Allocating Permissions to a User Group or User Account

To control access to an item's features and data, you allocate permissions to the various User Groups on your system. If need be, you can also allocate permissions to individual User accounts, so that those permissions apply in addition to the permissions allocated to the User Groups of which the user is a member. You allocate permissions via the Security window.

To reduce the time taken to manage user permissions, we recommend that you allocate security permissions to User Groups, rather than to individual User accounts. (The Users that are 'members' of a User Group inherit their security permissions from those User Group(s).)

This is particularly a requirement on systems that Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts. On such systems, ClearSCADA automatically updates a user's User Group membership each time the user logs on. (This automatic update only applies to User Groups that are integrated with Windows domain groups or LDAP user groups.) As such, the security permissions that are assigned to the user get updated automatically in line with any changes in User Group membership.

Allocating permissions to a User Group

To allocate permissions to a User Group (or directly to a User account if need be):

  1. Display the Database Bar (see Display an Explorer Bar).
  2. In the Database bar, right-click on the database item for which you want to define the security settings. The permissions you allocate to the User Group or User account define which features for the selected database item are available for the User Group or individual User. (Remember that the permissions that you allocate to a User Group are also inherited by the User accounts that are a member of that User Group. The User accounts inherit the security permissions of all User Groups of which they are a member.)
    A context-sensitive menu is displayed.
  3. Select the Edit Security option to display the Security window.

    On a new system, the built-in Guest User account and Everyone User Group are both inactive and are not assigned any security permissions, so as not to provide access to the database. No other User accounts or User Groups exist on an installation that has a blank database. On such a system, you have to initially log on to ClearSCADA using the Super User account and set up the User accounts and User Groups that you require (and User Patterns, if applicable).

    If the User Group (or individual User account ) for which you want to allocate permissions is already listed on the Security window, proceed to step 7.

    If the User Group (or individual User account) is not listed on the Security window, proceed to step 4.

  4. Select the Add button to display the Add Permission window.

  5. Select the User Group that you want to add to the list on the Security window. Go to step 7.
  6. If you want to add an individual User account to the list rather than a User Group, select the Display Users check box, then select the required User account.

    To reduce the time taken to manage user permissions, we recommend that you allocate security permissions to User Groups, rather than to individual User accounts. (The Users that are 'members' of a User Group inherit their security permissions from those User Group(s).)

    This is particularly a requirement on systems that Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts. On such systems, ClearSCADA automatically updates a user's User Group membership each time the user logs on. (This automatic update only applies to User Groups that are integrated with Windows domain groups or LDAP user groups.) As such, the security permissions that are assigned to the user get updated automatically in line with any changes in User Group membership.

    When you display the Add Permission window, the Guest user and WebX user are listed automatically. These are Built-In User Accounts. The Guest user is for ViewX users and third-party applications that access the database without logging on. The WebX user is for users who access the database from Original WebX without logging on.

  7. Select the OK button to confirm your choice and close the Add Permission window.
    The selected User Group or individual User account is added to the list on the Security window.
  8. Select the User Group (or individual User account) for which you want to configure the security permissions from the list on the Security window.
    The Permissions check boxes indicate which permissions are currently in place for the selected User Group or User account.
  9. Define the permissions settings (see Permissions for Database Items):
    • Select the check boxes for the permissions that you want to allocate to the User Group or individual User account.
    • Clear the check boxes for those permissions that you do not want to be allocated to the User Group or individual User account.

    The permissions shown in the Security window vary, according to whether any permissions have been denied.

    NOTICE

    SECURITY THREAT

    On systems on which ClearSCADA can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
    Failure to follow these instructions can result in equipment damage.
  10. Repeat this procedure for each User Group (or individual User account) as required.
  11. Select the OK button on the Security window to confirm your selections.

When you change permissions, certain menu options will remain visible to users even if they do not have the permissions to use them. If the users attempt to use such options, an Access Denied message box is displayed. If the users log off and then log on again, those options to which they do not have access will no longer be displayed.

Further Information

Organize your Users and User Groups.


Disclaimer

ClearSCADA 2017 R3