Privilege and Area Combinations

Outlined below are four general rules regarding the use of privileges and areas within Citect SCADA.

  1. Global privileges apply to every area.
  2. Assigning a privilege to an area within a role means any user assigned that role automatically gains view access to that area. However, the user can only operate system elements in that area that have a matching privilege. As a result of the first rule, users assigned a global privilege will also be able to view every area.
  3. Area 0 includes every privilege a role may have been assigned in other areas. In other words, if a role is granted privilege 3 for use in another area, that role can also control those system elements in Area 0 that have a privilege set to 3.
  4. All users can view Area 0.

The table below outlines numerous scenarios and the resulting security that is applied to an alarm when it is accessed by a user assigned to an "operator" role.

| Alarm Properties | Operator Role Properties | Result |
|---|---|---|
| Area = 0 <All areas>; Privilege = 0 <None> | View Areas = 0 (blank); Global privileges = 0 (blank); Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | No privileges are assigned to the alarm, or the operator role. An operator will be able to view and acknowledge the alarm. |
| Area = 0 <All areas>; Privilege = 1 | View Areas = 0 (blank); Global privileges = 0 (blank); Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | The alarm is assigned level 1 privileges. An operator will be able to view the alarm, but cannot acknowledge it as the operator role does not have the necessary level 1 privileges. |
| Area = 0 <All areas>; Privilege = 1 | View Areas = 0 (blank); Global privileges = 1; Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | An operator can view the alarm and acknowledge it, as the operator role has been granted matching global privileges (level 1 access). The operator will also be able to view and control other system elements that have level 1 privileges across all areas of the plant. |
| Area = 1; Privilege = 0 <None> | View Areas = 0 (blank); Global privileges = 0 (blank); Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | An operator cannot view the alarm, as it is now assigned to Area 1 and the operator role has no permissions for Area 1. |
| Area = 1; Privilege = 0 <None> | View Areas = 1; Global privileges = 0 (blank); Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | The View Areas property has been adjusted so that users assigned to the operator role can view Area 1. They can acknowledge the alarm as it has no privilege restrictions. |
| Area = 1; Privilege = 1 | View Areas = 1; Global privileges = 0 (blank); Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | An operator can view the alarm in Area 1, but cannot acknowledge it as the operator role does not have the required level 1 privileges. |
| Area = 1; Privilege = 1 | View Areas = 1; Global privileges = 1; Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | An operator can view the alarm and acknowledge it as the operator role now has global privileges for level 1. |
| Area = 1; Privilege = 1 | View Areas = 0 (blank); Global privileges = 0 (blank); Privilege 1 Areas = 1; Privilege 2 Areas = 0 (blank); ... | An operator can view the alarm and acknowledge it as the operator role now has level 1 privileges for the matching area (Area 1). |
| Area = 2; Privilege = 1 | View Areas = 0 (blank); Global privileges = 1; Privilege 1 Areas = 0 (blank); Privilege 2 Areas = 0 (blank); ... | The alarm is now in Area 2, however, an operator can still view the alarm and acknowledge it as the operator role has global privileges for level 1. |
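
The four rules and the nine table rows above, modeled as an added example (this is not Citect SCADA code or an API of the product). The `Role` class and the functions `can_view`, `can_operate` and `check_scenarios` are hypothetical names, and a property shown as "0 (blank)" is represented as an empty set.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """Constructed model of a role; a 'blank' property is an empty set."""
    view_areas: set = field(default_factory=set)
    global_privs: set = field(default_factory=set)
    priv_areas: dict = field(default_factory=dict)  # privilege -> set of areas

def can_view(role, area):
    if area == 0:                 # rule 4: all users can view Area 0
        return True
    if role.global_privs:         # rules 1 and 2: a global privilege reaches every area
        return True
    if area in role.view_areas:   # explicit View Areas entry
        return True
    # rule 2: a privilege assigned to an area also grants view of that area
    return any(area in areas for areas in role.priv_areas.values())

def can_operate(role, area, priv):
    if not can_view(role, area):
        return False
    if priv == 0 or priv in role.global_privs:  # unrestricted element, or rule 1
        return True
    areas = role.priv_areas.get(priv, set())
    # rule 3: Area 0 accepts a privilege the role holds in any other area
    return bool(areas) if area == 0 else area in areas

# Table rows: (alarm area, alarm privilege, operator role, can view, can acknowledge)
SCENARIOS = [
    (0, 0, Role(), True, True),
    (0, 1, Role(), True, False),
    (0, 1, Role(global_privs={1}), True, True),
    (1, 0, Role(), False, False),
    (1, 0, Role(view_areas={1}), True, True),
    (1, 1, Role(view_areas={1}), True, False),
    (1, 1, Role(view_areas={1}, global_privs={1}), True, True),
    (1, 1, Role(priv_areas={1: {1}}), True, True),
    (2, 1, Role(global_privs={1}), True, True),
]

def check_scenarios():
    """Return one boolean per table row: does the model match the documented result?"""
    return [(can_view(r, a), can_operate(r, a, p)) == (v, k)
            for a, p, r, v, k in SCENARIOS]

if __name__ == "__main__":
    print(check_scenarios())
```

Running a planned role definition through a model like this before deployment shows how far a single global privilege extends view and control beyond the areas the role was meant for.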

Published June 2018