Removing Permissions from a User Group or User Account

To control access to an item's features and data, you allocate permissions to the various User Groups on your system (see Allocating Permissions to a User Group or User Account). You allocate permissions via the Security window.

To reduce the time taken to manage user permissions, we recommend that you allocate security permissions to User Groups, rather than to individual User accounts. (Users that are 'members' of one or more User Groups inherit their security permissions from those User Groups.)

This is particularly a requirement on systems that Integrate Geo SCADA Expert User Accounts with Active Directory or LDAP User Accounts. On such systems, Geo SCADA Expert automatically updates a user's User Group membership each time the user logs on. (This automatic update only applies to User Groups that are integrated with Windows domain groups or LDAP user groups.) As such, the security permissions that are assigned to the user get updated automatically in line with any changes in User Group membership.

Depending on your system requirements, you may need to remove some User Groups or individual User accounts from the permissions for certain database items. For example, if you want to stop some items from being viewed via the Guest user account on an Original WebX client, you need to remove the Web user from the security settings for the database items.

(Remember that for those User accounts that are integrated with Windows or LDAP user accounts, a User's User Group membership is managed remotely, outside of Geo SCADA Expert. On such a system, providing that the User Groups are integrated with Windows domain groups or LDAP user groups, a User's membership of those User Groups updates automatically at log on. Each User account automatically inherits the security permissions of the User Groups of which it is a member. You do, however, still have to manage the actual allocation of security permissions for those User Groups directly in Geo SCADA Expert.)

NOTICE

SECURITY THREAT

On systems on which Geo SCADA Expert can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.

NOTICE

SECURITY THREAT

On systems on which the 'Everyone' User Group is enabled, all User Accounts on the system automatically inherit the security permissions that are assigned to the 'Everyone' User Group, including the Guest user (which does not require a logon). Each user's security permissions comprise: Everyone permissions + User Group permissions + User Account permissions. To help avoid providing all users with unintended access to features and functionality that should be restricted, use configured User Groups rather than the 'Everyone' User Group. If the 'Everyone' User Group has to be used, it MUST be assigned the minimum permissions required, with access restricted where possible to just the relevant parts of the database. (On new installations, the built-in 'Everyone' User Group is inactive and is not assigned any security permissions by default.)
Failure to follow these instructions can result in equipment damage and a breach in system security.

Removing permissions from a User Group

To remove permissions from a User Group (or individual User account):

  1. Display the Database Bar (see Display an Explorer Bar).
  2. In the Database Bar, right-click on the database item for which you want to define the security settings.
    A context-sensitive menu is displayed.
  3. Select the Edit Security option to display the Security window.
  4. Select the User Group (or individual User account) for which you want to remove the security permissions from the list on the Security window.
  5. Select the Remove button.
    The User Group or User account is removed from the list. The User Group or User account will now have no access to the selected database item.
  6. Select the OK button on the Security window to confirm your selections.
  7. If you remove the permissions for a User account, that User account will still be able to access the item if it is part of a User Group that has access permissions. This applies to every User Group, including the built-in 'Everyone' User Group. For example, if the 'Everyone' User Group provides access to a point, every user account (apart from the Guest user) will have access to the point, even if you have removed the individual user accounts from the point's security settings. To deny access to an item, you need to remove the 'Everyone' User Group from its security settings.

    When you change permissions, certain menu options will remain visible to users even if they do not have the permissions to use them. If the users attempt to use such options, an Access Denied message box is displayed. If the users log off and then log on again, those options to which they do not have access will no longer be displayed.
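The additive rule described above (Everyone permissions + User Group permissions + User Account permissions) and the caveat in step 7, modelled as an added example that is not part of the Geo SCADA Expert documentation or its API. The class, user, group and item names and the permission labels are constructed for illustration; the model reports which security entries still grant a permission after each removal.

```python
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # built-in User Group named on this page


@dataclass
class SecurityModel:
    """Hypothetical model: effective = Everyone + User Group + User Account."""
    everyone_enabled: bool = False                    # inactive on new installations
    memberships: dict = field(default_factory=dict)   # user -> set of User Groups
    acls: dict = field(default_factory=dict)          # item -> {entry: permissions}

    def entries_for(self, user):
        """Names of the security entries that apply to this user."""
        names = {user} | set(self.memberships.get(user, ()))
        if self.everyone_enabled:
            names.add(EVERYONE)
        return names

    def grants(self, user, item, permission):
        """Sorted entries on `item` that still give `user` the permission."""
        acl = self.acls.get(item, {})
        return sorted(e for e in self.entries_for(user)
                      if permission in acl.get(e, ()))

    def remove(self, item, entry):
        """Model of selecting an entry in the Security window and removing it."""
        self.acls.get(item, {}).pop(entry, None)


def build_sample():
    """Constructed sample data; names and permission labels are illustrative."""
    return SecurityModel(
        everyone_enabled=True,
        memberships={"alice": {"Operators"}},
        acls={"Site1.Pump1": {"alice": {"Read", "Control"},
                              "Operators": {"Read", "Control"},
                              EVERYONE: {"Read"}}},
    )


if __name__ == "__main__":
    model, item = build_sample(), "Site1.Pump1"
    for entry in ("alice", "Operators", EVERYONE):
        model.remove(item, entry)
        print(f"after removing {entry!r}:",
              {p: model.grants("alice", item, p) for p in ("Read", "Control")})
```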


Geo SCADA Expert 2020