
AVEVA™ Plant SCADA

Roles

  • Last Updated: Feb 06, 2024

Roles define a set of permissions that can be assigned to users of the same type. Before you create a role, determine the permissions required by the users that will be assigned to the role (based on the available Privileges and Areas).

To integrate Windows user groups into your Plant SCADA security, use the Windows Group property when defining a role. See Integrate Windows™ User Groups.

Note: Area 0 is assigned by default to every role. This means users can view any system element in Area 0 (no privileges defined).

To add a Role record:

  1. In the Security activity, select Roles.

  2. Add a row to the Grid Editor.

  3. Type the required information in each column, or in the fields in the Property Grid.

    For a description of the properties, see below.

  4. Click Save.

Role Properties

General Properties

Property

Description

Role Name

The name of the role. Each name must be unique.

Windows Group

The name of the Windows™ user group associated with this role. You can enter a group name on its own (for example, "PlantOperators"), or you can restrict the group's accessibility by including a local computer name or domain name (for example, "ComputerName\PlantOperators" or "DomainName\PlantOperators").

You can only associate Windows user groups with up to 1024 Plant SCADA roles. Duplicated Windows user groups are not supported.

For more information, see Integrate Windows™ User Groups.

Privileges

The privilege assigned globally to the role. Enter a value of 16 characters or less.

In the privilege field you can separate numbers with commas or you can enter a range separated by two periods, for example, 1..8.

As you configure your system, you can assign privileges to the various elements, such as graphics objects, alarms, accumulators, commands, and so on. For example, a role with a Global Privilege of 3 will be able to send any command that is assigned a privilege of 3, or action any alarm with a privilege of 3, or click any button that is assigned a privilege of 3, etc. Unless you are using areas, if you do not specify a global privilege, the role cannot access any command with a privilege assigned.

Note: (For users using Windows authentication) When you have completed the fields in this dialog, if you have not already done so, add the users to the group in Windows security that you want to have the privileges of this role.

View Areas

The areas the user assigned the associated role is permitted to view. Enter a value of 16 characters or less.

Note: Do not set Viewable Areas in conjunction with Global privileges, as global privileges give roles view access to areas automatically.

Remember, you still need to assign privileges to the elements in these viewable areas, such as graphics objects, alarms, accumulators, commands, etc. If you do not, the user will have full access to them. For example, if you do not assign a privilege to a command in one of these areas, the user will be able to send it regardless of whether you want them to or not.

To make an element (such as a button on an expression) view only for a particular user, assign it an expression and a privilege. Add the area to the user's list of Viewable Areas, but don't give the user the necessary privileges in that area (or the necessary global privilege).

Multiple areas can be defined using groups.

If you do not specify "Viewable Areas", the user will have viewable access to area 0. See Privilege and Area Combinations for more information.

Allow RPC

Determines if a user or group will be restricted from performing remote MsgRPC and ServerRPC calls.

From the drop-down, select True or False:

  • True - the user or group will be allowed to run MsgRPC and ServerRPC

  • False - the user or group will not be allowed to run MsgRPC and ServerRPC.

If the field is left blank, it will default to FALSE. The following compiler warning message will be generated:

"'Allow RPC' permission is not defined (defaulting to FALSE)."

Note: If you want to use MsgRPC to call a procedure on a remote client computer, you will need to set the parameter [Client]AllowRPC to 1 on the client computer.

Allow Exec

Determines whether a user or group will be allowed to run the Exec Cicode function.

From the drop-down, select True or False.

  • True - user or group allowed to run Exec.

  • False - user or group not allowed to run Exec.

In the Example project, Allow Exec is set to TRUE for the Engineer role. Note that this is used in conjunction with the Citect INI parameter [Security]BlockExec. Therefore, the parameter also needs to be set as [Security]BlockExec=0 so that users with this role can run the Exec Cicode function. For more information about the parameter, refer to the Parameters help.

If the field is left blank, Allow Exec will default to FALSE.

Manage Users

Determines if the user is authorized to manage user accounts. From the drop-down select TRUE or FALSE.

If TRUE the user is able to:

  • Add, modify, and delete users at runtime.

  • Modify other users' passwords without having to know the user's old password.

If FALSE the user will only be able to change their own password. To do this they will need to know their old password.

In the Example project, Manage Users is set to TRUE for the Engineer role.

Kernel Access

Determines if a user can launch the Kernel window at runtime. Choose from the following:

  • No Access - the user cannot launch the Kernel.

  • Read Only - the user can display the Kernel, but cannot perform some privileged commands like running Cicode.

  • Full Access - the user can display the Kernel and has full access to its functionality and commands.

Note: You need to restrict access to the Kernel. Anyone using the Kernel has total control of Plant SCADA (and subsequently your plant and equipment).

For more information, see the section Access to Cicode and Cache Commands in the topic The Kernel.

Note: If you change the Kernel Access setting for a Role and run the recompiled project, you will need to restart any server processes that you want to run the Kernel on.

Comment

Any useful comment.

Entry Command

A Cicode command that is executed when the user assigned this role logs in. You can use any Cicode command or function. Enter a value of 254 characters or less.

Exit Command

A Cicode command that is executed when the user assigned this role logs out. You can use any Cicode command or function. Enter a value of 254 characters or less.

Priv1 Areas. . . Priv8 Areas

The privileges (by area) assigned to the user. Enter a value of 16 characters or less. Using this combination of areas and privileges, you can assign a user different privileges for different areas. For example, users assigned a role with privilege class 6 in areas 29 and 30 will only have access to commands in those areas that require privilege class 6.

In the privilege field you can separate numbers with commas or you can enter a range separated by two periods, for example, 1..8.

Note: In assigning a privilege to an area, you are making that area viewable to users assigned that role.

If you do not specify areas with associated privileges, access is defined by Viewable Areas or Global Privileges only.
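
The Python sketch below is an added example, not AVEVA code. It parses the comma and ".." range syntax and evaluates the view and privilege rules as this page states them, including the case where an element without a privilege is fully accessible in any area the role can see. The dictionary keys, the sample roles and the reading that any global privilege makes every area viewable are assumptions; area groups are not handled.

```python
MAX_FIELD_LEN = 16  # "Enter a value of 16 characters or less."

def parse_list(field):
    """Expand a field such as "1,3,5..8" into a set of integers."""
    field = (field or "").strip()
    if len(field) > MAX_FIELD_LEN:
        raise ValueError(f"more than {MAX_FIELD_LEN} characters: {field!r}")
    values = set()
    for part in (p.strip() for p in field.split(",")):
        if not part:
            continue
        if ".." in part:                      # range, for example 1..8
            lo, hi = (int(x) for x in part.split("..", 1))
            if lo > hi:
                raise ValueError(f"descending range: {part!r}")
            values.update(range(lo, hi + 1))
        else:
            values.add(int(part))
    return values

def access(role, area, priv):
    """Return "none", "view" or "operate" for an element in `area`.

    `priv` is the privilege assigned to the element, or None if it has none.
    `role` uses hypothetical keys: global_priv, view_areas, priv_areas.
    """
    global_privs = parse_list(role.get("global_priv"))
    by_priv = {n: parse_list(a) for n, a in role.get("priv_areas", {}).items()}
    viewable = {0} | parse_list(role.get("view_areas"))   # Area 0 is always assigned
    for areas in by_priv.values():
        viewable |= areas       # a privilege in an area also makes it viewable
    if not global_privs and area not in viewable:
        return "none"
    if priv is None:
        return "operate"        # unprotected element in a visible area
    if priv in global_privs or area in by_priv.get(priv, set()):
        return "operate"
    return "view"

# Constructed roles for illustration.
OPERATOR = {"priv_areas": {6: "29,30"}}   # privilege class 6 in areas 29 and 30
VIEWER = {"view_areas": "10"}             # view only, no privileges
ENGINEER = {"global_priv": "1..8"}
```

Running every configured element through a check like this and listing the ones that return "operate" with no privilege assigned shows where a view-only role can still send commands.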

Project Properties

Property

Description

Project

The project in which the role is included.
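
As an added example (not AVEVA code), the Python check below reviews role records for the settings this page singles out: Allow RPC, Allow Exec together with [Security]BlockExec, Manage Users, Kernel Access, the field length limits and duplicated Windows groups. The record layout (dictionaries keyed by the property names above), the sample roles and the case-insensitive group comparison are assumptions.

```python
LIMITS = {"Privileges": 16, "View Areas": 16, "Entry Command": 254, "Exit Command": 254}
MAX_GROUP_ROLES = 1024   # roles that can be associated with Windows user groups

def is_true(role, key):
    return role.get(key, "").strip().upper() == "TRUE"

def audit_roles(roles, block_exec):
    """Return sorted (role name, finding) pairs for settings to review.

    roles: dicts keyed by the property names on this page (assumed export shape).
    block_exec: value of [Security]BlockExec in the INI file the runtime uses.
    """
    findings, groups = set(), {}
    for role in roles:
        name = role.get("Role Name", "")
        if not role.get("Allow RPC", "").strip():
            findings.add((name, "Allow RPC blank: defaults to FALSE with a compiler warning"))
        elif is_true(role, "Allow RPC"):
            findings.add((name, "MsgRPC and ServerRPC allowed"))
        if is_true(role, "Allow Exec"):
            state = "usable" if block_exec == 0 else "set, but [Security]BlockExec is not 0"
            findings.add((name, "Exec " + state))
        if is_true(role, "Manage Users"):
            findings.add((name, "can manage users and change their passwords"))
        if role.get("Kernel Access", "").strip().lower() == "full access":
            findings.add((name, "full Kernel access"))
        for field, limit in LIMITS.items():
            if len(role.get(field, "")) > limit:
                findings.add((name, f"{field} longer than {limit} characters"))
        # Group names compared case-insensitively (an assumption of this example).
        group = role.get("Windows Group", "").strip().casefold()
        if group:
            groups.setdefault(group, []).append(name)
    for names in groups.values():
        if len(names) > 1:                    # duplicated groups are not supported
            findings.update((n, "duplicate Windows Group") for n in names)
    if sum(len(n) for n in groups.values()) > MAX_GROUP_ROLES:
        findings.add(("*", "more than 1024 roles use Windows groups"))
    return sorted(findings)

# Constructed role records for illustration.
SAMPLE_ROLES = [
    {"Role Name": "Engineer", "Allow RPC": "TRUE", "Allow Exec": "TRUE",
     "Manage Users": "TRUE", "Kernel Access": "Full Access", "Privileges": "1..8"},
    {"Role Name": "Operator", "Windows Group": "PlantOperators", "Privileges": "1,2"},
    {"Role Name": "Shift", "Windows Group": "plantoperators", "Allow RPC": "FALSE",
     "Kernel Access": "Read Only"},
]
```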

See Also

Runtime System Security

Users
