Configure User Accounts Appropriately
ClearSCADA's security feature can act as an effective security tool, helping to protect your system from being accessed by unauthorized users. But its effectiveness is dependent on the appropriate configuration of user accounts.
To access your system via a user account, a user needs to know the user name and password allocated to that user account. But the protection offered by user accounts does not end there: a user account can also be denied access to items and features by its own configuration and by the security settings of each database item (in addition to the system-wide security settings made at the server).
For more effective security, you should configure the settings for each user account so that they only provide the required access. Ideally, you should configure a user account so that it only allows the user of that account to access the features and items they need to perform their expected duties. For security purposes, the settings you should pay particular attention to are:
- Allows you to define whether the user can access ClearSCADA via ViewX, WebX and Pager/SMS (Phone).
- Allows you to associate a user account with one or more User Groups. The user account will have its own permissions plus those that are allocated to the User Group(s).
  With user accounts that are integrated with Windows or LDAP user accounts, a user's User Group membership is updated automatically at log in (for those ClearSCADA User Groups that are integrated with Windows domain groups or LDAP user groups).
- The Operational settings on the ViewX tab—You can use the check boxes to control which operator level features are available to the user.
- The Configuration settings on the ViewX tab—You can use the check boxes to control which configuration features are available to the user.
- The Alarm Banner/List settings on the ViewX tab—You can use the check boxes to control which alarm features are available to the user.
- The Explorer Bars settings on the ViewX tab—You can use the check boxes to control which Explorer Bars (navigation hierarchies, such as the Database Bar) are available to the user.
- The user-specific security settings that are on the Security tab (only available if the Allow per User option is enabled at the server, and the user accounts are managed directly in ClearSCADA, rather than via the
On systems on which the External Authentication feature is used, each ClearSCADA user account that is to be managed remotely using Active Directory or LDAP requires a corresponding Windows domain or LDAP user account. When Active Directory is used to manage the user accounts remotely, we recommend that the Windows domain user accounts are given minimal access rights on the ClearSCADA server (see Using External Authentication with ClearSCADA).
By configuring each user account so that it only has access to the features and items that are relevant to the user of that account, you help to protect your system from:
- Inappropriate changes made by users who are not trained in certain aspects of ClearSCADA. If a user can only access the features that are relevant to their role and which they have been trained to use, there is less chance of ClearSCADA being misused.
- Unauthorized access to high-level features via low-level user accounts. For example, let’s say your system has a high number of user accounts that are restricted to operational settings only. This means that even if an unauthorized user gains access via one of those accounts, the user is restricted from performing potentially damaging actions due to the configuration settings of the account.
Remember that on systems on which ClearSCADA is configured to Create users automatically from group membership, you configure the initial settings on the User Pattern Form, rather than the User Form.
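The following added example (not ClearSCADA code and not from the original page) shows one way to review accounts against the least-privilege guidance above, including the point that an account's effective rights are its own plus those of its User Groups. The record layout, role names, group names and rights labels are all constructed assumptions; they are not a ClearSCADA export format or API.

```python
"""Least-privilege review of user accounts (added example, constructed data).

Simplified model: each right is a label borrowed from the setting names on
this page. Effective rights = the account's own rights + its groups' rights.
"""

# Constructed baseline: what each job role is expected to need.
ROLE_BASELINE = {
    "operator": {"access:ViewX", "viewx:Operational", "viewx:Alarm Banner/List"},
    "engineer": {"access:ViewX", "access:WebX", "viewx:Operational",
                 "viewx:Configuration", "viewx:Explorer Bars",
                 "viewx:Alarm Banner/List"},
}

# Constructed User Groups and the rights each one allocates to its members.
GROUPS = {
    "ControlRoom": {"viewx:Operational", "viewx:Alarm Banner/List"},
    "Maintenance": {"viewx:Configuration", "viewx:Explorer Bars"},
}

# Constructed accounts: intended role, own settings, group membership.
ACCOUNTS = [
    {"name": "op_day", "role": "operator",
     "own": {"access:ViewX"}, "groups": ["ControlRoom"]},
    {"name": "op_night", "role": "operator",
     "own": {"access:ViewX", "access:WebX"},
     "groups": ["ControlRoom", "Maintenance"]},
    {"name": "eng_1", "role": "engineer",
     "own": {"access:ViewX", "viewx:Configuration"}, "groups": ["Maintenance"]},
    {"name": "temp", "role": "contractor", "own": {"access:ViewX"}, "groups": []},
]

def effective_rights(account, groups=GROUPS):
    """Union of the account's own rights and those of every group it is in."""
    rights = set(account["own"])
    for group in account["groups"]:
        rights |= groups.get(group, set())
    return rights

def audit(accounts, baseline=ROLE_BASELINE, groups=GROUPS):
    """Return {account name: sorted rights to review}; compliant accounts omitted."""
    findings = {}
    for account in accounts:
        rights = effective_rights(account, groups)
        allowed = baseline.get(account["role"])
        # A role with no baseline cannot be justified, so review every right.
        excess = rights if allowed is None else rights - allowed
        if excess:
            findings[account["name"]] = sorted(excess)
    return findings
```

Here `op_night` is flagged because its group membership adds configuration rights that its own settings do not show, and `temp` is flagged because its role has no defined baseline.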