Restrict Access to Output Tags

The built-in Control Outputs privilege will disable writes from all I/O tags when no-one is signed in. This is a general privilege that is granted to the Operator role by default.

Feature Effect Use... Reference

Security Privileges

Control who is allowed to write to an output.

Use in all applications

Restrict Access to Output Tags
Control Locks

Prevent use and operation of selected equipment via the VTScada screens.

If the tag is protected by a privilege, users must also have that security privilege.

Only where there is a need to lock controls for all users, regardless of privilege. Control Locks
Control Tokens

Ensure that only the current token owner can write to an output tag.

Users must also have the required security privilege and the tag must not be locked.

Only one user at a time can hold a Control Token.

Only where there is a need to restrict control to one operator at a time. Control Tokens

Most sites prefer to create a set of custom privileges in order to have control over which tags are available to which operators. You can assign a custom privilege to any tag that can write values to equipment. Anyone may view a control widget linked to that tag, but only users who have the correct privilege can use it to write a value to the PLC or RTU. (A user does not need the Control Outputs privilege in addition to their custom privileges.)

You can also assign a custom privilege to protect certain operational tags. These include Modem, SMS Appliance, and Trigger tags.

When used with tags, custom privileges may be further defined by a rule scope. Under this system, an operator who has the matching privilege can use it only for tags in a defined scope. For example, the operator may be allowed to operate eastern-zone pumps, but not western-zone pumps even though the same privilege protects both.

As an alternative to creating a set of privileges for your output tags as described in this topic, you might try the following instead.

  1. Ensure that no roles (including Operator) have the Control Outputs privilege.
    This method works only if no role has the Control Outputs privilege without a scope-limiting rule.
  2. Create a set of roles matching sets of tags that operators will have access to. (Northern Operations, Generator A, Station 1, ...)
  3. For each role, assign the Control Outputs privilege, but add a scope-limiting rule to restrict that privilege to only the tags that the role-holder should be able to control. See: Rules for Privilege Scope.
  4. Assign roles to operators as appropriate.

To restrict access to output controls:

  1. Open the tag's configuration dialog.
  2. If the dialog has a Merit tab, open that.
    If the dialog has a Quality tab, open that.
  3. In the Privilege drop-down control, select the custom privilege that was created earlier for this tag.
  4. Click OK to save your work.


  • There is no privilege to apply.

Create a custom privilege to apply to the tag.