Removing Permissions from a User Group or User Account
To control access to an item's features and data, you allocate permissions to the various User Groups on your system (see Allocating Permissions to a User Group or User Account). You allocate permissions via the Security window.
To reduce the time taken to manage user permissions, we recommend that you allocate security permissions to User Groups, rather than to individual User accounts. (The Users that are 'members' of a User Group inherit their security permissions from those User Group(s).)
This is particularly a requirement on systems that Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts. On such systems, ClearSCADA automatically updates a user's User Group membership each time the user logs on. (This automatic update only applies to User Groups that are integrated with Windows domain groups or LDAP user groups.) As such, the security permissions that are assigned to the user get updated automatically in line with any changes in User Group membership.
Depending on your system requirements, you may need to remove some User Groups or individual User accounts from the permissions for certain database items. For example, if you want to stop some items from being viewed via the Guest user account on a WebX client, you need to remove the Web user from the security settings for the database items.
(Remember that for those User accounts that are integrated with Windows or LDAP user accounts, a User's User Group membership is managed remotely, outside of ClearSCADA. On such a system, providing that the User Groups are integrated with Windows domain groups or LDAP user groups, a User's membership of those User Groups updates automatically at log on. Each User account automatically inherits the security permissions of the User Groups of which it is a member. You do, however, still have to manage the actual allocation of security permissions for those User Groups directly in ClearSCADA.)
SECURITY THREAT
Removing permissions from a User Group
To remove permissions from a User Group (or individual User account):
- Display the Database Bar (see Display an Explorer Bar).
- In the Database bar, right-click on the database item for which you want to define the security settings.
  A context-sensitive menu is displayed.
- Select the Edit Security option to display the Security window.
- Select the User Group (or individual User account) for which you want to remove the security permissions from the list on the Security window.
- Select the Remove button.
  The User Group or User account is removed from the list. The User Group or User account will now have no access to the selected database item.
- Select the OK button on the Security window to confirm your selections.
If you remove the permissions for a User account, that User account will still be able to access the item if it is part of a User Group that has access permissions. This applies to every User Group, including the default 'Everyone' User Group. For example, if the 'Everyone' User Group provides access to a point, every user account (apart from the Guest user) will have access to the point, even if you have removed the individual user accounts from the point's security settings. To deny access to an item, you need to remove the 'Everyone' User Group from its security settings.
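The following added example (not part of the original documentation and not the ClearSCADA API) models the inheritance rule above, so that you can check which accounts still reach an item after entries are removed from its security settings. The account, group and item names, and the function names, are constructed for illustration.

```python
# Simplified model of the inheritance rule described above. This is not the
# ClearSCADA API; all account, group and function names are constructed.
EVERYONE = "Everyone"
GUEST = "Guest"

def granting_entries(user, item_acl, memberships):
    """Return the entries in an item's security settings that give `user` access.

    item_acl    -- set of User Group / User account names listed on the item
    memberships -- dict mapping user name -> set of User Group names
    """
    principals = {user} | memberships.get(user, set())
    # Per the page, 'Everyone' covers every user account except Guest.
    if user != GUEST:
        principals.add(EVERYONE)
    return sorted(principals & item_acl)

def remove_entry(item_acl, principal):
    """Model the Remove button: drop one entry from the item's list."""
    return item_acl - {principal}

def still_has_access(item_acl, memberships):
    """Map each user who can still reach the item to the entries responsible."""
    report = {}
    for user in memberships:
        entries = granting_entries(user, item_acl, memberships)
        if entries:
            report[user] = entries
    return report

# Constructed sample data
MEMBERSHIPS = {"alice": {"Operators"}, "bob": {"Engineers"}, GUEST: set()}
POINT_ACL = {"alice", "bob", "Operators", EVERYONE}

def demo():
    # Remove the individual accounts only, then remove 'Everyone' as well.
    acl = remove_entry(remove_entry(POINT_ACL, "alice"), "bob")
    before = still_has_access(acl, MEMBERSHIPS)
    after = still_has_access(remove_entry(acl, EVERYONE), MEMBERSHIPS)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("Everyone listed", "Everyone removed"), demo()):
        print(label, result)
```

With 'Everyone' still listed, both accounts keep access although their own entries were removed; once 'Everyone' is removed, only the account that belongs to a listed User Group retains it.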
When you change permissions, certain menu options will remain visible to users even if they do not have the permissions to use them. If the users attempt to use such options, an Access Denied message box is displayed. If the users log off and then log on again, those options to which they do not have access will no longer be displayed.