
Security Setting by Structuring in Plant Explorer

A very useful method to set security is to build structures for the plant, and set Security Definition aspects with Structure range. Create typical structures in the Location Structure by putting process equipment in buildings and rooms, or dividing the Functional Structure into process sections.

We have a production process in the A3, Area object, which runs on two similar production lines, Line A and Line B. In the Plant Explorer, each line includes separate production steps, as shown in Figure 124.

A member of the System Engineer group must set the security described in this section.

Figure 124. Production Procedure Structuring in Plant Explorer

Each line has its own operator (operator Opr1 for Line A and operator Opr2 for Line B). The security must be set in such a way that the operators are only able to operate their “own” line. We set a System Engineer as an Operator for both lines.

This is easily done by using the structure settings and three Security Definition aspects. We add one Security Definition aspect to the “top” Aspect Object A3, Area and one each to the objects “Production Line A” and “Production Line B”.

Setting the Security Definition Aspects in the Example

Security Definition Aspect for the A3, Area Aspect Object

On the “top” object for the two production lines, the A3, Area object, we configure the security setting so the System Engineers can operate both lines.

We set Terminate Search, because we do not want the default settings to be valid.

Setting Terminate Search means that access is denied to anyone not specified in this Security Definition aspect.

Figure 125. Security Definition Aspect Setting in the “top” Object A3, Area

Security Definition Aspect for the Production Line A Object

In each structure we set a Security Definition aspect that defines persons/groups that must have a permission in one structure but not in the other.

For example, in a security aspect added to the Production Line A object we define the permissions in that structure. In this case we give operator Opr1 the permission to operate the objects in this structure.

By setting Continue Search, the security search goes upwards in the structure.

Figure 126. Security Definition Aspect Setting in Production Line A Object

Security Definition Aspect for the Production Line B Object

The security aspect added to the Production Line B object defines the permissions in this structure. In this case we give operator Opr2 the permission to operate the objects in this structure.

By setting Continue Search, the security search goes upwards in the structure.

Figure 127. Security Definition Aspect Setting in Production Line B Object
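
The upward search in this example can be checked with a small model. The following Python is an added illustration, not ABB code and not part of the original manual; it reduces the evaluation to a single Operate permission, and the child objects Step A1 and Step B1, the user Eng1, and the DEFAULT result (standing for the default settings the page does not specify) are assumptions.

```python
# Simplified model of the Security Definition search described above.
# Object names, Opr1/Opr2 and the System Engineer group come from the page;
# the data layout, function names, Eng1, Step A1/B1 and the "DEFAULT"
# outcome are assumptions of this example.

PARENT = {
    "A3, Area": None,
    "Production Line A": "A3, Area",
    "Production Line B": "A3, Area",
    "Step A1": "Production Line A",   # constructed child object
    "Step B1": "Production Line B",   # constructed child object
}

# object -> (principals granted Operate, search mode)
SECURITY_DEFINITIONS = {
    "A3, Area": ({"System Engineer"}, "terminate"),
    "Production Line A": ({"Opr1"}, "continue"),
    "Production Line B": ({"Opr2"}, "continue"),
}

GROUPS = {"Opr1": set(), "Opr2": set(), "Eng1": {"System Engineer"}}


def can_operate(user, obj, definitions=SECURITY_DEFINITIONS):
    """Walk upwards from obj; return 'ALLOW', 'DENY' or 'DEFAULT'."""
    principals = {user} | GROUPS.get(user, set())
    node = obj
    while node is not None:
        if node in definitions:
            granted, mode = definitions[node]
            if principals & granted:
                return "ALLOW"
            if mode == "terminate":
                return "DENY"      # nobody outside this aspect gets access
        node = PARENT[node]
    return "DEFAULT"               # search left the structure: defaults apply


def access_matrix(definitions=SECURITY_DEFINITIONS):
    """Effective result for every user on every object, for review."""
    return {(u, o): can_operate(u, o, definitions) for u in GROUPS for o in PARENT}


if __name__ == "__main__":
    for (user, obj), result in sorted(access_matrix().items()):
        print(f"{user:5} {obj:18} {result}")
```

Passing a copy of the definitions with Continue Search on the A3, Area aspect shows the case Terminate Search is there to prevent: a request from Opr1 on a Line B object then falls through to the default settings instead of being denied.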

Introduction

A plant structure is often divided into logical sections that can be operated individually by a set of designated users. In a distributed system, multiple users operating from different geographical locations can be responsible for different sections of the plant. In such situations, strict security can be applied to avoid the risk of more than one user operating a section simultaneously. Setting up strict security can be challenging, and a number of scenarios must be taken into consideration. The Point of Control feature is provided to simplify this process.

Point of Control is a concept that allows dividing the plant into sections. The Operator who is in control of a section is called the Responsible User. The Responsible User is granted security rights that other users in the system lack for the same section. A typical scenario is that only the Responsible User is able to control the process in this section.

Point of Control Features

The key features of the Point of Control functionality are:

• Improved System Security

The Point of Control functionality enforces a strict security on the system to avoid the risk of many users operating a section at the same time.

• Transfer of responsibility between the users:

– Request Responsibility

– Grab Responsibility

– Release Responsibility

• Alarm List Responsibility Filter

Alarms can be filtered based on the current responsibility. The same filter will hide these alarms for other users.

• Audit Logging

If audit is enabled for AuditEvent_OperatorAction, the responsibility transfer between different users and nodes will be logged.

• Point of Control Summary

Displays an overview of the current status of each section. For more information about the Point of Control Summary, refer to System 800xA Operations 5.1 (3BSE036904*).

• Security Report

The Section Definition aspect and Security Definition aspect configurations are included in the Security Report.

• OPC Properties for Status

The Point of Control status for a section is exposed as standard OPC properties.

This makes it possible to create overview graphics that display the Point of Control status, for example the currently responsible user for a section.

• Bulk Data Manager Support

The Section Definition aspects support configuration using the Bulk Data Manager. For more information about Bulk Data Manager, refer to System 800xA Engineering 5.1 Engineering Studio Function Designer (3BDS011224*).

Point of Control is designed to be used by Operators. Use Reserve for Engineering tasks. Refer to System 800xA Engineering 5.1 Engineering Studio Function Designer (3BDS011224*) for more information.

Point of Control is supported only in the Production Environment. Refer to System 800xA Engineering 5.1 Engineering and Production Environments (3BSE045030*) for more information about the environments supported.

Enabling Point of Control

The Point of Control functionality is a licensed feature in the 800xA system and must be enabled before it can be used.

To enable the functionality using System Configuration Console, select Start > All Programs > ABB Industrial IT 800xA > System > System Configuration Console > Security > Point of Control (refer to Figure 128).

By default, the Point of Control functionality is disabled.

Figure 128. Enabling Point of Control

Point of Control can be configured only by users that belong to both the System Engineer and the Application Engineer groups.
