About roles

You can create and manage user roles that apply to your organization’s processes and work-based authorities. A role defines a set of permissions. After defining roles, you assign roles to authorized users as needed to provide the users with the permissions that they need. A user can be given multiple roles.

Application Server automatically creates two roles called Administrator and Default and gives both roles full permissions to everything. When defining roles, first remove any permissions that are not needed by all users from the Default role because all configured users will be assigned to the Default role and you cannot remove the Default role from a user. For example, if the minimum set of permissions required by all users is the ability to acknowledge alarms and modify "Operate" attributes, remove all other permissions. Add new roles by selecting the + button above Roles available, then enter a name for the role and an access level.

You can specify General and Operational Permissions for each role.

• General permissions relate to application configuration and administration tasks within the IDE and the Operations Control Management Console (OCMC). By default, the Administrator and Default roles have all general permissions. Remove any unnecessary general permissions from the Default role. Leave only the permissions that are needed by all users.

  Note: You cannot remove any General permissions from the Administrator role. You can, however, remove Operational permissions.

  

• Operational permissions relate to the security groups listed on the Security Groups page. For each role, modify security group permissions as needed. The Administrator and Default roles initially are given all operational permissions for the Default Security Group. If you created any new security groups on the Security Groups page, the Administrator and Default roles are not automatically granted any permissions to these security groups. If you do not intend to have users with the Administrator role working with alarms or attributes at run time, you can limit operational permissions from the Administrator role.

  Operational permissions are defined as follows:

  • Can Acknowledge Alarms: Allows users to manually acknowledge an alarm in the run-time environment.

  • Can Shelve Alarms: Allows users to manually shelve and unshelve alarms.

  • Can Modify Alarm Modes: Allows users to modify the mode of an alarm.

  • Can Modify Plant States: Allows users to modify plant states for state-based alarming.

  • Can Verify Writes: Allows users to provide an authentication signature for attributes configured with Verified Writes security classification. Only users with this permission can verify a task performed by users with the Can Modify "Operate" Attributes permission.

  • Can Modify "Operate" Attributes: Allows users with operational permissions to do certain normal day-to-day tasks like changing setpoint, output and control mode for a PID object, or commanding a Discrete Device object.

  • Can Modify "Tune" Attributes: Allows users to tune the attribute in the run-time environment. Examples of tuning are attributes that adjust alarm setpoints and PID sensitivity.

  • Can Modify "Configure" Attributes: Allows users to configure the attribute’s value. Requires that the user first put the object Off scan. Writing to these attributes is considered a significant configuration change, for example, a PLC register that defines a Discrete Device input.

Once you have defined a role by setting operational permissions and general permissions, you can assign users to that role.