Assign permissions to users and groups.

ReferenceModules SecurityUIRuntimeUsers | Users | Permissions | Policies | Secrets | Monitor

Security Permissions (Reference) define access control groups that determine what users can edit in the Designer and execute during runtime. Permission groups provide:

  • Module-level access control
  • Designer editing restrictions
  • Runtime operation permissions
  • Hierarchical security levels
  • Role-based authorization

Permissions are assigned to users through group membership, allowing granular control over solution access.

Pre-Defined Permission Groups

Seven standard groups are configured by default:

GroupTypical UseDefault Permissions
AdministratorFull system controlUnrestricted access
GuestAnonymous accessView-only, minimal rights
UserBasic authenticated accessStandard operations
EngineeringSolution developmentEdit modules, test
SupervisorOperations oversightMonitor, reports, alarms
MaintenanceSystem upkeepDiagnostics, tag values
OperatorDaily operationsDisplays, acknowledge alarms

Configuration Properties

PropertyDescriptionRequired
NameUnique group identifierYes
EditDesigner editing permissionsYes
RunRuntime execution permissionsYes
LevelHierarchical tier (0-255)No
CategoryGroup classificationNo
DescriptionDocumentation textNo

Edit Permissions

Controls access to Designer modules:

PermissionDescriptionAffects
UnrestrictedAll editing rightsComplete Designer access
EditTagsModify existing tagsUNS tag properties
CreateTagsAdd new tagsUNS structure
SecurityUser managementUsers, permissions, policies
ScriptsCode editingTasks, classes, expressions
DatasetsDatabase configurationQueries, tables, connections
DisplaysScreen developmentPages, popups, symbols
ReportsReport designForms, WebData
HistorianData logging setupTables, triggers
AlarmsAlarm configurationItems, groups, areas
DevicesCommunication setupChannels, nodes, points
StartupRuntime configurationExecution settings
PublishDeploy solutionsBuild and distribute
SettingsSolution propertiesGlobal configuration
NotesDocumentationSolution notes

Run Permissions

Controls runtime operations:

PermissionDescriptionImpact
UnrestrictedAll runtime rightsComplete control
TestExecute test modeDebug capabilities
StartupStart server modulesScripts, datasets, devices
ShutdownStop applicationTerminate runtime
ClientStartStart client modulesDisplays, local devices
ClientShutdownStop clientClose displays
StartToolsLaunch diagnosticsPropertyWatch, TraceWindow
ToolsSetValuesModify via toolsWrite tag values
CreateUsersAdd runtime usersDynamic user creation
SwitchApplicationChange contextAlt-Tab, taskbar access
WebAccessWeb client loginHTML5 display access

Configuring Permissions

Access Requirements

  1. Login as Administrator
  2. Navigate to Security → Permissions
  3. Administrator password required for changes

Setting Group Permissions

  1. Select permission group row
  2. Configure Edit permissions:
    • Check modules user can modify
    • Uncheck restricted areas
  3. Configure Run permissions:
    • Enable allowed operations
    • Disable restricted functions
  4. Save changes

Permission Inheritance

Users inherit combined permissions from all assigned groups:

User: John
Groups: Operator, Maintenance
Result: Union of both group permissions

Example combinations:

  • Operator + Maintenance = Displays + Diagnostics
  • Engineering + Supervisor = Development + Monitoring
  • User + WebAccess = Basic rights + Web client

Runtime Permission Checks

Checking Current Permissions

csharp

// Current user's groups
string permissions = @Client.Permissions;

// Check specific permission
bool canEdit = @Security.HasPermission("EditDisplays");
bool canShutdown = @Security.HasPermission("Shutdown");

// Check multiple permissions
bool isAdmin = @Client.Permissions.Contains("Administrator");

Conditional UI Elements

csharp

// Show/hide based on permissions
if (@Security.HasPermission("StartTools"))
{
    btnDiagnostics.Visible = true;
}

// Enable/disable functions
btnShutdown.Enabled = @Security.HasPermission("Shutdown");

Security Levels

Hierarchical access control using Level property:

Level RangeTypical Use
0-25View only
26-50Basic operator
51-75Advanced operator
76-100Supervisor
101-150Engineer
151-200Manager
201-255Administrator

Usage:

csharp

// Check user level
if (@Client.Level >= 100)
{
    // Show supervisor features
}

Best Practices

  1. Principle of least privilege - Grant minimum required permissions
  2. Use groups not individuals - Manage through group membership
  3. Document group purposes - Clear role descriptions
  4. Regular audits - Review permission assignments
  5. Test permission sets - Verify restrictions work
  6. Separate development/operations - Different groups for each
  7. Protect Administrator - Limit admin group membership

Common Permission Sets

Operator Standard

  • Edit: None
  • Run: ClientStart, WebAccess
  • Use: Daily operations

Maintenance Technician

  • Edit: EditTags
  • Run: StartTools, ToolsSetValues
  • Use: Troubleshooting

Shift Supervisor

  • Edit: Alarms, Reports
  • Run: Unrestricted except Shutdown
  • Use: Operations management

System Engineer

  • Edit: Unrestricted except Security
  • Run: Test, StartTools
  • Use: Development and testing

Troubleshooting

Cannot edit module:

  • Check Edit permissions
  • Verify group membership
  • Confirm logged in correctly
  • Not using Guest account

Runtime function disabled:

  • Review Run permissions
  • Check user's groups
  • Verify permission spelling
  • Test with Administrator

Permission not working:

  • Clear permission cache
  • Restart runtime
  • Check group assignment
  • Review permission conflicts

In this section...