Privilege and Area Combinations
- Last UpdatedJul 18, 2023
- 3 minute read
Outlined below are four general rules regarding the use of privileges and areas within Plant SCADA.
-
Global privileges apply to every area.
-
Assigning a privilege to an area within a role means any user assigned that role will gain viewable access to that area automatically. However the user can only operate system elements in that area that have a matching privilege. As a result of the first rule, if users are assigned a global privilege they will also be able to view every area.
-
Area 0 includes every privilege a role may have been assigned in other areas. In other words, if granted a privilege 3 for use in another area that role can also control those system elements in Area 0 that have a privilege set as 3.
-
All users can view Area 0.
The table below outlines numerous scenarios, and the resulting security that is applied to an alarm when accessed by a user assigned to an "operator" role.
|
Alarm Properties |
Operator Role Properties |
Result |
|---|---|---|
|
Area = 0 <All areas> Privilege = 0 <None> |
View Areas = 0 (blank) Global privileges = 0 (blank) Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
No privileges are assigned to the alarm, or the operator role. An operator will be able to view and acknowledge the alarm. |
|
Area = 0 <All areas> Privilege = 1 |
View Areas = 0 (blank) Global privileges = 0 (blank) Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
The alarm is assigned level 1 privileges. An operator will be able to view the alarm, but cannot acknowledge it as the operator role does not have the necessary level 1 privileges. |
|
Area = 0 <All areas> Privilege = 1 |
View Areas = 0 (blank) Global privileges = 1 Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
An operator can view the alarm and acknowledge it, as the operator role has been granted matching global privileges (level 1 access). The operator will also be able to view and control other system elements that have level 1 privileges across all areas of the plant. |
|
Area = 1 Privilege = 0 <None> |
View Areas = 0 (blank) Global privileges = 0 (blank) Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
An operator cannot view the alarm, as it is now assigned to Area 1 and the operator role has no permissions for Area 1. |
|
Area = 1 Privilege = 0 <None> |
View Areas = 1 Global privileges = 0 (blank) Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
The View Areas property has been adjusted so that users assigned to the operator role can view Area 1. They can acknowledge the alarm as it has no privilege restrictions. |
|
Area = 1 Privilege = 1 |
View Areas = 1 Global privileges = 0 (blank) Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
An operator can view the alarm in Area 1, but cannot acknowledge it as the operator role does not have the required level 1 privileges. |
|
Area = 1 Privilege = 1 |
View Areas = 1 Global privileges = 1 Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
An operator can view the alarm and acknowledge it as the operator role now has global privileges for level 1. |
|
Area = 1 Privilege = 1 |
View Areas = 0 (blank) Global privileges = 0 (blank) Privilege 1 Areas = 1 Privilege 2 Areas = 0 (blank) ... |
An operator can view the alarm and acknowledge it as the operator role now has level 1 privileges for the matching area (Area 1). |
|
Area = 2 Privilege = 1 |
View Areas = 0 (blank) Global privileges =1 Privilege 1 Areas = 0 (blank) Privilege 2 Areas = 0 (blank) ... |
The alarm is now in Area 2, however, an operator can still view the alarm and acknowledge it as the operator role has global privileges for level 1. |