Rules for Privilege Scope

A "rule" is defined as a limit placed on a privilege. For example, an operator may hold the privilege of acknowledging an alarm for a pump, but only for pumps under one context (station or site) within the Tag Browser. Or, the privilege may be valid only while the operator is signed in at a certain workstation.

Tag Scope Rules

Security rules can be thought of as a simpler form of Realm Filtering. They are especially useful when you have organized your tags into parent-child hierarchies that group similar parts of the application together. For example, a city utility may have grouped all of the tags for the eastern half of the city under one Context tag named EasternZone. All of the tags for the western side are grouped under a Context tag named WesternZone. For operators who work in the EasternZone, you can restrict tag-related privileges within their job description role to apply only to tags in that zone, even though all tags are protected by a single privilege.

Detail from the Accounts dialog, showing one privilege subject to a tag scope rule. The square in the selection box of Filtration Control indicates that it is limited by a rule.

The previous figure shows an example "Eastern Zone Operations" role. The role contains two custom privileges, Filtration Control and Filtration Monitoring. Filtration Control is meant to be applied to I/O tags and is therefore limited by a scope rule to tags in the EasternZone context. (Examples follow, showing how the rule is applied.) Filtration Monitoring is meant to be applied to pages and therefore is not limited by a tag-scope rule.

Use the Manage Rules dialog (following figure) both to add and to remove rules. Removing the privilege and then re-adding it also clears its rules, but that is an inefficient way to do so.

By definition, tag-scope rules are meant for privileges that affect tags. They should never be used for other privileges and, in more recent versions of VTScada, cannot be. For a broader method of limiting operator access to portions of the application, refer to Realm Filtering.

Privileges that can be limited by tag-scope rules:

  Custom (User-defined) Privileges (*)
  Alarm Acknowledge
  Alarm Inhibit
  Alarm Shelve
  Batch Run
  Control Lock Add/Remove
  Control Lock Admin
  Control Outputs
  Control Token Admin
  Control Token Request/Release
  Edit Data
  Edit Roster Contacts
  HDV Pen Modify
  Manual Data
  Note Add
  Questionable
  Recipe Edit
  Tag Modify
  Tag Parameter View

(*) Use care with custom privileges. Apply tag-scope rule restrictions only to those that are used with tags, and never to those used to restrict access to pages. A page-level privilege that has been tag-scoped cannot be satisfied, because there is no tag for the rule to match.

Steps to apply rule-scope:

  1. Find the privilege in the list of Additional Privileges.
     If the privilege has not been granted to the account or role, add it. (Assign Privileges)
  2. Expand the menu for that privilege, as shown in the following figure, and open the Manage Rules dialog.

Step 1 of adding a rule to a privilege.

  3. In the Manage Rules dialog, click the plus button to open the New Rule dialog.

Use the New Rule dialog for both Tag Scope rules and Workstation Scope rules.

  4. In the New Rule dialog, use the Tag Selection button to open the Tag Browser.
  5. Select the tag (or better, the parent context) to which the rule is to apply. Selecting a parent context scopes the privilege to every tag beneath it.
  6. Optionally, select more tags to which the rule should apply.
  7. Click OK through all dialog boxes to exit.
  8. Click Apply in the Accounts dialog to save your work.
     The square instead of a check mark indicates that the privilege is granted conditionally.

Workstation Rules

You can also create a rule such that the privilege is valid only when the user is signed in on a named workstation. For example, if you have created a Manager account, with permissions to modify user accounts, you may wish to restrict that privilege so that it may only be used at a given workstation. Even if someone were to guess the manager's password, they would not be able to modify accounts unless they were also at that person's workstation.

Take care that the workstation you select is or will be available. Don't lock yourself out!

Workstation rules are not intended for use with Internet or Mobile client connections, because the name of the remote device cannot be determined. For those connections the rule is evaluated against the VTScada Thin Client Server itself, so a rule that names that server applies to every connection made through it rather than to one remote device.

The steps to apply a workstation rule to a privilege are the same as those to apply a tag scope rule, excepting only that you will choose one or more workstations instead of one or more tags.
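The following is an added example, not VTScada code or configuration: a small Python model of the scope semantics described in the Tag Scope Rules and Workstation Rules sections above, so that the effect of a rule can be checked against sample requests before it is applied in the Accounts dialog. It assumes (these are not stated on the page) that tag paths use a backslash as the hierarchy separator, that a privilege carrying both a tag rule and a workstation rule requires both to be satisfied, and that each privilege is granted once per role. All names used (EasternZone, Station3, WS-MGR-01, Manage Accounts) are constructed sample data.

```python
"""Illustrative model of privilege scope rules (added example, not VTScada code).

A privilege granted to a role is either unconditional (check mark) or limited
by rules (square). A tag-scope rule lists one or more tags, usually parent
Context tags; the privilege then applies only to those tags and their
descendants. A workstation rule lists workstation names; the privilege
applies only while the session is signed in on one of them.

Assumptions not taken from the page: '\\' separates levels of a tag path;
a privilege with both a tag rule and a workstation rule needs both satisfied;
every name below is constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str                 # "tag" or "workstation"
    members: FrozenSet[str]   # Context/tag paths, or workstation names


@dataclass(frozen=True)
class Grant:
    privilege: str
    rules: Tuple[Rule, ...] = ()   # () = unconditional; non-empty = conditional


def tag_in_scope(tag_path: str, scope_tag: str) -> bool:
    """True when tag_path is scope_tag itself or lies beneath it.

    Requiring the separator after scope_tag stops 'EasternZoneBackup\\Pump1'
    from matching a rule for 'EasternZone'.
    """
    return tag_path == scope_tag or tag_path.startswith(scope_tag + "\\")


def is_permitted(grants: Tuple[Grant, ...], privilege: str,
                 tag: Optional[str] = None,
                 workstation: Optional[str] = None) -> bool:
    """Decide whether `privilege` applies to a request.

    `tag` is the tag being acted on (None for a page-level action);
    `workstation` is the name of the workstation the session is signed in on.
    """
    for grant in grants:
        if grant.privilege != privilege:
            continue
        for rule in grant.rules:
            if rule.kind == "tag":
                # A tag-scoped privilege exercised with no tag (a page action)
                # can never match: this is why page privileges must not be scoped.
                if tag is None or not any(tag_in_scope(tag, s) for s in rule.members):
                    return False
            elif rule.kind == "workstation":
                if workstation not in rule.members:
                    return False
        return True
    return False   # privilege not granted to this role at all


# Constructed role mirroring the "Eastern Zone Operations" example:
# an I/O privilege scoped to one Context, and an unscoped page privilege.
EASTERN_ZONE_OPS: Tuple[Grant, ...] = (
    Grant("Filtration Control", rules=(Rule("tag", frozenset({"EasternZone"})),)),
    Grant("Filtration Monitoring"),
)

# Constructed manager role whose account-administration privilege (name is
# hypothetical) is valid only at one named workstation.
MANAGER: Tuple[Grant, ...] = (
    Grant("Manage Accounts", rules=(Rule("workstation", frozenset({"WS-MGR-01"})),)),
)


if __name__ == "__main__":
    print(is_permitted(EASTERN_ZONE_OPS, "Filtration Control", tag="EasternZone\\Station3\\Pump1"))
    print(is_permitted(EASTERN_ZONE_OPS, "Filtration Control", tag="WesternZone\\Station7\\Pump2"))
    print(is_permitted(MANAGER, "Manage Accounts", workstation="WS-MGR-01"))
    print(is_permitted(MANAGER, "Manage Accounts", workstation="WS-LOBBY-04"))
```

The model also makes the thin-client caveat concrete: if every Internet or Mobile session presents the Thin Client Server's own name as its workstation, a rule whose members include that server name is satisfied by all of those sessions at once, which is the opposite of the per-device restriction a workstation rule is meant to provide.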