Security Permissions (Reference) define access control groups that determine what users can edit in the Designer and execute during runtime. Permission groups provide:
- Module-level access control
- Designer editing restrictions
- Runtime operation permissions
- Hierarchical security levels
- Role-based authorization
Permissions are assigned to users through group membership, allowing granular control over solution access.
In
Overview
Security permissions allow administrators to control user access to various functionalities within the platform. The purpose is to manage user rights for editing solution modules and performing actions during runtime. Main functionalities include predefined permission groups (e.g., Administrator, Guest) and specific edit and run permissions. Applications involve configuring user access for the solution Designer workspace, such as allowing tag editing or running diagnostic tools. Requirements include access to the platform's permission settings.
this page:
Table of Contents maxLevel
2 minLevel 2 indent 10px exclude Steps style none
Configuring Permissions
To configure, go to Security → Permissions and assign permissions by choosing options in the security settings menu. To do this, you must be logged in as an Administrator. To log in as the Admin, click the home icon at the top-left corner to access the Designer Workspace home page. Then press the Login button to open the Designer Workspace popup login. Enter the username as Administrator. By default, it does not require a password.
Return to the Security → Permissions, and select the Edit and Run permissions for each user group (Administrator, Guest).
Pre-defined Security Groups
The platform comes with a few predefined Permission groups that you can use, or you can create your own.
Administrator
Guest
User
Engineering
Supervisor
Maintenance
Operator
Pre-Defined Permission Groups
Seven standard groups are configured by default:
| Group | Typical Use | Default Permissions |
|---|---|---|
| Administrator | Full system control | Unrestricted access |
| Guest | Anonymous access | View-only, minimal rights |
| User | Basic authenticated access | Standard operations |
| Engineering | Solution development | Edit modules, test |
| Supervisor | Operations oversight | Monitor, reports, alarms |
| Maintenance | System upkeep | Diagnostics, tag values |
| Operator | Daily operations | Displays, acknowledge alarms |
Configuration Properties
| Property | Description | Required |
|---|---|---|
| Name | Unique group identifier | Yes |
| Edit | Designer editing permissions | Yes |
| Run | Runtime execution permissions | Yes |
| Level | Hierarchical tier (0-255) | No |
| Category | Group classification | No |
| Description | Documentation text | No |
Edit Permissions
Controls access to Designer modules:
| Permission | Description | Affects |
|---|---|---|
| Unrestricted | All editing rights | Complete Designer access |
| EditTags | Modify existing tags | UNS tag properties |
| CreateTags | Add new tags | UNS structure |
| Security | User management | Users, permissions, policies |
| Scripts | Code editing | Tasks, classes, expressions |
| Datasets | Database configuration | Queries, tables, connections |
| Displays | Screen development | Pages, popups, symbols |
| Reports | Report design | Forms, WebData |
| Historian | Data logging setup | Tables, triggers |
| Alarms | Alarm configuration | Items, groups, areas |
| Devices | Communication setup | Channels, nodes, points |
| Startup | Runtime configuration | Execution settings |
| Publish | Deploy solutions | Build and distribute |
| Settings | Solution properties | Global configuration |
| Notes | Documentation | Solution notes |
Run Permissions
Controls runtime operations:
| Permission | Description | Impact |
|---|---|---|
| Unrestricted | All runtime rights | Complete control |
| Test | Execute test mode | Debug capabilities |
| Startup | Start server modules | Scripts, datasets, devices |
| Shutdown | Stop application | Terminate runtime |
| ClientStart | Start client modules | Displays, local devices |
| ClientShutdown | Stop client | Close displays |
| StartTools | Launch diagnostics | PropertyWatch, TraceWindow |
| ToolsSetValues | Modify via tools | Write tag values |
| CreateUsers | Add runtime users | Dynamic user creation |
| SwitchApplication | Change context | Alt-Tab, taskbar access |
| WebAccess | Web client login | HTML5 display access |
Configuring Permissions
Access Requirements
- Login as Administrator
- Navigate to Security → Permissions
- Administrator password required for changes
Setting Group Permissions
- Select permission group row
- Configure Edit permissions:
- Check modules user can modify
- Uncheck restricted areas
- Configure Run permissions:
- Enable allowed operations
- Disable restricted functions
- Save changes
Permission Inheritance
Users inherit combined permissions from all assigned groups:
User: John
Groups: Operator, Maintenance
Result: Union of both group permissionsExample combinations:
- Operator + Maintenance = Displays + Diagnostics
- Engineering + Supervisor = Development + Monitoring
- User + WebAccess = Basic rights + Web client
Runtime Permission Checks
Checking Current Permissions
csharp
// Current user's groups
string permissions = @Client.Permissions;
// Check specific permission
bool canEdit = @Security.HasPermission("EditDisplays");
bool canShutdown = @Security.HasPermission("Shutdown");
// Check multiple permissions
bool isAdmin = @Client.Permissions.Contains("Administrator");Conditional UI Elements
csharp
// Show/hide based on permissions
if (@Security.HasPermission("StartTools"))
{
btnDiagnostics.Visible = true;
}
// Enable/disable functions
btnShutdown.Enabled = @Security.HasPermission("Shutdown");Security Levels
Hierarchical access control using Level property:
| Level Range | Typical Use |
|---|---|
| 0-25 | View only |
| 26-50 | Basic operator |
| 51-75 | Advanced operator |
| 76-100 | Supervisor |
| 101-150 | Engineer |
| 151-200 | Manager |
| 201-255 | Administrator |
Usage:
csharp
// Check user level
if (@Client.Level >= 100)
{
// Show supervisor features
}Best Practices
- Principle of least privilege - Grant minimum required permissions
- Use groups not individuals - Manage through group membership
- Document group purposes - Clear role descriptions
- Regular audits - Review permission assignments
- Test permission sets - Verify restrictions work
- Separate development/operations - Different groups for each
- Protect Administrator - Limit admin group membership
Common Permission Sets
Operator Standard
- Edit: None
- Run: ClientStart, WebAccess
- Use: Daily operations
Maintenance Technician
- Edit: EditTags
- Run: StartTools, ToolsSetValues
- Use: Troubleshooting
Shift Supervisor
- Edit: Alarms, Reports
- Run: Unrestricted except Shutdown
- Use: Operations management
System Engineer
- Edit: Unrestricted except Security
- Run: Test, StartTools
- Use: Development and testing
Troubleshooting
Cannot edit module:
- Check Edit permissions
- Verify group membership
- Confirm logged in correctly
- Not using Guest account
Runtime function disabled:
- Review Run permissions
- Check user's groups
- Verify permission spelling
- Test with Administrator
Permission not working:
- Clear permission cache
- Restart runtime
- Check group assignment
- Review permission conflicts
In this section...
| Page Tree | ||||
|---|---|---|---|---|
|
Edit Permissions
It is possible to allow or deny a user to edit different modules of the Solution Designer. The available options are shown in the image below.
Edit Permissions Properties | |
|---|---|
Property | Description |
Unrestricted | Select to allow all Edit Permissions |
EditTags | Select to allow tag editing. |
Historian | Allow edition in Historian module. |
Security | Select to allow for the Security module access. |
Alarms | Select to allow for the Alarms module access. |
Scripts | Select to allow for the Script module access. |
Datasets | Select to allow for the Datasets module access. |
Displays | Select to allow for the Displays module access. |
Reports | Select to allow for the Reports module access. |
Startup | Select to allow Startup. |
Publish | Select to allow Publish. |
Settings | Select to allow for the Settings access. |
Notes | Select to allow for the Notes access. |
CreateTags | Select to allow tag creating. |
Run Permissions
It is also possible to allow or disallow a user to perform different actions during Runtime.
Run Permissions Properties | |
|---|---|
Property | Description |
Unrestricted | The user gets permission to do everything. |
Test | Once selected, the user can run a Test. |
Startup | Once selected, the user can run a Startup with all the modules. If not, the modules script, datasets, devices, and reports will not start. |
Shutdown | Once selected, the user is able to shutdown the application |
ClientStart | Once selected, the user is able to run all the modules in a startup. If not, the modules displays and devices will not start. |
ClientShutdown | Once selected, the user is able to shutdown the application as a client. |
StartTools | Once selected, the user can run the diagnostics tool, such as: property watch, trace window and module information. If it is not selected, the user is unable to start these tools. |
ToolsSetValues | Once selected, the user gets the read-only permission in the diagnostics tool, such as: property watch, trace window and module information. |
CreateUsers | Once selected, the user is able to create new user for the project. |
SwitchApplication | If it is not selected, the user can not switch application, the taskbar disappears. |
WebAccess | When the user has this permission, he can access the Web Client through the URL found in the Runtime → Startup→ Web Client URL. If this option is not selected, the user cannot use the Web Client. |
Properties Reference
The Properties References present a reference that describes and explains the properties for Security Permissions. The table lists all properties available for the configuration item. However, not all properties described in the documentation are displayed in the data grids by default. Right-click column headers to see which property columns are currently displaying. The displayed properties appear with a check mark.
The data grids allow users to manage and organize information by showing or hiding properties in tables within configuration interfaces. To turn on or off showing a property on the data grid, right-click column headers to select properties or use the reset button to return to default settings. Check out Working with DataGrids for detailed info.
Security Permissions
Property | Description |
|---|---|
ID | Identifies uniquely the permission group. |
VersionID | Specifies the version of the permission entry's record. |
Name | Names the permission entry. |
Edit | Allows enabling or disabling specific editing permissions: Unrestricted, EditTags, Security, Scripts, Datasets, Reports, Solution Settings, Historian, Alarms, Devices, Displays, Startup. |
Run | Permits enabling or disabling specific running permissions: Unrestricted, Shutdown, ToolsSetValues, SwitchApplication, RemoteManagerAPI, ClientShutdown, CreateUsers, DataAccessAPI, RESTfulAPI. |
Level | Defines the level or tier of the permission entry. |
Category | Categorizes the permission entry into a specific group or type. |
LockState | Indicates the current lock state of the permission entry. |
LockOwner | Identifies the owner or responsible entity for the lock on the permission entry. |
DateCreated | Records the date when the permission entry was created. |
DateModified | Notes the date when the permission entry was last modified. |
Description | Describes the purpose or details of the permission entry. |
In this section:
| Page Tree | ||||
|---|---|---|---|---|
|