Security Roles
- Last Updated: Feb 06, 2024
To restrict access to Plant SCADA's sensitive components, only users with relevant permissions can perform certain security-related operations. To help manage these permissions, Plant SCADA uses a set of security roles. Each role provides a different level of access to features, applications and project resources.
The following security roles are used on all Plant SCADA computers.
| Security Role | Description |
|---|---|
| Configuration Users | Members of this role can run configuration tools (such as Plant SCADA Studio or Computer Setup Wizard) and start the runtime display client and server processes. Note: It is recommended that members of this role only start runtime for development purposes and not in a production system environment. |
| Runtime Users | Members of this role can run the runtime display client and make local CtAPI connections. Note: Any Windows® user account that has to start runtime needs to be assigned to this role. See Add the Required Users to the Runtime Users Role. |
| Server Users | Members of this role can run Plant SCADA as a server process. If you are not running Plant SCADA as a service, add a member to this role who needs to run a Plant SCADA server (including a display client with [CtAPI]Remote enabled). |
Note: Plant SCADA computers use a server password to authenticate each other. This creates a trusted network between servers and, optionally, clients. This password is specified for a computer via Configurator or the Computer Setup Wizard. To set the server password for a computer, you need to be a member of the Configuration Users security role. To read the server password you need to be a member of either the Configuration Users or the Server Users security role. You can be a member of these roles either directly or via an associated domain group.
If you have installed deployment server components on a computer, three additional security roles will exist.

| Security Role | Description |
|---|---|
| Deployment Administrators | Members of this role can add client computers to, or remove them from, the deployment server. They can also perform upload and deploy operations. |
| Deployment Users | Members of this role can deploy a new project to a connected deployment client computer. |
| Deployment Uploaders | Members of this role can upload a new project version to the deployment server. |
If you have installed Industrial Graphics Server on a computer, two additional Security Roles will exist.
| Security Role | Description |
|---|---|
| Industrial Graphics Users | Members of this role can connect and authenticate with the Industrial Graphics Server. For more information, see the topic Configure User Access for an Industrial Graphics Web Client in the Plant SCADA documentation. Note: You should avoid adding individual users to this security role. To allow authorization in a distributed system, only add domain groups to an Industrial Graphics security role. |
| Industrial Graphics R/W Users | Members of this role can connect and authenticate with the Industrial Graphics Server. They will also be able to write to variable tags in a Plant SCADA system, provided the tags have been configured to support writes via the Write Roles property. For more information, see the topic Enable Tag Writes for Industrial Graphics Applications in the Plant SCADA documentation. Note: You should avoid adding individual users to this security role. To allow authorization in a distributed system, only add domain groups to an Industrial Graphics security role. |
By default, installation associates the local Windows user groups with these security roles as members (see the information on Windows User Groups and Security Roles in the topic Installation Information).
You can view the members currently associated with each security role on the Security Roles page under Plant SCADA in Configurator. When you select a role, the existing members associated with the role are listed in the Members of... section.

It is recommended that you replace the local Windows groups associated with these security roles with your own domain groups. If required, you can also assign additional user accounts or groups to a role (see Modify the Members of a Security Role).