Transcript maxDNA Overview

MODULE FIVE
SECURITY
Security for the maxDPU4E/F is implemented at three levels.
User Level (password protected)
When running the maxVUE runtime application a security field would
usually be available in the upper right corner of the screen as a part of the
vertical toolbar. The user can click on the security button to raise a popup
where he/she can establish a different security level by supplying the proper
password.
© Metso Automation Inc. 2005
POINT SECURITY
SECURITY
© Metso Automation Inc. 2005
Runtime Security Change Popup
POINT SECURITY
The appearance and behavior of the maxVUE Security Level Popup changed in
Release 2.
The relationship of the security levels to each other has also
changed. The new Popup is shown below.
There are still 10 security levels numbered 0 – 9. Level 0 implies no
security privileges. This may be referred to as “do nothing mode”. Level 9
is the bypass level, and allows the user to perform any write actions. The
“default Engineer” and “default Operator” levels still apply and are set via
the Security Edit program. Levels 1 – 8 are no longer considered
hierarchical as they were in previously supplied MCS Systems. In other
words level 1 is not necessarily lower than level 2, etc. Security Edit
program provides a means to make the present system behave similar to
the legacy systems. Please refer to Security Section of the System
Resources User’s Guide for a complete explanation.
© Metso Automation Inc. 2005
POINT SECURITY
Security Levels
This new button will change the maxSTATION’s Security level to the default
level that corresponds to the current Windows XP Professional user. If the user is
a member of the maxSTATION Engineer or Operator group then the default
Engineer/Operator level will be selected. Otherwise the default is set to 0. The
default Engineer and Operator levels are set via the MCS SecurityEdit program.
The initial values after installation are 3 for Engineer and 1 for Operator.
Depending on the current security level when the Default Login button is
pressed, a password may be required to actually change to that level.
Password Dialog Box for Security Change
© Metso Automation Inc. 2005
POINT SECURITY
Default Login button
Changing security levels
From
Current Level
9
0
Any non-zero
Any non-zero
Any non-zero
© Metso Automation Inc. 2005
To
Selected Level
any
Any
default level for
currently logged in
user
A higher level
Any non-zero lower
level
Password required
No
Yes
No
Yes
(unless selected
level is the default )
Yes
(unless the
Password Entry
mode is set to allow
lowering of security
levels without
entering a
password..
POINT SECURITY
May or may not require a password, and depends on the current and
selected passwords, and the Password Entry mode selected via the
MCS Security Edit program. The following table describes when a
change of password is required.
0-Guest
1-LabData
2-Technician
3-Operator1
4-Operator2
5-Supervisor
6-Tuner
7-Engineer1
8-Engineer2
9-Bypass
© Metso Automation Inc. 2005
POINT SECURITY
The user should be careful to return the security level when leaving the
screen to avoid granting inappropriate privilege to the next user. The user
level names can be redefined by the administrator but are predefined by
default to be:
The administrator also assigns the security passwords and the
default level for the engineer and operator logons.
© Metso Automation Inc. 2005
POINT SECURITY
The user level permissions can also be assigned by the
administrator but are pre-assigned in 5 schemes. The only level,
whose permissions cannot be reassigned is #9 (default level
name is Bypass) which has the clearance to bypass all security
and do anything that may be done.
MCSSecurityEdit
This program can be found in the MAX Administrative Tools section of the Start,
Programs Menu popup as the Security Edit function
You will then be presented with a dialog pop up such as the following
© Metso Automation Inc. 2005
MCSSecurityEdit Dialog Box.
A new checkbox has been added to the Security Edit dialog screen that
effects whether passwords are required when a MAXStation user
changes Security Levels. The checkbox is contained in the section titled
Password Entry as shown above. When it is checked, password entry
will not be required when changing to a security level that is lower than
the current level. In this mode security level changes will behave like the
older MCS Supplied systems. When the box is unchecked, a password
will be required when selecting a level less than the current, except for
the situations shown in the table below.
From
Current Level
9
Any
© Metso Automation Inc. 2005
To
Selected Level
any
0
Password required
No
No
Attribute Classification
Each native attribute has been assigned to one of six classifications (0-5),
according to the way it is commonly used. Attributes created in custom functions
can be assigned to any existing category or to custom categories with index
numbers 8 through 15 (8 total) which can be created by the administrator. Index
numbers 6 and 7 are reserved. Below is a list of the Attribute Classifications.
0-ModeChange
1-Target/Commands
2-Acknowledge
3-AlarmLimit
4-Tune/Adjust
5-Configuration
6,7-Reserved
8…15- Custom
© Metso Automation Inc. 2005
Schemes
A set of 16 Schemes is stored in the maxDPU4E. A scheme is a
matrix (10 by 16) of attribute classifications and user levels. One is
assigned/applied to each individual function block. These schemes
are used to define the block’s present condition. A scheme identifies
which security levels are permitted to manipulate each attribute
classification. Five-scheme (0 – 4) have been predefined as of
release 2.0. These, too, may be edited by the administrator. The sixth
and all others are delivered with no permissions for anyone but level
9 (Bypass), which always has total access. These may be used to
extend the variety of permission level assignments.
0-Most Normal Points
1-Non-Critical Alarms/No Operator Mode Change
© Metso Automation Inc. 2005
2-Calibration Points
3-Locked Mode Points
4-Secure Points
5...15-Bypass Only (Custom definable)
Changes may be made by the system administrator and then, using
maxDPUTOOLS can only be downloaded or ignored. There is no
partial security download. The schemes are stored in two atomic
functions, which exist in all maxDPU4E/F version 2.0, and beyond.
Once downloaded they are hidden and inaccessible but very much in
control of who may access what.
The default security schemes are listed below. The maxDPUTOOLS
default is to assign Scheme 0, which the administrator (or person
with bypass security level) can change as needed.
© Metso Automation Inc. 2005
Most Normal
Points
1
2
3
4
5
6
…
16
Scheme 0
ModeChange
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
Configuration
G
u
e
s
t
L
a
b
D
a
t
a
T
e
c
h
n
i
c
i
a
n
0 1 2
O
p
e
r
a
t
o
r
1
O
p
e
r
a
t
o
r
2
3
x
x
x
4
x
x
x
S
u
p
e
r
v
I
s
o
r
5
x
x
x
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B Non-Critical
y
Alarms/No
p Operator Mode
a
Change
s
s
6 7 8 9
x x x x
x x x x
x
x x x
x x x x
x x x
x
x
1
2
3
4
5
6
…
16
Scheme 1
ModeChange
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
Configuration
G
u
e
s
t
L
a
b
D
a
t
a
T
e
c
h
n
i
c
i
a
n
0 1 2
The matrix for Schemes zero and one
© Metso Automation Inc. 2005
O
p
e
r
a
t
o
r
1
O
p
e
r
a
t
o
r
2
S
u
p
e
r
v
I
s
o
r
3 4 5
x
x x x
x x x
x
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B
y
p
a
s
s
6 7 8 9
x x x x
x x x x
x
x x x
x x x x
x x x
x
x
Calibration
Points
1
2
3
4
5
6
…
16
G
u
e
s
t
L
a
b
D
a
t
a
T
e
c
h
n
i
c
i
a
n
Scheme 2
0 1 2
ModeChange
x
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
x
Configuration
O
p
e
r
a
t
o
r
1
O
p
e
r
a
t
o
r
2
3
x
x
x
4
x
x
x
S
u
p
e
r
v
I
s
o
r
5
x
x
x
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B
y
p
a
s
s
6 7 8 9
x x x x
x x x x
x
x x x
x x x x x
x x x
x
x
Locked Mode
Points
1
2
3
4
5
6
…
16
Scheme 3
ModeChange
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
Configuration
G
u
e
s
t
T
e
c
h
n
i
c
i
a
n
0 1 2
The matrix for Schemes two and three
© Metso Automation Inc. 2005
L
a
b
D
a
t
a
O
p
e
r
a
t
o
r
1
O
p
e
r
a
t
o
r
2
S
u
p
e
r
v
I
s
o
r
3 4 5
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B
y
p
a
s
s
6 7 8 9
x x x x
x x x x x x x
x x x
x
x x x
x x x x
x x x
x
x
Secure Points
1
2
3
4
5
6
…
16
Scheme 4
ModeChange
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
Configuration
G
u
e
s
t
L
a
b
D
A
T
A
T
e
c
h
n
i
c
i
a
n
0 1 2
O
p
e
r
a
t
o
r
1
O
p
e
r
a
t
o
r
2
S
u
p
e
r
v
I
s
o
r
3 4 5
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B
y
p
a
s
s
6 7 8 9
x x x 1
x x x 2
x x x
x 3
x x x 4
x x x 5
x x x 6
x …
x 16
Bypass
Scheme
ModeChange
Targt/Cmnds
Acknowledge
AlarmLimit
Tune/Adjust
Configuration
G
u
e
s
t
L
a
b
D
a
t
a
T
e
c
h
n
i
c
i
a
n
0 1 2
O
p
e
r
a
t
o
r
1
S
u
p
e
r
v
I
s
o
r
3 4 5
The matrix for Schemes four and five through fifteen
© Metso Automation Inc. 2005
O
p
e
r
a
t
o
r
2
T
u
n
e
r
E
n
g
I
n
e
e
r
1
E
n
g
I
n
e
e
r
2
B
y
p
a
s
s
6 7 8 9
x
x
x
x
x
x
x
x
MCSSecuritySchemesEditor
This program can be found in the MAX Administrative Tools section of the
Start, Programs Menu popup.
© Metso Automation Inc. 2005
There are three presentations, which sort and display the 3 dimensional matrix
each way. (see next page). By selecting a TAB at the top of the page you can see
each of the remaining 2 dimensions for the selected type. The window in the
upper right displays and allows editing of the tab names in all cases except the
reserved first 8 attribute classifications. The SecuritySchemes.mdb database file
is stored in Custom\database. It is password protected to avoid random
unauthorized editing using access. This scheme is used and downloaded to ALL
maxDPU4E/Fs.
MCSSecurity SchemesEditor with a Schemes view
© Metso Automation Inc. 2005
MCSSecurity SchemesEditor with a Attribute Security Class view
© Metso Automation Inc. 2005
MCSSecurity SchemesEditor with a Security Level view
© Metso Automation Inc. 2005
maxDPUTOOLS Security Application
As mentioned earlier in this document the security schemes are sent
to the maxDPU4E/F. Every function block in the configuration will
have a security scheme applied to it. This can be accomplished
through the off-line configurator (maxDPUTOOLS) or the on-line
configurator (Point Browser).
© Metso Automation Inc. 2005
Security Scheme assignment for a Point (top) and Atom (bottom).
© Metso Automation Inc. 2005
The Scheme can also be changed using the Point Browser function.
Security Scheme assignment for an Atom using Point Browser
© Metso Automation Inc. 2005
POINT SECURITY
END
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
© Metso Automation Inc. 2005
POINT SECURITY
END
© Metso Automation Inc. 2005