Privilege and Area combinations

Using CitectSCADA > Securing Projects > Configuring Security > Privilege and Area combinations

Privilege and Area combinations

Outlined below are four general rules regarding the use of privileges and areas within CitectSCADA.

Global privileges apply to every area.
Assigning a privilege to an area within a role, means any user assigned that role will gain viewable access to that area automatically. However the user can only operate system elements in that area that have a matching privilege. As a result of the first rule, if users are assigned a global privilege they will also be able to view every area.
Area 0 includes every privilege a role may have been assigned in other areas. In other words if granted a privilege 3 for use in another area that role can also control those system elements in Area 0 that have a privilege set as 3.
All users can view Area 0.

These rules will assist you in understanding how the various privilege and area combinations between system elements and roles will affect your security. The table below outlines numerous scenarios, and the resulting security for a simple on/off button.The first two columns Area and Privilege refer to the button.

Area	Priv	Role	Area	Priv	Security
No	No	Conveyor Operator	No	No	Operator can view and control the system element.
No	Yes	Conveyor Operator	No	No	Can view the system element but cannot operate it as role does not have the necessary privilege
No	Yes	Conveyor Operator	No	Yes (matching)	Can view the system element and control it as role been granted the matching global privilege. Role will be able to control those system elements that also have the matching privilege in other areas of the plant.
Yes	No	Conveyor Operator	No	No	Role cannot view the system element, as it is no longer assigned to Area 0.
Yes	No	Conveyor Operator	Yes (matching)	No	Role can view and control the system element, as no privilege restriction has been set.
Yes	Yes	Conveyor Operator	Yes (matching)	Yes (not matching)	Can view the system element in the relevant area but cannot operate it as role does not have the necessary associated privilege.
Yes	Yes	Conveyor Operator	Yes (matching)	Yes (matching)	Can view the system element and control it within the relevant area, as role has been assigned a matching associated privilege.