Roles define a set of permissions that can be assigned to users of the same type. Before you create a role, determine the permissions required by the users that will be assigned to the role (based on the available privileges and areas).
To integrate Windows user groups into your Citect SCADA security, use the Windows Group property when defining a role. See Integrate Windows User Groups.
Note: Area 0 is assigned by default to every role. This means every user can view any system element in Area 0 that has no privilege defined.
To add a Role record:
For a description of the properties, see below.
Role Properties
| Property | Description |
|---|---|
| Role Name | The name of the role. Each name must be unique. |
| Windows Group | The name of the Windows™ user group associated with this role. You can enter a group name on its own (for example, "PlantOperators"), or you can restrict the group's accessibility by including a local computer name or domain name (for example, "ComputerName\PlantOperators" or "DomainName\PlantOperators"). You can associate Windows user groups with up to 1024 Citect SCADA roles. Duplicated Windows user groups are not supported. For more information, see Integrate Windows User Groups. |
| Privileges | The privilege assigned globally to the role. Enter a value of 16 characters or less. In the privilege field you can separate numbers with commas, or you can enter a range separated by two periods (for example, 1..8). As you configure your system, you assign privileges to the various elements, such as graphics objects, alarms, accumulators, commands, and so on. For example, a role with a Global Privilege of 3 will be able to send any command that is assigned a privilege of 3, action any alarm with a privilege of 3, click any button that is assigned a privilege of 3, etc. Unless you are using areas, if you do not specify a global privilege, the role cannot access any command that has a privilege assigned. Note (for Windows authentication): when you have completed the fields in this dialog, add the users that you want to have the privileges of this role to the corresponding group in Windows security, if you have not already done so. |
| View Areas | The areas that users assigned this role are permitted to view. Enter a value of 16 characters or less. Note: Do not set Viewable Areas in conjunction with Global Privileges, as global privileges give roles view access to areas automatically. Remember that you still need to assign privileges to the elements in these viewable areas (graphics objects, alarms, accumulators, commands, etc.). If you do not, the user will have full access to them: for example, if you do not assign a privilege to a command in one of these areas, the user will be able to send it regardless of whether you want them to or not. To make an element (such as a button) view-only for a particular user, assign it an expression and a privilege, add the area to the user's list of Viewable Areas, but do not give the user the necessary privilege in that area (or the necessary global privilege). Multiple areas can be defined using groups. If you do not specify Viewable Areas, the user will have view access to area 0. See Privilege and Area combinations for more information. |
| Allow RPC | Select True or False from the drop-down. Determines whether the user or group is allowed to perform remote MsgRPC and ServerRPC calls. True: the user or group is allowed to run MsgRPC and ServerRPC. False: the user or group is not allowed to run MsgRPC and ServerRPC. If the field is left blank, Allow RPC defaults to FALSE and the compiler generates the warning: "'Allow RPC' permission is not defined (defaulting to FALSE)". |
| Allow Exec | Select True or False from the drop-down. Determines whether the user or group is allowed to run the Exec Cicode function. True: the user or group is allowed to run Exec. False: the user or group is not allowed to run Exec. In the Example project, Allow Exec is set to TRUE for the Engineer role. Note that this setting works in conjunction with the Citect INI parameter [Security]BlockExec, which must also be set to [Security]BlockExec=0 for users with this role to run the Exec Cicode function. For more information about the parameter, refer to the Parameters help. If the field is left blank, Allow Exec defaults to FALSE. |
| Manage Users | Determines whether the user is authorized to manage user accounts. Select TRUE or FALSE from the drop-down. If TRUE the user is able to: If FALSE, the user will only be able to change their own password, and to do this they will need to know their old password. In the Example project, Manage Users is set to TRUE for the Engineer role. |
| Comment | Any useful comment. |
| Entry Command | A Cicode command that is executed when a user assigned this role logs in. You can use any Cicode command or function. Enter a value of 254 characters or less. |
| Exit Command | A Cicode command that is executed when a user assigned this role logs out. You can use any Cicode command or function. Enter a value of 254 characters or less. |
| Priv1 Areas ... Priv8 Areas | The privileges (by area) assigned to the user. Enter a value of 16 characters or less. Using this combination of areas and privileges, you can give a user different privileges in different areas. For example, users assigned a role with privilege class 6 in areas 29 and 30 will only have access to commands in those areas that require privilege class 6. In the privilege field you can separate numbers with commas, or you can enter a range separated by two periods (for example, 1..8). Note: By assigning a privilege to an area, you make that area viewable to users assigned that role. If you do not specify areas with associated privileges, access is defined by Viewable Areas or Global Privileges only. |
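The Privileges, View Areas and Priv1 Areas ... Priv8 Areas fields above only make sense together, and the View Areas note carries the important warning: an element in a viewable area that has no privilege assigned is open to every user who can view that area. The following added example (not Citect SCADA's own code) models the role record as a small access-decision function and adds an audit helper that lists such unprotected elements. The "1,3,5..8" list syntax and the 16-character limit come from the page; the way the three fields combine is this example's reading of the page (a global privilege is treated as giving view access to every area, as the View Areas note states; Area 0 is always viewable), and the roles and elements at the bottom are constructed sample data, not the Example project's.

```python
"""Added example, not Citect SCADA's own code: a model of how the Role record
fields combine into an access decision, plus an audit helper for the page's
warning about unprotected elements in viewable areas.
Assumptions: the "1,3,5..8" list syntax comes from the page; the combination
of View Areas, global Privileges and Priv1..Priv8 Areas is this example's
reading of the page (a global privilege makes every area viewable); Area 0 is
always viewable.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_FIELD_LEN = 16    # "Enter a value of 16 characters or less" (from the page)
MAX_PRIV_CLASS = 8    # Priv1 Areas ... Priv8 Areas


def parse_list(text: str) -> set:
    """Parse the comma/range notation of the privilege and area fields,
    e.g. "1,3,5..8" -> {1, 3, 5, 6, 7, 8}. A blank field means nothing set."""
    if len(text) > MAX_FIELD_LEN:
        raise ValueError(f"field longer than {MAX_FIELD_LEN} characters: {text!r}")
    values = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if ".." in part:
            lo, hi = (int(p) for p in part.split("..", 1))
            if lo > hi:
                raise ValueError(f"bad range: {part!r}")
            values.update(range(lo, hi + 1))
        else:
            values.add(int(part))
    return values


@dataclass
class Role:
    name: str
    privileges: str = ""                 # global "Privileges" field
    view_areas: str = ""                 # "View Areas" field
    priv_areas: dict = field(default_factory=dict)  # {1: "Priv1 Areas", ..., 8: "Priv8 Areas"}
    allow_exec: bool = False             # blank field defaults to FALSE (page)
    allow_rpc: bool = False              # blank field defaults to FALSE (page)

    def global_privs(self) -> set:
        return parse_list(self.privileges)

    def areas_for_priv(self, priv: int) -> set:
        return parse_list(self.priv_areas.get(priv, ""))

    def explicit_viewable_areas(self) -> set:
        """Area 0, the View Areas field, and every area named in a PrivN Areas
        field (the page: assigning a privilege to an area makes it viewable)."""
        areas = {0} | parse_list(self.view_areas)
        for p in range(1, MAX_PRIV_CLASS + 1):
            areas |= self.areas_for_priv(p)
        return areas


def can_view(role: Role, area: int) -> bool:
    # Assumption (from the View Areas note): a global privilege gives view access to all areas.
    return bool(role.global_privs()) or area in role.explicit_viewable_areas()


def can_act(role: Role, area: int, privilege: Optional[int]) -> bool:
    """Can a user in `role` action an element in `area` that requires
    `privilege`? An element with no privilege is open to anyone who can view
    its area; otherwise the privilege must be held globally or for that area."""
    if not can_view(role, area):
        return False
    if privilege is None:
        return True
    return privilege in role.global_privs() or area in role.areas_for_priv(privilege)


def can_run_exec(role: Role, block_exec_ini: int = 1) -> bool:
    """Exec needs Allow Exec = TRUE on the role AND [Security]BlockExec=0."""
    return role.allow_exec and block_exec_ini == 0


def unprotected_elements(role: Role, elements) -> list:
    """Audit helper: names of elements (name, area, privilege) the role can
    action without holding any privilege, i.e. the case the View Areas note
    warns about."""
    return [name for name, area, priv in elements
            if priv is None and can_view(role, area)]


# Constructed sample roles and elements (not from the Example project).
OPERATOR = Role("Operator", priv_areas={6: "29,30"})   # privilege class 6 in areas 29 and 30
ENGINEER = Role("Engineer", privileges="1..8", allow_exec=True)
VIEWER = Role("Viewer", view_areas="10")
ELEMENTS = [("Start pump", 29, 6), ("Ack alarm", 31, 3), ("Reset counter", 10, None)]

if __name__ == "__main__":
    for r in (OPERATOR, ENGINEER, VIEWER):
        print(r.name, [(n, can_act(r, a, p)) for n, a, p in ELEMENTS],
              "unprotected:", unprotected_elements(r, ELEMENTS))
```

Running the audit over a project's real element list (one tuple per command, button or alarm with its area and privilege) for each role is a quick way to find the "viewable area, no privilege" gaps before they reach a runtime node.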
| Property | Description |
|---|---|
| Project | The project in which the role is included. |
See Also
Published June 2018