Tech Note 999 - Wonderware Application Server Security Troubleshooting Essentials Part 2 Security Classification & Operational Permissions

This document discusses security classifications and operational permissions in Wonderware Application Server. It explains that attribute security classifications like Operate, Secured Write, and Configure determine who can access attributes, while operational permissions assigned to security groups control specific access. The Operate classification allows editing in on-scan or off-scan, Secured Write requires re-entering a password, and Configure only allows off-scan editing. Examples demonstrate how security groups, roles, and users work together using these classifications and permissions.


Application Server Security Troubleshooting Essentials Part 2: Security Classification & Operational Permissions

Tech Note 999


Wonderware Application Server Security Troubleshooting Essentials Part 2: Security Classification & Operational Permissions

All Tech Notes, Tech Alerts and KBCD documents and software are provided "as is" without warranty of any kind. See the Terms of Use for more information.

Topic#: 002829
Created: December 2013

Introduction
This Essentials Guide is the second in a projected series.

This Tech Note discusses the relationship between Security Groups and the Attribute Security Classification. In addition, we introduce a
utility that unifies the security group information covered in this Tech Note into a single page and also provides Galaxy search
functionality.

Application Versions
Wonderware Application Server 2012 and later

Application Server Security Model Review


The attributes on an ArchestrA Automation Object (AA Object) have a configurable security classification setting. This provides the ability
to define who can control the attributes of an AA Object.

In a real-world Galaxy there are typically a large number of AA Objects. The Roles and Security Groups functionality provides the ability to
efficiently assign and modify users and their associated security classification on the attributes of AA Objects.

Roles: Generalize users' functional groups, such as Operator, System Engineer, Application Engineer, etc. One Role can be granted
permissions to multiple Security Groups.

Security Group: Groups together AA Objects that share the same set of Operational Permissions.

file:///C|/inetpub/wwwroot/t002829/t002829.htm[12/17/2013 9:52:41 AM]



Figure 1: Application Server Security Model

The following table shows the AA Object Attributes' Security Classification specifications and their corresponding Security Groups'
Operational Permissions.

Security Classification | Perspective | Operational Permission
FreeAccess | No privileges are required. Any user can write to an attribute that has this setting. | (none)
Operate | Allows the user to change the value of an attribute in On-Scan or Off-Scan mode. Note: Deployment needs the Operate Operational Permission. | Operate
Secured Write | Requires the logon user to retype the password in order to make the changed value go through. | Operate
Verified Write | Besides the Secured Write requirements above, you must provide a second user's authentication. Note: Two users must have the Operate and Verify Operational Permissions. | Operate, Verify
Tune | Allows the user to write a value to the attribute in On-Scan or Off-Scan mode. | Tune
Configure | Allows the user to write a value to the attribute only in Off-Scan mode. | Configure
Read Only | Regardless of the user's permissions, the attribute value cannot be changed at Runtime. | (none)
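The table's rules, written out as a decision function over the Role -> Security Group -> AA Object model of Figure 1. This is an added, constructed example, not Wonderware's implementation; the Galaxy data and the `Galaxy`, `can_write` and `SAMPLE` names are assumptions, and the second-user step of Verified Write is not modelled.

```python
# Constructed model of the write-authorisation rules in the table above (added example,
# not Wonderware's code). Verified Write's second-user step is not modelled.

# Operational Permission(s) each Security Classification requires (from the table).
REQUIRED = {
    "FreeAccess": set(), "Operate": {"Operate"}, "Secured Write": {"Operate"},
    "Verified Write": {"Operate", "Verify"}, "Tune": {"Tune"}, "Configure": {"Configure"},
}

class Galaxy:
    # Groups hold AA Objects and permissions; Roles are granted Groups; Users hold Roles.
    def __init__(self, group_perms, group_objects, role_groups, user_roles):
        self.group_perms, self.group_objects = group_perms, group_objects
        self.role_groups, self.user_roles = role_groups, user_roles

    def permissions_on(self, user, obj):
        """Operational Permissions `user` holds on `obj` via Role -> Group -> Object."""
        held = set()
        for role in self.user_roles.get(user, ()):
            for group in self.role_groups.get(role, ()):
                if obj in self.group_objects.get(group, ()):
                    held |= self.group_perms.get(group, set())
        return held

def can_write(galaxy, user, obj, classification, on_scan, reauthenticated=False):
    """Decide a Runtime write to an attribute of `obj`; returns (allowed, reason)."""
    if classification == "Read Only":
        return False, "Read Only: attribute cannot be changed at Runtime"
    if classification == "Configure" and on_scan:
        return False, "Configure: writes allowed only Off-Scan (Security Error 8017)"
    missing = REQUIRED[classification] - galaxy.permissions_on(user, obj)
    if missing:  # wrong Role, or the Security Group lacks the permission
        return False, f"Write Access Denied: {user} lacks {sorted(missing)} on {obj}"
    if classification in ("Secured Write", "Verified Write") and not reauthenticated:
        return False, f"{classification}: the password must be re-entered"
    return True, f"{classification}: write accepted"

# Sample Galaxy mirroring the Operate, Secured Write and Configure scenarios below.
SAMPLE = Galaxy(
    group_perms={"GroupOperator": {"Operate"}, "GroupSecuredWrite": {"Operate"},
                 "GroupConfigure": {"Configure"}},
    group_objects={"GroupOperator": {"UDO4Test_Operate"},
                   "GroupSecuredWrite": {"UDO4Test_SecuredWrite"},
                   "GroupConfigure": {"UDO4Test_Configure"}},
    role_groups={"OperateRole": {"GroupOperator"}, "SecuredWriteRole": {"GroupSecuredWrite"},
                 "ConfigureRole": {"GroupConfigure"}},
    user_roles={"OperA": {"OperateRole"}, "OperB_Sec": {"SecuredWriteRole"},
                "ConfigUser": {"ConfigureRole"}},  # Administrator holds no Role here
)
```

Removing Operate from a Security Group's permissions (the Secured Write "Setup 2" below) makes `can_write` deny the write even for a user in the correct Role, which is the Write Access Denied case.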

The following graphic shows Security classifications in the center red frame, and the Operational permissions at the right.


Figure 2: Security Classification and Operational Permissions

The following section demonstrates usage of Operate, Secured Write and Configure specifications in detail.

Operate

Allows user to change the value of an attribute during On-Scan or Off-Scan mode.

Environment

UDA: UDA_Operate, with the Operate Security Classification.

UDO: UDO4Test_Operate (AA Object) contains UDA_Operate.

Security Group: GroupOperator contains UDO4Test_Operate (AA Object).

Role: OperateRole

User: OperA

Setup
1. Only OperateRole is granted the access to GroupOperator.

2. Only OperA is associated to OperateRole.

3. In GroupOperator, uncheck all options except Can Modify "Operate" Attribute.


Figure 3: Select Can Modify "Operate" Attributes Option

Verify
1. Deploy UDO4Test_Operate with Off-Scan and open it with the Object Viewer. The object icon in this example indicates the
deployment is in Off-Scan state (Figure 4 below).

Figure 4: Object Viewer Shows Each Attribute's Security Classification

2. Change the User to OperA and set the value on UDA_Operate to False (Figure 5 below).


Figure 5: User OperA Can Set the Value

3. Change the User to Administrator.


Figure 6: Administrator Cannot Set the UDA_Operate Value: Administrator Is Not in OperateRole

4. (Optional) Repeat this procedure in the On-Scan Deployment state.

Summary
With the Operate Security Classification, a user in the correct Role can set the attribute value in both On-Scan and Off-Scan deployments.

Secured Write
Requires the logon user to type the password in order to make the changed value go through. The Operate Permission is required.

Environment

UDA: UDA_SecuredWrite, with the Secured Write Security Classification.

UDO: UDO4Test_SecuredWrite (AA Object) contains UDA_SecuredWrite.

Security Group: GroupSecuredWrite contains UDO4Test_SecuredWrite (AA Object).

Role: SecuredWriteRole

User: OperB_Sec

Setup 1
1. Only SecuredWriteRole is granted the access to GroupSecuredWrite.

2. Only OperB_Sec is associated to SecuredWriteRole.

Setup 2
Same as Setup 1, but uncheck the Operate Operational permission in GroupSecuredWrite.

Verify 1
1. Deploy UDO4Test_SecuredWrite (AA Object) and open it with the Object Viewer.

2. Change the User to OperB_Sec and set the value on UDA_SecuredWrite.


Figure 7: After Clicking the OK Button in the "Enter Username and Password" Dialog, the Value of UDA_SecuredWrite Sets to True Successfully

3. Change the User to Administrator and set the value on UDA_SecuredWrite.


Figure 8: The Secured Write Security Classification Denies the Write Request: User Administrator Is Not in SecuredWriteRole

Verify 2

The Operate Operational Permission is required.

1. Remove the Operate Operational permission from GroupSecuredWrite (Security Group).

Figure 9: Uncheck Can Modify "Operate" Attributes
2. Repeat the verification shown in Figure 5 (above). You will see the Write Access Denied Error (Figure 10 below).

Figure 10: Write Access Denied

Summary
The Secured Write Security Classification needs the Operate Operational permission even if the user is in the correct Role.

Configure
Allows the user to write a value to the attribute only in Off-Scan mode.

Environment

UDA: UDA_Configure, with the Configure Security Classification.

UDO: UDO4Test_Configure (AA Object) contains UDA_Configure.

Security Group: GroupConfigure contains UDO4Test_Configure (AA Object).

Role: ConfigureRole

User: ConfigUser

Setup
1. ConfigureRole is granted the access to GroupConfigure.

2. ConfigUser is associated to ConfigureRole.

3. Deploy UDO4Test_Configure (AA Object) in On-Scan mode.

4. In GroupConfigure, uncheck all options except Can Modify Configure Attribute.


Figure 11: Leave Can Modify "Configure" Attributes Option Checked

Verify
1. Open UDO4Test_Configure (AA Object) in the Object Viewer.

2. Change the value of UDA_Configure. Security Error 8017 is returned.

Figure 12: SetAttribute Failure

Summary
The Configure Security Classification only allows writes while the deployment is in the Off-Scan state.

GRSecurityLayout Utility
This Read-Only Utility provides a quick way to view and search the Galaxy Security Settings on Security Groups with AA Objects and
Operational permissions, Roles and Users, within a single page.

Download the GRSecurityLayout Utility

Note: This Utility is developed with Wonderware Galaxy Repository Access (GRAccess) Toolkit. Therefore, like the IDE, running this
Utility will consume one Dev_Session_Count License Feature count which is listed in ArchestrA.lic. The Utility's main functions are as
follows:

Galaxy User Oriented Tree-View: Shows each Galaxy user's Runtime Security Relationships.

Figure 13: User-Based Security View

Wildcard Search AA Objects and their belonging Security Groups: In a real-world Galaxy, there are usually a large number of
AA Objects. Quickly finding any AA Object's associated Security Groups is very important during the Security Design and
Verification procedures.

Figure 14: Wildcard Search Returns Security Group List That Contains All AA Objects Containing the Value

Search the Users and Security Groups that have the given Operational permission.

In Figure 15 (below), we search all the Security Groups that contain the Configure Operational permission and the users in these
Security Groups.

Figure 15: Search by Security Group

Search the Users and Security Groups that do not have the given Operational permission.

In Figure 16 (below), we search all the Security Groups that do not contain the Configure Operational permission and the users in
these Security Groups.

The "-" (dash character) in the search criteria means Not Contain.

Figure 16: Filter Using the Dash Character

Quick retrieve AA Objects, Templates and Instances, within any selected Security Group.

Figure 17: Highlight Any Security Group Level in the Tree View to See the Contained AA Objects (Template or Instance)

Quick retrieve AA Objects' attribute names and their corresponding Security Classification (Figure 18 below).


Figure 18: AA Object UDO4Test_SecuredWrite's Attribute Names and Corresponding Security Classification
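The three searches the Utility is described as offering (wildcard AA Object search, permission search, and the "-" Not Contain filter, Figures 14 to 16), reconstructed over constructed Galaxy security data. This is an added example, not the Utility's or GRAccess code; the dictionaries, the `$UserDefined_Cfg` template name and the function names are assumptions.

```python
# Constructed re-implementation of the GRSecurityLayout search semantics described
# above (added example, not the Utility's code). Data below is constructed.
from fnmatch import fnmatchcase

GROUP_OBJECTS = {"GroupOperator": {"UDO4Test_Operate"},
                 "GroupSecuredWrite": {"UDO4Test_SecuredWrite"},
                 "GroupConfigure": {"UDO4Test_Configure", "$UserDefined_Cfg"}}  # $ = template
GROUP_PERMS = {"GroupOperator": {"Operate"}, "GroupSecuredWrite": {"Operate"},
               "GroupConfigure": {"Configure"}}
ROLE_GROUPS = {"OperateRole": {"GroupOperator"}, "SecuredWriteRole": {"GroupSecuredWrite"},
               "ConfigureRole": {"GroupConfigure"}}
USER_ROLES = {"OperA": {"OperateRole"}, "OperB_Sec": {"SecuredWriteRole"},
              "ConfigUser": {"ConfigureRole"}, "Administrator": set()}

def groups_for_objects(pattern):
    """Security Groups containing any AA Object whose name matches the wildcard (Figure 14)."""
    return sorted(g for g, objs in GROUP_OBJECTS.items()
                  if any(fnmatchcase(o, pattern) for o in objs))

def groups_by_permission(criteria):
    """Groups that contain the Operational Permission, or that do NOT contain it when
    the criteria starts with "-" (the Not Contain filter of Figure 16)."""
    negate = criteria.startswith("-")
    perm = criteria[1:] if negate else criteria
    return sorted(g for g, perms in GROUP_PERMS.items() if (perm in perms) != negate)

def users_in_groups(groups):
    """Users that reach any of `groups` through a Role granted that Security Group."""
    wanted = set(groups)
    return sorted(u for u, roles in USER_ROLES.items()
                  if any(ROLE_GROUPS.get(r, set()) & wanted for r in roles))
```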

References
Wonderware Application Server 2012 R2 – IDE.PDF

A. Rantos, E. Xu

Tech Notes are published occasionally by Wonderware Technical Support. Publisher: Invensys Systems, Inc., 26561 Rancho Parkway South, Lake Forest, CA 92630. There is also
technical information on our software products at Wonderware Technical Support.

For technical support questions, send an e-mail to [email protected].


©2013 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc.
Terms of Use.
