The name of the role. Each name must be unique.

The name of the Windows™ user group associated with this role. You can enter a group name on its own (for example, "PlantOperators"), or you can restrict the group's accessibility by including a local computer name or domain name (for example, "ComputerName\PlantOperators" or "DomainName\PlantOperators").

You can only associate Windows user groups with up to 1024 Citect SCADA roles. Duplicated Windows user groups are not supported.

For more information, see Integrate Windows User Groups.

The privilege assigned globally to the role. Enter a value of 16 characters or less.

In the privilege field you can separate numbers with commas or you can enter a range separated by two periods, for example, 1..8

As you configure your system, you can assign privileges to the various elements, such as graphics objects, alarms, accumulators, commands, and so on. For example, a role with a Global Privilege of 3 will be able to send any command that is assigned a privilege of 3, or action any alarm with a privilege of 3, or click any button that is assigned a privilege of 3, etc. Unless you are using areas, if you do not specify a global privilege, the role cannot access any command with a privilege assigned.

Note: (For users using windows authentication) When you have completed the fields in this dialog and if you have not already done so, add the users to the group in Windows security that you want to have the privileges of this role.

The areas the user assigned the associated role is permitted to view. Enter a value of 16 characters or less.

Remember, you need to still assign privileges to the elements in these viewable areas, such as graphics objects, alarms, accumulators, commands, etc. If you do not, the user will have full access to them. For example, if you do not assign a privilege to a command in one of these areas, the user will be able to send it regardless of whether you want them to or not.

To make an element (such as a button on a expression) view only for a particular user, assign it an expression and a privilege. Add the area to the user's list of Viewable Areas, but don't give the user the necessary privileges in that area (or the necessary global privilege).

Multiple areas can be defined using groups.

If you do not specify “Viewable Areas”, the user will have viewable access to area 0. See Privilege and Area combinations for more information.

From the drop-down select True or False. Determines what person or group will be restricted from performing remote MsgRPC and ServerRPC calls.

True - person or group allowed to run MsgRPC and ServerRPC

False - person or group not allowed to run MsgRPC and ServerRPC.

If field is left blank the following compiler warning will be generated:

"'Allow RPC' permission is not defined (defaulting to FALSE)"

Allow RPC will default to FALSE.

From the drop-down select True or False. Determines whether a user or group will be allowed to run the Exec Cicode function.

True - user or group allowed to run Exec.

False - user or group not allowed to run Exec.

In the Example project, Allow Exec is set to TRUE for the Engineer role. Note that this is used in conjunction with the Citect INI parameter [Security]BlockExec. Therefore, the parameter also needs to be set as [Security]BlockExec=0 so that users with this role can run the Exec Cicode function. For more information about the parameter, refer to the Parameters help.

If the field is left blank, Allow Exec will default to FALSE.

Determines if the user is authorized to manage user accounts. From the drop-down select TRUE or FALSE.

If TRUE the user is able to:

• Add, modify, and delete users at runtime.
• Modify other users passwords without having to know the user's old password.

If FALSE the user will only be able to change their own password. To do this they will need to know their old password.

In the Example project, Manage Users is set to TRUE for the Engineer role.

Any useful comment.

A Cicode command that is executed when the user assigned this role logs in. You can use any Cicode command or function. Enter a value of 254 characters or less.

A Cicode command that is executed when the user assigned this role logs out. You can use any Cicode command or function. Enter a value of 254 characters or less.