Rules for Privilege Scope
A "rule" is defined as a limit placed on a privilege. The operator may have the privilege of operating a pump, but only pumps under one context (station or site) within the Tag Browser. Or, only when signed-in at a certain workstation.
Tag Scope Rules
Security rules are especially useful when you have organized your tags into parent-child hierarchies that group similar parts of the application together. For example, a city utility may have grouped all of the tags for the eastern half of the city under one Context tag named EasternZone. All of the tags for the western side are grouped under a Context tag named WesternZone. For operators who work in the EasternZone, you can restrict tag-related privileges within their job description role to apply only to tags in that zone, even though all tags are protected by a single privilege.
Detail from the Accounts dialog, showing with one privilege subject to tag scope rule.
The square in the selection box of Filtration Control indicates that it is limited by a rule.
The example in the previous figure shows an example "Eastern Zone Operations" role. The role contains two custom privileges, Filtration Control and Filtration Monitoring. Filtration control is meant to be applied to I/O tags and is therefore limited by a scope rule to tags in the Eastern Zone context. (Examples follow, showing how the rule is applied.) The custom privilege, Filtration Monitoring, is meant to be applied to pages and therefore is not limited by a tag-scope rule.
Use the Manage Rules dialog (following figure) both to add and to remove rules. Removing the privilege (then re-adding it) is an inefficient way to remove rules.
Apply tag-based rules only to custom privileges or to the tag-related general privileges, Questionable and Manual Data. Limiting a general privilege such as Alarm Page Access to a tag is the same as denying the privilege.
Steps to apply rule-scope:
- Find the privilege in the list of Additional Privileges.
If the privilege has not been granted to the account or role, add it. (Assign Privileges) - Expand the menu for that privilege as shown:
- In the Manage Rules dialog, click the plus button to open the New Rule dialog.
- In the New Rule dialog, use the Tag Selection button to open the Tag Browser.
- Select the tag (or better, the parent context) for which the rule is to apply.
- Optionally, select more tags for which the rule should apply.
- Click OK through all dialog boxes to exit.
- Click Apply in the Accounts dialog to save your work.
The square instead of a check mark indicates that the privilege is granted conditionally.
Workstation Rules
You can also create a rule such that the privilege is valid only when the user is signed in on a named workstation. For example, if you have created a Manager account, with permissions to modify user accounts, you may wish to restrict that privilege so that it may only be used at a given workstation. Even if someone were to guess the manager's password, they would not be able to modify accounts unless they were also at that person's workstation.
Take care that the workstation you select is or will be available. Don't lock yourself out!
Workstation rules are not intended for use with Internet or Mobile client connections. It is not possible to determine the name of the remote device. The rule scope will apply to the VTScada Thin Client Server, affecting all connections.
The steps to apply a workstation rule to a privilege are the same as those to apply a tag scope rule, excepting only that you will choose one or more workstations instead of one or more tags.