User account roles and privileges

User accounts are assigned to roles that have variable permissions to read access or configuration privileges by default.
Roles and privileges are created at the time of installation and stored in the project.
User accounts, role names and mapping can be changed at any time after the project is set up.

When a project is restored from backup in Power Operation, so are all saved user accounts, roles, and mapping.

Power Operation web application user account privileges are not the same as the roles and privileges in Plant SCADA, Windows, and Windows Active Directory.
Active Directory Users are authenticated against Active Directory Windows Groups. Active Directory Windows Users added to local Windows Groups are not supported.
For local Windows users, the local Windows groups are mapped to Power Operation user account privileges for Web Applications. See Default user account roles and privileges for Power Operation web applications and Default Windows Groups privilege level mapping to Power Operation web applications.
For Citect users, privilege levels are mapped to Power Operation web applications access levels. See Default User account mapping between Citect and Power Operation web applications.

To optimize cybersecurity in a protected environment:

Keep user accounts, roles and privileges up-to-date. See Managing user accounts, roles, and mapping for information about adding users and enforcing access.
View security settings after making changes to ensure least privilege is applied. See Viewing security settings for details for viewing current settings.

Default user account roles and privileges for Power Operation web applications

Power Operation Web Applications	Roles and Privileges
	None = 0	Observer = 1	User = 2	Controller = 3	Operator = 4	Administrator = 5
AlarmViewer.AcknowledgeAlarm
AlarmViewer.DeleteAny
AlarmViewer.EditAny
AlarmViewer.Owner
AlarmViewer.SetSystemDefaultItem
AlarmViewer.ViewIncidents
ApplicationAccess.AlarmViewer
ApplicationAccess.HmiApplication
ApplicationAccess.Event
ApplicationAccess.RealtimeData
	None = 0	Observer = 1	User = 2	Controller = 3	Operator = 4	Administrator = 5
ApplicationAccess.RealtimeTrend
ApplicationAccess.Tgml
ApplicationAccess.WebConfig
ConfigurationAccess.Alarms
ConfigurationAccess.CustomScripting
ConfigurationAccess.MyPreferences
ConfigurationAccess.Localization
ConfigurationAccess.Theme
ConfigurationAccess.Security
ConfigurationAccess.Tgml
	None = 0	Observer = 1	User = 2	Controller = 3	Operator = 4	Administrator = 5
Diagrams.Owner
Diagrams.EditAny
Diagrams.DeleteAny
Diagrams.SetSystemDefaultItem
Diagrams.ControlActions
RealtimeTrend.DeleteAny
RealtimeTrend.EditAny
RealtimeTrend.Owner
No Access

Default Windows Groups privilege level mapping to Power Operation web applications

Adding local Windows Users to these groups will grant them the following mapped web applications privileges. For example, all local Windows Users added to the PSO_Controllers group will be granted the Web Application Controller = 3 access level. The values are a semicolon delimited list.

Power Operation web application roles	Windows Group Privilege Levels
None = 0	N/A
Observer = 1	`<ConfigurationItem Key="OsObservers" Category="Security" Application="CitectPlatform"> <Value>PSO_Observers</Value> </ConfigurationItem>`
User = 2	`<ConfigurationItem Key="OsUsers" Category="Security" Application="CitectPlatform"> <Value>PSO_Users</Value> </ConfigurationItem>`
Controller = 3	`<ConfigurationItem Key="OsControllers" Category="Security" Application="CitectPlatform"> <Value>PSO_Controllers</Value> </ConfigurationItem>`
Operator = 4	`<ConfigurationItem Key="OsOperators" Category="Security" Application="CitectPlatform"> <Value>PSO_Operators</Value> </ConfigurationItem>`
Administrator = 5	`<ConfigurationItem Key="OsAdministrators" Category="Security" Application="CitectPlatform"> <Value>PSO_Administrators</Value> </ConfigurationItem>`

Default User account mapping between Citect and Power Operation web applications

Citect user account privileges map to Power Operation web applications roles and privileges. For example, a Citect privilege level 3 (Priv3) maps to access level 3, which is a Controller.

Power Operation web application roles	Plant SCADA privilege level	Configuration file default
None = 0	Priv0	`<ConfigurationItem Key="Priv0" Category="Security" Application="CitectPlatform"> <Value>0</Value> </ConfigurationItem>`
Observer = 1	Priv1	`<ConfigurationItem Key="Priv1" Category="Security" Application="CitectPlatform"> <Value>1</Value> </ConfigurationItem>`
User = 2	Priv2	`<ConfigurationItem Key="Priv2" Category="Security" Application="CitectPlatform"> <Value>2</Value> </ConfigurationItem>`
Controller = 3	Priv3 Priv4	`<ConfigurationItem Key="Priv3" Category="Security" Application="CitectPlatform"> <Value>3</Value> </ConfigurationItem>` `<ConfigurationItem Key="Priv4" Category="Security" Application="CitectPlatform"> <Value>3</Value> </ConfigurationItem>`
Operator = 4	Priv5 Priv6	`</ConfigurationItem> <ConfigurationItem Key="Priv5" Category="Security" Application="CitectPlatform"> <Value>4</Value>` `</ConfigurationItem> <ConfigurationItem Key="Priv6" Category="Security" Application="CitectPlatform"> <Value>4</Value> </ConfigurationItem>`
Administrator = 5	Priv7 Priv8	`<ConfigurationItem Key="Priv7" Category="Security" Application="CitectPlatform"> <Value>5</Value> </ConfigurationItem>` `<ConfigurationItem Key="Priv8" Category="Security" Application="CitectPlatform"> <Value>5</Value> </ConfigurationItem>`

Active Directory Privilege Levels

If your authentication type is PlatformLegacyAD, refer to the following:

Active Directory (AD) Windows Users added to local Windows Groups are not supported. AD Users will be authenticated against AD Windows Groups.

For example, if an AD User is in the AD Windows Group “Web_Controllers”, add that group to the OsControllers section:

<Value>PSO_Controllers;Web_Controllers</Value>

</ConfigurationItem>

If your authentication type is PlatformAD, see Default User account mapping between Citect and Power Operation web applications.