Security Manager User Guide
AVEVA Solutions Limited
Disclaimer
AVEVA Instrumentation provides instrument sizing calculations for estimation purposes only, end users of the
software should not rely on the calculations produced by the software for design purposes. End users should seek
the advice of certified equipment suppliers prior to specifying or purchasing equipment.
a) AVEVA does not warrant that the use of the AVEVA software will be uninterrupted, error-free or free from viruses;
b) AVEVA shall not be liable for: loss of profits; loss of business; depletion of goodwill and/or similar losses; loss of
anticipated savings; loss of goods; loss of contract; loss of use; loss or corruption of data or information; any
special, indirect, consequential or pure economic loss, costs, damages, charges or expenses which may be
suffered by the customer, including any loss suffered by the customer resulting from the inaccuracy or invalidity of
any data created by the AVEVA software, irrespective of whether such losses are suffered directly or indirectly, or
arise in contract, tort (including negligence) or otherwise;
c) AVEVA's total liability in contract, tort (including negligence), or otherwise, arising in connection with the
performance of the AVEVA software shall be limited to 100% of the licence fees paid in the year in which the
customer's claim is brought.
In the event of any conflict between the above clauses and the analogous clauses in the software licence under
which the AVEVA software was purchased, the clauses in the software licence shall take precedence.
Copyright
All intellectual property rights, including but not limited to, copyright in this manual and the associated software,
(including source code, object code, and any data) belongs to or is validly licensed by AVEVA Solutions Limited or
its subsidiaries.
All rights are reserved to AVEVA Solutions Limited and its subsidiaries. The information contained in this document
is commercially sensitive, and shall not be copied, reproduced, stored in a retrieval system, or transmitted without
the prior written permission of AVEVA Solutions Limited. Where such permission is granted, it expressly requires
that this Disclaimer and Copyright notice is prominently displayed at the beginning of every copy that is made.
The manual and associated documentation may not be adapted, reproduced, or copied, in any material or
electronic form, without the prior written permission of AVEVA Solutions Limited. The user may also not reverse
engineer, decompile, copy, or adapt the associated software. Neither the whole, nor part of the product described in
this publication may be incorporated into any third-party software, product, machine, or system without the prior
written permission of AVEVA Solutions Limited, save as permitted by law. Any such unauthorised action is strictly
prohibited, and may give rise to civil liabilities and criminal prosecution.
The AVEVA products described in this guide are to be installed and operated strictly in accordance with the terms
and conditions of the respective licence agreements, and in accordance with the relevant User Documentation.
Unauthorised or unlicensed use of the product is strictly prohibited.
Copyright 2000 to current year. AVEVA Solutions Limited and its subsidiaries. All rights reserved.
The AVEVA Instrumentation user interface is based on the Microsoft® Office Fluent™ user interface.
Trademarks
AVEVA and Tribon are registered trademarks of AVEVA Group plc or its subsidiaries. AVEVA product names are
trademarks or registered trademarks of AVEVA Solutions Limited or its subsidiaries. Unauthorised use of
trademarks belonging to AVEVA Group plc or its subsidiaries is strictly forbidden.
Fluent is a trademark of Microsoft Corporation and the Fluent user interface is licensed from Microsoft Corporation.
The Microsoft Office User Interface is subject to protection under U.S. and international intellectual property laws
and is used by AVEVA Solutions Limited under license from Microsoft.
AVEVA Solutions Ltd, High Cross, Madingley Road, Cambridge, CB3 0HB, United Kingdom.
Contents
Security Manager
Introduction
• What is Security Manager
• System Requirements
• AVEVA Instrumentation
• Guide Structure
1 Introduction
The purpose of the AVEVA Instrumentation Security Manager User Guide is to help users
learn how the Security Manager application works. The guide describes the basic steps
required to add security users to an AVEVA Instrumentation project/database.
Refer to the System Requirements for running AVEVA Instrumentation Security Manager.
Note: By default, AVEVA Instrumentation Security is disabled for all new AVEVA
Instrumentation databases. Security must be enabled from AVEVA Instrumentation
Security Manager.
The Security Manager application enables an Administrator or 'Super User' to set up access
and security rights on objects in an AVEVA Instrumentation SQL Server database. Security
Manager includes the following features:
• Enable security on Security Manager 'objects', including application modules.
• Allow users read-only access to all or only a subset of objects and areas.
• Allow users read-write access to all or only a subset of objects and areas.
• Disable access to all or to a subset of objects and areas.
Security rights can be assigned to a specific user by name (the user’s login), or can be
controlled via a user-defined role name. For example, three roles may be set up:
1. Engineers
2. Designers
3. Technicians
All engineers working on the Security Manager project could be made members of the role
'Engineers' and that role can be given read-write access to all Instruments and Datasheets,
but given read-only access to Drawings etc.
All designers working on the Security Manager project could be made members of the role
'Designers' and that role can be given read-write access to all Cables, Equipment and
Drawings, but given read-only access to Datasheets etc.
Plant operations personnel may only require read-only data access (i.e. they cannot make
design changes), therefore a 'Technicians' role would be given read-only access to all
Security Manager objects. With read-only access the user can still print reports.
Full, read-only and no access can also be set based on project plant areas. For example,
users with a specific role may be granted full access to some areas, read-only access to some
areas and no access to others.
Note: By default, Security is disabled for all new SQL Server databases. To enable security
a user must run Security Manager and enable security.
The Security Manager Administrator can create new Users and Groups. Currently all
'Objects' are pre-defined and cannot be changed or new 'Objects' added.
3 Security Setup
Refer to:
• Select and Login to a Project
• Enable Basic Security Settings
• Toolbar Menu
• Create New Project
• Create SQL Server Project from Backup
• Set Authentication Type
• Edit Projects
• Import Security Settings
• Changing the Administrator Password
• Groups
• Define Security Users
• Add New User to SQL Server Project
• Define Object Security
• Define Area Access Control
• Set AI Reports Password
• Package Projects
• Resolve Database Collation Conflicts
Note: The Select an AVEVA Instrumentation Project window is not displayed if only one
project exists. If only one project exists, this project is automatically selected and the
login/password window(s) are displayed (see below).
Note: Clicking New displays the Create a New AVEVA Instrumentation Project window.
Refer to Create New Project for further information.
Highlight a project in the list and click Select. The login procedure then depends on the
authentication type of the project (see Set Authentication Type).
• If Windows Authentication (the default option) is the authentication method being used
for the project, the Login window is then displayed (see below).
• If SQL Server Authentication is the authentication method being used for the project,
the SQL User Login window is displayed:
Enter valid SQL server login details and click OK. The Login window is then displayed
(see below).
• If AVEVA Project Authentication is the authentication method being used for the
project, the Authentication Type window is displayed:
AVEVA Project Authentication can only be used to authenticate user access to project
engineering modules. Therefore one of the other methods must be used when carrying
out a procedure that requires administrator rights, such as accessing the Security
Manager module for a project.
Select the required method and then click OK.
If Windows Authentication is selected, the Login window is then displayed.
If SQL Server Authentication is selected, the SQL User Login window is displayed as
described above. Enter the required details and click OK to access the Login window.
In the login window enter login details for a project user with administrator rights.
A default administrator user is automatically created for each project. If the default
administrator user login details have not been changed, the User Name is “administrator”
and the Password is “Password”.
Note: AVEVA recommend that the default password for the administrator is changed to
protect the integrity of Security Manager. Refer to Changing the Administrator
Password for further information.
By default, Security is disabled on all new Security Manager SQL Server databases to make
sure compatibility is maintained with earlier releases of Security Manager. If security is not
enabled, all users will have read and write access to all data.
When the Security Enabled checkbox is checked, the Grid Locks checkbox becomes
active. Checking the Grid Locks checkbox locks the data grids of the selected project,
preventing more than one user editing the same information at the same time. If another
user attempts to edit the same information, they are prevented from doing so, and a
message is displayed warning them that the information is currently being edited by another
user.
• Project: Used to Create New Project, Create SQL Server Project from Backup, Add New
User to SQL Server Project, Edit Projects, Set Authentication Type, Package Projects,
Set AI Reports Password and Exit the application.
• Help: Used to open the help file and display the current version number.
• Add Group: Used to add a new security group. See Add a New Group.
• Delete Group: Used to delete an existing security group. See Delete a Group.
Note: The Create a New AVEVA Instrumentation Project window is also displayed when
the user clicks New on the Select an AVEVA Instrumentation Project window.
For details of how to create a new project, refer to the AVEVA Instrumentation Installation
Guide.
Note: The utility is designed to run on the computer that the SQL Server is installed on. All
the paths provided by the user must be to physical drives on the computer and not to
mapped drives.
Select the backup file by either completing the field manually or by clicking Browse to
display the Select Backup File window.
Navigate to, and highlight the required file and then click Open to return to the Restore
Wizard utility. The field will be populated with the selected file.
Click Next.
The next screen of the wizard is used to choose where the project is to be restored to, and
enter authentication details.
Complete the Server Name and Database Name fields with the required details.
In the Authentication section, select either Use Windows Authentication or Use SQL
Server Authentication as required.
Clicking Use SQL Server Authentication activates the User Name and Password fields
which the user must then complete with valid SQL server login details.
Click Next.
The next screen is used to specify the restore options.
Complete the Data File path and Log File path fields.
Note: If the path is the same for both fields, complete the Data File path field only. The
Log File path field will automatically default to the same path.
Both fields can be populated manually or by clicking the button to the right of the fields to
display the Browse for Folder window, enabling the user to navigate to the required path.
When both fields are populated, click Finish to complete the restore. When the restore is
complete a message is displayed in the bottom-left corner of the Restore Wizard utility
window, as follows:
Note: The user login on the SQL Server must have a ‘sysadmin’ role in order to change the
authentication type or the Project authentication password.
To change the authentication type, select Project > Authentication Type from the main
menu bar to display the Authentication Type window:
Select the required authentication type from the window and click OK.
In AVEVA Project Authentication mode, users log in to projects using project-specific
user names and passwords (see Add a User), but they are all also automatically logged
into the SQL server using a single SQL user called IDOAdmin.
A password is required for this user if it has not already been specified. Therefore, if AVEVA
Project Authentication is selected, the following window is then displayed:
Note: The ISOAdmin SQL user only has sufficient rights to provide users with access to
project engineering modules. Therefore when performing administrative tasks such
as creating and restoring projects and accessing the Security Manager module, one
of the other authentication methods must be selected.
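An added example, not taken from the AVEVA guide: a T-SQL audit that an SQL Server administrator could run to see which logins hold 'sysadmin' (the role required to change the authentication type) and whether the shared project login holds any fixed server role. Both spellings of the shared login that appear in this guide are checked, and only standard SQL Server catalog views are used.

```sql
-- Added example: audit logins relevant to AVEVA Project Authentication.
-- Run against the SQL Server instance that hosts the project database,
-- with a login permitted to view server principals.

-- 1. Does the current login hold sysadmin?
--    (Required to change the authentication type or its password.)
SELECT SUSER_SNAME()                AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = yes, 0 = no

-- 2. Locate the shared project login and list any fixed server roles it holds.
--    The guide spells the name two ways, so both are searched.
--    A NULL server_role means the login holds no fixed server role.
SELECT sp.name                  AS login_name,
       sp.type_desc             AS login_type,
       sp.is_disabled,
       sl.is_policy_checked,     -- Windows password policy enforced?
       sl.is_expiration_checked, -- password expiration enforced?
       r.name                   AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE sp.name IN (N'IDOAdmin', N'ISOAdmin');

-- 3. List every member of sysadmin, so the set of accounts able to change
--    the authentication type is known and can be reviewed.
SELECT m.name      AS login_name,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
     ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

A fixed server role such as 'sysadmin' returned by the second query would be broader than the access the note above describes for the shared login.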
To change the AVEVA Project Authentication password, refer to Change the AVEVA Project
Authentication Password.
Enter the current password, the new password, and the new password again to confirm it in
the fields provided, and click OK to complete the procedure.
To save changes, select a different cell from the one in which the last change was made and
then close the Projects window. If any changes were made, the Save window is then
displayed:
Click Yes to continue. The Select an AVEVA Instrumentation Project window is displayed.
Select the required project in the list and click Select. The security settings from the
selected project then overwrite those of the current project.
Enter a new password and click Save. The Password Confirmation window is then
displayed:
The user must confirm the new password by entering it again in the field and clicking OK. If
the passwords do not match, a message window will be displayed requesting that the user
try again.
Click OK to return to the User window and re-try entering the passwords.
3.10 Groups
All AVEVA Instrumentation SQL Server seed databases have four default Groups pre-
created:
The four default Groups cover the common user types on any project: Instrument
Engineers, Instrument Designers, Process Engineers and a special 'Everyone' Group which
is the default Group for any user accessing the database.
Each of these Groups has pre-set or default access rights to various Security Manager
objects based on typical project requirements. These access rights can be modified by a
Security Manager Administrator. Refer to Setting Security on Objects.
Enter a Name for the new group and optionally a Description of it. Completing the
Description field is optional but AVEVA recommend it is completed.
Click Save. The Group window is closed and the new group name is displayed in the AVEVA
Instrumentation Security Manager window.
After a new Group is created, the Security Manager administrator will need to assign access
rights to that Group using the Security Objects options. Refer to Setting Security on Objects.
Note: If security is enabled (see Enable Basic Security Settings), when a Windows user or
an SQL user connects to an Engineering module, if that user has not been added to the
list of project users in Security Manager before, it is automatically added then.
Continue at:
• Initial User Setup
• Add a User
• Edit a User
• Delete a User
All Security Manager SQL Server seed databases have a single default user named
'Administrator'.
By default, the Administrator user is defined as a Security Manager Administrator. Users
with this level of access may edit the Security settings for the current database.
Note: If security is enabled (see Enable Basic Security Settings), when a Windows user or
an SQL user connects to an Engineering module, if that user has not been added to the
list of project users in Security Manager before, it is automatically added then.
The User Name of automatically added users will be the domain name and the user
name, e.g. “Domain\Username”. The Full Name will be the user name prefixed with
“auto-”, e.g. “auto-Domain\Username”.
To add a new user if the project is using Windows or SQL Server Authentication, click the
button to the right of the User Name field. The Select Username window is then displayed:
Select a domain name, then a user name from that domain from the lists in that window.
Note: If SQL Server Authentication is being used for the project, new users must also be
added as logins on the SQL server, if that is not already the case. A utility is provided
in the Security Manager for this purpose. Refer to Add New User to SQL Server
Project.
If using AVEVA Project Authentication, the button is not displayed. Instead enter the
required user name and password in the fields provided:
Unless AVEVA Project Authentication is being used, the Password field on the User
window is only enabled if the user is an Administrator.
A user can be marked as Is Read Only. This stops the user from editing any data in all
application modules.
Marking the user as Is Administrator enables the user to run Security Manager as an
Administrator. Every Administrator must have a Password. The Password field is enabled if
the Is Administrator option is checked.
The Security Group controls the access level to each Security Manager application (e.g.
Security Manager Engineer, Designer, Wiring Manager) and/or objects within each module
(e.g. Instruments, Cables, Datasheets etc). Refer to Groups for more information.
To assign the user to a Security Group double-click on the Group name in the Not Member
of Group list. The selected Group is then moved to the Member of Group list.
To unassign the user from a Security Group double-click on the Group name in the Member
of Group list.
Select the required project(s) from the displayed list, complete the User Domain Login
Name field and select the required Access Rights from the drop-down list.
Click Save. A message is then displayed confirming that the user has been added. Click
Exit to close the window.
• Read-Write or Full Access: allows a user to add, edit and delete data
• Read-Only (no Write): allows a user to read data only and create reports
Click on an Application Object. The application node expands to show the application's
Security Objects that the Administrator can control access to:
For example, Datasheets, Datasheet Design (changing the forms in the database),
Importing Datasheet Catalogue etc.
The right-hand pane then displays the current Security Groups defined in the database and
lists these Groups:
• No Permission Group: Groups in this list have no access to the current Object
• Permission Group: Groups in this list have access rights as defined by the Access Type
column
To add a Group to the Permission Group column, double-click on the Group name in the
No Permission Group column.
To remove a Group from the Permission Group column double-click on the Group name in
the Permission Group column.
To change the Access Type, select the Access Type from the list in the Access Type field:
Note: The Access Type is defined for the Group in the Permission Group list only.
Example
To prevent Engineers from editing Datasheets:
1. Add a new group from the Groups list (e.g. 'EngineersNoDSH').
2. Go to the Security Object 'Datasheet' for Security Manager Engineer.
3. Double-click on the new Group Name (e.g. 'EngineersNoDSH').
4. Change the Access Type to ‘Read-Only’.
To also prevent Engineers from exporting Datasheet data to Excel, select ‘Read Only
(No Excel Export)’.
5. Go to the User list.
6. Add the new Group Name (e.g. 'EngineersNoDSH') to the User.
• Full Access: allows a user to add, edit and delete data in the area
• Read-Only (Allow Connections): allows a user to view object data, create reports and
make connections to objects in the area (e.g. users may assign a supply in the area to
a load in a full access area)
The right-hand pane then displays the current Security Groups defined in the database and
lists these Groups:
• No Permission Group: Groups in this list have no access to the current area
• Permission Group: Groups in this list have access rights as defined by the Access Type
column
To add a Group to the Permission Group column, double-click on the Group name in the
No Permission Group column.
To remove a Group from the Permission Group column double-click on the Group name in
the Permission Group column.
To change the Access Type for the area, select the Access Type from the list in the Access
Type field:
Enter the required password in the New Password field and again the Confirm New
Password field, then click OK. If a valid password is entered a message is then displayed
confirming that the password has been set.
To change the password, select Project > Set AIReports Password again. The Set
AIReports Password window is then displayed as follows:
Enter the current password, the new password, and the new password again to confirm it in
the fields provided, and click OK to complete the procedure.
Click on the links to download the objects, and then install them from the downloaded .msi
files.
Once the SMOs have been installed, select Project > Package Project again.
The Project Packager window is then displayed:
Select the location that the package file is to be saved to by clicking the ... button. The
following window is then displayed:
Browse for the required location, enter the file name in the File name field, and click Save.
The selected location and file name are then displayed in the Output file field of the Project
Packager window:
Click OK to close the message. Click Cancel to close the Project Packager window.
Follow the instructions and select the Resolve DB Collation option again.
When the conflict is successfully resolved, the following message is displayed:
Whether it was successful or unsuccessful, a log entry will be generated for the operation in
the Windows Event Viewer, which may be useful for future analysis of the issue.