Realm Area Filtering

Realm area filtering is based on a combination of user groups (as defined using the security manager) and a realm of tag area names. It will affect your application in the following ways:

  • Members of a user group can see and acknowledge only the alarms from areas matching their designated realm list.
  • When working with reports, members of a user group can select only the tags from areas matching their designated realm list.
  • When working with the Historical Data Viewer, members of a user group can select only the tags from areas matching their designated realm list.
  • For VIC connections, a realm with the same name as each security group must be provided. Users will be able to log in to only the realm that matches their security group. Users who are not part of a security group may log on only to the realm designated by the RootNamespace property.
  • The tag browser will also be affected, such that users in a given security group will see only the tags that match their designated tag areas. Note that this applies only to the tag browser - not to tags drawn on application pages. All tags will be visible on all pages to all users. Any tag's trend window may be viewed.
  • Security managers who are members of a realm are able to see only those accounts and roles that are also members of the same realm.
  • ODBC queries cannot see tags outside the matching realm list.

Realm Area Filtering will affect how you configure the roster so that users can acknowledge alarms via email or SMS-text message. Each contact user name in the roster (other than the admin account) must include the full group qualifier.

Why Should I Use Realm Area Filtering?

Realm area filtering is most often used for larger applications where there are groups of users for various areas of the application. Use Realm area filtering to specify:

  • What alarms should be visible to a user, based on their security-group.
  • What tag areas should be shown in the tag browser (if any) when no user is logged on to the application.
  • What tag areas should be shown in the tag browser, reports screen and historical data viewer when a user is logged on to the application.
  • What tag areas should be shown in the tag browser when a super user is logged on to the application.

 A super user (aka, administrative user) is one who does not belong to any security-group.

While realm area filtering can prevent users from acknowledging alarms in areas they are not authorized for and can also prevent them from drawing tags having those areas, it does not affect any page displays other than the alarm list, and does not restrict access to controls.

If you wish to restrict user access to pages or to control tags, use application-specific security privileges.

How Does Realm Area Filtering Differ From Tag Area Filtering and Alarm Area Filtering?

Realm area filtering affects alarms configured with specific areas, hiding them from given users according to their security-group, and is not limited to any one workstation (i.e. the user may log on to any workstation and will still have access only to the alarms permitted by the filter).

Tag area filtering prevents tags that have been configured with specific areas from loading on a given workstation. Alarm area filtering hides alarms associated with specific areas on the Alarm page on a given workstation.

Where is Realm Area Filtering Configured?

Realm-area filtering is primarily configured in your application's Settings.Dynamic file. You will also need to configure user accounts such that they belong to a specific security group.

If using Windows Security Integration and Realm Area Filtering, you must add the realm name and prefix to the account using the VTScada accounts dialog. (e.g. realm:username@company.com)
If a user needs multiple realm logons, they will require multiple Windows accounts.

How do I Configure Realm Area Filtering?

The following elements are involved in realm area filtering:

  • One or more realms.

 One or more realms are required if VTS/IS is installed and realm area filtering will be applied for VTScada Internet Clients.

  • NameSpaceDelimiter property in Settings.Dynamic.
  • GroupLogin property in Settings.Dynamic.
  • One or more super-user security accounts. (Accounts with no group designation.)
  • One or more user security accounts. (Accounts with a group designation.)
  • [RealmAreas] section in Settings.Dynamic.
  • [*-RealmAreas] configuration section.
  • [<Area>-RealmAreas] section in Settings.Dynamic.
  • Area properties in the above section.
  • RootNameSpace property defined for users who are not part of any security group, but who will log on to a VTScada Internet Server.

Realm Configuration

A realm is a set of one or more VTScada applications that run on a VTScada Internet Server (VTS/IS). VIC users may access one or more applications contained within a realm over the World Wide Web, provided that they are able to provide credentials (i.e. a valid username and password) when requested by the VTS/IS.

Realm Areas and the VTScada Internet Server

Realm Areas also affect VTScada Internet Client access to an application. On the VTScada server, add one realm for each user group. Each realm must be given the same name as the group, and must include a reference to this application.

An operator can then connect to the application using a URL that includes the name of the Realm he is connecting to. For example, members of the Western group would use the address: http://www.yourdomain/Western.

Restricting group access to areas does not mean that the operators cannot see the tags belonging to areas outside of their group's defined realm area. It does mean that they cannot see or acknowledge alarms resulting from those tags. It also restricts their ability to use the tags in reports and the trends screen.

NameSpaceDelimiter Property

The NameSpaceDelimiter property is an application property that sets the character used to separate group names from user names. The NameSpaceDelimiter property is used when a manager is creating new user accounts if the GroupLogin property is also set to TRUE (1).

To specify a namespace delimiter:

  1. Open your application's Settings.Dynamic file.
  2. Locate the NameSpaceDelimiter property under the <SECURITYMANAGER-Admin> section.
  3. Enter the character(s) you wish to use as your namespace delimiter following the equals sign, as shown:

NameSpaceDelimiter = :

The usual choice of character for a namespace delimiter is a colon :

  4. Save and close the Settings.Dynamic file.
  5. Start VTScada if it is not already running.
  6. In the VAM, select the application and click on Properties.

You may need to log on if security has been enabled.

  7. Click Import File Edits.
  8. Click on the button, Import.

GroupLogin Property

The GroupLogin property in your application's Settings.Dynamic file can be set to 1 to enable group logons. When the GroupLogin property has been set to 1, the Please Logon dialog (that opens when the Logon button in the Display Manager's title bar has been clicked) will include a Group field into which users must enter their group name.

To set the GroupLogin property:

  1. Open your application's Settings.Dynamic file.
  2. Locate the GroupLogin property under the <SECURITYMANAGER-Admin> section.
  3. Enter a 1 following the equals sign, as shown:

GroupLogin = 1

  4. Save and close the Settings.Dynamic file.
  5. Start VTScada if it is not already running.
  6. In the VAM, select the application and click on Properties.

You may need to log on if security has been enabled.

  7. Click Import File Edits.
  8. Click on the button, Import.

Super User Security Account

A super user is one who does not belong to any group, and who has the ability to administer their own user base by adding new user accounts to a given group.

To create a super user account, simply add a new user account to the application.

Group User Security Account

A group user is one who is associated with a specific security-group.

To create a group user account, add a new user account to the application, making sure to specify the group name, followed by the namespace delimiter (see NameSpaceDelimiter Property above), followed by the username in the New Username field of the Add Account dialog (e.g. GroupA:JSmith).

 When a group user logs on, they will have to enter the group (e.g. GroupA) in the Group field, their account name (e.g. JSmith) in the Username field, and their password in the Password field of the Please Logon dialog.
If logging into a VTScada Internet Client, they must log into a realm name that matches their security-group. You must ensure that the realm has been configured in the VTScada Internet Server.
Super users, who are not members of any group, will not be able to log on over the internet unless the application property RootNamespace has been added, and its value set to the name of a realm created for the use of these accounts.

[REALMAREAS] Section

The [REALMAREAS] section of Settings.Dynamic is used to define the alarm areas that should be visible when no user is logged on. This applies to AlarmList banners that may have been drawn on the default page - the Alarms page will not be accessible when no user is logged on.

To create a RealmAreas section:

  1. Open your application's Settings.Dynamic file.
  2. Add the [REALMAREAS] section heading at the end of the file.
  3. Enter "Area = " followed by the area you want to make visible to users who are not logged on to your application.

(You may wish to protect your system by not allowing users who are not logged on to view any alarm areas.)

You may enter as many areas as you require, with each area on a separate line. For example:

[REALMAREAS]
Area = Overview1
Area = Overview2

  4. Save the Settings.Dynamic file and load it into your application.

[*-REALMAREAS] Section

The Settings.Dynamic [*-REALMAREAS] section is used to select the tag areas that should be visible when a super user is logged on. (A super user is one who does not belong to any group.)

To specify the tag areas that should be visible when a super user is logged on:

  1. Enter the [*-REALMAREAS] section heading beneath the [REALMAREAS] section heading and corresponding properties at the end of your application's Settings.Dynamic file.
  2. Enter "Area = " followed by the area you want to make visible to super users who do not belong to any group.

You may enter as many areas as you require, with each area appearing on a separate line. You may also use the asterisk (*) wildcard character. (For example, to view all areas, you could enter *. To view all areas ending with "1" you could enter *1. To view all areas beginning with "a" you could enter a*.) For example:

[*-REALMAREAS]
Area = *

  3. Save the Settings.Dynamic file and load it into your application.

[GroupName-REALMAREAS] Section

The Settings.Dynamic [GroupName-REALMAREAS] section is used to define the alarm areas that should be visible when a user in a given security-group is logged on.

To specify the visible alarm areas:

  1. Open the application's Settings.Dynamic file.
  2. Add the [GroupName-REALMAREAS] section heading at the end of the file.
  3. "GroupName" should be replaced by the name of the security group for which you are granting access to alarm areas.
  4. On successive lines below the heading, enter "Area = " followed by the area you want to make visible to users who belong to this security group.

You may enter as many areas as you require, with each area appearing on a separate line. You may also use the asterisk (*) wildcard character. (For example, to view all areas ending with "1" you could enter *1. To view all areas beginning with "a" you could enter a*.) For example:

[GroupA-REALMAREAS]
Area = North
Area = South
[GroupB-REALMAREAS]
Area = East
Area = West

  5. Save the Settings.Dynamic file and import it to your application.
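
Added example, not part of the VTScada documentation: a Python sketch for reviewing the three kinds of realm-area sections described above. It reads them from Settings.Dynamic text, resolves which areas a given group would see, and flags areas exposed with nobody logged on as well as wildcards in group sections. The sample file, the function names, case-insensitive matching and the rule that a group with no section sees nothing are assumptions of this sketch; the sections are parsed by hand because "Area" repeats within a section.

```python
import re

# Constructed sample of the realm-area sections of a Settings.Dynamic file.
SAMPLE = """\
<SECURITYMANAGER-Admin>
GroupLogin = 1
[REALMAREAS]
Area = Overview1
[*-REALMAREAS]
Area = *
[GroupA-REALMAREAS]
Area = North
Area = South
[GroupB-REALMAREAS]
Area = East
Area = *1
"""

HEADER = re.compile(r"^\[(?:(?P<group>.+)-)?REALMAREAS\]$", re.IGNORECASE)
AREA = re.compile(r"^Area\s*=\s*(?P<pattern>\S.*)$", re.IGNORECASE)

def parse_realm_areas(text):
    """Map realm key -> Area patterns ("" = nobody logged on, "*" = super user)."""
    realms, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("[", "<")):  # any section heading ends the previous one
            m = HEADER.match(line)
            current = realms.setdefault(m.group("group") or "", []) if m else None
        elif current is not None and (m := AREA.match(line)):
            current.append(m.group("pattern"))
    return realms

def area_matches(pattern, area):
    """Treat only "*" as a wildcard; case-insensitive matching is an assumption."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, area, re.IGNORECASE) is not None

def visible_areas(realms, group, areas):
    """Areas a group may see; a group with no section sees none (assumption)."""
    return [a for a in areas if any(area_matches(p, a) for p in realms.get(group, []))]

def audit(realms):
    """Flag areas exposed with nobody logged on and wildcards in group sections."""
    findings = [("no-user", p, "visible without logon") for p in realms.get("", [])]
    findings += [(g, p, "wildcard in group realm") for g, pats in realms.items()
                 if g not in ("", "*") for p in pats if "*" in p]
    return findings

print(audit(parse_realm_areas(SAMPLE)))
```

In the constructed sample, the *1 pattern in GroupB also matches Overview1, which is the kind of unintended overlap the wildcard finding is meant to surface.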

Trihedral and VTScada are registered trade marks of Trihedral Engineering Ltd.
© Trihedral Engineering Ltd. 1983- 2019 All rights reserved.