Workstation authorization

The workstation authorizations can be defined for all user groups (*) or alternatively for several specific groups.

The permissions in WinCC OA are specified by using the first five authorization levels (bits). See also Authorization levels.

The workstation authorizations can, however, only reduce permissions. It is not possible, for example, to assign administration permissions to a user group that generally has only visualization permission (inherited from a group). The workstation authorization is checked case-insensitively. If the authorization levels are defined for one group, the permissions apply only to this one group (for the defined workstation).

Via the workstation authorization you can, for example, define that a user group that generally has administration permission may only open (visualize) the panels on this workstation. The workstation authorization can therefore be used to restrict the permissions of one user group or several different groups for a specific workstation. A user group opAll_tunnel1 could, for example, normally have the advanced operator authorization (authorization level 3) for tunnel1 but only visualization permission on a specific workstation.

Note that in order to set workstation authorization you have to log in via the login panel.

The authorizations are defined in the Workstation authorization window shown below:

Figure 1. Workstation authorization

In the view in the upper section of the panel you can see the workstation UIs and the groups that have rights for these UIs:

Display: Shows the UI for which the authorizations are defined.

Group: Shows the group or all (*) groups that have the authorization for the UI.

Authorization levels: Shows the authorization levels (authorization bits) of the group. All authorization bits are set to TRUE by default when creating a workstation authorization. See chapter Authorization levels for more information on the levels.

The authorization level 32 is the bit for the Single Sign On (SSO) feature.

Name: Define the display name.

My computer: Adds the current computer name into the "Name" text field.

User group: Choose the user group(s) from the combo box.

Authorization bits: Define the authorization bits with a left mouse click on the columns.

Workstation settings: Allows defining workstation settings for a specific workstation. See chapter Settings Management. The button will be enabled when you select a workstation from the table. Note that individual settings for workstations can only be defined after defining basic settings.

Define settings: Allows defining basic workstation settings. Note that individual settings for workstations can only be defined after defining basic settings. See chapter Configuration Management.

EXAMPLE

The workstation authorization reduces permissions; see the description at the beginning of this chapter. The general permissions in WinCC OA are specified by using the first five authorization levels (bits). See also Authorization levels.

In this example, the user Max has the following bits via a user group he belongs to:

11101101100000000000000000000000

This means that he possesses the authorization levels 1, 2, 3 and 5. Therefore, he has the following permissions: Visualization, Normal operator authorization, Advanced operator authorization as well as Acknowledgement, but not the level "Administration".

On the "HOST" the user Max has the following bits via his user group:

10111111111111111111111111111111

and on the "host" the user Max has the following bits via his user group:

11011111111111111111111111111110

The user Max cannot log in via SSO since his permissions (bit 32) were reduced via the workstation authorization through "host". In addition, bit 2 was reduced via "HOST" and bit 3 via "host".

After the login, the user Max has the following rights:

10001101100000000000000000000000
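
The reduction in the example above can be reproduced with a small model, useful when reviewing which rights a group keeps on a given workstation. This is an added example, not WinCC OA code: the function names, the group name `opGroup` and the `other-pc` entry are assumptions made for illustration, and the rule it applies (bitwise AND over every entry whose display name matches case-insensitively) is taken from the example on this page.

```python
# Added illustration of the reduction rule on this page; not WinCC OA code.
LEVEL_NAMES = {1: "Visualization", 2: "Normal operator authorization",
               3: "Advanced operator authorization", 4: "Administration",
               5: "Acknowledgement"}

def _check(bits):
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected 32 characters of 0/1, got {bits!r}")
    return bits

def effective_bits(group_bits, group, workstation, entries):
    """AND the group's bits with every matching workstation entry.

    entries: (display name, group or "*", bit string); leftmost char is bit 1.
    Display names match case-insensitively, so "HOST" and "host" both apply.
    """
    result = _check(group_bits)
    for name, entry_group, mask in entries:
        if name.lower() != workstation.lower() or entry_group not in ("*", group):
            continue
        _check(mask)
        # A bit survives only if it is set on both sides: masks never add rights.
        result = "".join("1" if a == b == "1" else "0" for a, b in zip(result, mask))
    return result

def levels(bits):
    """Numbers of the authorization levels (1-based bit positions) that are set."""
    return [i + 1 for i, c in enumerate(bits) if c == "1"]

def removed_levels(group_bits, effective):
    """Levels the group has in general but loses on this workstation."""
    return sorted(set(levels(group_bits)) - set(levels(effective)))

# Bit strings from the example above; group name and third entry are constructed.
MAX_GROUP = "opGroup"  # hypothetical group name
MAX_BITS = "11101101100000000000000000000000"
ENTRIES = [
    ("HOST", MAX_GROUP, "10111111111111111111111111111111"),
    ("host", MAX_GROUP, "11011111111111111111111111111110"),
    ("other-pc", "*", "1" + "0" * 31),  # constructed entry for all groups
]

if __name__ == "__main__":
    eff = effective_bits(MAX_BITS, MAX_GROUP, "Host", ENTRIES)
    print(eff)
    print("removed on this workstation:", removed_levels(MAX_BITS, eff))
    print("remaining:", [LEVEL_NAMES.get(n, f"level {n}") for n in levels(eff)])
```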