1

YOKOGAWA TE33Q4T30-01E
Security Policy
CS1000/3000 Fundamental Course Textbook

PART-H Security Policy
H-1. Security Overview
H-2. HIS Security
H-3. User Security
H-4. User Group
H-5. Window Authorities
H-6. Mode Selection Key
H-7. Function Block Security
H-8. Operation Mark
2
YOKOGAWA TE33Q4T30-01E
Security Overview (1)
In the CS 1000/CS 3000 security policy, operation and monitoring is
defined as follows:
Operation
Setting data to function blocks, changing function block status and
other operations.
Monitoring
Displaying function block data, acknowledgment of received
messages and alarms or calling up windows.
The security policy is set to prevent illegal operations and
other problems and ensuring the safety of the system.
The security policy restricts the scope of operation and
monitoring permitted for an operator, and masks certain
alarms of which the operator need not be notified.
3
YOKOGAWA TE33Q4T30-01E
Security Overview (2)
General-purpose Windows applications follow the security policy of
Windows. The user of CENTUM is different from the user of Windows.
The following two types of policies are available in CS 1000/CS
3000.
HIS Security Policy
HIS security policy stipulates the scope of operation and monitoring
allowed on the Human Interface Station. Regardless of the logon
users, the operation performed to a device or to a function block data
item may be restricted.
User Security Policy
User security policy stipulates the scope of operation and monitoring
for the users.
Each user is restricted to operate or monitor a certain scope of devices
and function block data items.

The scope of operation and monitoring permitted for an operator is
determined by a combination of HIS security and user security
settings.
4
YOKOGAWA TE33Q4T30-01E
Flow of Security Check
HIS operation
HIS security check
Scope of operation
and monitoring
check for the HIS
User security check
Window operation and monitoring
Function block operation and monitoring Operation record
Operation
History
Security check
Operation
Scope of operation
and monitoring
check for a user
group
Privilege levels
of operation and
monitoring check
for a user
5
YOKOGAWA TE33Q4T30-01E
HIS Security
The security level setting means to select either monitoring only machine
or monitoring and operation machine (default).
The security level regarding operation and monitoring as well as the
operation and monitoring scope can be set for the HIS itself. The HIS
security check has a precedence over the user security check.
The operation and monitoring scope of the HIS is unrelated with the
operation and monitoring scope set for each user group.
6
YOKOGAWA TE33Q4T30-01E
User Security
User name: User recognition
Password: User identification
User group: Monitoring and operation scope
Privilege level: Monitoring and operation authority
The operations performed by the user are held as the operation record.
The operation record can be confirmed by the historical message report.
The operators performing the operation and monitoring
functions are classified based on their privilege level (authority).
This classification is called user.

The following attributes are assigned to each user:
7
YOKOGAWA TE33Q4T30-01E
User Privilege Levels
*1 Maintenance means the engineering work such as initiation of the builder.
The users operation and monitoring rights on HIS are defined
according to privilege levels.
For each window, operation and monitoring rights can be
defined. Whether the user with a certain privilege level is
permitted to operate the specified data item can also be
defined.
The following default privilege levels are available (security level 4).
See Supplement X. Function Block Security.
8
YOKOGAWA TE33Q4T30-01E
Default User Names
The HIS offers the following default user names.
The privilege level of the user who accesses from the User-in Dialog
becomes valid when the mode selection key position of the
operation keyboard is OFF.
*1: When the user group for OFFUSER is changed to NONEGRP
and the HIS is started, the operation and monitoring will be disabled.
*2: User cannot user-in as PROG.
Password is not required for OFFUSER but required for ONUSER and
ENGUSER, the password is user definable. The user group can be changed for
any user.
9
YOKOGAWA TE33Q4T30-01E
Switching Users
In the HIS, switching the OFFUSER to a different user is
called user-in, and the user switching back to the
OFFUSER is called user-out.
To perform user-in or user-out, call up the User-In dialog box
from the System Message window and enter a user name and
the password.
Change password button
OFFUSER
USER A USER B
User-in operation
User-out operation
Userin at HIS startup
When an automatic user out-time is defined, the user automatically changes to the
OFFUSER when the automatic user-out time elapsed.
10
YOKOGAWA TE33Q4T30-01E
User Group
The following attributes are assigned to each user group:

User group name: User group recognition
Monitoring scope: Monitoring range
Operation and monitoring scope: Operation and monitoring range
Windows scope: Window names for operation and monitoring
Acknowledgement: Acknowledgment range
Process message receiving: Monitoring range of the generated messages
The range is set by the plant name. If the plant name is not used,
set by the station name and the control drawing.
The users are classified into groups based on their
operation and monitoring scopes.
This classification is called user group.
11
YOKOGAWA TE33Q4T30-01E
Default User Group
The following built-in default user groups are managed
by CS 1000/CS 3000 security policy.
The user group name may be defined on the Security Builder.
12
YOKOGAWA TE33Q4T30-01E
Concepts of Scope and Privilege
Operation & monitoring scope of users, OPS*-A in Group-AB
using HIS0124 and their privileges.
Operation & monitoring scope of HIS0124.
Equipment
A
Users in Group-AB:
OPS1-A:
OPS2-A:
OPS3-A:
Whole Plant
Equipment
B
Equipment
C
Equipment
D
Equipment
E
Operation & monitoring scope of user Group-AB.
Monitoring
Operation and monitoring
Operation, monitoring and maintenance
13
YOKOGAWA TE33Q4T30-01E
Window Authorities
The table below shows operation and monitoring authorities
on windows, indicating which user can perform operation
and monitoring using which types of windows:
Users of privilege level S1 or S2 cannot start System View from the system
message window, but can start and operate System View from [Start Menu].
Users of privilege level S1 can operate and monitor general windows. However,
they can only monitor important windows and system operation windows excluding
System View.
Users of privilege level S2 can operate and monitor general and important
windows. However, they can only monitor system operation windows excluding
System View.
Users of privilege level S3 can operate and monitor all windows.
14
YOKOGAWA TE33Q4T30-01E
Function Block Security
The attributes of function blocks contain security levels, tag
mark types and alarm processing levels. The attributes can
be defined to each function block in engineering. There is no
restriction on the combination of security levels, tag mark
types and alarm processing levels.
The tables on operation and monitoring authority are fixed and cannot be edited.
The tables below show the relationship of the function blocks data items
and the privilege levels in operation and monitoring rights.
R: Monitoring W: Operation
15
YOKOGAWA TE33Q4T30-01E
Function Block Security
The operation and monitoring authorities for three
different function security levels are shown below:
Level 2
Level 6
Level 4
(Default)
16
YOKOGAWA TE33Q4T30-01E
Mode Selection Key
In the case of the operation key When the engineering key is selected.
Changes between The key can be switched
the ON, OFF positions. to any position.
The following two mode selection keys are used to switch the security level:
When the HIS is connected with an operation keyboard, the privilege
level of the user may be changed temporarily using the mode
selection key on the keyboard. The privilege level changed on the
keyboard has higher priority than the level set in the user-in dialog box.
Operation key (Privilege level S2)
The key can be switched between the ON and OFF positions only.
Engineering key (Privilege level S3)
The key can be switched to any position.
17
YOKOGAWA TE33Q4T30-01E
Operation Mark
To attach or remove an operation mark on a function
block may temporarily enable or disable the operation
restriction on the instrument faceplate.
When an operation mark is attached to a function block,
a comment label can be added to the function block or
the operation authorities on the function block can be
changed temporarily during plant operation. When the
operation mark is removed, operation authorities return
to the original setting.
Operation marks have the following attributes:
Operation mark type
Color
Comment label
Attachment/removal attribute
INHIBIT
Color and comment label may be defined with HIS Setup function.
If the builder file is downloaded, that file replaces the current file.
18
YOKOGAWA TE33Q4T30-01E
Types of Operation Marks
The security levels exerted by operation marks and the
types of operation marks are displayed as follows.
Not used in default.
19
YOKOGAWA TE33Q4T30-01E
Install or Remove Operation Mark
The unauthorized user is prohibited to install / remove the
operation mark. The setting of installing/removing is
performed in Operation Mark Builder.

The relationship between users privilege level and the
operation rights on installing/removing mark authority is shown
below: