C12 - Security V2-1


Page 1: C12 - Security V2-1

Course T301, Engineering an 800xA System - Advanced

12-1

Chapter 12 Security

TABLE OF CONTENTS

Chapter 12 Security ... 12-1
12.1 General information ... 12-3
12.1.1 Description ... 12-3
12.1.2 Objectives ... 12-3
12.1.3 Reference Documentation ... 12-3
12.2 Introduction ... 12-4
12.3 Windows Groups and 800xA User Groups ... 12-5
12.3.1 Add Users in Organizational Units ... 12-6
12.3.2 Windows Users and Groups ... 12-7
12.3.3 Users and 800xA User Groups in the User Structure ... 12-8
12.4 Log Over ... 12-11
12.4.1 Log Over and Authentication Configuration ... 12-12
12.5 User Roles – Indexes, What you can see ... 12-14
12.5.1 Modify User Roles - Indexes ... 12-14
12.6 Permissions – Operations, What you can do ... 12-15
12.6.1 Modify Permissions - Operations ... 12-16
12.7 Security Definition Aspect ... 12-18
12.7.1 Evaluation Order ... 12-19
12.8 Granted Permissions View ... 12-20
12.9 Security Report ... 12-22


Page 3: C12 - Security V2-1


12.1 General information

12.1.1 Description

This chapter describes configuration of Windows Users and Groups and the relation to 800xA User Groups.

12.1.2 Objectives

On completion of this chapter you will be able to:

• Create Windows Users and Groups.

• Create and configure group policies in an Organizational Unit.

• Create 800xA User Groups.

• Associate Windows Groups to 800xA User Groups.

• Synchronize the members between Groups and User Groups.

• Configure Log over.

• Relate and modify User Roles – Indexes.

• Relate and modify Permissions – Operations.

• Relate Required and Granted Permissions.

• Create and configure Security Definition Aspects.

• Describe the Security Evaluation Search Order.

• Create a Security Report.

12.1.3 Reference Documentation

IndustrialIT 800xA System, Security Manual

IndustrialIT 800xA System, On-Line Help

Page 4: C12 - Security V2-1


12.2 Introduction

IndustrialIT 800xA Security Model

The IndustrialIT 800xA Security model is based on extensions to the Windows security model, adding features and capabilities that allow products and systems built on the architecture to comply with relevant regulatory requirements. Security is a built-in function of IndustrialIT 800xA; no separate installation procedure is necessary.

Security checks in the IndustrialIT 800xA System are based on the Windows user identity and the Core System group running the software.

Security controls the permissions of Users or User Groups to perform different operations on an IndustrialIT 800xA System, a structure or part of a structure, or an Aspect Object. The check is based on:

• The user’s credentials, as provided by Windows.

• The node where the user is logged in. This makes it possible to give a user different permissions depending on where he or she is located, e.g. close to the process equipment or in a control room.

• The operation the user wants to perform.

• The Aspect Object that the user wants to perform the operation on.

These parameters are checked against a security descriptor.

Related to security are the User Roles, which are usage settings. User Roles adapt the user interface for different types of users, i.e. user groups. Some operations require an application engineer or system engineer role to be performed.

However, having the correct user role does not give the user the permission to perform the operation. The permission is completely controlled by the security configuration of the system.

Permissions decide what you can do!

User Roles decide what you can see!

Functions in the IndustrialIT 800xA Security Model

• Audit trail. The audit function is set up by a security descriptor. Audit logging allows the administrator to track security-related events, for example attempts to access secured objects.

• Authentication

• Log over

• Digital signature

Page 5: C12 - Security V2-1


12.3 Windows Groups and 800xA User Groups

The security system in 800xA is based on Windows user accounts. A User must be a member of a Windows 2000 Group and of an 800xA User Group.

• It is recommended that the tree structure of the Windows 2000 Groups and the 800xA User Groups maps the plant roles and plant areas.

• Create the Windows Groups in an Organizational Unit.

Since the 800xA system user credential concept is built on Windows domains, local user accounts must never be created and used on the client machines. Clients will always connect to the 800xA system using domain accounts. The only exception is for single-node systems where domains are not used. In this case all users and groups are local.

Before setting up IndustrialIT users and user groups, verify that you have created a domain by setting up a domain controller and DNS server.

Page 6: C12 - Security V2-1


12.3.1 Add Users in Organizational Units

This procedure requires you to be logged in as domain administrator. A default domain administrator is created when you set up the domain controller and domain.

• Log in with a Domain Admin account

• Start>Programs>Administrative Tools>Active Directory Users and Computers.

• Create the Users in Organizational Units. Create the users with similar plant roles in one OU, independent of different plant area responsibility.

• Add the User as a member to appropriate Groups. It’s recommended to create a structure that maps the roles in a plant and plant areas.

NOTE! Later it will be easier to associate the 800xA User Groups with these Windows 2000 Groups and Users.

(Figure: OU Hierarchy in a Domain)

Windows Group Policies can be applied to an OU to allow or prevent access by the OU members to icons and programs on the desktop. Group policies can also control access rights to services and log-on or log-off privileges.

Creation steps:

• Select the organizational unit Operators on the Domain Controller.

• Open the context menu, select Properties and then select the Group Policy tab.

• Add a new group policy object.

• Edit the new group policy object.

Read in the Security Manual to learn more about Windows Security settings and group policies for operators.

Page 7: C12 - Security V2-1


12.3.2 Windows Users and Groups

Configuration in the Active Directory

One user account must be reserved for use by 800xA system services. This account will NOT be used for installation, administration, configuration, or any other system-related procedures.

A second administrator account must be created and used to complete the 800xA system software installation and post installation procedures.

Create other user accounts for other 800xA system activities such as application engineer, system engineer, and operator.

Administrator users in the domain should also be added to the local administrator group on all 800xA system nodes.

Create the IndustrialITAdmin Group. All 800xA administrators (including the 800xA Service user described below) must be a member of the IndustrialITAdmin group.

Create the IndustrialITUser Group. All 800xA users must be a member of the IndustrialITUser group.

Create a new user for 800xA services. Make this user a member of the IndustrialITAdmin Group, the IndustrialITUser Group, and the local administrator group on every system node.

All 800xA system services will run under this account. Make the name easy to recognize (for example: 800xAService).

(Figure: Organizational Units IndustrialIT and Operators in the Active Directory)

Page 8: C12 - Security V2-1


12.3.3 Users and 800xA User Groups in the User Structure

User Group Aspects

User Group Definition:

• User Group Configuration: associated Windows group.

• Members: synchronize users, add/remove members of this group.

• User Roles: add/remove user roles for this group.

User Aspects

User Definition:

• User Group Configuration: associated Windows group.

• Groups: add/remove members of this group.

• User Roles: view roles from all groups where the user is a member.

Workplace Profile Values:

• Plant Explorer settings: filter aspects and objects.

Graphic Profile Values:

• Graphics behavior configuration: faceplate auto lock.

Status Viewer Profile Values:

• Status Viewer behavior configuration.

12.3.3.1 Default User Groups

Everyone

• A group that contains all the IndustrialIT 800xA users.

Operators

• A group of all operators. Performs process operations.

Application Engineer

• A group of all application engineers. Performs application engineering.

System Engineers

• A group of all system engineers. Performs system engineering.

Administrators

• A group with the security system disabled, i.e. a member of this group has full access to everything in the aspect system.

Page 9: C12 - Security V2-1


12.3.3.2 Add Users and 800xA User Groups

Log in with an IndustrialITAdmin account and create User Groups that map the roles and areas in the plant.

• Operators area A

• Operators area B

• Engineer A

• …

Associate the 800xA User Groups with the appropriate Windows Groups.

Synchronize the members with the Windows Groups (users may be created or deleted).

A single user can also be added or removed manually.

Add one User Role to the User Group.

Page 10: C12 - Security V2-1


Users may also be assigned via the Configuration Wizard.

• Start the Configuration Wizard and select System Configuration / Users.

• Assign the User to the appropriate User Groups.

Page 11: C12 - Security V2-1


12.4 Log Over

The log over function enables a fast and temporary switch between users in a running workplace. For example, if an operation requires a permission not held by an operator, another user (e.g. a system engineer) who holds the required permission can log on to perform that operation. The log over changes the permissions and user roles but keeps all open windows with their present contents. The permitted actions in the open windows are controlled by the permissions of the logged-over user.

Log over is a toggle function, i.e. change user and then revert user.

Right-click on User, then type domain\user and password.

NOTE! The log over only affects the System permissions. Windows security is still that of the logged-in user. This means that access to files is still controlled by the logged-in user.

Page 12: C12 - Security V2-1


12.4.1 Log Over and Authentication Configuration

Before log over, authentication and digital signature can be activated, an overall system setting must enable them. Select the System Domain object in the Admin Structure.

Select the System Settings aspect and change the property Advanced Access Control and Advanced Signature to True.

Log over Critical Aspect Views

Aspect views that do not support log over can be configured so that they must be closed before the user is allowed to perform a log over operation. This is configured per aspect category in the Admin Structure or Aspect System Structure.

Page 13: C12 - Security V2-1


If a log over critical aspect view is open when the user selects Change User, a Close Views dialog box appears. In this dialog box the user can close the log over critical views.

Some applications will start and run as the logged on user, even if a log over is done. The following applications do not support log-over:

• AfwImportExport.exe

• AfwConfigWizard.exe

• Afw.NLS.TranslationTool.exe

• AfwSetVariable.exe

• AfwUhOp.exe

• PgDisplayTool.exe

• AfwWorkplaceApplication.exe

Use Windows File security to protect the applications above from being launched by unauthorized users.

Page 14: C12 - Security V2-1


12.5 User Roles – Indexes, What you can see

An Index defines a level of operation on the aspect or object.

For each Index it is possible to select a User Role (creating a role map).

Mr. X logs on as a user and gets user roles from the 800xA user groups.

The granted user roles are checked against the role map.

12.5.1 Modify User Roles - Indexes

The connection between indexes and needed user roles is done in the category definition aspect.

No User Role selected means allowed for everyone.

To be able to modify an Object type in the AC 800M/C Connect, the library has to be open.

(Figure: Category Definition aspect of an Aspect Category or Object Type)

Page 15: C12 - Security V2-1


12.6 Permissions – Operations, What you can do

An Operation defines a level of operation on the object, aspect or OPC property.

For each Operation it is possible to select a Permission (creating a required permission map).

Mr. X logs in as a user; users and user groups get permissions via the Security Definition Aspect.

The granted permissions are checked against the permission map.

Each aspect system is responsible for performing relevant security checks on the operations it provides. Afw provides a set of functions for this purpose. The designer of an aspect system must decide which operations to provide, register these with the Aspect Directory, and include relevant calls at appropriate places in the aspect system code to verify that the current user is granted the right to use the operation. Similarly, he or she must include calls to log the operation.

Afw defines a list of operations that can be performed on Aspect Objects. Additional operations can be defined for specific aspect types; this is part of the information that an aspect system registers with the Aspect Directory. Operations are mapped into permissions per aspect category. For each aspect type it is thus possible to create several categories with different security settings.

The Afw OPC Server performs security checks and audit logging on all OPC accesses. This relieves aspect system designers from having to implement security checks and audit logging on read and write operations on properties that are published through OPC.

An end user of the system normally works only with permissions, configuring the security settings for each object or group of objects. It is only when you design new categories that you need to consider setting up new or different mappings into operations.

Page 16: C12 - Security V2-1


12.6.1 Modify Permissions - Operations

The connection between permissions and operations is done in the category definition aspect.

No Permission selected means allowed for everyone.

To be able to modify an Object type in the AC 800M/C Connect, the library has to be open!

Set Read/Write Permission in the Control Module, Function Block or Control Connection aspect.

To be able to modify the read/write permissions on the Function Block / Control Module in the AC 800M/C Connect, the library has to be open!

(Figure: Category Definition aspect of an Aspect Category or Object Type)

Page 17: C12 - Security V2-1


12.6.1.1 Default Permissions

• Read: Permits a user to read information.

• Configure: Permits a user to configure an aspect.

• Operate: Permits a user to operate the system. Normally given to the Operator Group.

• Tune: Permits a user to tune a process.

• Shutdown: Permits a user to shut down an area. Not used in the default setting.

• Security Configure: Permits a user to change/add permissions on Aspect Objects.

• Batch Configure: Permits a user to configure a batch operation.

• Administrate: Permits a user to do administration of the Aspect Object System itself, for example add new IndustrialIT 800xA users.


• Create synchronization package: Permits a user to create a synchronization package.

• Load synchronization package: Permits a user to load or roll back a synchronization package.

Page 18: C12 - Security V2-1


12.7 Security Definition Aspect

• Security is checked to see if a user can be granted an operation on an object, aspect or an OPC property.

• Security Definition aspects set the Permission type:

o Read.

o Operate.

o Configure.

o …

• Security Definition aspects set the access:

o Denied.

o Allowed.

• Security Definition aspects set from which Node:

o One or several nodes.

o All nodes.

• Security Definition aspects set the Range:

o Object, valid for this object.

o Structure, valid for this object and down in the structure.

o None, security definition aspect disabled.

• Security Definition aspects set the User:

o User.

o 800xA User Group.

• Several Security Definition aspects can define the security for the same Aspect Object.

(Figure: Functional Structure example. Milko Chemical > Solid Processing / Liquid Processing > Mixing Unit BV1 / Mixing Unit BV2 > BV2TemperatureControl, BV2QuantityControl, BV2ProductTransfer, BV2Agitation, BV2MilkSupply > FIC201 > FIC201FlowTransmitter, FIC201Valve, FIC201Control, with a Read permission entry shown.)

Page 19: C12 - Security V2-1


12.7.1 Evaluation Order

Security aspects are evaluated in a certain order until the access is granted or denied. The evaluation order is as follows:

• Node-specific entries with range Object and Deny.

• Node-specific entries with range Object and Allow.

• Entries with range Object and Deny.

• Entries with range Object and Allow.

• Entries with range Structure and Deny.

• Entries with range Structure and Allow.

• Structures are searched in the order defined by the domain security.

• Finally, the security on the domain is searched.

If a user is a member of two groups, one of which is granted permission and one of which is denied permission, the result will always be denied, since “deny” entries are evaluated before “allow” entries.

If no matching entry is found, the user is denied permission.

The search continues only if the Search Option is “Continue search”. The evaluation order of structures, and which structures are searched, are configured in the Security Definition aspect that sets the system default security. If no valid security setting is found in the structures in the Evaluation Search Order list, the system goes on to the Default Settings in the System Object in the Admin Structure.

(Figure: Evaluation order, System Object with Security Definition Aspect)
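As an added illustration of the evaluation order above (not part of the course material and not 800xA code), the following Python model walks a constructed object tree named after the course figure and applies the Deny-before-Allow, Object-before-Structure order; the group names Operators area A/B, the user mrx and the node names BV2PANEL and CRWS1 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "Allowed", "Denied"


@dataclass
class SecurityEntry:
    """One entry of a Security Definition aspect (constructed model)."""
    principal: str                     # user name or 800xA User Group name
    permission: str                    # Read, Operate, Configure, ...
    access: str                        # ALLOW or DENY
    rng: str = "Structure"             # "Object", "Structure" or "None" (disabled)
    nodes: Optional[frozenset] = None  # None = all nodes, else node-specific


@dataclass
class AspectObject:
    name: str
    parent: Optional["AspectObject"] = None
    entries: list = field(default_factory=list)

    def self_and_ancestors(self):
        obj = self
        while obj is not None:
            yield obj
            obj = obj.parent


def _applies(e, user, groups, node, permission):
    """Entry is enabled and covers this permission, this node and this user/group."""
    if e.rng == "None" or e.permission != permission:
        return False
    if e.nodes is not None and node not in e.nodes:
        return False
    return e.principal == user or e.principal in groups


def evaluate(obj, user, groups, node, permission, domain_default=()):
    """Return (decision, reason) following the evaluation order of 12.7.1."""
    if "Administrators" in groups:      # security system disabled for this group
        return ALLOW, "member of Administrators"
    own = [e for e in obj.entries
           if e.rng == "Object" and _applies(e, user, groups, node, permission)]
    # Steps 1-4: range Object, node-specific entries first, Deny before Allow.
    for node_specific in (True, False):
        for access in (DENY, ALLOW):
            for e in own:
                if (e.nodes is not None) == node_specific and e.access == access:
                    return access, f"Object entry on {obj.name} for {e.principal}"
    # Steps 5-6: range Structure on this object and everything above it,
    # all Deny entries before any Allow entry, so a deny in any group wins.
    inherited = [(o, e) for o in obj.self_and_ancestors() for e in o.entries
                 if e.rng == "Structure" and _applies(e, user, groups, node, permission)]
    for access in (DENY, ALLOW):
        for o, e in inherited:
            if e.access == access:
                return access, f"Structure entry on {o.name} for {e.principal}"
    # Last step: Default Settings on the System Object in the Admin Structure.
    for access in (DENY, ALLOW):
        for e in domain_default:
            if e.access == access and _applies(e, user, groups, node, permission):
                return access, f"domain default for {e.principal}"
    return DENY, "no matching entry"


def build_sample():
    """Constructed object tree using the names from the course figure."""
    plant = AspectObject("Milko Chemical")
    liquid = AspectObject("Liquid Processing", plant)
    bv2 = AspectObject("Mixing Unit BV2", liquid)
    fic201 = AspectObject("FIC201", bv2)
    valve = AspectObject("FIC201Valve", fic201)
    # Constructed entries; group and node names are assumptions.
    plant.entries.append(SecurityEntry("Everyone", "Read", ALLOW))
    liquid.entries.append(SecurityEntry("Operators area B", "Operate", ALLOW))
    bv2.entries.append(SecurityEntry("Operators area A", "Operate", DENY))
    # The valve may be operated by area B only from the local panel node BV2PANEL.
    valve.entries.append(SecurityEntry("Operators area B", "Operate", ALLOW,
                                       "Object", frozenset({"BV2PANEL"})))
    valve.entries.append(SecurityEntry("Operators area B", "Operate", DENY, "Object"))
    return {o.name: o for o in (plant, liquid, bv2, fic201, valve)}


if __name__ == "__main__":
    objs = build_sample()
    for node in ("CRWS1", "BV2PANEL"):
        print(node, evaluate(objs["FIC201Valve"], "mrx", {"Operators area B"}, node, "Operate"))
```

Because node-specific Object entries are evaluated before all-node entries, the node-specific Allow on the valve wins over the all-node Deny when the user sits at BV2PANEL, while a member of both area groups is denied on FIC201 by the Structure Deny inherited from Mixing Unit BV2.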

Page 20: C12 - Security V2-1


12.8 Granted Permissions View

When making the security configuration in a system it might be convenient to see how the security for an object is set for a specific person or group of persons. You can easily do this in the following way:

• Select Properties view on the object

• Click on Change User.

Page 21: C12 - Security V2-1


• Select the User Group or a Member (User).

(Figure: Granted permissions for the System Engineer User Group)

Page 22: C12 - Security V2-1


12.9 Security Report

In the system you will find a Security Report aspect. You can use this aspect to get a printed report showing the security settings of the system and to compare a new security report with an old one so that you can see changes in the security settings of the system.

To add a Security Report aspect, follow the steps below:

• Add a Security Report to any object in any structure.

• Create New Aspect, select a Security Report aspect.

• Press the Update button to get an updated security report.

• Click the Print button to get the security report printed.

Information in a security report

• Security definition aspect configuration

• User group and user configuration

• Audit configuration

• Aspect Category configuration