Actions
When setting up security, specify which actions a user or group can perform on a selected resource. In a
FactoryTalk
network directory, specify from which computer or group of computers a user can perform the action. A group of common actions are installed by default with the
FactoryTalk Services Platform
. However, different sets of actions apply to different resources in the directory. Additional securable actions might appear, depending on which FactoryTalk
products are installed. For details about using those actions, see the documentation for your FactoryTalk
products.A user needs the following actions in order to expand or interact with an HMI Server:
- Create Children
- Delete
- List Children
- Read
- Write
If any action of the user is denied, a lock icon will appear on the HMI server indicating that the user will no longer be able to interact with the HMI server in FactoryTalk View Studio.
Read
Controls whether a user or group can see the resource in the
Explorer
from a computer or group of computers.Resource type | Result of Denying "Read" |
|---|---|
Network directory or local directory | Prevents users from seeing the directory or its contents. |
Application | Prevents users from seeing the application or its contents. Denying Read does not prevent users from reading tag values from data servers in the application. |
Area | Prevents users from seeing the area or its contents. Denying Read does not prevent users from reading tag values from data servers in the area. |
System folder | Prevents users from seeing the System folder or its contents. Denying Read does not prevent users from reading tag values for devices in the Networks and Devices tree. |
Networks and Devices tree | Prevents users from seeing the Networks and Devices tree and its contents. Denying Read does not prevent users from reading tag values for a particular device. |
Individual network or device in the Networks and Devices tree | Prevents users from seeing the network or device and its contents. Denying Read does not prevent users from reading tag values for a particular device. |
Write
Controls whether a user or group can write to the resource from a computer or group of computers.
Resource type | Result of Denying "Write" |
|---|---|
Network directory or local directory | Prevents users from modifying the properties of any item in the directory. For example, denying Write prevents users from modifying the description of an application, area, or the properties of a data server. However, if Create Children is allowed, the user or group can create applications in the directory, add areas to an application, and add data servers to areas. |
Application | Prevents users from modifying the properties of any item in the application. For example, denying Write prevents users from modifying the description of the application, the descriptions of areas within the application, or the properties of data servers within the application or its areas. However, if Create Children is allowed, the user or group can add areas or data servers to an application and can add data servers to areas. |
Area | Prevents users from modifying the properties of any item in the area. For example, denying Write prevents users from modifying the description of the area, or the properties of data servers within the area. However, if Create Children is allowed, the user or group can add areas or data servers within the area. |
System folder | Prevents users from modifying the properties of any item in the System folder. For example, denying Write prevents users from modifying policy settings, and the properties of user accounts, such as an account's description or group memberships. Denying Write also prevents deleting user and group accounts, if the accounts have group memberships associated with them. This is because the group memberships are updated automatically when an account is deleted, and updating group memberships is controlled by the Write action. |
Networks and Devices tree | Prevents users from defining, modifying, or removing logical names for networks or devices. Denying Write does not prevent users from writing tag values to devices. |
Individual network or device in the Networks and Devices tree | Prevents users from defining, modifying, or removing logical names for the network or device. Denying Write does not prevent users from writing tag values to devices. |
Configure Security
Controls whether a user or group can change the security permissions for the resource, while working from a computer or group of computers, by using
FactoryTalk Administration Console
and selecting Security
for the resource.Denying
Configure Security
has the same effect on all types of securable resources. For example, if a user is denied Configure Security
for an area, the user cannot change the security settings of the area, such as allowing or denying users permission to perform actions in the area, while working from the specified computer or group of computers.Similarly, denying
Configure Security
on the Users and Groups
folder prevents users from setting security permissions for the Users and Groups
folder. Denying Configure Security
on the Users and Groups
folder does not
limit the access users have to resources in the system.Create Children
Controls whether a user or group can create a new, related resource beneath an existing resource in the
FactoryTalk Administration Console
directory tree while working from a computer or group of computers.Resource type | Result of Denying "Create Children" |
|---|---|
Network directory or local directory | Prevents users from creating applications or areas. |
Application | Prevents users from creating areas or data servers in the application. |
Area | Prevents users from seeing the area or its contents. Denying Read does not prevent users from reading tag values from data servers in the area. |
System folder | Prevents users from creating user, computer, or group accounts. Denying Create Children has no effect on policies. |
Networks and Devices tree | Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer. |
Individual network or device in the Networks and Devices tree | Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer. |
List Children
Controls whether a user or group can list the children of the resource from a computer or group of computers.
Denying
List Children
has the same effect on all types of securable resources. For example, if List Children
access is denied to an application, the user or group can see the application, but not its contents while working from the specified computer or group of computers.Unlike the
Read
action, List Children
does allow the user to see the resource that contains other resources, for example, the application that contains areas or data servers.Execute
Controls whether a user or group can perform an executable action from a computer or group of computers. The
Execute
action is used primarily for Product Policy Feature Security
settings. Instead of using the
Execute
action, each FactoryTalk
product can use its own actions to secure its executable features. For details about what, if anything, the Execute
action does in a particular FactoryTalk
product, see the documentation for that product.Delete
Resource type | Result of Denying "Delete" |
|---|---|
Network directory or local directory | Prevents users from deleting any item in the directory, for example, applications, areas, data servers, or user accounts. |
Application | Prevents users from deleting the application, or any item within it, for example, areas, or data servers. |
Area | Prevents users from deleting the area, or any item within it, for example, data servers within the area. |
System folder | Prevents users from deleting any item in the System folder, for example, user, computer, or group accounts. If a user, computer, or group account has group memberships associated with it, deleting the account also requires Write permission, because updating the group memberships of accounts is controlled by the Write action. |
Networks and Devices tree | The Delete action is not available because users cannot remove items from the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer. |
Individual network or device in the Networks and Devices tree | The Delete action is not available because users cannot remove items from the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer. |
Tag actions: Write Value
Controls whether a user or group can write to tags in data servers from a computer or group of computers. Configure this action on the network directory or local directory, an application, or an area.
The
Write Value
action does not prevent users from writing values to tags in specific hardware devices. Write Value
prevents writing values to all of the tags managed by a data server.If additional
FactoryTalk
products are installed, they might install additional Tag actions. For details about these actions, see Help for your FactoryTalk
products.User Action Groups
This category contains the added action groups. If no action groups were added, this category does not appear.
Provide Feedback