Realm Area Filtering
What is Realm Area Filtering?
Realm area filtering affects the tag browser to enables you to hide tags that have been configured with one or more specific areas from unauthorized users while allowing authorized users to view these tags.
Note that Realm Area Filtering affects only the tag browser. All users will be able to view, edit and operate all tags currently running in the application.
Realm area filtering works with the security group system (see Security Groups for detailed information).
Why Should I Use Alarm Area Filtering?
Realm area filtering can be used for VICs (i.e. VTS Internet Clients that do not have VTS installed and who access their application over the World Wide Web using the Microsoft Internet Explorer web browser); for remote applications (i.e. multi-client applications that have VTS installed and who access their application over a local area network); and for applications using the VTS Alarm Dialer system that allows users to respond to alarms remotely by voice, pager, and/or e-mail. In all these cases, realm area filtering enables you to specify:
• What tag areas should be shown in the tag browser (if any) when no user is logged on to the application.
• What tag areas should be shown in the tag browser when a group user is logged on to the application.
• What tag areas should be shown in the tag browser when a super user is logged on to the application.
Note: A super user is one who does not belong to any group (and is therefore not as restricted as a group user), while a group user is one who has been assigned to a group (and is therefore more restricted than a super user).
While realm area filtering can prevent users from accessing tags belonging to certain areas using the application configuration tools, any tags that have been assigned to restricted areas and have been drawn on a page will still be viewable by restricted users. It is therefore recommended that you use custom security privileges to restrict access to the pages that you do not wish these users to view.
How Does Realm Area Filtering Differ From Tag Area Filtering and Alarm Area Filtering?
Realm area filtering affects the tag browser to hide tags configured with specific areas from given users according to the group to which their security account belongs, and is not limited to any one workstation (i.e. the user may logon to any workstation and they will still only have access to the tags permissible under their group).
Because realm area filtering is associated with the group to which a user belongs, no matter which client machine the user logs onto, they will still only see the tag areas that are relevant to them. Tag area filtering prevents tags that have been configured with specific areas from loading on a given workstation. Alarm area filtering hides alarms associated with specific areas on the Alarm page on a given workstation.
Where is Realm Area Filtering Configured?
Unlike tag area filtering and alarm area filtering (which are workstation-specific), realm area filtering is configured in your application's Config.ini configuration file. Because the settings are configured in the application-wide Config.ini file, they apply to all workstations running the application and to VTS Internet Connections. The security group to which a user logs on (or the realm to which they connect over a VTS Internet Connection) will determine which tag areas they are permitted to access.
How do I Configure Realm Area Filtering?
The following elements are involved in realm area filtering:
• One or more realms,
Note: One or more realms are required if VTS/IS is installed and realm area filtering is to be applied for VICs (i.e. clients that do not have VTS installed and who access their application over the World Wide Web using the Microsoft Internet Explorer web browser.) If realm area filtering is to be applied to clients who do have VTS installed and who access their application over a local area network (LAN), realm configuration is not required.
• NameSpaceDelimiter variable in SecurityManager.ini,
• GroupLogin variable in SecurityManager.ini,
• One or more super user security accounts,
• One or more realm user security accounts,
• [RealmAreas] section in Config.ini,
• [*-RealmAreas] section in Config.ini,
• [<Area>-RealmAreas] section in Config.ini, and
• Area Variables in the above section.
Realm Configuration
A realm is a set of one or more VTS applications that run on a VTS Internet Server (VTS/IS). VIC users may access one or more applications contained within a realm over the World Wide Web using Microsoft Internet Explorer, provided that they are able to provide credentials (i.e. a valid username and password) when requested by the VTS/IS.
Note: As indicated above, realm area filtering can be applied to applications whose clients are connecting using a VTS Internet Client (VIC) or to applications that do not use this technology. The configuration of a realm is only necessary for those users who will be using a VIC to view their applications. The examples that follow this section provide instructions on configuring realm area filtering for VIC users and for non-VIC users, including the creation of a realm.
NameSpaceDelimiter Variable
The NameSpaceDelimiter variable is a SecurityManager.ini variable that indicates the delimiter (i.e. a character that marks the beginning or end of a unit of data) that should be present to separate groups from usernames. This NameSpaceDelimiter variable is used when a manager is creating new group user accounts.
To specify a namespace delimiter:
1. Open your application's SecurityManager.ini file.
2. Locate the NameSpaceDelimiter variable under the [SECURITYMANAGER-Admin] section.
3. Enter the character(s) you wish to use as your namespace delimiter following the equals sign, as shown below. (A good choice of character for a namespace delimiter is a colon (:).)
NameSpaceDelimiter = :
4. Save and close the SecurityManager.ini file.
The result is that a super user may now configure new user account for group users by entering the group name, followed by the NameSpaceDelimiter character(s) followed by the username of the new user in the New Username field of the Add Account dialog.
GroupLogin Variable
The GroupLogin variable in your application's SecurityManager.ini file can be set to 1 to enable group logins. When the GroupLogin variable has been set to 1, the Please Logon dialog (that opens when the Logon button in the Display Manager's title bar has been clicked) will feature a Group field into which users must enter the appropriate group.
To set the GroupLogin variable, follow the steps below:
1. Open your application's SecurityManager.ini file.
2. Locate the GroupLogin variable under the [SECURITYMANAGER-Admin] section.
3. Enter a 1 following the equals sign, as shown below.
GroupLogin = 1
4. Save and close the SecurityManager.ini file.
Super User Security Account
A super user is one who does not belong to any group, and who has the ability to administer their own user base by adding new user accounts to a given group.
To create a super user account, simply add a new user account to the application.
Note: A non-super user account will specify the group name, followed by the namespace delimiter, followed by the username in the New Username field of the Add Account dialog, whereas a super user account does not specify the group name and namespace delimiter in the New Username field.
Group User Security Account
A group user is one who is associated with a specific group, and may only access the data permitted to that group.
To create a group user account, add a new user account to the application, making sure to specify the group name, followed by the namespace delimiter (see NameSpaceDelimiter Variable above), followed by the username in the New Username field of the Add Account dialog (e.g. GroupA::JSmith).
Note: When a group user logs on, they will have to enter the group (e.g. GroupA) in the Group field, their username (e.g. JSmith) in the Username field, and their password in the Password field of the Please Logon dialog.
[REALMAREAS] Section
The Config.ini [REALMAREAS] section enables you to indicate the tag areas that should be visible when no user is logged onto a VIC session.
To specify the tag areas that should be visible when no user is logged onto a VIC session:
1. Open your application's Config.ini file on the VTS/IS.
2. Enter the [REALMAREAS] section heading at the end of the file.
3. Enter "Area = " followed by the area you wish to be visible to users who are not logged on to your application.
(You may wish to protect your system by not allowing users who are not logged on to view any tag areas.) You may enter as many areas as you require, with each area on a separate line. An example is displayed below.
[REALMAREAS]
Area = Overview1
Area = Overview2
11. Save the Config.ini file.
[*-REALMAREAS] Section
The Config.ini [*-REALMAREAS] section enables you to indicate the tag areas that should be visible when a super user is logged on. (A super user is one who does not belong to any group.)
To specify the tag areas that should be visible when a super user is logged on:
1. Enter the [*-REALMAREAS] section heading beneath the [REALMAREAS] section heading and corresponding variables at the end of your application's Config.ini file.
2. Enter "Area = " followed by the area you wish to be visible to super users who do not belong to any group.
You may enter as many areas as you require, with each area appearing on a separate line. You may also use the asterisk (*) wildcard character. (For example, to view all areas, you could enter *. To view all areas ending with "1", you could enter *1. To view all areas beginning with "a", you could enter a*.) An example is displayed below.
[*-REALMAREAS]
Area = *
3. Save the Config.ini file.
[<Area>-REALMAREAS] Section
The Config.ini [<Area>-REALMAREAS] section enables you to indicate the tag areas that should be visible when a group user is logged on. (A group user is one who belongs to a group.)
To specify the tag areas that should be visible when a group user is logged on:
1. Enter the [<Area>-REALMAREAS] section heading beneath the [*-REALMAREAS] section heading and corresponding variables at the end of your application's Config.ini file, where <Area> is the group or realm.
2. Enter "Area = " followed by the area you wish to be visible to users who belong to this group or realm.
You may enter as many areas as you require, with each area appearing on a separate line. You may also use the asterisk (*) wildcard character. (For example, to view all areas ending with "1", you could enter *1. To view all areas beginning with "a", you could enter a*.) An example is displayed below.
[GroupA-REALMAREAS]
Area = North
Area = South
[GroupB-REALMAREAS]
Area = East
Area = West
3. Save and close the Config.ini file.
Note: Once you have completed the configuration of your application's Config.ini file, save the file and restart your application. (Your application's Config.ini file is only read when the application initially runs.)
Page Access
Realm area filtering applies to the Tag Browser to hide tags belonging to specified areas from users; however, any pages upon which those tags have been drawn are not automatically protected from access. The result is that users will be able to view the value of those tags, regardless as to the security group to which they belong. It is therefore recommended that you create custom application privileges and use them to protect those pages upon which restricted tags have been drawn. You may then grant the new custom application privileges to the accounts of those users who require access to those pages.
Some examples of different realm area filtering scenarios are provided in the sections that follow. Further information on realm area filtering is discussed in Config.ini [REALMAREAS] Sections: Realm Area Filtering.
Realm Area Filtering Example
1