Example: Securing access to alarms and events

This example outlines a set of security requirements for alarms and events and shows how to set permissions to implement a security plan.
The example application is called "Packaging Line" and includes:
  • A user group called "Floor Supervisors"
  • A computer group called "Floor Supervisor Computers"
  • An area called "Alarm Servers" that contains both a Tag Alarm and Event Server and a Rockwell Automation Device Server (FactoryTalk Linx)
  • An area called "HMI Server" that contains an HMI Server called "Packaging Line 1." The HMI Server manages several graphic displays that include embedded alarm and event objects, such as Alarm and Event Summary and Alarm and Event Banner.
Planning security requirements
Assume that we are developing a network distributed application.
Suppose we want to allow all of the users in the user group called "Floor Supervisors" to be able to perform the following actions from any of the computers included in the computer group called "Floor Supervisor Computers."
We create a plan that includes the following security requirements for the Packaging Line application:
Requirement 1.
Allow Floor Supervisors to view alarm server properties. Prohibit Floor Supervisors from adding, modifying, and deleting alarm servers.
Requirement 2.
Allow Floor Supervisors to export alarm messages. Prohibit Floor Supervisors from importing alarm messages.
Requirement 3.
Allow Floor Supervisors to display information in alarm and event objects during runtime, including: display alarm messages, available servers, and configuration settings. Prohibit Floor Supervisors from creating or modifying alarm and event object configuration settings.
Requirement 4.
Allow Floor Supervisors to perform alarm actions from alarm and event objects during runtime, including acknowledging alarms, enabling and disabling alarms, resetting latched alarms, and suppressing and unsuppressing alarms.
Security permissions summary for user group: Floor Supervisors
Permission                                                        Allow   Deny
View alarm server properties                                        •
Export alarm messages                                               •
View alarm and event information in graphic displays during runtime •
Interact with alarms in graphic displays during runtime             •
Add, modify, and delete alarm servers                                       •
Import alarm messages                                                       •
Create or modify alarm and event object configuration settings              •
Implementing security requirements
  1. Run FactoryTalk Administration Console and open a Network Directory, or run FactoryTalk View Studio and open the application you want to work with.
  2. In the FactoryTalk Explorer window, right-click the application icon, and then click Security.
  3. In the Security Settings dialog box, select View permissions by: User.
    If the Floor Supervisors - Floor Supervisor Computers pair is not visible in the Users-Computers list, add it. (Click the Add button, select Floor Supervisors and Floor Supervisor Computers, and then click OK to continue.)
  4. When the Floor Supervisors - Floor Supervisor Computers pair is visible in the Users-Computers list, click to select it.
    Just above the Action list, verify that the security options you are about to select do apply to "Permissions for Floor Supervisors from Floor Supervisor Computers."
  5. In the Action list, expand the Common category, and then set the following permissions:
    • Configure Security--Deny
      (prevents users in the group from changing security settings for this application)
    • Create Children--Deny
      (prevents users in the group from adding new servers or areas to this application)
    • Delete--Deny
      (prevents users in the group from deleting this application and from deleting servers or areas within this application)
    • Execute--Leave blank
      (applies to product policy features available from the System > Policies > Product Policies folders)
    • List Children--Allow
      (makes areas and servers contained within the application visible to users in the group; allows alarm and event objects to display information, including alarm messages, suppressed alarms, alarm names, alarm states, and server status)
    • Read--Allow
      (makes the application contained within the directory tree visible to users in the group; allows displaying properties for alarm and event objects)
    • Write--Deny
      (prevents users in the group from modifying the properties of areas and servers contained in this application; prevents users from creating or configuring alarm and event object properties; prevents users from clearing alarm counts)
  6. In the Action list, expand the Alarming category, and then set the following permissions to allow Floor Supervisors to issue alarm commands during runtime from alarm and event objects:
    • Acknowledge--Allow
      (allows users in the group to acknowledge alarms during runtime)
    • Enable/Disable--Allow
      (allows users in the group to enable and disable alarms during runtime)
    • Reset--Allow
      (allows users in the group to reset latched alarms during runtime)
    • Shelve--Allow
      (allows users in the group to shelve and unshelve alarms during runtime)
    • Suppress--Allow
      (allows users in the group to suppress and unsuppress alarms during runtime)
  7. On the Permissions tab, review your settings, and then click OK to close the dialog box.
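One way to carry out the review in step 7 repeatably is to compare the values noted from the Permissions tab against the settings from steps 5 and 6. This is an added example, not Rockwell Automation code: the dictionary layout, the `audit` function, and the `SAMPLE` values are constructed for illustration and are not a FactoryTalk export format.

```python
# Baseline: the Allow/Deny/blank values set in steps 5 and 6 (None = left blank).
BASELINE = {
    "Common": {"Configure Security": "Deny", "Create Children": "Deny",
               "Delete": "Deny", "Execute": None, "List Children": "Allow",
               "Read": "Allow", "Write": "Deny"},
    "Alarming": {"Acknowledge": "Allow", "Enable/Disable": "Allow",
                 "Reset": "Allow", "Shelve": "Allow", "Suppress": "Allow"},
}

# Constructed sample: values a reviewer noted down from the Permissions tab.
SAMPLE = {
    "Common": {"Configure Security": "Deny", "Create Children": "Deny",
               "Delete": "Deny", "List Children": "Allow", "Read": "Allow",
               "Write": "Allow"},                      # drift: plan says Deny
    "Alarming": {"Acknowledge": "Allow", "Enable/Disable": "Allow",
                 "Reset": "Allow", "Shelve": "Allow",
                 "Supress": "Allow"},                  # misspelled action name
}

def audit(recorded):
    """Return sorted (category, action, finding) tuples for every deviation."""
    findings = []
    for category, actions in BASELINE.items():
        got = recorded.get(category, {})
        for action, want in actions.items():
            have = got.get(action)                     # missing entry = blank
            if have == want:
                continue
            if have not in ("Allow", "Deny", None):
                kind = "invalid-value"
            elif have == "Allow":
                kind = "over-privileged"               # grants more than the plan
            elif want == "Allow":
                kind = "under-privileged"              # plan grants it, setting does not
            elif have is None:
                kind = "deny-not-set"                  # plan calls for an explicit Deny
            else:
                kind = "unexpected-deny"               # plan leaves this action blank
            findings.append((category, action, f"{kind}: want {want}, have {have}"))
        for action in got.keys() - actions.keys():
            findings.append((category, action, "unknown action name"))
    for category in recorded.keys() - BASELINE.keys():
        findings.append((category, "*", "unknown category"))
    return sorted(findings)

if __name__ == "__main__":
    for category, action, finding in audit(SAMPLE):
        print(f"{category} / {action}: {finding}")
```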