Read-Only Workstation

The default system privilege mask for a read-only workstation does not grant the configuration privilege or the edit files privilege. If you configure the workstation you are using to be read-only, you will have no means to do further configuration at that workstation, or even to reverse that change. Your only recourse will be to move to another workstation on your system and use the Version Control system to reverse the change.
*******************************************************
*** DEFINING A WORKSTATION TO BE READ-ONLY ***
*** IS BEST DONE FROM ANOTHER WORKSTATION. ***
*******************************************************
(A remote connection using a VIC or Anywhere client does not count as working at another workstation. Do not proceed unless your application has a Client / Server Configuration.)

 

You can configure a workstation to have read-only access to an application, regardless of the privileges assigned to the logged-in user at that workstation.

This is especially useful for workstations located in unsecured areas or for a server providing VTScada Thin Client access. If the workstation configured as read-only is also a VTScada Thin Client Server, then all VTScada Thin Client connections to that server will have read-only access.

Configuration of what can be done from a read-only workstation is done using three workstation-specific properties:

ReadOnlyStation

When set, the station can display I/O data but not write to hardware. No operator will be able to write to hardware from this station, regardless of their privileges, and without exception. This setting places no other restriction on the signed-on operator and they will be able to do all other tasks within the application according to their privilege set.

StationMaskSys

Relevant only on workstations where ReadOnlyStation is set. Does not apply otherwise. This is a bitwise value that controls which system privileges are enabled at a read-only workstation. By default, only the following privileges are granted (assuming that the signed-in operator has also been granted these privileges):

  • Account Modify
  • Application Stop
  • Thin Client Access
  • Alarm Page Access
  • History Page Access
  • Page Note Hide
  • Sites Page Access
  • Maps Page Access
  • Global Tag & Area Filter
  • Recipe Page Access
  • Remote Tag Value/History Retrieve
  • Services Page Access
  • Parameter View
  • Remote Data Access

StationMaskApp

Relevant only on workstations where ReadOnlyStation is set. Does not apply otherwise. This is a bitwise value that disables specified custom privileges for all operators who sign in on that station, regardless of the privilege set granted to their account. None are disabled by default.

The read-only workstation setting takes precedence over all security privileges related to writing I/O. If set for a particular workstation, then all I/O write access is denied. Attempts to operate any control will result in the Access Denied dialog box being displayed.
There are no exceptions to this rule. There are no methods to enable partial write access at this workstation, or to grant write access to some users but not others at this workstation.

Note that you can also create Rules for Privilege Scope so that an operator's privileges are in effect only at named workstations. This provides more flexibility in controlling who can do what from where, but at the cost of not providing simple, blanket-coverage that applies to all operators.

To configure a workstation as read-only, add the following line to the [System] section of that computer’s Workstation.Dynamic file, and import the file into the application's working set.

[System]
ReadOnlyStation = 1

A Workstation.Dynamic file is not named "Workstation.Dynamic". Substitute the name of the computer to which the configuration variables should apply for the word "Workstation". You can have a different Workstation.Dynamic file for each workstation in your network.

To add or change application properties, you must have the Configuration privilege or the Edit Files privilege. Note that this means that anyone with those privileges can make changes to these settings.

Steps to define a read-only workstation:

  1. Open the Application Configuration dialog.
  2. Click on the Insert button.
     The Add Property dialog will open.
  3. Set the property name to ReadOnlyStation.
  4. The section should remain as System.
  5. Set the value to 1.
  6. Select the workstation where this will apply.
     In most cases, it is unlikely that you want your current workstation to become read-only.
  7. Enter a comment, describing the new property.
     Comments will be stored on the line below the property in the Workstation.Dynamic file.
  8. Select OK.
     The dialog closes. Note that the new property is not saved until you apply your changes.
  9. Select Apply.
     The Comment dialog will appear.
  10. Type a comment into the Comments dialog and click OK.
     This comment is for the VTScada version control system and should explain why the new property is being added, unlike the earlier comment that explains what the property does.

Station Masks

A mask is a series of bits (0's and 1's) that are compared to a template using a bitwise AND. Every bit has a unique meaning. If the same bit is set in both the template and the mask, the meaning assigned to that bit is enabled. Typically, all bits are set to 1 in the template.

Numbering is zero-based and bits are counted from right to left. For example, a mask that is one-byte wide (eight bits) might be written as the following:

StationMaskSys = 00000010;

In this example, only the second bit (bit number 1 - Account View privilege) is set. (The bit furthest to the right is bit number 0.) For the purpose of a station mask, custom privileges are numbered in the same way, even though the number shown in the Privileges dialog will be 16 greater than the matching bit number.

The first four bits of the station privilege template are defined as:

Bit #   Meaning
0       Configure privilege
1       Account view privilege
2       Account modify privilege
3       Accounts manager privilege

For further information, refer to the two station mask properties: StationMaskApp and StationMaskSys
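
The mask comparison described under Station Masks can be checked offline with a short audit script. This is an added example, not VTScada code: it assumes the mask is written as binary digits as in the illustration above, a one-byte template with all bits set, and constructed file contents; the function names are hypothetical.

```python
import configparser

# The four system-privilege bits the page defines; other bits are shown by number.
SYS_BITS = {0: "Configure", 1: "Account view", 2: "Account modify", 3: "Accounts manager"}

def parse_mask(text):
    """Assumption: the mask is written as binary digits, as in the page's illustration."""
    return int(text.strip().rstrip(";"), 2)

def enabled_bits(mask, template):
    """Bit numbers set in both template and mask; bit 0 is the rightmost bit."""
    both = mask & template
    return {n for n in range(both.bit_length()) if (both >> n) & 1}

def dialog_number_to_bit(number):
    """Custom privileges: the Privileges dialog shows the bit number plus 16."""
    return number - 16

def describe(bits):
    return [SYS_BITS.get(n, f"bit {n}") for n in sorted(bits)]

def audit_station(dynamic_text, operator_bits, template=0xFF):
    """Report what an operator holding `operator_bits` keeps at this station."""
    cfg = configparser.ConfigParser()
    cfg.read_string(dynamic_text)
    system = cfg["System"] if cfg.has_section("System") else {}
    if system.get("ReadOnlyStation", "0").strip().rstrip(";") != "1":
        # The station masks are ignored unless ReadOnlyStation is set.
        return {"read_only": False, "io_write_blocked": False,
                "effective": set(operator_bits), "findings": []}
    raw = system.get("StationMaskSys")
    if raw is None:
        # Default mask applies; its bit values are not listed on the page.
        return {"read_only": True, "io_write_blocked": True,
                "effective": None, "findings": ["default StationMaskSys in effect"]}
    allowed = enabled_bits(parse_mask(raw), template)
    findings = []
    if 0 in allowed:
        # The default mask withholds Configure; enabling it lets the station undo itself.
        findings.append("mask enables Configure on a read-only station")
    return {"read_only": True, "io_write_blocked": True,
            "effective": allowed & set(operator_bits), "findings": findings}

# Constructed sample file contents (not from a real application).
SAMPLE = "[System]\nReadOnlyStation = 1\nStationMaskSys = 00000111;\n"
```

With the constructed sample, an operator holding bits 0, 1 and 3 keeps only Configure and Account view at the station, and the audit flags the Configure bit.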