FactoryTalk - Runtime Security - Multiple group membership

ChristPLC

So, I have a FactoryTalk ME PVPlus 7 12" panel.

I have 2 user groups, Technician and Operator.
Technician has UserCode P (ON/Y). Operator has only UserCode A.


When UserCode P is active, the visibility of a specific button is toggled and a tag inside the PLC is set.


Now, when a user is a member of both the Technician group and the Operator group, then for some odd reason it does not show the button. However, UserCode P should then be ON/YES because the user is a Technician.


Is there a way in FactoryTalk to ensure that this CurrentUserHasCode function always returns TRUE if one of the groups has it set to Yes/ON?



Or am I possibly missing something?
 
One of the issues people run into sometimes is with Allow vs Deny vs no selection. Perhaps this is where the problem lies.

Allow obviously means you are allowed access. If I am a member of the Technician group then I am assigned Security Code P. Let's assume for a moment that no other codes are specified for that group. No additional Allow or Deny.

Let's say I am also a member of the Maintenance group. That group is assigned Security Code B. If I am a member of both then I will have both Security Codes B and P. You can accumulate additional security codes by being a member of multiple groups.

Now, let's go back to the Technicians group and select Deny for Code B. Previously there was not an allow or deny for that code. Deny overrides everything else. If I am a Technician, I cannot accumulate Code B because that Technician Deny overrides the Maintenance Allow. So, make sure you are not using Deny unless you specifically need to prevent that person or group from accumulating that Security Code.

When I have issues with security, I create a text object with the letter "A" in it and I use visibility animation with CurrentUserHasCode(A). If that letter is visible, then I know they have that code. Then repeat for other codes to test.

OG
 

Thanks for this tip.
I changed all items to NOT have user code P, then when multiple groups are assigned to one user it works properly. Never thought that it would use the NOT as the highest priority.
 
...Never thought that it would use the NOT as the highest priority.

I used to do IT work and that is pretty standard for security. It makes sure when you deny a code for a user or group, those users cannot get the allow capability from another group. Deny means deny, no matter what.

It also allows flexibility for defining individual users. I could, for example, assign a Maintenance group security codes A and B. But then add a specific maintenance person and deny them B.


OG
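The Allow / Deny / no-selection behaviour described in this thread, written out as a small model. This is an added example, not code from the posters or from Rockwell; the function names, the user "jdoe" and the three configurations are constructed, and the "before" case assumes the Operator group had an explicit Deny on code P.

```python
# Illustrative model of the rules described in the thread: Allows accumulate
# across every entry that applies to a user, and a Deny on any entry wins.
from enum import Enum

class Setting(Enum):
    ALLOW = "allow"
    DENY = "deny"

def effective_codes(principals, acl):
    """Codes a user ends up with. `principals` is the user's own account name
    plus every group they belong to; an absent code means no selection."""
    allowed, denied = set(), set()
    for name in principals:
        for code, setting in acl.get(name, {}).items():
            (allowed if setting is Setting.ALLOW else denied).add(code)
    return allowed - denied  # Deny overrides Allow from any other entry

def explain(code, principals, acl):
    """Name the entries that decide one code, to locate a stray Deny."""
    deny = [p for p in principals if acl.get(p, {}).get(code) is Setting.DENY]
    allow = [p for p in principals if acl.get(p, {}).get(code) is Setting.ALLOW]
    if deny:
        return f"{code}: denied by {', '.join(deny)}"
    if allow:
        return f"{code}: allowed by {', '.join(allow)}"
    return f"{code}: no selection on any entry"

# Constructed configurations (assumed, not exported from a real project).
BEFORE = {  # Operator carries an explicit Deny on P
    "Technician": {"P": Setting.ALLOW},
    "Operator": {"A": Setting.ALLOW, "P": Setting.DENY},
}
AFTER = {  # P left unselected on Operator
    "Technician": {"P": Setting.ALLOW},
    "Operator": {"A": Setting.ALLOW},
}
PER_USER = {  # group allows A and B, one hypothetical user is denied B
    "Maintenance": {"A": Setting.ALLOW, "B": Setting.ALLOW},
    "jdoe": {"B": Setting.DENY},
}

if __name__ == "__main__":
    both = ["Technician", "Operator"]
    print(sorted(effective_codes(both, BEFORE)), explain("P", both, BEFORE))
    print(sorted(effective_codes(both, AFTER)), explain("P", both, AFTER))
    print(sorted(effective_codes(["Maintenance", "jdoe"], PER_USER)))
```

Running `explain` for each code A through P against a user's memberships gives the same answer as the visibility-animation test described above, without needing to log in on the panel.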
 
