Setting up security Chapter 5
Rockwell Automation Publication VIEWSE-UM006K-EN-E
121
In the Security Settings dialog box, you might also see actions for other
FactoryTalk products, for example, RSLinx Enterprise. For details about
product-specific actions, see the product documentation.
| To do this | In this component or tool | You need these security permissions |
| --- | --- | --- |
| Open an existing network distributed, network station, or local station application and view its contents. | FactoryTalk View Studio; FactoryTalk View SE Administration Console | Common Read; Common List Children |
| Run an existing network distributed, network station, or local station application and write to tags. | FactoryTalk View SE Client | Common Read; Common List Children; Tag Write Value; at least one security code (A to P) set up in the Runtime Security editor. For details, see Setting up FactoryTalk accounts in FactoryTalk View SE on page 96. |

The Common actions Read and List Children allow basic access to a network or local system. To increase access, add security permissions, as shown in the remainder of this table.

| To do this | In this component or tool | You need these security permissions |
| --- | --- | --- |
| Open an existing application and modify its properties. | FactoryTalk View Studio; FactoryTalk View SE Administration Console | Common Read; Common List Children; Common Write |
| Create an application and modify its properties. Add new areas, HMI servers, data servers, or Tag Alarm and Event Servers to an application. | FactoryTalk View Studio | Common Read; Common List Children; Common Create Children; Common Write |
| Modify the properties of existing HMI servers, data servers, or Tag Alarm and Event Servers. | FactoryTalk View Studio | Common Read; Common List Children; Common Write |
| Create or modify HMI project components, for example, graphic displays or derived tags files. Add HMI project components into an application. | FactoryTalk View Studio | Common Read; Common List Children; Common Create Children; Common Write; Common Delete |
| Delete areas, HMI servers, data servers, or Tag Alarm and Event Servers from an application. | FactoryTalk View Studio | Common Read; Common List Children; Common Write; Common Delete |
| Secure access to application resources, for example, the areas in an application. | FactoryTalk View Studio | Common Configure Security |
| Create and administer FactoryTalk user and computer accounts. | FactoryTalk View Studio | Common Configure Security; Common Create Children; Common Write; Common Delete |
| Add user accounts to FactoryTalk View (in the Runtime Security editor). Secure FactoryTalk View commands and macros (in the Runtime Secured Commands editor). IMPORTANT: to perform these tasks, the necessary permissions must be set up at the application level. | FactoryTalk View Studio | Common Configure Security; Common Write |
| Delete a network distributed, network station, or local station application. | Application Manager | Common Read; Common List Children; Common Delete |
| Rename a network distributed, network station, or local station application. | Application Manager | Common Read; Common List Children; Common Write |
| Copy a local station application. | Application Manager | Common Read; Common List Children; Common Write |

To back up and restore applications, in addition to having the following permissions, users must be allowed to back up and restore FactoryTalk Directory contents:

| To do this | In this component or tool | You need these security permissions |
| --- | --- | --- |
| Back up a network distributed application. | FactoryTalk View Studio | Common Read; Common List Children; Common Write |
| Restore a network distributed application. | FactoryTalk Administration Console | Common Read; Common List Children; Common Write |
| Back up and restore a local station application. | Application Manager | Common Read; Common List Children; Common Write |
Example – Using the Common actions to set up security for user groups in a FactoryTalk View SE network distributed application
The following table shows how a system administrator might assign the Common actions to four groups of FactoryTalk View users — Administrators, Engineers, Supervisors, and Operators — to give them appropriate levels of access to a network distributed application.
For information about overriding inherited permissions, see Understanding inherited permissions on page 118.
| To set up this level of access | For this group | Set up these permissions at the Network Directory | And then override inherited permissions |
| --- | --- | --- | --- |
| Full access. This includes the ability to: Create applications; Add areas and servers; Create HMI project components; Set up permissions for all resources the FactoryTalk Directory manages; Create new user accounts; Add Runtime Security accounts; Secure HMI project components. For a complete list of tasks users with full access can perform, see the previous table in this example. | Administrators | Allow Common actions: Configure Security, Create Children, Delete, List Children, Read, Write. Allow Tag action: Write Value. | No changes. Retain inherited permissions at all lower-level resources. |
| Same access as Administrators, except members of this group cannot: Set up security for the Users and Groups sub folder of the System folder; Create users at the FactoryTalk Directory. However, members of this group can add Runtime Security accounts, assign security codes to them, and use the Runtime Secured Commands editor. | Engineers | Allow Common actions: Same as Administrators. Allow Tag action: Write Value. | Explicitly deny these Common actions on the Users and Groups folder (in the System folder): Configure Security, Delete, Create Children. Retain all other inherited permissions. |
| Run-time access (see Operators group, next), plus, members of this group can: Modify existing applications; Modify HMI server properties; Create HMI project components. | Supervisors | Allow Common actions: Read, List Children. Tag action: Write Value. | Explicitly allow these Common actions on the application: Delete, Write, Create Children. Retain all other inherited permissions. |
| Run-time access. Members of this group can only: Load existing applications (however, members of this group cannot modify HMI server properties, nor view HMI project components; HMI servers show in the Explorer window as locked); Run applications in the FactoryTalk View SE Client; Write to tags at run time. IMPORTANT: to restrict access to individual HMI tags, in the Runtime Security editor, assign security codes to this group. | Operators | Allow Common actions: Read, List Children. Allow Tag action: Write Value. | No changes. Retain all inherited permissions at lower-level resources. |
Tip:
In addition to the Common actions listed, each group in
this example is allowed the Tag action Write Value,
which governs general access to HMI and data server
tags.
You can also set up run-time security for individual HMI
tags. For details, see Assigning security codes to HMI
tags on page 104.
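The group assignments in the example table can be checked against the task table by computing which tasks each group ends up allowed to perform. The following Python is an added example, not Rockwell code or a FactoryTalk API; the resource paths, the application name MyApp, the resource each task is checked at, and the rule that the nearest explicit setting overrides an inherited one are assumptions made for illustration.

```python
# Added example: models the manual's two tables; not Rockwell code or a FactoryTalk API.
# Assumptions: the resource paths, the application name "MyApp", where each task is
# checked, and the rule that the nearest explicit setting overrides an inherited one.
ROOT = "NetworkDirectory"
APP = ROOT + "/MyApp"
USERS = ROOT + "/System/Users and Groups"

# Task -> (resource where it is checked, actions required), taken from the task table.
# "Write Value" is the Tag action; all others are Common actions.
TASKS = {
    "run application and write tags": (APP, {"Read", "List Children", "Write Value"}),
    "modify application properties": (APP, {"Read", "List Children", "Write"}),
    "create HMI project components": (
        APP, {"Read", "List Children", "Create Children", "Write", "Delete"}),
    "secure application resources": (APP, {"Configure Security"}),
    "administer user accounts": (
        USERS, {"Configure Security", "Create Children", "Write", "Delete"}),
}

FULL = ["Configure Security", "Create Children", "Delete",
        "List Children", "Read", "Write", "Write Value"]
RUN = ["Read", "List Children", "Write Value"]

# Group -> {resource: {action: True for allow, False for explicit deny}}
ACL = {
    "Administrators": {ROOT: dict.fromkeys(FULL, True)},
    "Engineers": {
        ROOT: dict.fromkeys(FULL, True),
        USERS: dict.fromkeys(["Configure Security", "Delete", "Create Children"], False),
    },
    "Supervisors": {
        ROOT: dict.fromkeys(RUN, True),
        APP: dict.fromkeys(["Delete", "Write", "Create Children"], True),
    },
    "Operators": {ROOT: dict.fromkeys(RUN, True)},
}

def effective(group, resource, action):
    """Walk from the resource up to the directory root; nearest explicit setting wins."""
    path = resource
    while True:
        setting = ACL[group].get(path, {}).get(action)
        if setting is not None:
            return setting
        if "/" not in path:
            return False  # never set on this branch: treated as not allowed
        path = path.rsplit("/", 1)[0]

def allowed_tasks(group):
    """Tasks for which the group holds every required action at the checked resource."""
    return sorted(task for task, (res, acts) in TASKS.items()
                  if all(effective(group, res, a) for a in acts))

if __name__ == "__main__":
    for name in ACL:
        print(f"{name}: {allowed_tasks(name)}")
```

In this model Engineers lose only the account-administration task, because of the explicit deny on the Users and Groups folder, and Supervisors gain the modify and create tasks from the explicit allow on the application.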
Chapter 6
Working with network distributed applications
This chapter describes:
What a FactoryTalk View Site Edition network distributed application
is.
Key network distributed application concepts.
How to create a network distributed application.
How to add areas and servers to a network distributed application.
How to set up HMI server properties.
How to monitor the status of an HMI server.
How to delete HMI servers.
How to rename and delete network distributed applications.
About network distributed applications
In FactoryTalk View Studio, you can create FactoryTalk View Site Edition
local station, network station, and network distributed applications. Here is
what a network distributed application looks like in the Explorer window:
Network station applications are described in Working with network station
applications on page 149. Local station applications are described in
Working with local station applications on page 167.
Parts of a network distributed application
A typical FactoryTalk View SE network distributed application (also called a
distributed application) consists of:
Areas, including nested areas, that divide the application into
manageable parts or organize it in a way that makes sense for the
process it is controlling.
You can also use areas to separate servers that use the same names, for
example, two HMI servers running projects that contain the same set of
graphic displays or tags.
One or more HMI servers, that provide FactoryTalk View components
and services to application clients.
FactoryTalk View applications must contain at least one HMI server. A
network distributed application can contain up to 10 HMI servers,
running on different computers on a network, or up to 10 redundant
HMI server pairs.
HMI project components such as graphic displays, HMI tags, and data
log models.
One or more data servers, providing clients with access to information
in programmable controllers, devices, and other data servers that
comply with the OPC-DA 2.05a specification, with or without the use
of HMI tags.
In a network distributed application, you can use multiple RSLinx
Enterprise and OPC data servers (including RSLinx Classic), running
on different computers. You can also set up a redundant pair of host
computers for each data server in the application.
RSLinx Enterprise servers can be set up to subscribe to alarms detected
in devices such as ControlLogix controllers. For more information, see
Setting up FactoryTalk alarms on page 261.
Tip:
Every vendor’s OPC data server is different. Some
contain their own tag databases, like the tag database in
an HMI server, while others reference the tag databases
or addresses that exist in controllers, as is the case with
RSLinx and Logix5000.
A list of users, plus the security codes that allow or deny these users
permission to access secured HMI project components at run time.
Optionally, one or more FactoryTalk Tag Alarm and Event Servers, to
provide alarm monitoring and control for tags in devices that do not
have built-in alarm detection. For more information, see Setting up
FactoryTalk alarms on page 261.
The software programs behind a network distributed application — the
FactoryTalk Network Directory, the HMI servers, the HMI clients, and the
data servers — can be located on different computers on the network.
However, all the computers participating in a network distributed application
must point at the same Network Directory. For details, see Setting up the
FactoryTalk Directory on page 77.
About FactoryTalk systems
FactoryTalk View SE and other Rockwell Automation software products use
a set of common FactoryTalk services to support certain functions, such as
diagnostic messages and access to real-time data.
These services, including FactoryTalk Directory, are installed with the
FactoryTalk Services Platform when you install FactoryTalk View SE. For
an overview of FactoryTalk services, see FactoryTalk Services Platform on
page 26.
An automation and control system that uses FactoryTalk services, and
integrates FactoryTalk products and components, is known as a FactoryTalk
system.
Finding more information about FactoryTalk services
This manual contains information about developing FactoryTalk View SE
applications, including information about how FactoryTalk View uses
FactoryTalk services.
For additional, detailed information about FactoryTalk systems, services,
concepts, and components, see the FactoryTalk Help.
To open the FactoryTalk Help:
Select Start > All Programs > Rockwell Software > FactoryTalk Tools >
FactoryTalk Help.
You can also open the FactoryTalk Help by clicking Help in dialog boxes
used to set up FactoryTalk components and services.
Key network distributed application concepts
This section presents some of the common terms and concepts that are used
to describe FactoryTalk View SE network distributed applications.
FactoryTalk Network Directory
The FactoryTalk Directory centralizes access to application resources and
components, such as graphic displays and tags, for all FactoryTalk products
participating in a control system.
For example, to access graphic displays in a network distributed application,
HMI clients use FactoryTalk Directory to find out which computers on the
network are hosting the HMI servers that provide the displays.
FactoryTalk Network Directory (also called the Network Directory) manages
FactoryTalk View SE network distributed and network station applications.
All of the computers participating in a particular network distributed
application must share a common Network Directory, located on a network
server.
For more information about FactoryTalk Network Directory, see Setting up
the FactoryTalk Directory on page 77.
Note: Do not run FactoryTalk Directory, or any other application
software, on the same computer as a Windows domain
controller.
FactoryTalk Security
FactoryTalk View SE applications can use FactoryTalk Security services to
authenticate and authorize application users.
During FactoryTalk View SE installation, Windows users with
administrative privileges on the computer are set up with full, initial access to
FactoryTalk View SE applications managed by a FactoryTalk Local or
Network Directory on the same computer.
In FactoryTalk View Studio, you can create FactoryTalk user and group
accounts, and then determine which accounts have access to resources such
as the Local Directory, or the application.
For an overview of FactoryTalk Security services, see Setting up security on
page 85. For details, see the FactoryTalk Security Help.
About FactoryTalk Security permissions
If FactoryTalk Security services are used to secure parts of an application, to
perform certain tasks, users must have the necessary security permissions.
For example, to create or modify the properties of an application, you must at
least be allowed the Common actions Read, List Children, Write, and Create
Children, at the FactoryTalk Directory that manages the application.
If you receive a FactoryTalk Security message while trying to perform such a
task, contact your system administrator about permissions you might require.
For an overview of FactoryTalk Security services, see Setting up security on
page 85. For details, see FactoryTalk Security Help.
HMI servers
HMI servers are software programs that supply information to clients as they
request it.
An HMI server stores HMI project components such as graphic displays, and
serves these components to clients. An HMI server also manages a database
of tags, detects HMI tag alarms, and logs historical data.
In FactoryTalk View Studio, first you create a network distributed
application, and then you add one or more HMI servers to the application.
Each area or sub-area in a network distributed application can contain only
one HMI server. For information about:
Adding an HMI server to an application, see Adding an HMI server on page 135.
Setting up redundant HMI servers, see Setting up HMI server
redundancy on page 142.
Specifying which components will run when an HMI server starts, see
Selecting startup and shutdown components on page 142.
HMI projects
HMI projects contain graphic displays, data log models, HMI tags, HMI tag
alarms, and other services. An HMI project is created when you add a new
HMI server to a network distributed application.
The HMI project is loaded by the HMI server, either when the first client
connects to the server, or when the operating system initializes. For more
information, see Choosing how the server starts on page 141.
HMI clients
HMI clients are software programs that obtain information from, or write
information to HMI servers or data servers. FactoryTalk View Studio, the
FactoryTalk View SE Administration Console, and the FactoryTalk View SE
Client are all HMI clients.
Areas
All FactoryTalk View applications have one system-defined area called the
application root area, which has the same name as the application. The
application root area can contain one HMI server, and one or more data
servers.
In a network distributed application, you can create additional areas to divide
the application into manageable, logical parts, or to organize it in a way that
makes sense for the process it is controlling.
For example, an area might represent a portion of a process, or a region
within the process facility. An automotive plant could be divided into areas
called Press and Fabrication, Body Shop, Paint Shop, Engine, and
Transmission; a bakery could be divided into areas called Ingredients,
Mixing, Baking, and Packaging.
Alternatively, a plant with identical production lines could be divided into
areas called Line 1, Line 2, Line 3, and so on. To add a new production line
to the application, you could create a new area, and then copy the identical
HMI server project into the area.
Each area you add to a network distributed application can contain one or
more sub-areas, and one or more data servers. Each area or sub-area can
contain only one HMI server.
An area or sub-area can contain multiple data and alarm servers, but it is best
practice for each area to contain only a single data or alarm server.
About the home area
In an application, the area that contains a given application component, such
as a graphic display, is called the home area.
When you refer to an application component without specifying the area,
FactoryTalk View SE uses the home area to locate the component.
For example, if an object in a graphic display refers to a tag without
specifying an area, FactoryTalk View assumes that the tag and the display
are in the same home area.
If the tag cannot be found in an HMI server or a data server in the display’s
home area, an error is logged when the display is run.