You can define rules for user groups and workstations and thereby restrict their rights. For example, some messages can only be processed by those users responsible for them. Nevertheless, events and their assigned messages can still be visible in grayed-out form so that these users get a full understanding of a situation. Before adding authorization rules, ensure that the following requirements are fulfilled:

  • A hierarchical role concept exists.
  • At least one role is defined such that all messages and events can be processed, for example the Supervisor role.
  • At least one relevant person is always present and logged in on the system.

Creating Simple Permission Rules

You can restrict the rights of specific user groups.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click a user group and select Permission Rules > Create Simple Permission Rule.
  2. Enter a comment.
  3. In the Prohibit section, click Add.
  4. To filter the Reference list, use the filter term in the Filter field.
  5. Select all commands that you want to prohibit for this group.
  6. Configure the Prohibit section accordingly. You have the following options:
     • Deny Rights/Function Groups
     • Prohibit Perspectives
     • Deny Gestures/Actions/Orders
     • Deny Preference Groups
     • Deny (to See) Preferences
     • Deny Data Channel
     • Deny Universal View (Plugin)
  7. Click Finish.
  8. To display the new rule in the Authorization rules view, click Refresh.

Creating Area Permission Rules

You can restrict an operator from viewing events or messages from a specific area by creating an area permission rule. You can select an area and apply the permission rule to the selected area.

The area permission rule has to be applied for each area and is not inherited.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click a user group and select Permission Rules > Create Area Permission Rule.
  2. Enter a comment.
  3. Select an area to apply the permission rule.
  4. Click Finish.
  5. To display the new rule in the Authorization rules view, click Refresh.

Creating Keyword Permission Rules

Keyword permission rules are created automatically after importing or creating disciplines after a server restart. However, you can also create keyword permission rules manually in the User and Authorization Management and Administration perspective. You can restrict the rights to process events, perform operation procedure steps and view messages. You can select keywords and subkeywords that have been defined beforehand from a list. A keyword is a combination of discipline and attribute. The permission rule then only applies to the selected keyword. The subkeyword depends on the keyword and further describes the keyword.

Make sure when configuring keyword permission rules that no messages are excluded from processing. Every keyword has to be assigned to at least one user group.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click a user group and select Permission Rules > Create Keyword Permission Rule.
  2. Enter a comment.
  3. Select a keyword.
  4. Select a subkeyword.
  5. Click Finish.
  6. To display the new rule in the Authorization rules list, click Refresh.

Creating Originating Object Permission Rules

You can restrict the rights of an individual workstation, for example by preventing state changes from being displayed for a keyword or triggering objects in conjunction with a keyword. For example, in case of a silent alarm, it does not make sense to display the alarm message on workstations in the same room if a hold-up alarm is actuated in that room.

To prevent the message from being displayed in the same room, you can create a single object permission rule for each affected workstation. You can specify the hold-up device as the triggering object in this rule and select a suitable keyword, for example hold-up.

Make sure not to exclude all objects from an individual workstation.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click a workstation and select Create Originating Object Permission Rule.
  2. Enter a comment.
  3. Select an originating object, for example a TBS object.
  4. Select a keyword.
  5. Click Finish.
  6. To display the new rules in the Authorization rules list, click Refresh.

Creating OIS Commands Permission Rules

You can restrict the rights of specific user groups to perform commands to subsystems. Moreover, you can define the object for which the rule is to be applied. When defining permission rules, the inheritance principle applies. Permission rules defined for a specific user group are automatically inherited by subordinate users. Permission rules defined for a specific object in the System Tree are automatically inherited by subordinate objects. Depending on the complexity of the subsystem hierarchy, you can override the previously defined permission rules.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click a user group and select Permission Rules > Create OIS Commands Permission Rule.
  2. Enter a comment.
  3. In the Subsystem text field, select an object type to apply the permission rule.
     • Subsystem Container
     • Group of OIS Controllers
     • OIS Controller
     • OIS Component
  4. In the Permission Level text field, select a permission level. Permission levels depend on the specific subsystem, for example FS20, SIGMASYS. Each subsystem can specify which command belongs to which permission level. For detailed information, refer to the OIS Web User Manual (OIS Tools start page > Help). Use user_group as the search term when searching for permission levels in the OIS Web User Manual. The higher the permission level, the more commands you can see. The permission level value has the following range:
     • 0 – Permission Level (lowest): This is the default value. No commands are shown.
     • 1 – Permission Level: Basic permission level
     • 2 – Permission Level: Moderate permission level
     • 3 – Permission Level: High permission level
     • 4 – Permission Level: Highest permission level
  5. Click Finish.
  6. To display the new rules in the Authorization rules list, click Refresh.

Example:

  • After creating a general permission rule for the Commissioning Engineer user group, members of this user group inherit the permissions assigned to the group. In the System Tree, the permission rule applies to all objects inside of the Subsystem Container node.
  • After creating a specific permission rule for the Commissioning Engineer user group, members of this user group inherit the permissions assigned to the group. In the System Tree, the permission rule applies to the OIS component only. It overrides the rule defined for the Subsystem Container node and grants permission level 3 for the C_FS20_92 OIS component.
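
The inheritance and override behaviour from this example, as an added illustration that is not part of the product or its documentation: a small Python model that resolves an object's effective permission level from the nearest rule on its path in the System Tree and lists the overrides that raise a level, which are the rules worth reviewing against least privilege. The tree layout, the level 1 on the Subsystem Container, and the function names are assumptions; only C_FS20_92, level 3 and the default level 0 come from the text, and inheritance between user groups is not modelled.

```python
# Added illustration of the OIS inheritance rule; not product code.
DEFAULT_LEVEL = 0  # page: default level, no commands are shown

# Constructed System Tree (child -> parent). Only C_FS20_92 is named on the page.
PARENT = {
    "Subsystem Container": None,
    "Controller Group": "Subsystem Container",
    "Controller 1": "Controller Group",
    "C_FS20_92": "Controller 1",
    "C_FS20_93": "Controller 1",
}

# (user group, object) -> permission level 0..4
RULES = {
    ("Commissioning Engineer", "Subsystem Container"): 1,  # level is constructed
    ("Commissioning Engineer", "C_FS20_92"): 3,            # from the page's example
}

def effective_level(group, obj, rules=RULES, parent=PARENT):
    """Return (level, object the rule is defined on); the nearest rule wins."""
    if obj not in parent:
        raise KeyError(f"unknown object: {obj}")
    node, seen = obj, set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in tree at {node}")
        seen.add(node)
        level = rules.get((group, node))
        if level is not None:
            if not 0 <= level <= 4:
                raise ValueError(f"level out of range on {node}: {level}")
            return level, node
        node = parent[node]
    return DEFAULT_LEVEL, None  # no rule on the path: default applies

def raising_overrides(rules=RULES, parent=PARENT):
    """List rules that grant more than the object would otherwise inherit."""
    found = []
    for (group, obj), level in sorted(rules.items()):
        up = parent[obj]
        inherited = effective_level(group, up, rules, parent)[0] if up else DEFAULT_LEVEL
        if level > inherited:
            found.append((group, obj, inherited, level))
    return found

if __name__ == "__main__":
    for name in PARENT:
        print(name, effective_level("Commissioning Engineer", name))
    print(raising_overrides())
```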