Remove to remove them.

Note: Maya also has a list of trusted plug-in locations that do not appear in this list.

Default action for non-trusted locations

When Secure plugin loading is turned on this setting lets you define what happens with plug-in loads data from a location not from a trusted plug-in location.

Ask for permission lets you know you each time a plug-in from a nontrusted location attempts to run. This setting is the default.

Deny blocks any plug-in from a nontrusted location.