Managing user accounts, role names, and mapping

User account privileges can be modified and users can be added or removed at any time.

  • Use Windows Authentication to create user accounts.
  • Add at least one user to any project before you can run and view it. Each user must have a role and a user account.
  • Document user account actions according to your company’s policies and standards to keep a record of activities.

You can use single sign-on (SSO) to associate passwords for different products, such as Power Operation Studio and the Advanced Reporting and Dashboards Module. Single sign-on allows the project user, when logged in to the Power Operation Runtime, to access external applications, such as dashboards. See Configure Single Sign-On (SSO) for more information.

If your system includes Advanced Reporting and Dashboards Module, you can use single sign-on (SSO) to associate a Citect user with a Power Operation username/password or a Power Monitoring Expert username/password. See Using single sign-on and passwords for details.

For safety reasons, only advanced users should be given access to features such as controls and resets. User account privileges are defined in Security > Roles, located in the Power Operation Studio.

WARNING

POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY

Use cybersecurity best practices when configuring user access.

Failure to follow these instructions can result in death, serious injury, equipment damage, or permanent loss of data.

Change role names and mapping

To change role names and the numbers mapped to them:

  1. In Power Operation Studio: Click Projects > choose a project.
  2. Click Security > Roles.
  3. Change role information. For default privileges, see User account roles and privileges.
  4. Click Save.

WARNING

UNINTENDED EQUIPMENT OPERATION

Do not use the software or devices for critical control or protection applications where human or equipment safety relies on the operation of the control action.
Do not use the software to control time-critical functions.
Do not use the software to control remote equipment without proper access control and status feedback.

Failure to follow these instructions can result in death or serious injury.

Power Operation lets you set user permissions on runtime graphical objects, so extensively test the deployed project to ensure that permissions are applied as intended.

To add or change user accounts:

  1. In Power Operation Studio: Click Projects > choose a project.
  2. Click Security > Users.
  3. Add or change user information. For default privileges, see User account roles and privileges.
  4. Click Save.

Change Power Operation and Plant SCADA user roles, privileges, and mapping

Use the Schneider Electric Core Services configuration file configuration.xml to map Windows Groups and Citect privilege levels. The default installation path is: C:\Program Files (x86)\Schneider Electric\Power Operation\v2024\Applications\AppServices\bin\. The following authentication types are available:

Authentication type: PlatformLegacyAD (default option)
Authenticates through: the web
Details: For OsXXXX keys, the value is a semi-colon delimited list of Windows User Groups assigned for this access level. To configure Active Directory groups for WebHMI access, the Active Directory domain name must not be included in the list of Windows User Groups. When logging into the WebHMI, Active Directory users must provide the Active Directory domain name using either the backslash or the @ format. For example:

<username>@<domainname> or <domainname>\<username>

For Active Directory Domain Groups, such as <domainname>\ScadaAdmins, add only the group name, "ScadaAdmins", to configuration.xml. Groups must not include the domain name within configuration.xml, because when a domain is specified in the username field, the login code queries that domain for the user. Whether the user belongs to a local Windows group or a Domain group is inferred from the login username. If the domain is absent, SCADA users and local Windows group lists are queried. For more information on default mapping, see User account roles and privileges.

Authentication type: PlatformAD
Authenticates through: Citect security roles
Details: For example, to make Citect Priv3 equal Power Operation User, change the Value element for Priv3 to 2:

<ConfigurationItem Key="Priv3" Category="Security" Application="CitectPlatform"><Value>2</Value></ConfigurationItem>

For more information on default mapping, see User account roles and privileges.

Authentication type: CAE
Authenticates through: Cybersecurity Admin Expert (CAE)
Details: For more information on authenticating through CAE, see Enabling CAE cybersecurity.
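The two mapping rules above (bare group names in OsXXXX lists, and the domain being inferred from the login name's backslash or @ format) are easy to get wrong when configuration.xml is edited by hand. The following Python script is an added example, not Schneider Electric's code: it reads a constructed configuration.xml sample in the ConfigurationItem shape shown above, reports any group entry that still carries a domain qualifier, collects the PrivN mappings, and splits a runtime login name into domain and username the way the text describes. The `<Configuration>` root element and the `OsAdmin`/`OsUser` key names in the sample are assumptions; only the element and attribute names and the `Priv3` to `2` mapping come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration for this example. The ConfigurationItem /
# Key / Category / Application / Value shape and the Priv3 -> 2 mapping come
# from the page; the <Configuration> root and the "OsAdmin" / "OsUser" key
# names are assumptions, not the product's real defaults.
SAMPLE_CONFIG = """<Configuration>
  <ConfigurationItem Key="Priv3" Category="Security" Application="CitectPlatform"><Value>2</Value></ConfigurationItem>
  <ConfigurationItem Key="OsAdmin" Category="Security" Application="CitectPlatform"><Value>ScadaAdmins;Administrators</Value></ConfigurationItem>
  <ConfigurationItem Key="OsUser" Category="Security" Application="CitectPlatform"><Value>CORP\\ScadaUsers;ScadaOperators</Value></ConfigurationItem>
  <ConfigurationItem Key="LogLevel" Category="Logging" Application="CitectPlatform"><Value>Info</Value></ConfigurationItem>
</Configuration>"""


def load_security_items(xml_text):
    """Return {Key: Value} for every ConfigurationItem with Category="Security"."""
    root = ET.fromstring(xml_text)
    items = {}
    for item in root.iter("ConfigurationItem"):
        if item.get("Category") != "Security":
            continue
        items[item.get("Key")] = item.findtext("Value", default="").strip()
    return items


def os_group_lists(items):
    """Split each OsXXXX key's semi-colon delimited value into group names."""
    groups = {}
    for key, value in items.items():
        if key.startswith("Os"):
            groups[key] = [g.strip() for g in value.split(";") if g.strip()]
    return groups


def find_domain_qualified_groups(items):
    """Flag group entries written as DOMAIN\\Group or Group@domain.

    The page requires bare group names such as "ScadaAdmins"; a domain
    qualifier here would not match the group inferred from the login name.
    """
    findings = []
    for key, groups in os_group_lists(items).items():
        for group in groups:
            if "\\" in group or "@" in group:
                findings.append((key, group))
    return findings


def priv_mapping(items):
    """Return {PrivN: role number} for the Citect privilege-level keys."""
    return {key: int(value) for key, value in items.items()
            if key.startswith("Priv") and value.isdigit()}


def parse_login(login):
    """Split a runtime login name into (domain, username).

    Accepts the two formats the page documents, <domainname>\\<username> and
    <username>@<domainname>; a bare name returns domain None.
    """
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.rpartition("@")
    else:
        domain, user = None, login
    if not user or domain == "":
        raise ValueError(f"malformed login name: {login!r}")
    return domain, user


def lookup_scope(login):
    """Which directory is consulted: the named domain when one is given,
    otherwise SCADA users and local Windows groups, as the page describes."""
    domain, _ = parse_login(login)
    return "domain" if domain else "local"


if __name__ == "__main__":
    items = load_security_items(SAMPLE_CONFIG)
    print("Priv mapping:", priv_mapping(items))
    for key, group in find_domain_qualified_groups(items):
        print(f"{key}: remove the domain prefix from {group!r}")
    for name in ("alice@corp.example", "CORP\\alice", "alice"):
        print(name, "->", parse_login(name), lookup_scope(name))
```

Run the script against a copy of the real configuration.xml by replacing `SAMPLE_CONFIG` with the file contents; the only finding on the constructed sample is the `CORP\ScadaUsers` entry under `OsUser`, which the text says should be stored as `ScadaUsers`.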

Use Windows Integrated Users

You can incorporate Power Operation users and security options with the standard Windows security system. Using the integrated Windows security feature, the Windows user can log on to Power Operation runtime with runtime privileges and areas configured within the project. For a Windows user to be able to log on to runtime, it must be linked to a Power Operation "role," which is defined in the project with associated privileges.

To link a Windows user to a Power Operation role:

  • Add the "role" that specifies the Windows security group of which the Windows user is a member.

The existing AutoLogin capability is extended to the client when the logged-on Windows user has an associated Power Operation role.

To invoke this functionality for a Windows user:

  • Set the [Client]AutoLoginMode parameter in the Citect.ini file.

Instead of using auto-login when the system starts up, users can also log in to Power Operation using any Windows user credential that is a member of the linked group.

When a Power Operation user has the same name as a Windows user, the Power Operation user takes priority at runtime. However, if the Power Operation user login fails, the Windows user credentials are not checked as a fallback, and an alert is generated to advise that the login was unsuccessful.