PRiSM Security Configuration and considerations
Agenda
- Security overview
- Authentication
- Adding a user
- Security groups
- Security roles
- Asset roles
Security Overview
Three Aspects of Security
- Authentication: who can log into PRiSM
- Security Groups: what items they can view
- Security Roles: what actions they can perform
Authentication
PRiSM Users
- Windows Active Directory
  - Active Directory user
  - Active Directory user group
- Local machine accounts (PRiSM server only)
- Security considerations
  - PRiSM stores only the Windows security identifier (SID)
  - Not usernames
  - Not passwords
Authentication Process
1. Collect the SID from the client machine
2. Compare the SID to the PRiSM database (the list of authorized users and authorized user groups)
3. The Active Directory server authenticates the password
4. The connection is established
Web Authentication (diagram)
Components shown: PRiSM Server (Service, Archive, eDNA, Database on SQL or Oracle, Web Service); Client Computer (PRiSM Client (Desktop), PRiSM Web (Browser)); Active Directory Server (LDAP); the SID passed from the client.
Client Authentication - Web (diagram)
Same components; the SID originates at the client computer.
Client Authentication - Local LDAP (diagram)
Same components; LDAP between the PRiSM server and the Active Directory server.
Anonymous Authentication
- Prompted only if the current user is not authorized in the PRiSM database
- The shortcut can be modified with the /a command-line option
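The authentication steps above as a runnable sketch in Python, added here (this is not PRiSM's code). It keys the authorization table by SID only, accepts non-domain SIDs only when the PRiSM server itself issued them, treats an unmatched SID as the case that triggers the anonymous-authentication prompt, and leaves the password check to an Active Directory stand-in. All SIDs, table rows and password data are constructed; the table schema, the local-account rule and the AD stand-in are assumptions.

```python
"""SID-keyed authorization, modelled on the PRiSM authentication steps above.
Added illustration, not PRiSM code: every SID, the table contents and the
Active Directory stand-in are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed SIDs. The S-1-5-21-<sub-authorities> prefix identifies the issuing
# domain or machine; the trailing RID identifies the user or group.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"          # the AD domain
PRISM_SERVER = "S-1-5-21-4444444444-5555555555-6666666666"    # machine SID of the PRiSM server
OTHER_PC = "S-1-5-21-7777777777-8888888888-9999999999"        # machine SID of a client PC


@dataclass(frozen=True)
class Principal:
    sid: str               # the only identity PRiSM keeps: no username, no password
    kind: str              # "user" or "group"
    security_group: str    # what the principal may view
    role: str              # what the principal may do


# Stand-in for the PRiSM table of authorized users and groups, keyed by SID
# (the schema is an assumption; the slide only says SIDs are stored).
AUTHORIZED = {
    f"{DOMAIN}-1105": Principal(f"{DOMAIN}-1105", "user", "Operators", "User"),
    f"{DOMAIN}-1201": Principal(f"{DOMAIN}-1201", "group", "Plant-A", "Read Only"),
    f"{PRISM_SERVER}-1001": Principal(f"{PRISM_SERVER}-1001", "user", "Full Access", "Administrator"),
}

# Stand-in for the AD side of step 3: the only place a password is ever checked.
AD_PASSWORD_HASHES = {f"{DOMAIN}-1105": hashlib.sha256(b"hunter2").hexdigest()}


@dataclass(frozen=True)
class ClientToken:
    """Step 1 input: the logged-on user's SID plus the group SIDs from its
    Windows access token (constructed here; Windows supplies them in reality)."""
    user_sid: str
    group_sids: tuple = ()


def is_domain_sid(sid, domain_sid=DOMAIN):
    return sid.startswith(domain_sid + "-")


def authorize(token, db=AUTHORIZED, server_machine_sid=PRISM_SERVER):
    """Step 2: match the user SID, then each group SID, against the table.
    Non-domain SIDs count only when the PRiSM server itself issued them (our
    reading of 'Local machine accounts: PRiSM server only'); that also skips
    well-known SIDs such as S-1-1-0 (Everyone). A miss means the user is not
    authorized, which is when the anonymous-authentication prompt appears."""
    for sid in (token.user_sid, *token.group_sids):
        if not is_domain_sid(sid) and not sid.startswith(server_machine_sid + "-"):
            continue
        entry = db.get(sid)
        if entry is not None:
            return "allow", entry
    return "prompt", None


def ad_check(sid, password, hashes=AD_PASSWORD_HASHES):
    """Constructed stand-in for the Active Directory password check (step 3).
    Real AD does not expose a SID-keyed hash table; this only models where the
    check happens, which is outside PRiSM."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(hashes.get(sid, ""), digest)


def login(token, password, db=AUTHORIZED, verify=ad_check):
    """Steps 1-4 in the slide's order. Returns 'connected', 'denied' (AD
    rejected the password) or 'prompt' (SID not authorized)."""
    decision, _ = authorize(token, db)
    if decision != "allow":
        return "prompt"
    if not verify(token.user_sid, password):
        return "denied"
    return "connected"


if __name__ == "__main__":
    alice = ClientToken(f"{DOMAIN}-1105", (f"{DOMAIN}-513", "S-1-1-0"))
    bob = ClientToken(f"{DOMAIN}-1500", (f"{DOMAIN}-1201",))   # authorized only via a group
    print(authorize(alice)[1].role, authorize(bob)[1].security_group, login(alice, "hunter2"))
```

Because the table holds SIDs rather than names, renaming a domain account changes nothing here, while deleting and recreating an account yields a new RID and therefore a miss; that is the behaviour the "SID only, no usernames" design implies.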
Adding a User
Administer Users
1. File > Administer Users
2. Add User
3. Configure the Security Group and Role
Security Groups
Security Groups
Restrict view access to:
- Assets
- Templates
- Projects
- Real time services
Full Access Group
- Grants access to all items
- Cannot be edited or deleted
New Security Group
- Administrator defined
Details
- Group Name: the name shown when configuring a user
  * Versions 2.7.2 and below require additional configuration
Assets
- Allowed Assets: drag and drop from the hierarchy to the pane on the right
- Add every asset or folder the user will have access to
- Deleting: click the ID, then press Delete
Asset Access in Client
- Asset restrictions are not applied to the Client view: users will be able to view all assets
Asset Access in Web
- Users will be able to view allowed assets only (for the most part)
Templates
- Allowed Templates: check Allow
Templates Access Application
- Users will be able to view allowed templates only
- Users will be able to associate allowed templates only
- Users can still view projects that are associated with restricted templates
Project Access
Access to projects is determined by asset and template access, in one of three configurations:
- Asset (default configuration)
- Both Asset and Template
- Either Asset or Template
Project Access Examples
In each example the user has been given access to "Allowed Asset" and "Allowed Template". Each slide shows a grid of project access outcomes with:
- Rows: Allowed Asset, Restricted Asset
- Columns: No Template Project, Allowed Template Project, Restricted Template Project
for each configuration: Asset Only; Both Asset and Template; Either Asset or Template. (The outcome marks were shown graphically on the slides.)
(Non-derived Template)
- Useful with the Both Asset and Template or Either Asset or Template configurations
- For project access grants, the lack of a template is considered the project's template, so allowing "(Non-derived Template)" is how template access is granted to projects that have no template
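The three project-access configurations and the non-derived-template rule, as an added Python example (not PRiSM code) that recomputes the example grids from the rules stated on these slides rather than from the slide graphics. The asset and template names are constructed; that an allowed folder covers the assets beneath it, and the '/'-separated path form, are assumptions.

```python
"""Project access under the three configurations above. Added example, not
PRiSM code: asset paths, template names and the allowed sets are constructed.
Treating an allowed folder as covering the assets beneath it is our reading of
'add every asset or folder the user will have access to'."""

NON_DERIVED = "(Non-derived Template)"   # pseudo-template entry from the slide
MODES = {
    "asset": "Asset (default configuration)",
    "both": "Both Asset and Template",
    "either": "Either Asset or Template",
}


def asset_allowed(asset_path, allowed_assets):
    """True if the asset itself or any folder above it is in the allowed set.
    Hierarchy paths use '/' (assumption about how the tree is addressed)."""
    parts = asset_path.split("/")
    return any("/".join(parts[:i]) in allowed_assets for i in range(1, len(parts) + 1))


def template_allowed(project_template, allowed_templates):
    """A project without a template is treated as if its template were
    '(Non-derived Template)', so that entry can be allowed or restricted."""
    key = NON_DERIVED if project_template is None else project_template
    return key in allowed_templates


def project_access(mode, allowed_assets, allowed_templates, project_asset, project_template):
    """Decide whether a project is visible to a user with the given allowed sets."""
    if mode not in MODES:
        raise ValueError(f"unknown project access configuration: {mode!r}")
    by_asset = asset_allowed(project_asset, allowed_assets)
    by_template = template_allowed(project_template, allowed_templates)
    if mode == "asset":
        return by_asset                     # template restrictions play no part
    if mode == "both":
        return by_asset and by_template
    return by_asset or by_template          # "either"


def access_grid(mode, non_derived_allowed=False):
    """Recompute the example grids: the user is allowed 'Allowed Asset' and
    'Allowed Template' (and optionally '(Non-derived Template)').
    Returns {(asset, template): visible}; template None = no-template project."""
    allowed_assets = {"Allowed Asset"}
    allowed_templates = {"Allowed Template"}
    if non_derived_allowed:
        allowed_templates.add(NON_DERIVED)
    return {
        (asset, template): project_access(mode, allowed_assets, allowed_templates, asset, template)
        for asset in ("Allowed Asset", "Restricted Asset")
        for template in (None, "Allowed Template", "Restricted Template")
    }


def render_grid(mode, non_derived_allowed=False):
    """Text table of the grid: one row per asset, columns for no-template,
    allowed-template and restricted-template projects."""
    grid = access_grid(mode, non_derived_allowed)
    columns = (None, "Allowed Template", "Restricted Template")
    title = MODES[mode] + (" + (Non-derived Template) allowed" if non_derived_allowed else "")
    lines = [title, "  " + " " * 17 + " none allw rstr"]
    for asset in ("Allowed Asset", "Restricted Asset"):
        cells = ("yes" if grid[(asset, t)] else "no" for t in columns)
        lines.append(f"  {asset:17} " + " ".join(f"{c:>4}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for mode in MODES:
        print(render_grid(mode))
    print(render_grid("both", non_derived_allowed=True))
```

The default configuration ignores templates entirely, so a restricted template does not hide a project from a user who can see its asset; only "Both" makes template restrictions bite, and under "Either" a template grant leaks projects on restricted assets.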
Real Time Services Access
- Users will be able to view allowed real time services only
  - Points
  - Data
Service vs Service Type
- Service: access to specific services
- Service Type: access to all services of that type, current and future
RTS Access Application
- Project point additions
- Historical Data Import
- Trending: the Actual (Source RTS) trend cannot be used for a restricted service; all users will always have access to PRiSM history
Members
- List of users assigned to the security group
Security Roles
Administrator
- Full system access
- All explicit roles
- Additional roles
User
- Access: Projects, Templates, Alarms, Annunciators
- Restrictions: System settings, Service configuration, User management, Asset management, Notification management
Read Only
- Access: View Projects, View Templates, View Alarms, View Annunciators
- Restrictions: System settings, Service configuration, User management, Asset management, Notification management
Custom Roles
- Administrator configured
- No limit on count
Role Details
- Client login: allows the user to log into PRiSM Client
- Web login: allows the user to log into PRiSM Web
- Modify Projects: create, edit, and delete projects
- Modify Templates: create, edit, and delete templates
- Clear Alarms (Manage Alarms): change alarm status or clear alarms
- Quick Train: allows users to quick train projects; also requires Modify Projects
- Modify Annunciator Panel: create, edit, and delete annunciator panels
- Modify System Preferences: edit system preferences in PRiSM Client and in PRiSM Web
- Modify User Preferences: edit user preferences in PRiSM Client and in PRiSM Web
- Modify Real Time Services: allows users to configure RTSs (service administration and agent administration)
- Modify Web Services: allows users to define external web data services
- Modify Local Configuration: allows users to open the local configuration file through the About screen and the local hosts file from the eDNA Configuration screen
- Modify User Libraries: allows users to access system calculation libraries
- Manage Notifications: allows access to the general notification settings, the notification format, and the subscriptions of notification-only accounts
- Manage Assets: allows access to the asset management screen and controls the ability to create new folders when changing a project's asset folder
- Manage Users: allows access to the user management screen for managing users, roles, security groups, and notification-only user accounts
Additional Administrator Role Access
- Automatic model building
- Digital point definitions
Asset Roles
Asset Role
- Allows a user's role to be different in specific assets
- Example usage: the user's default access is Read Only, but in a specific asset the user has User access
  - A training sandbox for learning PRiSM
  - No disruption to production projects
Asset Role
- Create Asset Role
- Configure the asset role
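Role resolution with an asset-role override, as an added Python example (not PRiSM code). It models the training-sandbox case above, the Quick Train dependency on Modify Projects from Role Details, and validation of administrator-defined custom roles. The permission names and built-in role contents are an approximation of the slides, and nearest-folder-wins resolution of asset roles is an assumption; security-group visibility is a separate check that is not repeated here.

```python
"""Effective-permission check: the user's role, an asset role override, and
the Quick Train dependency from Role Details. Added example, not PRiSM code.
Permission names and built-in role contents approximate the slides;
nearest-folder-wins resolution of asset roles is an assumption."""
from dataclasses import dataclass, field

PERMISSIONS = frozenset({
    "client_login", "web_login", "modify_projects", "modify_templates",
    "manage_alarms", "quick_train", "modify_annunciator_panel",
    "modify_system_preferences", "modify_user_preferences",
    "modify_real_time_services", "modify_web_services",
    "modify_local_configuration", "modify_user_libraries",
    "manage_notifications", "manage_assets", "manage_users",
})

# Built-in roles (approximation of the Administrator / User / Read Only slides).
ROLES = {
    "Administrator": PERMISSIONS,
    "User": frozenset({
        "client_login", "web_login", "modify_projects", "modify_templates",
        "manage_alarms", "quick_train", "modify_annunciator_panel",
    }),
    "Read Only": frozenset({"client_login", "web_login"}),
}


def validate_role(permissions):
    """Problems with a custom role definition: unknown permission names, and a
    Quick Train grant that can never take effect because Modify Projects is missing."""
    problems = [f"unknown permission: {p}" for p in sorted(set(permissions) - PERMISSIONS)]
    if "quick_train" in permissions and "modify_projects" not in permissions:
        problems.append("quick_train also requires modify_projects")
    return problems


def define_custom_role(name, permissions, roles=ROLES):
    """Register an administrator-defined role. Returns the problem list and
    registers nothing unless that list is empty."""
    problems = validate_role(permissions)
    if not problems:
        roles[name] = frozenset(permissions)
    return problems


@dataclass
class User:
    sid: str
    default_role: str
    asset_roles: dict = field(default_factory=dict)   # asset path -> role name


def effective_role(user, asset_path):
    """Asset role of the asset itself or of the nearest folder above it;
    otherwise the user's default role. Paths use '/' (assumption)."""
    parts = asset_path.split("/")
    for i in range(len(parts), 0, -1):
        prefix = "/".join(parts[:i])
        if prefix in user.asset_roles:
            return user.asset_roles[prefix]
    return user.default_role


def can(user, permission, asset_path, roles=ROLES):
    """Does the user hold the permission for work on this asset?
    Quick Train is only effective together with Modify Projects."""
    granted = roles[effective_role(user, asset_path)]
    if permission == "quick_train":
        return "quick_train" in granted and "modify_projects" in granted
    return permission in granted


if __name__ == "__main__":
    # Training-sandbox setup from the slide: Read Only everywhere, User in "Training".
    trainee = User("S-1-5-21-1111111111-2222222222-3333333333-1300", "Read Only",
                   {"Training": "User"})
    for asset in ("Plant A/Unit 1/Pump 3", "Training/Sandbox 1/Pump 3"):
        print(asset, effective_role(trainee, asset), can(trainee, "modify_projects", asset))
```

The override is scoped to the asset subtree, so a trainee who can edit projects in "Training" still cannot touch production; a custom role that grants Quick Train without Modify Projects is rejected at definition time rather than silently doing nothing.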
2015 Schneider Electric Software, LLC. All rights reserved.