
Privilege and Area combinations

Outlined below are four general rules regarding the use of privileges and areas within CitectSCADA.

  1. Global privileges apply to every area.
  2. Assigning a privilege to an area within a role means any user assigned that role will automatically gain viewable access to that area. However, the user can only operate system elements in that area that have a matching privilege. As a result of the first rule, users who are assigned a global privilege will also be able to view every area.
  3. Area 0 includes every privilege a role may have been assigned in other areas. In other words, if a role is granted privilege 3 for use in another area, that role can also control those system elements in Area 0 that have a privilege set as 3.
  4. All users can view Area 0.

These rules will assist you in understanding how the various privilege and area combinations between system elements and roles will affect your security. The table below outlines numerous scenarios and the resulting security for a simple on/off button. The first two columns, Area and Privilege, refer to the button.

| Button Area | Button Priv | Role | Role Area | Role Priv | Security |
|---|---|---|---|---|---|
| No | No | Conveyor Operator | No | No | Operator can view and control the system element. |
| No | Yes | Conveyor Operator | No | No | Can view the system element but cannot operate it, as the role does not have the necessary privilege. |
| No | Yes | Conveyor Operator | No | Yes (matching) | Can view the system element and control it, as the role has been granted the matching global privilege. Role will be able to control those system elements that also have the matching privilege in other areas of the plant. |
| Yes | No | Conveyor Operator | No | No | Role cannot view the system element, as it is no longer assigned to Area 0. |
| Yes | No | Conveyor Operator | Yes (matching) | No | Role can view and control the system element, as no privilege restriction has been set. |
| Yes | Yes | Conveyor Operator | Yes (matching) | Yes (not matching) | Can view the system element in the relevant area but cannot operate it, as the role does not have the necessary associated privilege. |
| Yes | Yes | Conveyor Operator | Yes (matching) | Yes (matching) | Can view the system element and control it within the relevant area, as the role has been assigned a matching associated privilege. |
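
The four rules and the seven table rows above, modeled as an added example (this is not Citect code and not part of the original documentation). The `Role` field names, area number 5 and privilege numbers are constructed for illustration, and an element with no area assigned is treated as belonging to Area 0.

```python
from dataclasses import dataclass, field

AREA_0 = 0  # assumption: an element with no area assigned belongs to Area 0

@dataclass
class Role:  # hypothetical model of a role, not the product's own schema
    viewable_areas: set = field(default_factory=set)  # view-only area grants
    global_privs: set = field(default_factory=set)    # rule 1: valid in every area
    area_privs: dict = field(default_factory=dict)    # privilege -> set of areas

def can_view(role, area):
    if area == AREA_0:                 # rule 4: everyone can view Area 0
        return True
    if role.global_privs:              # rules 1 + 2: a global privilege shows every area
        return True
    if area in role.viewable_areas:
        return True
    # rule 2: holding any privilege in an area also makes that area viewable
    return any(area in areas for areas in role.area_privs.values())

def can_control(role, area, priv=None):
    if not can_view(role, area):
        return False
    if priv is None:                   # element carries no privilege restriction
        return True
    if priv in role.global_privs:      # rule 1
        return True
    granted = role.area_privs.get(priv, set())
    if area == AREA_0:                 # rule 3: Area 0 inherits privileges held elsewhere
        return bool(granted)
    return area in granted

def table_results(area=5, priv=3):
    """(view, control) for the seven table rows, in order; numbers are constructed."""
    rows = [
        (AREA_0, None, Role()),
        (AREA_0, priv, Role()),
        (AREA_0, priv, Role(global_privs={priv})),
        (area, None, Role()),
        (area, None, Role(viewable_areas={area})),
        (area, priv, Role(viewable_areas={area}, area_privs={priv - 1: {area}})),
        (area, priv, Role(area_privs={priv: {area}})),
    ]
    return [(can_view(r, a), can_control(r, a, p)) for a, p, r in rows]
```

When reviewing role definitions, note the two side effects the model makes explicit: any global privilege makes every area viewable, and a privilege granted for one area also operates matching elements in Area 0.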
