
Library of Process Objects v4.0 Area Based Security Configuration


This document covers configuring FactoryTalk Security Users/Areas. It also shows some examples of
creating domain security areas. The information in this document supports the PlantPAx manuals
PROCES-UM003B and PROCES-UM001.

Chapter 3 of the document PROCES-UM003B covers how to create an Architect HMI project starting with
the Rockwell Automation® Library of Process Objects template and the sample HMI framework template.
The Library of Process Objects template “Process Library v4.0 FactoryTalk View SE” (faceplates, Global
Objects, Images and macros), and the sample HMI Framework template “P2fTemplate” (includes
framework displays for headers, button bars, alarming, overview display) can be downloaded as a zip file
from the Product Compatibility and Download Center (PCDC).

Click http://www.rockwellautomation.com/rockwellautomation/support/downloads.page to access the PCDC.

After downloading the two templates, the document UM003 describes how to import the templates into
a new Architect project, customize the template framework displays, and configure the HMI security
privileges.

Chapter 3 of UM003 shows how to first drag-and-drop the framework template into the Architect project
and then how to drag-and-drop individual library objects that are needed for project specific process
strategies (repeating the import for each object as needed). The complete library can also be easily
imported into the project with a single drag-and-drop of the FactoryTalk View SE folder from the Library
Management pane into the PlantPAx_HMI project folder.

Chapter 3 of UM003 next explores basic features of the template framework displays for navigation,
alarming and system status and how to customize them in FactoryTalk View Studio SE software.

Using a sample Studio 5000® Logic Designer application (acd file) consisting of two sub areas, Area01 and
Area02, the UM003 document shows how to configure the alarm displays and banners for the
different sub areas in the controller code. Next it demonstrates how to modify the overview display by
adding simple pump and analog display objects and configuring them to the different process areas
(Area01, Area02). The next section covers how to configure the new multi-monitor client feature of
Studio for the different sub areas.

Lastly, chapter 3 of UM003 describes how to configure basic FTStudio HMI Tag “A to G” security. Version
3.5 (or below) of the Library of Process Objects used the “A to P” security codes in the faceplates to
control access to features and HMI attributes. The section titled “Configure HMI Security” describes how
to assign basic FTStudio HMI security privileges to the plant personnel using this model. Without security
privilege, personnel cannot access faceplates for specific areas of the plant.

In the previous versions of the library (V3.5 and earlier) the faceplates used all the security codes “A to
P”. The drawback with using security codes “A to P” in the faceplates was that there were no available
spare codes for customer use to customize their security model. Also, the security codes had to be
assigned per user. Starting with the Library of Process Objects v4.0 release, each object (and
faceplate) has a configurable “Area Name for Security” value, which can be used to assign the object (or
faceplate) to a specific process area of the facility. This frees up most of the “H to P” codes for
customer-assignable security and makes assigning users to groups much easier. With V4.0, the user groups
are assigned the “roles” (the appropriate security codes) using new “Security Tags” and the users are
simply assigned to groups. The new “Security Tags” can be imported into the v4.0 application from a
library-supplied import file.

The Library of Process Objects v3.5 used the following user groups. Each group used various security
codes (A to P):

• HMI_Operators (Various Codes)
• HMI_Operating Supervisor (Various Codes)
• HMI_Maintenance (Various Codes)
• HMI_Maintenance Supervisor (Various Codes)
• HMI_Engineering (Various Codes)
• HMI_Manager (Various Codes)
• HMI_Admin (Various Codes)

For the new V4.0 Area-based Security feature (runtime security) the new Library of Process Objects v4.0
recommends the same seven User Groups per HMI but each group is only assigned a single security code:

• HMI_Operators (Only Code A)
• HMI_Operating Supervisor (Only Code B)
• HMI_Maintenance (Only Code C)
• HMI_Maintenance Supervisor (Only Code D)
• HMI_Engineering (Only Code E)
• HMI_Manager (Only Code F)
• HMI_Admin (Only Code G)

Configurable Object Area


In version v4.0 of the Library of Process Objects, the Add-On Instructions (AOIs) for the objects
include a parameter for a configurable object area (tag parameter Cfg_Area), which can be used to
assign the object to an area of the facility. Only users with the privileges for the assigned area can modify
the HMI application. For example, an engineer in Area 1 cannot modify pump attributes in Area 2, unless
assigned security for Area 2.

Document UM003 explains how to configure an object area tag parameter (Cfg_Area) manually using
Studio 5000® Logic Designer to modify the tags in the controller application file (acd file). A section
describes how to manually configure a group of area strings that are inside the desired Add-On
Instruction(s) using the HMI Tag Update tool.

New Configurable Faceplate Area

Note: Document UM003 does not cover the “Library of Process Objects v4.0” new Area Based Security
feature.

Each library faceplate and object has a configurable “Area Name for Security” value, which can be used
to assign the faceplate to an area of the facility. Only users with the privileges for the assigned area can
modify the HMI application. For example, an engineer in Area 1 cannot modify faceplate attributes in
Area 2, unless assigned security for Area 2.

The following security “quick-start” steps will cover:

• Importing the security-based macros into the application
• Configuring the security accounts
• Importing the HMI tag file with new security HMI tags
• Defining the security user groups
• Assigning the corresponding A-P codes to the user groups
• Defining the users
• Defining and configuring multiple process areas
• Assigning the users to groups

Importing the new security-based Macros

Import the macros provided in the v4.0 Library release into the application (Library of Process Objects
4.0\HMI\View SE\Mcr). For Area Based Security the two macros “NavToFaceplate” and “NavtoQuick”
are used.

The macro “NavToFaceplate” is used to pass parameters to the display faceplates.


For reference, note that the two macros “NavToFaceplate with line of site” and “NavToQuick with line of
site” can be used to add Line of Sight Security to the application (for more details see PlantPAx manuals
PROCES-UM003B and PROCES-UM001).

The macro “NavToFaceplate with line of site” uses the command “If CurrentComputerHasGroup( )
Then…” to check the location of the login.

Creating the User Groups

In this section we will create the user groups as recommended by the v4.0 Library release.

Double-click on Runtime Security. Then click on the Security Accounts button on the Runtime Security
window.

Click the Add button to open the window to add the new user groups.
Click on Create New.

Click on User group.


Name the new user group HMI_Operators and click OK. Later we assign (only) the security code A to this
user group. This is a new feature of the v4.0 Library. The v3.5 (and earlier) version of the Library assigned
various security codes to each user group. This used up all the available “A to P” codes and made
maintaining groups difficult.

Again click on Create New and then click on User group.


Name the new user group HMI_Operating_Supervisor and click OK. Later we assign (only) the security
code B to this user group.

Repeat the above steps to add the following five (5) user groups:

• HMI_Maintenance (Only Code C)
• HMI_Maintenance Supervisor (Only Code D)
• HMI_Engineering (Only Code E)
• HMI_Manager (Only Code F)
• HMI_Admin (Only Code G)

Verify that all the user groups have been added as shown below.

Assign the corresponding A-P codes to the user groups


In this section we will assign the corresponding A-P codes to the user groups.

Double-click on Runtime Security. Then click on the Security Accounts button on the Runtime Security
window.
Click the + to expand the FactoryTalk View Security Codes.

Scroll and select the User “HMI_Operators”. Expand the FactoryTalk View Security Codes. Click the box
to allow the security code A and click OK.

Repeat the above steps to assign the security codes to the following six (6) user groups:

• HMI_Operating Supervisor (Only Code B)
• HMI_Maintenance (Only Code C)
• HMI_Maintenance Supervisor (Only Code D)
• HMI_Engineering (Only Code E)
• HMI_Manager (Only Code F)
• HMI_Admin (Only Code G)

Importing the new Area-based HMI Tags


Using the Tag Import and Export Wizard, import the HMI tags (.CSV file) provided in the v4.0 Library
release (Library of Process Objects 4.0\HMI\View SE\ FTViewSE_ProcessLibrary_Tags_4_0_00.CSV).

After importing the HMI tags, double-click on the HMI tags and verify that the two HMI Tag folders exist:
Const and Security.

For reference: Using the A-P codes assigned to the HMI user groups, you can determine which groups
have permission for each security task. Simply add or remove that group’s security code in the Initial
Value field of the corresponding HMI tag. By importing the tags all of the v4.0 recommended
assignments have been configured.

Note that for each object instance in your PLC code, you will assign an area in Cfg_Area. This area should
correspond to the Area groups that were created in your FactoryTalk User Groups. This tag, along with
the Line of Site macros that we imported earlier, will be compared to the “{cfg_Area}_Advanced” and
“{cfg_Area}_Basic” user groups to grant or deny permissions on the faceplates for these objects.
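
Added example (not part of the original document or the Rockwell library): a Python check that every Cfg_Area value used in the controller has matching “{cfg_Area}_Basic” and “{cfg_Area}_Advanced” user groups. The tag names, the dictionary and list inputs, and the finding labels are assumptions. How the data is exported from the controller and from FactoryTalk is left open. Letter-case differences are reported separately because the page does not state whether the comparison is case-sensitive.

```python
# Added example. Tag names, areas and groups below are constructed sample data.
SUFFIXES = ("_Basic", "_Advanced")  # group suffixes named on this page


def audit_cfg_areas(objects, groups):
    """Report objects whose Cfg_Area lacks a matching pair of area groups.

    objects: dict of controller tag name -> Cfg_Area string
    groups:  iterable of FactoryTalk user group names
    """
    groups = list(groups)
    exact = set(groups)
    folded = {g.lower(): g for g in groups}
    findings = []
    for tag, area in sorted(objects.items()):
        if not area.strip():
            findings.append((tag, "EMPTY_AREA", ""))
            continue
        for suffix in SUFFIXES:
            wanted = area + suffix
            if wanted in exact:
                continue
            near = folded.get(wanted.lower())
            if near:
                # A group exists but differs in letter case: review it.
                findings.append((tag, "CASE_MISMATCH", f"{wanted} vs {near}"))
            else:
                findings.append((tag, "MISSING_GROUP", wanted))
    return findings


SAMPLE_OBJECTS = {            # constructed: tag -> Cfg_Area
    "P101_Motor": "Area01",
    "FT201_AIn": "Area02",
    "XV301_Valve": "Area03",
    "P102_Motor": "System\\Area01",   # domain-qualified area
    "LT110_AIn": "",
}
SAMPLE_GROUPS = [             # constructed: FactoryTalk user groups
    "Area01_Advanced", "Area01_Basic",
    "area02_Advanced", "area02_Basic",
    "System\\Area01_Advanced",
]

if __name__ == "__main__":
    for finding in audit_cfg_areas(SAMPLE_OBJECTS, SAMPLE_GROUPS):
        print(*finding, sep="\t")
```
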

Library v4.0 added one new controller tag per Object (Cfg_Area):

FactoryTalk Security Areas

Example of an application with two process areas without a Domain Controller:

And …

Example of the two area configuration without a Domain Controller. Note the groups for the two areas:
Area01_Advanced, Area01_Basic, and Area02_Advanced, Area02_Basic.

Domain Controller Area (example)

Example of an application with two process areas with a Domain Controller. The Domain in this example
is named “System”. Each Cfg_Area parameter now includes the Domain name (“System” in this example).

And …

Example of the two area configuration without a Domain Controller. Note the groups for the two areas:
System\Area01_Advanced, System\Area01_Basic, and System\Area02_Advanced, System\Area02_Basic.

Example of Area-based Security Domain Controller Setup: Defining Users, Areas, and Roles.

Example of Domain Controller Setup: Assignment of Members to Users, Areas, Roles

For more information on setting up domain controllers see the Library of Process Objects 4.0 release
document “Process-um001b.pdf”. Reference the document for creating Domain Groups and Users, and
for setting up the FactoryTalk Users and Groups defining the HMI Security.

Creating FactoryTalk users


When creating FactoryTalk users, you will simply assign the user to the correct HMI security group(s) as
well as any Area groups that they should have access to.
Expand the Users and Groups folder in the Explorer window.

Right-click on Users and select New and FactoryTalk Users … from the dropdown windows.
Enter Oper_User as the user name then click on the Group Membership tab.

Click on Add.
Select the group named HMI_Operators and click OK.

Click OK again.

Add The Remaining Users

Add remaining users and associate them with the appropriate group(s) ….
Repeat adding the following users and assigning them as members of the groups shown below:

• Oper_Supervisor_User assigned to HMI_Operating Supervisor
• Maint_User assigned to the group HMI_Maintenance
• Maint_Supervisor_User assigned to the group HMI_Maintenance Supervisor
• Eng_User assigned to the group HMI_Engineering
• Mngr_User assigned to the group HMI_Manager
• Admin_User assigned to the group HMI_Admin

Adding New User Group Area(s) – For multiple security areas


To add a new User Group Area (example Area01), simply right-click on User Groups and select New and
User Group.
Add the two new groups named “area01_Advanced” and “area01_Basic”. These two groups will be used
to define which Area01 Users have access to the basic functions on the faceplate or the advanced
functions (engineering, maintenance …).

To add another area (Area02), simply add the two new groups named “area02_Advanced” and
“area02_Basic”. These two groups will be used to define which Area02 Users have access to the basic
functions on the faceplate or the advanced functions (engineering, maintenance …).

Assigning Users to the Groups

Assign each user to the appropriate user group.

With multiple process areas defined (example Area01, Area02), note that each user needs to be assigned
not only to the HMI_{group} (example HMI_Operator) but also the “area” group. Operators will be
assigned to the HMI_Operator group and then also to the Area01_Basic group. This limits operator access
to only the faceplate operator controls.

With multiple process areas defined (example Area01, Area02), Engineers will be assigned to the
HMI_Engineering group and then also to the Area01_Advanced group. This also allows the engineer access
to the advanced engineering features on the faceplates.
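
Added example (not part of the original document or the Rockwell library): a Python audit of the finished configuration against the model described above, checking that each HMI role group carries exactly its one security code and that each user belongs to both a role group and an area group. The user names, the input dictionaries, the finding labels and the choice of which roles count as Basic-only are assumptions.

```python
# Added example. User names, memberships and code assignments are constructed.
ROLE_CODES = {  # one security code per role group, as recommended for v4.0
    "HMI_Operators": "A", "HMI_Operating_Supervisor": "B",
    "HMI_Maintenance": "C", "HMI_Maintenance Supervisor": "D",
    "HMI_Engineering": "E", "HMI_Manager": "F", "HMI_Admin": "G",
}
BASIC_ONLY_ROLES = {"HMI_Operators"}  # assumption: adjust to site policy


def audit_group_codes(group_codes):
    """Flag role groups whose allowed codes are not exactly their one code."""
    findings = []
    for group, expected in ROLE_CODES.items():
        actual = set(group_codes.get(group, ""))
        if actual != {expected}:
            findings.append((group, "".join(sorted(actual)) or "-"))
    return findings


def audit_users(memberships):
    """Flag users missing a role or area group, or over-assigned to Advanced."""
    findings = []
    for user, groups in sorted(memberships.items()):
        roles = {g for g in groups if g in ROLE_CODES}
        areas = {g for g in groups if g.endswith(("_Basic", "_Advanced"))}
        if not roles:
            findings.append((user, "NO_ROLE_GROUP"))
        if not areas:
            findings.append((user, "NO_AREA_GROUP"))
        advanced = any(a.endswith("_Advanced") for a in areas)
        if roles and roles <= BASIC_ONLY_ROLES and advanced:
            findings.append((user, "OPERATOR_IN_ADVANCED"))
    return findings


SAMPLE_GROUP_CODES = dict(ROLE_CODES, HMI_Engineering="AE")  # constructed drift
SAMPLE_MEMBERSHIPS = {  # constructed: user -> group memberships
    "Oper_User": ["HMI_Operators", "Area01_Basic"],
    "Eng_User": ["HMI_Engineering", "Area01_Advanced"],
    "Maint_User": ["HMI_Maintenance"],
    "Temp_User": ["HMI_Operators", "Area02_Advanced"],
    "Guest_User": ["Area01_Basic"],
}

if __name__ == "__main__":
    print(audit_group_codes(SAMPLE_GROUP_CODES))
    print(audit_users(SAMPLE_MEMBERSHIPS))
```
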