
Experion PKS/PMD

PMD/PlantScape Server
PMD Users and security
Overview

• When the automation system is based on open data communication
networks, its data security must be attended to separately. Temporary
remote connections to the customer system, for example, are
established through the open data communication network.

• One purpose of security is to set clear boundaries between
departments and to prevent direct operation across departments.
Security is also used to define separately the users who have the right
to operate across departments.

• Security allows you to restrict users’ ability to affect the process.
For example, you can restrict the user’s ability to change tuning
parameters.

• By means of security, clear user roles and rules can be created for the
system.
Pulp, Paper, and Printing
14-05-03 2
Targets to be secured

• Computer security (login to Windows, clearing the desktop, clearing
the Start menu)

• Net device security (routers, switches, etc.)

• Data security (pin data)

• Display security

• Directory security

Users

Other users

• PlantScape
– The setup creates the following users:
• ps_user
• mngr
• engr
• oper
– The PMD setup does not change these users, and no changes are needed
because PlantScape users are not within the scope of PMDSecurity.
– Limit the use to the minimum.

• Other Windows users
– Local operating system administrators are not within the scope of
PMDSecurity.
– Limit the use to the minimum.

Formation of user names

• User management requirements set by the workgroup environment
– User names must be department-specific to implement department-specific
security solutions.
– It is imperative that user names and passwords are uniform within a
department.

• Workgroup environment computers
– From the Windows point of view, these are independent workstations. Each
workstation has its own separate user management.

• User name notation must be as follows:
– "dddd_uuuun"
• "dddd" stands for the department name (a max. of 8 characters)
• "_" separates the department symbol and user name
• "uuuu" user name (a max. of 4 characters)
• "n" indicates the shift number
• The user name can have the maximum length of 14 characters.

Formation of user names

• DEPARTMENT_Guest (1 piece)
– The password is the same as the user ID.
– Belongs to the PMDGuests and Power Users groups.
– The user has no access to the desktop, but has access to the Start menu
to open HMIWeb only and to log out from the system. Separate scripts are
used for the definition.

• DEPARTMENT_User1... DEPARTMENT_User9 (9 pieces)
– User passwords must be changed when the system is delivered to the
customer.
– Belongs to the PMDOperators and Power Users groups.
– The users have no access to the desktop, but have access to the Start menu
to open HMIWeb only and to log out from the system or shut down the
computer. Separate scripts are used for the definition.

Formation of user names

• DEPARTMENT_Engr1… DEPARTMENT_Engr2 (2 pieces)
– The engineers set user-specific passwords.
– Belongs to the PMDEngineers and Power Users groups.

• DEPARTMENT_Mngr (1 piece)
– The project manager or main engineer sets a project-specific password.
Take particular care that the password settings/changes are not
coordinated in any way between various projects.
– Belongs to the PMDManagers, Honeywell Administrators and
Administrators groups.

• DEPARTMENT_Admin (1 piece)
– Belongs to the PMDAdministrators, Honeywell Administrators and
Administrators groups.

Formation of user names

• DEPARTMENT_HWSRV (1 piece)
– Honeywell Service user ID. The user ID and the password are stored in the
TOSE Delivery and Production Information system.
– Belongs to the PMDAdministrators, Honeywell Administrators and
Administrators groups.

• DEPARTMENT_RUser (1 piece)
– The Remote User is used for Remote HMI Server connections only.
– Belongs to the PMDGuests and Power Users groups.
– The user has no access to the desktop, but has access to the Start menu
to open HMIWeb only and to log out from the system. Separate scripts are
used for the definition.

Groups

Tasks and restrictions of the groups

• PMDGuests
– The user group is intended for guests and other casual users for viewing
data.
– Rights and restrictions:
• The group has the right to call up trends, but is not allowed to create
them.
• The group has the right to call up reports, but is not allowed to create
them.
• The group is not allowed to configure the system, but is allowed to
acknowledge alarms!

Tasks and restrictions of the groups

• PMDOperators
– The user group is intended for normal process operation.
– Rights and restrictions:
• The group has the right to normal process control operations through
custom displays and faceplates.
• The group has the right to alarm acknowledgement.
• Control parameter modifications and system configuration are not
included in the group’s tasks.
• The user group operates the HMIWeb user interface with the
PlantScape oper user rights.

Tasks and restrictions of the groups

• PMDEngineers
– The tasks of the user group include system maintenance and planning.
– Rights and restrictions:
• The group is provided with more comprehensive user rights than those
defined for normal process operation.
• Writing right (W) to all process areas.
• Changing process control parameters is not included in the group’s
tasks.
• Rights to system configuration are secured through the Design Module
accounts and by using the PlantScape mngr account.

Tasks and restrictions of the groups

• PMDManagers
– The tasks of the users in the group include system maintenance and
planning, process control and management of user rights.
– Rights and restrictions:
• Full rights to process operation
• Critical writing rights (CW) to all process areas
• Rights to system configuration are secured through the Design Module
computer accounts and by using the PlantScape mngr account.

Tasks and restrictions of the groups

• PMDAdministrators
– The tasks of the users in the group include the management of the
operating system: user and resource definitions, for example.
– Rights and restrictions:
• The rights of the group correspond to those of the PMDManagers group.
• Additionally, the group belongs to the PlantScape Honeywell
Administrators.

Production and assembly

• The production (or subcontractor) installs the programs and makes
the following changes to the users:
– The password of the PMDAdmin user is changed to comply with the
project’s definitions.
– The password of the operating system’s Administrator user is changed to
comply with the buyer’s definitions in TOSE.
– The password for the computer BIOS is changed according to the buyer’s
definition.

• System assembly and start-up
– For Windows workgroup computers the user names and passwords must
be set so that the PMD users of the customer computers
(HMIWeb and DM) are also created for the server. The user passwords
must be the same in all computers of the department. Passwords can be
changed in a controlled manner on all system computers by using the
Login & Password Utility.

Login & Password Utility

Included from R500.0311. The program is named LoginPW.exe. Path:
C:\Program Files\Honeywell\PMDC\PDS\User Interfaces

NOTE! It is recommended to remove users that are not used from all the
operator and engineering stations in the department.

System delivery to the project

• During the project, the users and passwords in use are known only to the
personnel of that project. Passwords and their replacements must not
be coordinated between the projects in any way.

• When starting the project, the main engineer creates the users required by the
customer for the computers and sets/changes project-specific passwords for
all users. User groups are assigned the desired rights to process areas.

System delivery to the customer

• User definitions
– Check the user definitions with the customer.
– Make necessary changes as per case.
– Change the passwords of all users remaining in use (incl. administrator)
so that project-specific passwords are discarded.
– Password change is documented in the deed of conveyance to ensure that
the change will be done and documented.
– The main engineer or project manager takes care that the Honeywell
service user and password are stored in the TOSE information system. The
service user notation is dddd_HWSRV.

Steps to configure security

1. Creating the application
• While creating the application blocks, the process area is defined for each
block and similarly for displays and certain faceplates. Additionally, block pins
are provided with fixed protection levels.

2. Display security
• Department name, process area and protection level are defined for a display. A
display’s protection level stands for the user authorization level which is
transmitted to the pins included in the display.

3. Security configuration
• A group is assigned rights to a certain process area. The definition indicates
the highest authorization level. The authorization level includes the respective
lower levels. (R = R) (W = W and R) (CW = CW, W and R).

Creating the application

• Blocks that are not provided with a faceplate always connect to the process
area "DEFPROAREA". The process area cannot be set.
• The desired process area can be set for blocks that are provided with a
faceplate.

• Block pins are provided with fixed protection levels, which cannot be modified
by the application designer. The standard pin protection levels can be checked
by using the PDS Viewer.

Display security

• A display can be provided with a protection level setting.
• Display protection levels can be used to restrict user authorizations to the pin
data included in the display.
• The primary task of the display protection is, however, not to protect data.
• The Station issues the message “Area not assigned to operator/station” if the
user has no authorization to open the display. The message must be
acknowledged by the user.

For example, the display is provided with the Write protection level and the
user has only Read rights to the said process area. In this case the user may
open the display, but has no right to change the pin data of the display, even
if the display contains pin data with a protection level that is lower than
that of the display.

Display security

Display process area  Display protection level  User’s process area  User’s authorization  Right to enter data  Right to view the display
--------------------  ------------------------  -------------------  --------------------  -------------------  -------------------------
*                     Open                      *                    *                     Yes                  Yes
Process area 1        > Open                    Process area 1       No right              No                   No
Process area 1        Read                      Process area 1       Read                  No                   Yes
Process area 1        Read                      Process area 1       >= Write              Yes                  Yes
Process area 1        Write                     Process area 1       Read                  No                   Yes
Process area 1        Write                     Process area 1       >= Write              Yes                  Yes
Process area 1        Critical Write            Process area 1       <= Write              No                   Yes
Process area 1        Critical Write            Process area 1       Critical Write        Yes                  Yes

Security configuration

• Configuration file management
– Security data is configured on the server only.
– Notepad serves as the configuration tool.
– The file to be configured is “PMDSD.ini”. The file is located in the server’s
shared directory “C:\Program files\Honeywell\PMDC\Security\PMDSD\”.
– Security creates a copy of the configuration file on all system computers.
The file is named according to the department: "dddd_PMDSD.ini". Users
should not confuse this copy with the configuration file.
– The configuration file consists of rows, with one security definition on
each row. The definitions must be presented in quotes (" ").

Security configuration

• A row consists of the following definitions
1. Namespace = constant in the system "PROCESS_AREAS".
2. Area = Process area which the definition is made for. "DEFPROAREA" must be always
defined because blocks that are not provided with faceplates are executed on the said
process area.
3. Account = Local user or local group. For example "PMDOperators".
4. Rights = The authorization level to be set. The rights are defined according to the highest
right. The authorization levels are the following:
• None = No rights whatsoever for the process area in question.
• Read = The user has the right to read the process area data and view the displays.
• Write = The user has the writing right to the process area (he/she can change set
point values, for example).
• Critical Write = The user can change critical values of the process area, such as
tuning parameters.
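
The row definitions above and the display security table can be checked together. The following is an added example, not Honeywell code and not part of the original slides: it assumes each row carries its four definitions as double-quoted strings in the listed order (the slides do not state the separator), that rights are written None, Read, Write and Critical Write, and that an account with no row has no rights. AREA1 and the sample rows are constructed.

```python
import re

# Authorization levels from the slides; each level includes the lower ones.
LEVELS = {"None": 0, "Read": 1, "Write": 2, "Critical Write": 3}
QUOTED = re.compile(r'"([^"]*)"')

def parse_rows(text):
    """Return ({(area, account): rights}, findings) for PMDSD.ini-style rows."""
    entries, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = QUOTED.findall(line)  # assumption: four quoted values per row
        if len(fields) != 4:
            findings.append(f"row {n}: expected 4 quoted definitions")
        elif fields[0] != "PROCESS_AREAS":
            findings.append(f"row {n}: namespace {fields[0]!r}")
        elif fields[3] not in LEVELS:
            findings.append(f"row {n}: unknown rights {fields[3]!r}")
        else:
            entries[(fields[1], fields[2])] = fields[3]
    # Blocks without a faceplate always run in DEFPROAREA, so it must exist.
    if not any(area == "DEFPROAREA" for area, _ in entries):
        findings.append("DEFPROAREA is not defined")
    return entries, findings

def display_access(display_level, user_rights):
    """(may_view, may_enter_data) as read from the display security table."""
    if display_level == "Open":
        return True, True
    user = LEVELS[user_rights]
    if user == LEVELS["None"]:
        return False, False
    # Entering data needs at least Write and at least the display's level.
    return True, user >= max(LEVELS[display_level], LEVELS["Write"])

# Constructed sample; rows 5 and 6 are deliberately wrong.
SAMPLE = '''"PROCESS_AREAS" "DEFPROAREA" "PMDOperators" "Write"
"PROCESS_AREAS" "AREA1" "PMDGuests" "Read"
"PROCESS_AREAS" "AREA1" "PMDOperators" "Write"
"PROCESS_AREAS" "AREA1" "PMDManagers" "Critical Write"
"PROCESS_AREA" "AREA1" "PMDEngineers" "Write"
"PROCESS_AREAS" "AREA1" "PMDEngineers" "Full"
'''

if __name__ == "__main__":
    entries, findings = parse_rows(SAMPLE)
    print("\n".join(findings))
    for account in ("PMDGuests", "PMDOperators", "PMDManagers", "PMDEngineers"):
        rights = entries.get(("AREA1", account), "None")  # assumption: no row = None
        print(account, rights, display_access("Write", rights))
```

Because both PMDEngineers rows are rejected, that group ends up with no rights to AREA1, which is the kind of silent lockout a typo in the file would cause.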

Upgrade and back-up

• When the operating system parts of the workstations (HMIWeb and
DM) are upgraded, the administrator user is used. The PlantScape
and HMIWeb/DM customer software is also upgraded by using the
administrator user.
• The operating system parts of the server computers are upgraded by
using the administrator user, but upgrades related to MS SQL Server,
PlantScape and HMIWeb/DM software are carried out by using the
ps_user.
