Configure User Accounts Appropriately
ClearSCADA's security feature helps to protect your system from being accessed by unauthorized users, but its effectiveness depends on the appropriate configuration of user accounts.
To access your system via a user account, a user needs to know the user name and password allocated to that user account. But the protection offered by user accounts does not end there: a user account can be denied access to items and features by its own configuration and by the security settings of each database item (in addition to the system-wide security settings made at the server).
For more effective security, you should configure the settings for each user account. Ideally, you should configure a user account so that it only allows the user of that account to access the features and items they need to perform their expected duties. For security purposes, the settings you should pay particular attention to are:
- Access Type—Allows you to define whether the user can access ClearSCADA via ViewX, WebX and Pager/SMS (Phone). For more information, see Define whether a User can Access the System via ViewX, WebX, Original WebX or Phone.
- User Group—Allows you to associate a user account with one or more User Groups. The user account will have its own permissions plus those that are allocated to the User Group(s).
- The Operational settings on the ViewX tab—You can use the check boxes to control which operator level features are available to the user.
- The Configuration settings on the ViewX tab—You can use the check boxes to control which configuration features are available to the user.
- The Alarm Banner/List settings on the ViewX tab—You can use the check boxes to control which alarm features are available to the user.
- The Explorer Bars settings on the ViewX tab—You can use the check boxes to control which Explorer Bars (navigation hierarchies, such as the Database Bar) are available to the user.
- The user-specific security settings that are on the Security tab (only available if the Allow per User option is enabled at the server, and the user accounts are managed directly in ClearSCADA, rather than via the Windows User Authentication feature). You can use the Security settings to define the password length, password strength, password expiry, and so on, for the user account.
By configuring each user account so that it only has access to the features and items that are relevant to the user of that account, you help to protect your system from:
- Inappropriate changes made by users who are not trained in certain aspects of ClearSCADA. If a user can only access the features that are relevant to their role and which they have been trained to use, there is less chance of ClearSCADA being misused.
- Unauthorized access to high-level features via low-level user accounts. For example, let’s say your system has a high number of user accounts that are restricted to operational settings only. This means that even if an unauthorized user gains access via one of those accounts, the user is restricted from performing potentially damaging actions due to the configuration settings of the account.
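The review below is an added example, not part of the ClearSCADA documentation or product: it checks a constructed account inventory against a per-role baseline, counting the permissions an account inherits from its User Groups as well as its own. The field names, roles, groups and baseline are assumptions for illustration, not a ClearSCADA export format.

```python
# Added example: least-privilege review. All names below are hypothetical, not a ClearSCADA format.
# What each role needs for its duties (assumed baseline, set by the site).
ROLE_BASELINE = {
    "operator": {"access": {"ViewX"}, "features": {"operational", "alarm"}},
    "engineer": {"access": {"ViewX", "WebX"},
                 "features": {"operational", "configuration", "alarm", "explorer_bars"}},
    "on_call":  {"access": {"Phone"}, "features": {"alarm"}},
}

# Permissions granted by each User Group (constructed).
GROUP_FEATURES = {
    "Operators": {"operational", "alarm"},
    "Engineering": {"configuration", "explorer_bars"},
}

# Constructed sample accounts.
ACCOUNTS = [
    {"name": "op_day", "role": "operator", "access": {"ViewX"},
     "groups": ["Operators"], "features": set()},
    {"name": "op_night", "role": "operator", "access": {"ViewX", "WebX"},
     "groups": ["Operators", "Engineering"], "features": set()},
    {"name": "pager1", "role": "on_call", "access": {"Phone"},
     "groups": [], "features": {"alarm", "operational"}},
]

def effective_features(account):
    """Own features plus everything inherited from the account's User Groups."""
    inherited = set()
    for group in account["groups"]:
        inherited |= GROUP_FEATURES.get(group, set())
    return account["features"] | inherited

def audit(accounts):
    """Return {account name: sorted excess grants} for accounts above their role baseline."""
    findings = {}
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct["role"])
        if baseline is None:  # an account with no recognised role cannot be justified
            findings[acct["name"]] = ["role:unknown"]
            continue
        excess = [f"access:{a}" for a in sorted(acct["access"] - baseline["access"])]
        excess += [f"feature:{f}" for f in sorted(effective_features(acct) - baseline["features"])]
        if excess:
            findings[acct["name"]] = excess
    return findings

if __name__ == "__main__":
    for name, excess in audit(ACCOUNTS).items():
        print(name, "exceeds baseline:", ", ".join(excess))
```

The `op_night` account shows why group membership has to be part of the review: its own feature set is empty, yet it gains configuration features through a second User Group.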