About security groups

Every object in the Galaxy belongs to only one security group. You can create and manage security groups that make sense for your organization. These security groups are mapped to roles on the Roles page.

Permissions determine what kind of access users have for each attribute. There are five basic operational permissions:

• Acknowledge alarms

• Change the value of attributes with security mode Configure

• Change the value of attributes with security mode Operate; this includes also security modes Secured Write and Verified Write

• Change the value of attributes with security mode Tune

• Confirm writes to attributes that require Verified Writes

By default, all currently used objects are assigned to a security group called Default.

A user who is a member of a role assigned to Security Role "Default" has permission to:

• Acknowledge alarms

• Change attribute values with "configure" security mode

• Change attribute values with "operate" security mode, including "secured write" and "verified write"

• Change attribute values with "tune" security mode

• Verify writes to Attributes with "verified write" security mode

For example, you want users in certain roles to only have permission to acknowledge alarms that are generated from objects contained in Area1. You have a role named Area1Acknowledgers. You need to:

1. Create a new Security Group, for example SecGrpArea001.

2. Assign all objects that are contained in area Area1 to Security Role SecRoleArea001.

3. On the Roles page, select the Area1Acknowledgers role. In the Operational Permissions the Security Group for SecGrpArea001, select Can Acknowledge Alarms.

4. Any user that belongs to the Area1Acknowledgers role can at least acknowledge alarms of objects contained in the security group SecGrpArea001. They do not have any other operational permissions for those objects.