Example: line of sight
FactoryTalk Security
allows security to differ based on machine location. Computer accounts are used to authenticate, and authorize or deny access to actions from individual computers in the FactoryTalk
automation system. For example, use computer accounts to ensure that certain operations are performed only from computers that are located within direct view of equipment that is being controlled. This is sometimes referred to as line-of-sight security.
IMPORTANT:
Do not use where line-of –sight security is required, because the location of the computer from which the user is operating the system cannot be established reliably. This can have unexpected results. For example, if the remote user’s computer has restricted write security, the local user could be denied access unexpectedly because the remote computer’s session persists after the remote user logged off.
Windows
Remote DesktopTo plan security for the system, start by making lists of users. Divide the users into groups, and plan what resources they need to access. Next, plan what actions users are allowed to perform on those resources, and from which computers or groups of computers. Configure security for computer accounts only in a
FactoryTalk
network directory. In a FactoryTalk
local directory, all securable actions are confined to the local computer only.Imagine a simple scenario in which a bakery needs to secure its application in a
FactoryTalk
Network Directory. In this example, each area of the application is secured to provide access to these users and computers:- The bakery's users are divisible into groups named Operators, Shift Leaders, and Supervisors.
- There are multiple groups of operators, with each group responsible for operating its own area of the bakery (Ingredients, Mixing, Baking, and Packaging).
- Operators perform day-to-day operations with the machinery in the bakery, and can read and write values to and from controllers in their own area. They can also read values from controllers in other areas of the bakery, but cannot modify values in those controllers.
- Operators must be located within line of sight of the heavy machinery they are operating.
- Shift leaders perform all of the same activities that operators do. Shift leaders can modify values in any area of the bakery, but only from computers located within line of sight of the equipment. Shift leaders can also view what is happening anywhere in the control system from any computer.
- Supervisors are not located on the plant floor and cannot operate individual machines. They can only view what is happening anywhere in the control system.
Each group of users has different security needs:
Who | Needs access to these resources | For what actions | From where |
|---|---|---|---|
Operators Ingredients | Ingredients | Read & Write | Computers within line of sight of equipment |
Mixing, Baking, Packaging | Read | Any computer | |
Operators Mixing | Ingredients, Baking, Packaging | Read | Any computer |
Mixing | Read & Write | Computers within line of sight of equipment | |
Operators Baking | Ingredients, Mixing, Packaging | Read | Any computer |
Baking | Read & Write | Computers within line of sight of equipment | |
Operators Packaging | Ingredients, Mixing, Baking | Read | Any computer |
Packaging | Read & Write | Computers within line of sight of equipment | |
Shift Leaders | All | Read & Write | Computers within line of sight of equipment |
All | Read | Any computer | |
Supervisors | All | Read | Any computer |
In this example, you would create the following user groups:
User group | Members |
|---|---|
Operators | All user accounts for all operators |
Operators Ingredients | User accounts for operators in Ingredients area |
Operators Mixing | User accounts for operators in Mixing area |
Operators Baking | User accounts for operators in Baking area |
Operators Packaging | User accounts for operators in Packaging area |
Shift Leaders | User accounts for all shift leaders |
Supervisors | User accounts for all supervisors |
Next, create computer groups and then populate the groups with individual computer accounts. For example, the computer group "Operators Mixing" should contain only the computer accounts that belong to that area.
Finally, secure each resource. For each resource that needs to be secured, right-click the resource (for example, each area), and then select
Security
to view Security Settings
for the resource. To allow actions for a particular group of users and computers, select the group of users and computers, and then assign Allow
permissions to the corresponding actions. Assign Read
permissions before assigning Write
permissions.Permissions examples:
- In theIngredientsarea, allowReadaccess to Operators Ingredients, Mixing, Baking, and Packaging, Shift Leaders, and Supervisors from All Computers.
- In theIngredientsarea, allowWriteaccess to Operators Ingredients and Shift Leaders, only from the group of computers located within line of sight of the Ingredients area.
- In theMixingarea, allowReadaccess to Operators Ingredients, Mixing, Baking, and Packaging, Shift Leaders, and Supervisors from All Computers.
- In theMixingarea, allowWriteaccess to Operators Mixing and Shift Leaders, only from the group of computers located within line of sight of the Ingredients area.
Provide Feedback