Working with the Security Window

When you have displayed the Security window for an item (see Accessing the Security Window for a Database Item), you can use the following settings to define the security features for the selected item:

Object

At the very top of the Security window, the name of the database item to which the security settings apply is displayed. For example, on the Root Group, the name is $Root (the system root).

Inherit Permissions from Parent

This check box is selected by default on new database items. When selected, it means that the ACL for the database item is removed, forcing the database item to use the security permissions that are allocated to its parent Group (the Group that contains the item, which may be the System or Root group). If you want the database item to have its own security settings and not inherit those of the parent group, you need to clear this check box. Clearing the check box makes the permission check boxes at the bottom of the Security window become available for use. You can use the Permission check boxes to define the ACL for the database item.

Remove Explicit Permissions on Descendants

This check box is only available on Group items and it allows you to specify whether the ACLs of the items in the Group are deleted and replaced with the same permissions that you configure for the Group.

If you select the check box, the items in the Group have their ACLs deleted, which forces them to inherit the ACL of the Group.

If you clear the check box, the item's 'children' will retain their individual ACLs and may not inherit the security settings of the Group.

User Groups and User Accounts

Below the Remove Explicit Permissions on Descendants check box is a display area that shows the user accounts and User Groups that have permissions to access the selected item. The display shows the ACL—the name of the user account or User Group, the location of the account or User Group in the database, and its permissions.

If you select one of the user accounts or User Groups, you will see that the Permissions check boxes at the bottom of the Security window change to show which permissions have been allocated to the account or User Group.

To reduce the time taken to manage user permissions, we recommend that you allocate security permissions to User Groups, rather than to individual User accounts. (The Users that are 'members' of a User Group inherit their security permissions from those User Group(s).)

This is particularly important on systems that Integrate Geo SCADA Expert User Accounts with Active Directory or LDAP User Accounts. On such systems, Geo SCADA Expert automatically updates a user's User Group membership each time the user logs on. (This automatic update only applies to User Groups that are integrated with Windows domain groups or LDAP user groups.) As a result, the security permissions that are assigned to the user are updated automatically in line with any changes in User Group membership.

NOTICE

Security threat

On systems on which the 'Everyone' User Group is enabled, all User Accounts on the system automatically inherit the security permissions that are assigned to the 'Everyone' User Group, including the Guest user (which does not require a logon). Each user's security permissions comprise: Everyone permissions + User Group permissions + User Account permissions. To help avoid providing all users with unintended access to features and functionality that should be restricted, use configured User Groups rather than the 'Everyone' User Group. If the 'Everyone' User Group has to be used, it MUST be assigned the minimum permissions required, with access restricted where possible to just the relevant parts of the database. (On new installations, the built-in 'Everyone' User Group is inactive and is not assigned any security permissions by default.)
Failure to follow these instructions can result in equipment damage and a breach in system security.

Permissions

The Permissions check boxes show which of the database item's features are available for the selected User or User Group.

The availability of the permissions shown is dependent on the Permission Restrictions settings (see Define whether any Permissions are Restricted). By default, the Unacknowledge Alarms and Assign Alarm Responsibility permissions are restricted and so are not available.

The selected check boxes indicate the permissions that have been allocated; the blank check boxes indicate the permissions that the user account or User Group has not been allocated.

When you add a User or User Group in the Security Window the View, Browse and View Alarms permissions are selected by default.

NOTICE

SECURITY THREAT

On systems on which Geo SCADA Expert can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.

Each user account has the permissions for the 'Everyone' User Group, the User Groups of which the account is a member, and the permissions allocated to the user account itself. The only exception to this rule is the Guest user account which is not a member of the Everyone User Group.
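The following model, added here as an illustration and not part of the Geo SCADA Expert product or its API, ties together the behaviour described in the sections above: "Inherit Permissions from Parent" (an item with no ACL of its own uses the nearest ancestor's ACL), "Remove Explicit Permissions on Descendants" (the Group deletes the ACLs below it), and the rule that a user's permissions are Everyone permissions + User Group permissions + User Account permissions. It also includes an audit routine that flags any item whose own ACL grants the 'Everyone' User Group more than the default View, Browse and View Alarms set, which is the check the NOTICE above calls for. The permission names Control and Shutdown Server, the item names ($Root aside) and the principals are constructed for the example; whether Guest is treated as a member of Everyone is left to the caller, since it is expressed as group membership on the User.

```python
"""Model of the ACL behaviour described on this page: inheritance from the parent
Group, "Remove Explicit Permissions on Descendants", and effective permissions
built from Everyone + User Group + User Account grants.
Constructed example; it does not use the Geo SCADA Expert API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# View, Browse and View Alarms are named on this page; Control and
# Shutdown Server are assumed permission names used only for illustration.
VIEW, BROWSE, VIEW_ALARMS = "View", "Browse", "View Alarms"
CONTROL, SHUTDOWN = "Control", "Shutdown Server"
DEFAULT_GRANT: Set[str] = {VIEW, BROWSE, VIEW_ALARMS}  # default for a newly added principal
EVERYONE = "Everyone"

ACL = Dict[str, Set[str]]  # principal name -> permissions granted on the item


@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    acl: Optional[ACL] = None  # None means "Inherit Permissions from Parent" is selected
    children: List["Item"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def effective_acl(self) -> ACL:
        """Walk up the tree until an item with its own ACL is found ($Root always has one here)."""
        node = self
        while node.acl is None and node.parent is not None:
            node = node.parent
        return node.acl or {}

    def set_explicit_acl(self, acl: ACL) -> None:
        """Clear 'Inherit Permissions from Parent' and give the item an ACL of its own."""
        self.acl = {principal: set(perms) for principal, perms in acl.items()}

    def remove_explicit_permissions_on_descendants(self) -> int:
        """Delete the ACL of every item below this Group so they inherit from it; returns the count."""
        removed = 0
        for child in self.children:
            if child.acl is not None:
                child.acl = None
                removed += 1
            removed += child.remove_explicit_permissions_on_descendants()
        return removed


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)  # include EVERYONE when that group applies to the account


def effective_permissions(item: Item, user: User) -> Set[str]:
    """Everyone permissions + User Group permissions + User Account permissions on the item."""
    acl = item.effective_acl()
    perms: Set[str] = set(acl.get(user.name, set()))
    for group in user.groups:
        perms |= acl.get(group, set())
    return perms


def audit_everyone(item: Item, minimum: Set[str] = DEFAULT_GRANT) -> List[Tuple[str, Set[str]]]:
    """List items whose own ACL grants 'Everyone' anything beyond the minimum set."""
    findings: List[Tuple[str, Set[str]]] = []
    if item.acl is not None:
        excess = item.acl.get(EVERYONE, set()) - minimum
        if excess:
            findings.append((item.name, excess))
    for child in item.children:
        findings.extend(audit_everyone(child, minimum))
    return findings


def build_demo() -> Item:
    """Constructed database: $Root with an Operators grant, a Plant Group that inherits,
    and a pump item whose explicit ACL gives 'Everyone' an over-broad grant."""
    root = Item("$Root", acl={"Operators": {VIEW, BROWSE, VIEW_ALARMS, CONTROL}})
    plant = Item("Plant", root)  # no ACL of its own: inherits from $Root
    pump = Item("Plant.Pump1", plant)
    pump.set_explicit_acl({EVERYONE: {VIEW, BROWSE, VIEW_ALARMS, SHUTDOWN}, "Operators": DEFAULT_GRANT})
    return root


if __name__ == "__main__":
    root = build_demo()
    pump = root.children[0].children[0]
    guest = User("Guest", {EVERYONE})
    print("Guest on pump before:", sorted(effective_permissions(pump, guest)))
    print("Audit findings:", audit_everyone(root))
    root.remove_explicit_permissions_on_descendants()
    print("Guest on pump after: ", sorted(effective_permissions(pump, guest)))
```

Running the script shows the Everyone grant on the pump reaching a Guest account, the audit reporting that item, and the grant disappearing once the root Group's "Remove Explicit Permissions on Descendants" deletes the pump's ACL and it inherits from $Root again. The same walk is what you would perform over a real database export when checking that 'Everyone' holds only the minimum permissions required.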

Select All / Deselect All

These two buttons allow you to select or deselect all the permissions.

For more information on the individual permissions, see Permissions for Database Items.

Add

Use this button to display the Add Permissions window. You can use the Add Permissions window to add a user or User Group to the ACL. When a user account or User Group is shown on the Security window, you can allocate its permissions.

By default, when you add a new User Account or User Group to the ACL the permission settings are Read, Browse and View Alarms, equivalent to a Guest operator, as shown below.

Remove

Use this button to remove a user account or User Group from the ACL. When you remove a user or User Group from the ACL, that user or User Group will no longer have access to the selected item (unless it is a member of a User Group that remains in the list).

Further Information

Organize your Users and User Groups.



Geo SCADA Expert 2020