Chapter 24 Security
TABLE OF CONTENTS
Chapter 24 Security
24.1 General Information
24.1.1 Objectives
24.1.2 Legend
24.1.3 Reference Documentation
24.2 Overview
24.2.1 Domain versus Workgroup
24.2.2 800xA Security Model
24.3 Windows Security
24.3.1 Group Policy
24.3.2 Organizational Units
24.3.3 Windows Security Groups
24.3.4 Default Windows Security Groups
24.4 System 800xA User Handling
24.4.1 Windows Groups and 800xA User Groups
24.4.2 Default 800xA User Groups
24.4.3 Adding Individual Windows Users
24.4.4 Associating Groups
24.5 User Roles
24.5.1 User Structure
24.5.2 Example Audit Lists
24.5.3 Indexes Linked to User Roles
24.5.4 User Role Mapping
24.6 Permissions
24.6.1 Main Default Permissions
24.6.2 Operations Linked to Permissions
24.6.3 Required Permission Mapping
24.7 Security Definition Aspects
24.7.1 Evaluation Order
24.7.2 Changing Security Settings
24.7.3 Granted Permissions View
24.8 Log Over
24.8.1 Overview and Operation
24.8.2 Log Over Configuration
24.9 Security Reports
24.9.1 How to Create a Report
Chapter 24 - 1
24.1.2 Legend
>
Italic
Bold
3BSE037410
3BSE036904
3BSE030322
3BSE034463
2PAA101888
24.2 Overview
Security configuration can be used to change what a particular user can do such as
gaining access to files, controlling a process, or configuring security itself. There are
also ways to control what can be seen in the 800xA application or even on the desktop
of a computer.
The first rule of security configuration is:
Don't make it any more complex than it needs to be to accomplish the needs of
the system!
NOTE!
The aspect object that the user wants to perform the operation on
The node where the user is logged in (e.g. close to the process equipment)
Audit trail
Log over
Closely related to security are user roles. Roles adapt the user
interface for different types of users, i.e. user groups. Some operations require an
application engineer or system engineer role to be performed.
NOTE!
However, having the correct user role does not give the user the permission to perform
the operation. The permission is completely controlled by the security configuration of
the system.
NOTE!
For instance, if a user is a member of five user groups and four of them allow the
permission but in the fifth group this permission is set to deny, the permission for that
source is denied in the whole system. (It is recommended to use Not Allow for a feature
in preference to Deny.)
Organizational Units (called OUs) are objects created within the Windows Active
Directory to simplify centralized security management.
IndustrialITUser
This group is intended to contain all the users of the system. Any user accounts
that are not in this group will not work in System 800xA.
IndustrialITAdmin
All users in this group have administrative privileges in System 800xA.
System 800xA refers to these groups in the Configuration Wizard under System
Software User Settings. The Configuration Wizard can be found under:
Start > Programs > ABB IndustrialIT 800xA > System > Configuration Wizard
One user account must be reserved for use by 800xA system services. This service
account will NOT be used for installation, administration, configuration, or any other
system-related procedures.
[Figure: Windows Environment; labels: Group, User Group, User account (operator), User account (engineer), User account (administrator)]
It is recommended that the tree structure of the Windows Groups and 800xA User Groups
map the plant roles and plant areas, as shown below.
In many cases there will be different operators for different parts of the process. They
may need access to only part of the controls and need to have restrictions for other
parts.
In this case, Windows Security Groups could be created such as IndITOperatorA and
IndITOperatorB or some other descriptive name. These Windows Groups can then be
mapped to 800xA User Groups such as OperatorsA and OperatorsB. That way,
different permissions could be given to each group.
Operators
Control the process and acknowledge alarms, but do not tune or configure
Application Engineers
Tune the process and make all application configurations
Administrators
A group with the security system disabled, i.e. a member of this group has full
access to everything.
System Engineers
Handle the physical configuration, such as server configurations, adding users, and
setting up security.
NOTE!
New 800xA User Groups can be created in the User Structure as well. This would be
appropriate if there are several kinds of operators for example. Keep in mind the first
principle of security: Only make security configuration as complex as it needs to be to
do the job. Don't unnecessarily complicate it.
1. Start the Configuration Wizard, select System Administration and click Next.
2. Select Users and click Next.
3. Click Add Windows Account. Select the desired user/users (one at a time)
and click Add.
4. Then assign the user to one or more of the 800xA User Groups.
The properties of the 800xA User Groups can be set by clicking on the group and
selecting the User Group Definition aspect. On the User Group Configuration tab,
the 800xA User Group can be associated with a Windows Group.
NOTE!
Once the Windows and 800xA user groups are associated, new Windows users can be
added to the Windows Groups that have been associated. On the Members tab there
is a button to synchronize the groups, and this will cause the added Windows users to
show up in System 800xA without having to run the Configuration Wizard.
Occupying one of the default roles does not mean that the 800xA user unconditionally
has permission to perform a task:
Operator role
Permissions are defined by the Security Definition aspects and Windows user identity
only.
While the same context menu for the list under an Administrator account looks this
way:
The role a user has is set per User Group and defines what user interfaces he/she will
have.
[Figure: role maps for Object Type and Aspect Category, each listing Index 1, Index 2 ... Index n with their User Roles; User Groups with their User Roles; user Mr X and a Maintenance Aspect]
Mr. X logs on as a user and gets user roles from the 800xA User Groups.
If we examine the role definitions for existing aspects we can view (and modify) what
capabilities each role provides for that aspect. Granted user roles are checked against
the role map.
[Figure label: Aspect Category or Object Type]
A blank in the user role column indicates that all roles can do the operation. If Read
rights were removed we would not even be able to see the aspect when logged in as a
user with that role.
NOTE!
24.6 Permissions
Permissions, on the other hand, are defined for aspect objects and grant certain
rights (such as read, operate, configure) to a user. This, in effect, defines what a
user can DO to an object.
A user or group is allowed or denied access to an object based on the Granted
Permission compared to the Required Permission:
Required permission
Required permission is given per Aspect Category, and defines the permission
necessary to perform an operation like Read or Modify of aspects in the category.
Granted permission
Defines the permission for a user or group on the complete system, on a structure
or on an object.
Configure
Operate
Tune
Shutdown
[Figure labels: Aspect Category or Object Type. To acknowledge an alarm, an OPERATE permission is required.]
For an OPC server, the required permission is set per property. Set Read/Write
permissions in the Control Module, Function Block or Control Connection aspect.
The Permissions tab specifies the default permissions for the entire system:
A Security Definition aspect, by default, applies to every object below it in the tree. If
no Security Definition aspect exists for an object, the parent objects will be checked
and so on up the tree. If no security definition is found for the object or a parent
object, the default Security Definition aspect is applied.
Milko Chemical
Solid Processing
Liquid Processing
Permissions
Authority Range
Search Option
Double-click on the user or add a new permission configuration. This will open a
Permissions dialog in which you can define the various permissions to be associated
with that object.
Select the operations for which you want to grant or deny access. Then select the
800xA Users or Groups to which the permission will apply. Finally, select which
specific node, if any, the operator must be logged on to for the security definition to
apply.
In this example, OperatorX has been allowed to operate the object Production_Plant
from all the nodes.
Next you should define the Authority Range from the list:
When an object is accessed by a user, and the Search Order is set to Continue
Search, the system goes into every structure where the object is present. The search
will go on according to the order in the Evaluation Search Order (as defined in the
default Security Definition aspect) list from top to bottom.
When a Security Definition aspect is found that gives security information about the
user, the search stops and the permissions configuration for that user is applied.
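The lookup rules in this section (a Security Definition applies to everything below it, parents are checked when an object has none, the search stops at the first definition that says something about the user, and the default definition is the fall-back) can be modelled to audit a planned configuration. This is an added example, not ABB code and not part of the course material. It covers a single structure, assumes that a deny outranks an allow inside the definition that is applied, and uses constructed entries and the constructed object names Area_B and Valve_1.

```python
# Simplified model of the evaluation rules stated in this chapter (assumption:
# one structure only; deny outranks allow within the applied definition).
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    # Security Definition aspect as (user_or_group, permission, "allow"|"deny")
    # entries; None means the object has no Security Definition aspect.
    secdef: "list | None" = None

def applicable_definition(obj, principals, default):
    """Walk from the object towards the root and return the first Security
    Definition that mentions one of the user's principals, else the default."""
    node = obj
    while node is not None:
        if node.secdef and any(who in principals for who, _, _ in node.secdef):
            return node.name, node.secdef
        node = node.parent
    return "default", default

def is_granted(obj, principals, required, default):
    """Compare the granted permissions with the required permission.
    Returns (name of the definition applied, True if access is granted)."""
    source, entries = applicable_definition(obj, principals, default)
    verdicts = {v for who, perm, v in entries
                if who in principals and perm == required}
    return source, ("allow" in verdicts and "deny" not in verdicts)

# Constructed sample configuration.
DEFAULT = [("Operators", "Read", "allow")]
plant = Node("Production_Plant",
             secdef=[("Application Engineers", "Tune", "allow")])
area = Node("Area_B", parent=plant,
            secdef=[("OperatorsA", "Operate", "allow"),
                    ("OperatorsB", "Operate", "deny")])
valve = Node("Valve_1", parent=area)  # inherits, no definition of its own

if __name__ == "__main__":
    for groups, perm in [({"OperatorsA"}, "Operate"),
                         ({"OperatorsA", "OperatorsB"}, "Operate"),
                         ({"Application Engineers"}, "Tune"),
                         ({"Operators"}, "Operate")]:
        print(sorted(groups), perm, is_granted(valve, groups, perm, DEFAULT))
```

The second case is the one to look for when reviewing group membership: a user in both operator groups loses Operate on Valve_1 because of the single deny entry.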
Select the User Group and optionally the individual user (member).
NOTE!
Windows security is still the same as the user logged in. This means that
the access to files is still controlled by the user logged in.
To return to the first user, right-click on the user name again and select Revert To...
The revert user operation requires authentication in order to change back to the
original user.
It is also possible to configure an inactive user, who is a user that the system
automatically will revert to after a certain amount of inactive time. This could be a
user with limited permission (read only).
Select which user should be the inactive user and enter the password. Set the time for
automatic revert to inactive user in the Revert to Inactivity field.
If we have a more complex need for access to controls, and we have configured
additional Security Definition aspects, it will be necessary to check the permissions of
an object in each structure. We also have to be aware that parent objects affect the
determination of rights. This evaluation can be complex and time consuming.
NOTE!
By evaluating this report, we can assess whether or not we have conflicts. This report
also provides a way of entering our security configuration again if it is lost. The
Security report can be printed, but we can also select all the text and copy it to Word,
Wordpad or some other text editor. This would allow us to do searches on an object
name and find all the instances to compare the security settings.