security&opmark

YOKOGAWA TE33Q4T30-01E

Security Policy

CS1000/3000 Fundamental Course Textbook

PART-H Security Policy

H-1. Security Overview
H-2. HIS Security
H-3. User Security
H-4. User Group
H-5. Window Authorities
H-6. Mode Selection Key
H-7. Function Block Security
H-8. Operation Mark

Upload: sina20795

Post on 23-Apr-2017



Security Overview (1)

In the CS 1000/CS 3000 security policy, “operation and monitoring” is defined as follows:

• Operation: Setting data to function blocks, changing function block status and other operations.

• Monitoring: Displaying function block data, acknowledgment of received messages and alarms or calling up windows.

The security policy is set to prevent illegal operations and other problems and to ensure the safety of the system. The security policy restricts the scope of operation and monitoring permitted for an operator, and masks certain alarms of which the operator need not be notified.


Security Overview (2)

General-purpose Windows applications follow the security policy of Windows. The user of CENTUM is different from the user of Windows.

The following two types of policies are available in CS 1000/CS 3000.

• HIS Security Policy: The HIS security policy stipulates the scope of operation and monitoring allowed on the Human Interface Station. Regardless of the logged-on user, operations performed on a device or on a function block data item may be restricted.

• User Security Policy: The user security policy stipulates the scope of operation and monitoring for the users. Each user is restricted to operating or monitoring a certain scope of devices and function block data items.

The scope of operation and monitoring permitted for an operator is determined by a combination of HIS security and user security settings.


Flow of Security Check

[Figure: flow of the security check. Recoverable labels: HIS operation; Security check, consisting of the HIS security check (scope of operation and monitoring check for the HIS) and the user security check (scope of operation and monitoring check for a user group; privilege levels of operation and monitoring check for a user); Operation (window operation and monitoring; function block operation and monitoring); Operation record (operation history).]


HIS Security

The HIS security level setting selects whether the HIS is a monitoring-only machine or a monitoring and operation machine (default).

The security level regarding operation and monitoring, as well as the operation and monitoring scope, can be set for the HIS itself. The HIS security check takes precedence over the user security check. The operation and monitoring scope of the HIS is independent of the operation and monitoring scope set for each user group.


User Security

The operators performing the operation and monitoring functions are classified based on their privilege level (authority). This classification is called user.

The following attributes are assigned to each user:

• User name: User recognition
• Password: User identification
• User group: Monitoring and operation scope
• Privilege level: Monitoring and operation authority

The operations performed by the user are held as the operation record. The operation record can be confirmed by the historical message report.


User Privilege Levels

The users’ operation and monitoring rights on HIS are defined according to privilege levels. For each window, operation and monitoring rights can be defined. Whether the user with a certain privilege level is permitted to operate the specified data item can also be defined. The following default privilege levels are available (security level 4).

*1: Maintenance means the engineering work such as initiation of the builder.

See Supplement X. Function Block Security.


Default User Names

The HIS offers the following default user names. The privilege level of the user who accesses from the User-in Dialog becomes valid when the mode selection key position of the operation keyboard is OFF.

*1: When the user group for OFFUSER is changed to NONEGRP and the HIS is started, the operation and monitoring will be disabled.
*2: A user cannot user-in as PROG.

A password is not required for OFFUSER but is required for ONUSER and ENGUSER; the password is user-definable. The user group can be changed for any user.


Switching Users

In the HIS, switching the OFFUSER to a different user is called user-in, and the user switching back to the OFFUSER is called user-out. To perform user-in or user-out, call up the User-In dialog box from the System Message window and enter a user name and the password.

[Figure: user switching. Labels: Change password button; OFFUSER; USER A; USER B; User-in operation; User-out operation; User-in at HIS startup.]

When an automatic user-out time is defined, the user automatically changes to the OFFUSER when the automatic user-out time elapses.


User Group

The users are classified into groups based on their operation and monitoring scopes. This classification is called user group.

The following attributes are assigned to each user group:

• User group name: User group recognition
• Monitoring scope: Monitoring range
• Operation and monitoring scope: Operation and monitoring range
• Windows scope: Window names for operation and monitoring
• Acknowledgement: Acknowledgment range
• Process message receiving: Monitoring range of the generated messages

The range is set by the plant name. If the plant name is not used, it is set by the station name and the control drawing.


Default User Group

The following built-in default user groups are managed by CS 1000/CS 3000 security policy.

The user group name may be defined on the Security Builder.


Concepts of Scope and Privilege

[Figure: concepts of scope and privilege. The whole plant consists of Equipment A to Equipment E. The figure marks the operation and monitoring scope of HIS0124, the operation and monitoring scope of user group Group-AB, and the operation and monitoring scope of the users OPS1-A, OPS2-A and OPS3-A in Group-AB using HIS0124, together with their privileges. Legend: monitoring; operation and monitoring; operation, monitoring and maintenance.]


Window Authorities

The table below shows operation and monitoring authorities on windows, indicating which user can perform operation and monitoring using which types of windows:

• Users of privilege level S1 or S2 cannot start System View from the system message window, but can start and operate System View from [Start Menu].
• Users of privilege level S1 can operate and monitor general windows. However, they can only monitor important windows and system operation windows excluding System View.
• Users of privilege level S2 can operate and monitor general and important windows. However, they can only monitor system operation windows excluding System View.
• Users of privilege level S3 can operate and monitor all windows.


Function Block Security

The attributes of function blocks contain security levels, tag mark types and alarm processing levels. The attributes can be defined for each function block during engineering. There is no restriction on the combination of security levels, tag mark types and alarm processing levels.

The tables on operation and monitoring authority are fixed and cannot be edited.

The tables below show the relationship of the function block’s data items and the privilege levels in operation and monitoring rights.

R: Monitoring W: Operation


Function Block Security

The operation and monitoring authorities for three different function security levels are shown below:

[Tables shown for: Level 2; Level 4 (default); Level 6]


Mode Selection Key

When the HIS is connected with an operation keyboard, the privilege level of the user may be changed temporarily using the mode selection key on the keyboard. The privilege level changed on the keyboard has higher priority than the level set in the user-in dialog box.

The following two mode selection keys are used to switch the security level:

• Operation key (Privilege level S2): The key can be switched between the ON and OFF positions only.
• Engineering key (Privilege level S3): The key can be switched to any position.

[Figure: key positions. In the case of the operation key, the key changes between the ON and OFF positions. When the engineering key is selected, the key can be switched to any position.]
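The combined check described in this part (HIS security first, then user group scope, then privilege level, with the mode selection key taking priority over the user-in level) can be modelled as follows. This is an added example, not code from the textbook or from CENTUM; the class and function names, the window class identifiers, the "ENG" key position name and the sample scopes are assumptions, and the System View exception and the function block security tables are not modelled.

```python
from dataclasses import dataclass

# Window authorities as stated in the text: every level may monitor; the sets
# below list the window classes each level may also operate (names assumed).
OPERABLE = {"S1": {"general"},
            "S2": {"general", "important"},
            "S3": {"general", "important", "system_operation"}}
# Mode selection key: OFF keeps the user-in level. "ENG" is an assumed name
# for the position that only the engineering key can reach.
KEY_LEVEL = {"OFF": None, "ON": "S2", "ENG": "S3"}

@dataclass(frozen=True)
class HIS:
    monitoring_only: bool          # HIS security level
    scope: frozenset               # plant areas this HIS may operate/monitor

@dataclass(frozen=True)
class UserGroup:
    monitoring_scope: frozenset
    operation_scope: frozenset     # "operation and monitoring scope"

def effective_level(user_in_level, key_position):
    """The keyboard key position takes priority over the user-in level."""
    return KEY_LEVEL[key_position] or user_in_level

def check(his, group, user_in_level, key_position, area, window_class, action):
    """Return (allowed, reason) for action 'monitor' or 'operate'."""
    if action not in ("monitor", "operate"):
        raise ValueError(f"unknown action: {action}")
    # 1. The HIS security check comes first and ignores who is logged on.
    if area not in his.scope:
        return False, "HIS scope"
    if action == "operate" and his.monitoring_only:
        return False, "HIS is monitoring-only"
    # 2. User security check: user group scope, then privilege level.
    if action == "operate":
        if area not in group.operation_scope:
            return False, "user group scope"
        level = effective_level(user_in_level, key_position)
        if window_class not in OPERABLE[level]:
            return False, f"privilege level {level}"
        return True, "ok"
    if area not in group.monitoring_scope | group.operation_scope:
        return False, "user group scope"
    return True, "ok"

# Constructed sample data (not from the textbook).
HIS0124 = HIS(False, frozenset({"A", "B", "C"}))
GROUP_AB = UserGroup(frozenset({"A", "B", "C"}), frozenset({"A", "B"}))
```

Because the key position replaces the user-in level rather than raising it, an S3 user at a keyboard with the operation key turned ON is evaluated as S2 in this model.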


Operation Mark

Attaching or removing an operation mark on a function block can temporarily enable or disable the operation restriction on the instrument faceplate. When an operation mark is attached to a function block, a comment label can be added to the function block or the operation authorities on the function block can be changed temporarily during plant operation. When the operation mark is removed, operation authorities return to the original setting.

Operation marks have the following attributes:

• Operation mark type
• Color
• Comment label
• Attachment/removal attribute

[Figure label: INHIBIT]

Color and comment label may be defined with the HIS Setup function. If the builder file is downloaded, that file replaces the current file.


Types of Operation Marks

The security levels exerted by operation marks and the types of operation marks are displayed as follows.

Not used by default.


Install or Remove Operation Mark

Unauthorized users are prohibited from installing or removing operation marks. The install/remove setting is made in the Operation Mark Builder. The relationship between a user’s privilege level and the right to install or remove a mark is shown below: