Application Server Security Troubleshooting Essentials Part 2

This document discusses security classifications and permissions in Wonderware Application Server. It describes the relationships between security groups, attribute security classifications, and operational permissions. It provides examples of how different classifications like Operate, Secured Write, and Configure work and the permissions needed to modify attributes with each classification both in on-scan and off-scan modes. The goal is to help users understand and apply the application server's security model.


Schneider Electric Software

Knowledge & Support Center

Doc Type Tech Notes

Doc Id TN580

Last Modified Date 07/07/2015

Wonderware Application Server Security Troubleshooting Essentials Part 2: Security Classification &
Operational Permissions
LEGACY TECH NOTE # 999

SUMMARY

This Essentials Guide is the 2nd in a projected series.

This Tech Note discusses the relationship between Security Groups and Attribute Security Classification. In addition, it introduces a utility that unifies the security group information
covered in this Tech Note onto a single page and also provides Galaxy search functionality.

SITUATION

Application Versions
Wonderware Application Server 2012 and later

Application Server Security Model Review


The attributes on an ArchestrA Automation Object (AA Object) have a configurable security classification setting. This provides the ability to define who can control the attributes of an AA
Object.

In a real-world Galaxy there are typically a large number of AA Objects. The Roles and Security Groups functionality provides an efficient way to assign and modify users and the
security classification they hold on the attributes of AA Objects.

Roles: Generalize users' functional groups, such as Operator, System Engineer, Application Engineer, etc. One Role can be granted permissions to multiple Security Groups.
Security Group: Groups together AA Objects that share the same set of Operational Permissions.

Figure 1: Application Server Security Model

The following table shows each Security Classification that can be set on an AA Object attribute and the Operational permission that the user's Security Group must grant for a write to succeed.

Security Classification | Perspective | Operational Permission
FreeAccess | No privileges are required. Any user can write to an attribute that has this setting. | (none)
Operate | Allows the user to change the value of an attribute during On-Scan or Off-Scan mode. Note: Deployment needs the Operate Operational Permission. | Operate
Secured Write | Requires the logon user to retype the password in order to make the changed value go through. | Operate
Verified Write | In addition to the Secured Write requirement, a second user's authentication must be provided. Note: The two users must hold the Operate and Verify Operational permissions. | Operate, Verify
Tune | Allows the user to write a value to the attribute in On-Scan or Off-Scan mode. | Tune
Configure | Allows the user to write a value to the attribute only in Off-Scan mode. | Configure
Read Only | Regardless of the user's permissions, the attribute value cannot be changed at Runtime. | (none)

The Schneider Electric industrial software business and AVEVA have merged to trade as AVEVA Group plc, a UK listed company. The Schneider Electric and Life
Is On trademarks are owned by Schneider Electric and are being licensed to AVEVA by Schneider Electric.

Terms of Use | Privacy Policy

Copyright © 2018 AVEVA Group Plc. All rights reserved

The following graphic shows Security classifications in the center red frame, and the Operational permissions at the right.

Figure 2: Security Classification and Operational Permissions

The following section demonstrates usage of Operate, Secured Write and Configure specifications in detail.

Operate
Allows user to change the value of an attribute during On-Scan or Off-Scan mode.

Environment

UDA: UDA_Operate, with the Operate Security Classification.
UDO: UDO4Test_Operate (AA Object), containing UDA_Operate.
Security Group: GroupOperator, containing UDO4Test_Operate (AA Object).
Role: OperateRole
User: OperA

Setup

1. Only OperateRole is granted access to GroupOperator.
2. Only OperA is associated with OperateRole.
3. In GroupOperator, uncheck all options except Can Modify "Operate" Attributes.


Figure 3: Select Can Modify "Operate" Attributes Option

Verify
1. Deploy UDO4Test_Operate in the Off-Scan state and open it in the Object Viewer. The object icon in this example indicates that the deployment is Off-Scan (Figure 4 below).

Figure 4: Object Viewer Shows Each Attribute's Security Classification

2. Change the User to OperA and set the value on UDA_Operate to False (Figure 5 below).


Figure 5: User OperA can Set the Value

3. Change the User to Administrator.

Figure 6: Administrator Cannot Set the UDA_Operate Value: Administrator is not in OperateRole

4. (Optional) Repeat this procedure in On-Scan Deployment state.

Summary

With the Operate Security Classification, a user in the correct Role can set the attribute value in both On-Scan and Off-Scan deployments.

Secured Write
Requires the logon user to retype the password in order to make the changed value go through. The Operate Operational permission is also required.

Environment

UDA: UDA_SecuredWrite, with the Secured Write Security Classification.
UDO: UDO4Test_SecuredWrite (AA Object), containing UDA_SecuredWrite.
Security Group: GroupSecuredWrite, containing UDO4Test_SecuredWrite (AA Object).
Role: SecuredWriteRole
User: OperB_Sec

Setup 1
1. Only SecuredWriteRole is granted access to GroupSecuredWrite.
2. Only OperB_Sec is associated with SecuredWriteRole.

Setup 2

Same as Setup 1, but uncheck the Operate Operational permission in GroupSecuredWrite.

Verify 1
1. Deploy UDO4Test_SecuredWrite (AA Object) and open it in the Object Viewer.
2. Change the User to OperB_Sec and set the value of UDA_SecuredWrite.

Figure 7: After Clicking the OK Button in the "Enter Username and Password" dialog, the Value of UDA_SecuredWrite Sets to True Successfully
3. Change the User to Administrator and set the value on UDA_SecuredWrite.

Figure 8: The Secured Write Security Classification Denies the Write Request: User Administrator is NOT in SecuredWriteRole


Verify 2

The Operate Operational Permission is required.

1. Remove the Operate Operational permission from GroupSecuredWrite (Security Group).

Figure 9: Uncheck Can Modify "Operate" Attributes

2. Repeat the verification shown in Figure 5 (above). You will see the Write Access Denied Error (Figure 10 below).

Figure 10: Write Access Denied

Summary

Secured Write Security Classification needs the Operate Operational permission even if the user is in the correct Role.

Configure
Allows the user to write a value to the attribute only at the Off-Scan mode.

Environment

UDA: UDA_Configure, with the Configure Security Classification.
UDO: UDO4Test_Configure (AA Object), containing UDA_Configure.
Security Group: GroupConfigure, containing UDO4Test_Configure (AA Object).
Role: ConfigureRole
User: ConfigUser

Setup

1. ConfigureRole is granted access to GroupConfigure.
2. ConfigUser is associated with ConfigureRole.
3. Deploy UDO4Test_Configure (AA Object) in On-Scan mode.
4. In GroupConfigure, uncheck all options except Can Modify "Configure" Attributes.

Figure 11: Leave Can Modify "Configure" Attributes Option Checked

Verify
1. Open UDO4Test_Configure (AA Object) in the Object Viewer.
2. Change the value of UDA_Configure. Security Error 8017 is returned.

Figure 12: SetAttribute FAILURE

Summary

Configure Security Classification only works while in Off-Scan Deployment state.
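The following Python model is added here as an illustration; it is not part of this Tech Note or of Application Server itself. It encodes the classification/permission table above and replays the three Verify procedures (Operate, Secured Write, Configure) as write decisions. The group, Role, user and object names are those of the Environment sections; `reauth` and `verifier` are assumed stand-ins for the password dialog and the second Verified Write user, and Administrator is modelled as holding no Role into these groups, which is what the figures show.

```python
from dataclasses import dataclass
# Attribute Security Classifications and, per the Tech Note's table, the Operational
# permission the writing user needs (Verified Write: the second user supplies Verify).
FREE_ACCESS, OPERATE, SECURED_WRITE, VERIFIED_WRITE, TUNE, CONFIGURE, READ_ONLY = (
    "FreeAccess", "Operate", "Secured Write", "Verified Write", "Tune", "Configure", "Read Only")
REQUIRED = {FREE_ACCESS: set(), OPERATE: {"Operate"}, SECURED_WRITE: {"Operate"},
            VERIFIED_WRITE: {"Operate"}, TUNE: {"Tune"}, CONFIGURE: {"Configure"}}

@dataclass
class Galaxy:
    groups: dict  # Security Group -> (set of AA Objects it contains, permissions it grants)
    roles: dict   # Role -> set of Security Groups the Role is granted access to
    users: dict   # User -> set of Roles

    def permissions(self, user, obj):
        """Permissions `user` holds on `obj` via Roles -> Security Groups that contain obj."""
        held = set()
        for role in self.users.get(user, set()):
            for group in self.roles.get(role, set()):
                objs, granted = self.groups[group]
                if obj in objs:
                    held |= granted
        return held

def check_write(g, user, obj, cls, on_scan, reauth=False, verifier=None):
    """Decide a runtime write -> (allowed, reason); reauth = password dialog, verifier = 2nd user."""
    if cls == READ_ONLY:
        return False, "Read Only: value cannot be changed at Runtime"
    if cls == CONFIGURE and on_scan:
        return False, "Configure: write allowed only Off-Scan (Security Error 8017)"
    missing = REQUIRED[cls] - g.permissions(user, obj)
    if missing:
        return False, "Write Access Denied: missing " + ", ".join(sorted(missing))
    if cls in (SECURED_WRITE, VERIFIED_WRITE) and not reauth:
        return False, "password re-entry required"
    if cls == VERIFIED_WRITE and "Verify" not in g.permissions(verifier, obj):
        return False, "second user with Verify permission required"
    return True, "write accepted"

def tech_note_galaxy():
    """Constructed from the Environment/Setup sections; Administrator holds no Role here."""
    return Galaxy(
        groups={"GroupOperator": ({"UDO4Test_Operate"}, {"Operate"}),
                "GroupSecuredWrite": ({"UDO4Test_SecuredWrite"}, {"Operate"}),
                "GroupConfigure": ({"UDO4Test_Configure"}, {"Configure"})},
        roles={"OperateRole": {"GroupOperator"}, "SecuredWriteRole": {"GroupSecuredWrite"},
               "ConfigureRole": {"GroupConfigure"}},
        users={"OperA": {"OperateRole"}, "OperB_Sec": {"SecuredWriteRole"},
               "ConfigUser": {"ConfigureRole"}, "Administrator": set()})
```

Setup 2 of the Secured Write section corresponds to replacing GroupSecuredWrite's permission set with an empty set, after which OperB_Sec is denied even though the Role membership is unchanged.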

GRSecurityLayout Utility
This read-only utility provides a quick way to view and search, on a single page, the Galaxy security settings: Security Groups with their AA Objects and Operational permissions, Roles and
Users.


Download the GRSecurityLayout Utility

Note: This Utility is developed with Wonderware Galaxy Repository Access (GRAccess) Toolkit. Therefore, like the IDE, running this Utility will consume one Dev_Session_Count License
Feature count which is listed in ArchestrA.lic. The Utility's main functions are as follows:

Galaxy User Oriented Tree-View: Shows each Galaxy user's Runtime Security Relationships.

Figure 13: User-Based Security View


Wildcard search of AA Objects and the Security Groups they belong to: In a real-world Galaxy there are usually a large number of AA Objects. Quickly finding any AA Object's
associated Security Groups is very important during the security design and verification procedures.

Figure 14: Wildcard Search Returns Security Group List That Contains All AA Objects Containing the Value
Search the Users and Security Groups that have the given Operational permission.

In Figure 15 (below), we search all the Security Groups that contain the Configure Operational permission and the users in these Security Groups.


Figure 15: Search By Security Group
Search the Users and Security Groups that do not have the given Operational permission.

In Figure 16 (below), we search all the Security Groups that do not contain the Configure Operational permission and the users in these Security Groups.

The "-" (dash character) in the search criteria means Not Contain.

Figure 16: Filter using the Dash Character


Quickly retrieve the AA Objects (Templates and Instances) within any selected Security Group.


Figure 17: Highlight Any Security Group Level in the Tree View to see the contained AA Objects (Template or Instance)
Quickly retrieve an AA Object's attribute names and their corresponding Security Classification (Figure 18 below).

Figure 18: AA Object, UDO4Test_SecuredWrite's Attribute Names, and Corresponding Security Classification
