
INDUSTRIAL AUTOMATION

ABB Ability™ Symphony® Plus


S+ Engineering 2.3 User management
User manual

Notice
This document contains information about one or more ABB products and may include a description of or a reference to one or more standards that may be generally relevant to the ABB products. The presence of any such description of a standard or reference to a standard is not a representation that all of the ABB products referenced in this document support all of the features of the described or referenced standard. In order to determine the specific features supported by a particular ABB product, the reader should consult the product specifications for the particular ABB product.

ABB may have one or more patents or pending patent applications protecting the intellectual property in the ABB products described in this document.

The information in this document is subject to change without notice and should not be construed as a commitment by ABB. ABB assumes no responsibility for any errors that may appear in this document.

Products described or referenced in this document are designed to be connected and to communicate information and data through network interfaces, which should be connected to a secure network. It is the sole responsibility of the system/product owner to provide and continuously ensure a secure connection between the product and the system network and/or any other networks that may be connected.

The system/product owners must establish and maintain appropriate measures, including, but not limited to, the installation of firewalls, application of authentication measures, encryption of data, installation of antivirus programs, and so on, to protect these products, the network, its system, and interfaces against security breaches, unauthorized access, interference, intrusion, leakage, and/or theft of data or information.

ABB performs functionality testing on the products and updates that we release. However, system/product owners are ultimately responsible for ensuring that any product updates or other major system updates (to include but not limited to code changes, configuration file changes, third-party software updates or patches, hardware change out, and so on) are compatible with the security measures implemented. The system/product owners must verify that the system and associated products function as expected in the environment in which they are deployed.

In no event shall ABB be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall ABB be liable for incidental or consequential damages arising from use of any software or hardware described in this document.

This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party nor used for any unauthorized purpose.

The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.
This product meets the requirements specified in EMC Directive 2014/30/EU and in Low Voltage Directive
2014/35/EU.
The crossed-out wheeled bin symbol on the product and accompanying documents means that used electrical and electronic equipment (WEEE) should not be mixed with general household waste. If you wish to discard electrical and electronic equipment (EEE), please contact your dealer or supplier for further information.

Disposing of this product correctly will help save valuable resources and prevent any potential negative effects on human health and the environment, which could otherwise arise from inappropriate waste handling.

Trademarks and copyright


Symphony and Symphony Plus are registered or pending trademarks of ABB S.p.A.
Ability is a trademark of ABB.
All rights to copyrights, registered trademarks, and trademarks reside with their respective owners.
Copyright © 2011-2020 ABB. All rights reserved.

Release: May 2020


Document number: 2VAA003209-230
Revision: A
TABLE OF CONTENTS

1. Introduction.................................................................................................... 1-3
1.1 Technical Overview .............................................................................................1-3
1.2 Intended User ......................................................................................................1-3
1.3 User Manual Content ..........................................................................................1-3
1.4 Glossary of Terms and Abbreviations...............................................................1-3
1.5 Reference Documents ........................................................................................1-5

2. Active Directory and Workgroup Configuration ......................................... 2-1


2.1 Active Directory Installation...............................................................................2-1
2.1.1 Configuring Redundant Domain Controller ....................................................2-20
2.1.2 Configuring Child Domain Controller .............................................................2-27
2.1.3 Active Directory Settings for Workbench .......................................................2-28
2.1.4 Active Directory Settings for Workbench (Read-only Domain) ......................2-30
2.2 Workgroup Configuration.................................................................................2-36
2.2.1 Workgroup Settings for Workbench ...............................................................2-39
2.3 System Network Configuration........................................................................2-40

3. S+ Operations Security Concept.................................................................. 3-1


3.1 Introduction .........................................................................................................3-1
3.2 Configuring Users ...............................................................................................3-1
3.3 S+ Operations Application specific privilege ...................................................3-3
3.3.1 Security Group .................................................................................................3-3
3.3.2 Security Levels.................................................................................................3-4
3.3.3 Tag Operations and Privileges .........................................................................3-4
3.4 Specific Historian user groups ..........................................................................3-8
3.4.1 Configuring History Rights in S+ Operations ...................................................3-9
3.5 Setting Groups, Users, and Service Security ................................................. 3-11
3.5.1 Service security configuration for operation engineering ...............................3-13
3.6 Setting the Security Policy ...............................................................................3-13
3.7 Setting the Security Policies for the Local Users ..........................................3-16
3.8 On all S+ Operations Nodes .............................................................................3-17
3.8.1 On S+ Operations Server ..............................................................................3-18
3.8.2 Access to the local server homepage ............................................................3-19
3.8.3 On S+ Operations Application Servers ...........................................................3-26
3.9 Configuring Users in Workgroup Environment..............................................3-27

4. Working with User Management .................................................................. 4-1


4.1 Ribbon Bar Options ............................................................................................4-2
4.2 Symphony Plus User Roles................................................................................4-3

4.3 Add User ..............................................................................................................4-7


4.4 Edit User...............................................................................................................4-8
4.5 Delete User...........................................................................................................4-9
4.6 Export Users ...................................................................................................... 4-11
4.7 Import Users ......................................................................................................4-12
4.8 Sync Users.........................................................................................................4-15
4.9 Project Mapping ................................................................................................4-15
4.9.1 Assign a Project to the User ..........................................................................4-16
4.9.2 Unassign a Project.........................................................................................4-18
4.10 Configure Roles.................................................................................................4-18
4.11 Assign Roles......................................................................................................4-18
4.12 Operations .........................................................................................................4-20
4.13 Action Role Mapping.........................................................................................4-26

5. Setting up system to run under low privileged users ................................ 5-1


5.1 Providing access to the folder ...........................................................................5-3
5.2 To provide access to the Windows registries...................................................5-3
5.3 DCOM Settings ....................................................................................................5-4
5.3.1 OPC Server Settings........................................................................................5-4
5.4 Server settings ....................................................................................................5-8
5.5 Permissions to access services ........................................................................5-8
5.6 Create an SQL User.............................................................................................5-9
5.7 Exiting from the system....................................................................................5-14
5.8 User Account Settings ......................................................................................5-15

A. User Roles in Symphony Plus ...................................................................... A-1


A.1 User Roles........................................................................................................... A-4
A.1.1 Customized Roles........................................................................................... A-5
A.2 Existing common Symphony Plus user groups............................................ A-12
A.3 Registry settings .............................................................................................. A-14
A.4 NetBIOS configuration settings ...................................................................... A-14
A.5 Role Based Access Control............................................................................. A-14

B. Installing Microsoft Loopback Adapter ....................................................... B-1

C. Computer Browser Service........................................................................... C-1

D. Creating Group Policy Object....................................................................... D-1


D.1 Creating Group Policy ....................................................................................... D-1

LIST OF TABLES

Table 1-1: Glossary of Terms and Abbreviations ......................................................................1-3
Table 1-2: Reference Documents ..............................................................................................1-5
Table 3-1: Historian group id information ..................................................................................3-9
Table 3-2: S+ Historian signal rights .........................................................................................3-9
Table 3-3: Signal rights for Property RTS ...............................................................................3-10
Table 3-4: Post installation verification ....................................................................................3-11
Table 3-5: User Specific permissions reference table .............................................................3-12
Table 3-6: Users and groups configuration .............................................................................3-15
Table 4-1: Permissions ..............................................................................................................4-3
Table A-1: List of User Roles in Symphony Plus ...................................................................... A-1
Table A-2: Windows Group and Description ........................................................................... A-12

LIST OF FIGURES

Figure 2-1: Server Manager ....................................................................................................... 2-1
Figure 2-2: Add Roles and Features .......................................................................................... 2-2
Figure 2-3: Destination Server ................................................................................................... 2-3
Figure 2-4: Select Server Roles ................................................................................................. 2-4
Figure 2-5: Add Features and Roles .......................................................................................... 2-5
Figure 2-6: Active Directory Role ............................................................................................... 2-6
Figure 2-7: Select Features ........................................................................................................ 2-7
Figure 2-8: Active Directory Domain Services ........................................................................... 2-8
Figure 2-9: Confirm Installation .................................................................................................. 2-9
Figure 2-10: Installation Results ............................................................................................... 2-10
Figure 2-11: Active Directory Configuration ............................................................................. 2-11
Figure 2-12: Deployment Configuration ................................................................................... 2-12
Figure 2-13: Domain Controller Options .................................................................................. 2-13
Figure 2-14: DNS Options ........................................................................................................ 2-14
Figure 2-15: NetBIOS Domain Name ....................................................................................... 2-15
Figure 2-16: Active Directory Paths ......................................................................................... 2-16
Figure 2-17: Review Options .................................................................................................... 2-17
Figure 2-18: Prerequisites for Active Directory Installation ...................................................... 2-18
Figure 2-19: Active Directory Installation ................................................................................. 2-19
Figure 2-20: Active Directory Administrative Tools Menu ........................................................ 2-20
Figure 2-21: Deployment Configuration for Redundant Controller .......................................... 2-21
Figure 2-22: Windows Security ................................................................................................ 2-21
Figure 2-23: Redundant Domain Controller Options ................................................................ 2-22
Figure 2-24: DNS Option for Redundant Controller ................................................................. 2-23
Figure 2-25: Domain Controller Options .................................................................................. 2-23
Figure 2-26: Active Directory Paths ......................................................................................... 2-24
Figure 2-27: Review Options .................................................................................................... 2-25
Figure 2-28: Prerequisites Check for Redundant Controller Installation .................................. 2-26
Figure 2-29: Installation Progress ............................................................................................ 2-27
Figure 2-30: Deployment Configuration ................................................................................... 2-28
Figure 2-31: Server Configuration for Active Directory ............................................................ 2-29
Figure 2-32: Active Directory Users and Computers ................................................................ 2-30
Figure 2-33: User management screen of child domain .......................................................... 2-30
Figure 2-34: Server Configuration (Read-Only Domain) ......................................................... 2-31
Figure 2-35: New User creation ............................................................................................... 2-32
Figure 2-36: User Creation ....................................................................................................... 2-33
Figure 2-37: Assigning Role ..................................................................................................... 2-33
Figure 2-38: Assigned Roles .................................................................................................... 2-34
Figure 2-39: Assign Projects .................................................................................................... 2-35
Figure 2-40: Adding user in Database ..................................................................................... 2-36
Figure 2-41: My Computer Properties ...................................................................................... 2-37
Figure 2-42: System Properties ............................................................................................... 2-37
Figure 2-43: Computer Name/Domain Changes ..................................................................... 2-38
Figure 2-44: Computer Name/Domain Changes ..................................................................... 2-38
Figure 2-45: Workgroup Configuration Complete .................................................................... 2-39
Figure 2-46: Workgroup Settings for Workbench ..................................................................... 2-39
Figure 2-47: Windows Security prompt window ....................................................................... 2-40
Figure 3-1: User configuration .................................................................................................... 3-2
Figure 3-2: S+ Operations security group .................................................................................. 3-3
Figure 3-3: Users Security level ................................................................................................. 3-4
Figure 3-4: Tag Operations privileges ........................................................................................ 3-5
Figure 3-5: General privileges .................................................................................................... 3-6
Figure 3-6: Display builder with security level and Security group ............................................. 3-7
Figure 3-7: S+ Operation historian user configuration - Example 1 ........................................... 3-8
Figure 3-8: S+ Operation historian user configuration - Example 2 ........................................... 3-8
Figure 3-9: Real Time Storage (RTS) in bit pattern .................................................................. 3-10
Figure 3-10: Real Time Storage (RTS) in bit pattern ................................................................ 3-11
Figure 3-11: Local Security Policy ............................................................................................ 3-14
Figure 3-12: User Rights Assignments ..................................................................................... 3-14
Figure 3-13: Group policy management ................................................................................... 3-15
Figure 3-14: Local Group Policy Editor .................................................................................... 3-16
Figure 3-15: Deny log on locally and Deny log on through Remote Desktop Services ............ 3-17
Figure 3-16: System Properties ............................................................................................... 3-18
Figure 3-17: Database Settings - Users ................................................................................... 3-19
Figure 3-18: Microsoft SQL Server - New login ....................................................................... 3-19
Figure 3-19: Login - New Window ............................................................................................ 3-20
Figure 3-20: Select User or Group ........................................................................................... 3-20
Figure 3-21: Object Types dialog box ...................................................................................... 3-20
Figure 3-22: Select User or Group ........................................................................................... 3-20
Figure 3-23: Login - New (Server Roles) ................................................................................. 3-21
Figure 3-24: SQL Server - Authentication ................................................................................ 3-21
Figure 3-25: SQL Server - New User ....................................................................................... 3-22
Figure 3-26: Database User - New .......................................................................................... 3-22
Figure 3-27: Select Login ......................................................................................................... 3-23
Figure 3-28: Browse for Objects .............................................................................................. 3-23
Figure 3-29: Database Role Membership ................................................................................ 3-24
Figure 3-30: SQL Server Security New Logins ........................................................................ 3-24
Figure 3-31: Select User or Group ........................................................................................... 3-25
Figure 3-32: Object Types ....................................................................................................... 3-25
Figure 3-33: Select User or Group - Security ........................................................................... 3-25
Figure 3-34: Login - New Server Roles ................................................................................... 3-26
Figure 3-35: Permissions for ABB Symphony Plus .................................................................. 3-27
Figure 3-36: SQL Server Security Logins - New User ............................................................. 3-28
Figure 3-37: Select User Group - Security Login ..................................................................... 3-28
Figure 3-38: Object Types ....................................................................................................... 3-29
Figure 3-39: Select User or Group - Administrator .................................................................. 3-29
Figure 3-40: Login - New (Server Roles) ................................................................................. 3-30
Figure 4-1: Opening User Management ..................................................................................... 4-1
Figure 4-2: Windows Security prompt window ........................................................................... 4-1
Figure 4-3: User Management tool ............................................................................................. 4-2
Figure 4-4: System Roles ........................................................................................................... 4-4
Figure 4-5: Engineering Roles .................................................................................................... 4-4
Figure 4-6: Operations Roles ..................................................................................................... 4-5
Figure 4-7: Historian Roles ......................................................................................................... 4-5
Figure 4-8: Historian Roles - Continued ..................................................................................... 4-5
Figure 4-9: GIS Roles ................................................................................................................. 4-6
Figure 4-10: Adding New User .................................................................................................... 4-7
Figure 4-11: Edit User ................................................................................................................. 4-9
Figure 4-12: Deleting User ........................................................................................................ 4-10
Figure 4-13: Delete Multiple Users ........................................................................................... 4-10
Figure 4-14: Export Users ......................................................................................................... 4-11
Figure 4-15: Exported User Details ........................................................................................... 4-12
Figure 4-16: Export User Project Assignment Details ............................................................... 4-12
Figure 4-17: Import User Details ............................................................................................... 4-13
Figure 4-18: Import User Project Details ................................................................................... 4-13
Figure 4-19: Import Users ......................................................................................................... 4-14
Figure 4-20: Synchronize user nodes ....................................................................................... 4-15
Figure 4-21: Available Project List ............................................................................................ 4-16
Figure 4-22: Project Assigned to the User ................................................................................ 4-17
Figure 4-23: Project Mapping Successful ................................................................................. 4-17
Figure 4-24: Unassigning Project ............................................................................................. 4-18
Figure 4-25: Assign User Roles ................................................................................................ 4-19
Figure 4-26: Operations Tab ..................................................................................................... 4-20
Figure 4-27: User Settings ........................................................................................................ 4-21
Figure 4-28: User Data ............................................................................................................. 4-21
Figure 4-29: User Roles Settings .............................................................................................. 4-22
Figure 4-30: User Roles Data ................................................................................................... 4-22
Figure 4-31: Operations Tab with User Information .................................................................. 4-23
Figure 4-32: Operations tab - Create new template .................................................................. 4-23
Figure 4-33: Windows user group name ................................................................................... 4-24
Figure 4-34: Assign new operations user roles ......................................................................... 4-25
Figure 4-35: Newly added operations user and user roles template confirmation .................... 4-25
Figure 4-36: Users in user database ......................................................................................... 4-26
Figure 4-37: Action Role Mapping - Role Description ............................................................... 4-26
Figure 4-38: Action Role Mapping ............................................................................................ 4-27
Figure 4-39: Action Role Mapping - Error Message .................................................................. 4-27
Figure 5-1: Services window ....................................................................................................... 5-1
Figure 5-2: ABB S+ Operations HSI Properties .......................................................................... 5-2
Figure 5-3: ABB S+ Operations HSI Properties Log on tab ........................................................ 5-2
Figure 5-4: Operations properties security tab ............................................................................ 5-3
Figure 5-5: Full access in registry editor ..................................................................................... 5-3
Figure 5-6: Permissions in registry editor ................................................................................... 5-4
Figure 5-7: My Computer Properties ........................................................................................... 5-5
Figure 5-8: Access permissions OPC server settings ................................................................. 5-6
Figure 5-9: Launch and Activation Permission ............................................................................ 5-7
Figure 5-10: Opc Enum Properties ............................................................................................. 5-7
Figure 5-11: Process Monitor ...................................................................................................... 5-9
Figure 5-12: Microsoft SQL Server Management Studio .......................................................... 5-10
Figure 5-13: New login window ................................................................................................. 5-11
Figure 5-14: Server Roles tab ................................................................................................... 5-12
Figure 5-15: Securables tab ...................................................................................................... 5-13
Figure 5-16: Status tab ............................................................................................................. 5-14
Figure 5-17: Local Security Policy - User Rights Assignment ................................................... 5-15
Figure 5-18: User Account Control Settings ............................................................................. 5-15
Figure A-1: Operator user security levels as Tag Operations .................................................... A-4
Figure A-2: Engineer user security levels as Tag Operations .................................................... A-4
Figure A-3: Configure Roles window .......................................................................................... A-5
Figure A-4: Creating Customized Role ....................................................................................... A-6
Figure A-5: View tab ................................................................................................................... A-6
Figure A-6: Filtering the Roles .................................................................................................... A-7
Figure A-7.Customized Groups ................................................................................................... A-8
Figure A-8.Select All groups ........................................................................................................ A-9
Figure A-9.All available Groups ................................................................................................. A-10
Figure A-10.Edit Roles............................................................................................................... A-11
Figure A-11.Custom Role Message........................................................................................... A-11
Figure A-12.Custom Roles mismatch notification message ...................................................... A-11
Figure A-13.User Management screen...................................................................................... A-12
Figure A-14.Event database with different user groups............................................................. A-13
Figure A-15.Role Based Access_Workbench............................................................................ A-15
Figure A-16.Role Based Access_User Management ................................................................ A-15
Figure A-17.Role Based Access_Project Administration ........................................................... A-16
Figure A-18.Role Based Access_Bulk Engineering................................................................... A-16
Figure A-19.Role Based Access_Bulk Engineering_More Roles .............................................. A-17
Figure A-20.Role Based Access_Topology Design ................................................................... A-18
Figure A-21.Role Based Access_Connectivity Engineering ...................................................... A-19
Figure A-22.Role Based Access_Connectivity Engineering_More Roles.................................. A-20

Figure A-23.Role Based Access_Control Engineering .............................................................. A-21


Figure A-24.Role Based Access for Control Engineering_Continuing....................................... A-21
Figure A-25.Role Based Access for Control Engineering_Continuing....................................... A-22
Figure A-26.Role Based Access for Control Engineering_Continuing....................................... A-22
Figure A-27.Role Based Access for Control Engineering_Continuing....................................... A-23
Figure A-28.Role Based Access_Control Engineering_Roles Continuing................................. A-23
Figure A-29.Role Based Access for Control Engineering_Continuing....................................... A-24
Figure A-30.Role Based Access for Control Engineering_Continuing....................................... A-24
Figure A-31.Role Based Access for Control Engineering_Continuing....................................... A-25
Figure A-32.Role Based Access for Control Engineering_Continuing....................................... A-25
Figure A-33.Role Based Access for Control Engineering_Continuing....................................... A-26
Figure A-34.Role Based Access for Control Engineering_Continuing....................................... A-26
Figure A-35.Role Based Access for Control Engineering_Continuing....................................... A-27
Figure A-36.Role Based Access for Control Engineering_Continuing....................................... A-27
Figure A-37.Role Based Access for Control Engineering_Continuing....................................... A-28
Figure A-38.Role Based Access for Control Engineering_Continuing....................................... A-28
Figure A-39.Role Based Access for Control Engineering_Continuing....................................... A-29
Figure A-40.Role Based Access for Control Engineering_Continuing....................................... A-29
Figure A-41.Role Based Access for Control Engineering_Continuing....................................... A-30
Figure A-42.Role Based Access for Control Engineering_Continuing....................................... A-30
Figure A-43.Role Based Access for Control Engineering_Continuing....................................... A-31
Figure A-44.Role Based Access for Control Engineering_Continuing....................................... A-31
Figure A-45.Role Based Access for Control Engineering_Continuing....................................... A-32
Figure A-46.Role Based Access for Control Engineering_Continuing....................................... A-32
Figure A-47.Role Based Access for Control Engineering_Continuing....................................... A-33
Figure A-48.Role Based Access for Control Engineering_Continuing....................................... A-33
Figure A-49.Role Based Access for Control Engineering_Continuing....................................... A-34
Figure A-50.Role Based Access for Control Engineering_Continuing....................................... A-34
Figure A-51.Role Based Access for Control Engineering_Continuing....................................... A-35
Figure A-52.Role Based Access for Control Engineering_Continuing....................................... A-35
Figure A-53.Role Based Access_Field Engineering .................................................................. A-36
Figure A-54.Role Based Access_Field Engineering_More Roles.............................................. A-37
Figure A-55.Role Based Access_Signal Manager..................................................................... A-38
Figure A-56.Role Based Access_Operations Engineering ........................................................ A-39
Figure A-57.Pop-up Message on Limited User Roles................................................................ A-40
Figure B-1.Command Prompt...................................................................................................... B-1
Figure B-2.Network Adapters ...................................................................................................... B-2
Figure C-1.Computer Browser Service ........................................................................................ C-1
Figure C-2.Windows Command................................................................................................... C-1
Figure D-1.Administrative Tools................................................................................................... D-1
Figure D-2.Group Policy Management ........................................................................................ D-2

Figure D-3.New GPO................................................................................................................... D-2


Figure D-4.Edit Policy .................................................................................................................. D-3
Figure D-5.Group Policy Management Editor .............................................................................. D-3
Figure D-6.Select Restricted Group............................................................................................. D-4
Figure D-7.Selected Restricted Group Properties ....................................................................... D-4
Figure D-8.Add Restricted Group Members ................................................................................ D-5
Figure D-9.Select SPLUS User.................................................................................................... D-6

Preface
This document provides information about how to install and operate User Management in Symphony Plus, which is part of
the Symphony Plus Engineering software.
This functionality is used in the S+ Engineering software.
About This Book

General
This manual describes the User Management feature and how to work with accounts in Symphony Plus Engineering.
User Management in Symphony Plus is a module used to create and manage users and to assign user roles to users in a
Symphony Plus system. The assigned user roles define the privileges given to a user.

Document Conventions
Microsoft Windows conventions are normally used for the standard presentation of material when entering text, key
sequences, prompts, messages, menu items, screen elements, etc.

Document Icons
This publication uses Information, Caution and Tip icons where appropriate to point out important information or useful hints
to the reader. The corresponding symbols should be interpreted as follows:

Electrical Warning icon: It indicates the presence of a hazard that could result in electrical shock.

Warning icon: It indicates the presence of a hazard that could result in a plant shutdown
or personal injury.

Caution icon: It indicates the presence of a hazard that could result in corruption of software or
damage to equipment/property.

Information icon: It alerts the user to pertinent facts and conditions.

Tip icon: It indicates advice on, for example, how to design a project or how to use a certain function.

NOTE The Note statement highlights important information pertaining to a particular descriptive text (for example: 'Module
description', 'Installation', 'Configuration', or 'Operational procedure', etc.) in the document.
Although Warning hazards are related to personal injury, and Caution hazards are associated with equipment or property
damage, it must be understood that operation of damaged equipment could, under certain operational conditions, result in
degraded process performance leading to personal injury or death. Therefore, fully comply with all Warning and Caution
notices.

1. Introduction
This document contains the description of how to work with the user management functions in ABB Symphony Plus.

1.1 Technical Overview


User Management is installed with the S+ Engineering workbench. User Management works with the users defined in the
system and the roles assigned to them; the roles define the privileges that a specific user has. A predefined set of user roles
for Symphony Plus is provided. Using Symphony Plus User Management, a security user with administrative privileges in a
plant can create and define new users and associate these users with user roles.

1.2 Intended User


This online help provides the information required to work with User Accounts and is intended for personnel with system
and security administration expertise. It further assumes that the reader is familiar with Windows operating systems.

1.3 User Manual Content


This user manual consists of the following sections and appendices:

Introduction
Gives an overview of the online help and its intended user.

Active Directory and Workgroup Configuration
Explains the configuration of Active Directory and Workgroup.

S+ Operations Security Concept
Explains how to configure users in the domain environment.

Working with User Management
Explains the operations that a user can perform using the User Management feature.

User Roles in Symphony Plus
Explains the SPlus user roles and their descriptions.

Installing Microsoft Loopback Adapter
Provides the installation procedure for the Microsoft Loopback Adapter.

Computer Browser Service
Provides information about the Computer Browser Service.

Creating Group Policy Object
Provides information about how to create a Group Policy Object.

1.4 Glossary of Terms and Abbreviations


The following table contains the glossary of terms and abbreviations used in this online help. It contains those terms and
abbreviations that are unique to ABB or have a definition that is different from standard industry usage.

Table 1-1. Glossary of Terms and Abbreviations

Term   Definition
IP     Internet Protocol
MSI    Microsoft Installer
RBAC   Role Based Access Control
UID    User Identity
AD     Active Directory
WG     Workgroup
WB     Workbench
UM     User Management
PA     Project Admin
DNS    Domain Naming System

1.5 Reference Documents


This online help provides information about Symphony Plus User Management and its functions. The following table lists
the additional documents that relate to the Symphony Plus User Management module.

Table 1-2. Reference Documents

Number            Document
8VZZ002960T2300   S+ Operations 2.3 Operations engineering user manual
8VZZ000130T2300   S+ Engineering 2.3 Project administration user manual
8VZZ000131T2300   S+ Engineering 2.3 System topology user manual
8VZZ000132T2300   S+ Engineering 2.3 Connectivity engineering user manual
8VZZ000133T2300   S+ Engineering 2.3 Bulk Engineering user manual
2VAA008303*       S+ System Installation user manual
2VAA003191*       S+ System Installation manager 2.3 user manual
2VAA003195*       S+ System Logging and audit trail 1.3 user manual
2VAA005210-230    S+ Engineering Third party software licenses reference manual

* Implies the latest version of the respective manual.

2. Active Directory and Workgroup Configuration


Symphony Plus supports both Active Directory and Workgroup installations.

2.1 Active Directory Installation


Select a Windows Server 2016 machine to host the Active Directory services. It is recommended that this machine is not a
Symphony Plus server or client, i.e. it should not have S+ Operations, S+ Engineering or S+ Operations Historian software
installed.
Follow these steps to set up an Active Directory system:
1. In the Start menu select Server Manager.
The Server Manager window opens as shown in the following figure.

Figure 2-1: Server Manager

2. Click the Add roles and features option in the Server Manager window.
The Add Roles and Features Wizard window opens as shown in Figure 2-2.
3. Select Role-based or feature-based installation in the Select installation type window as shown in the following figure.

Figure 2-2: Add Roles and Features

4. Click Next.
The Select destination server window opens as shown in the following figure.

Figure 2-3: Destination Server

5. Click Next.
The Select server roles window opens as shown in Figure 2-4.
6. Select Active Directory Domain Services from the list of Roles as shown in the following figure.

Figure 2-4: Select Server Roles

An Add Roles and Features Wizard dialog box opens as shown in the following figure.

Figure 2-5: Add Features and Roles

7. Click Add Features.


The dialog box closes and Active Directory Domain Services check box is checked as shown in the following
figure.

Figure 2-6: Active Directory Role

8. Click Next.
The Select features window opens as shown in the following figure.

Figure 2-7: Select Features

9. Click Next.
The Active Directory Domain Services window opens as shown in the following figure.

Figure 2-8: Active Directory Domain Services

10. Click Next.
The Confirm installation selections window opens as shown in the following figure.

Figure 2-9: Confirm Installation

11. Click Install.

Once the Installation is complete the Installation Results window appears as shown in the following figure.

Figure 2-10: Installation Results

12. Click Close to complete the installation process.

After the installation the system requires a reboot; select Reboot to complete the installation.

Once the system restarts, follow these steps to install Active Directory:
13. Click on Windows and select Server Manager.
The Server Manager window opens as shown in the following figure.

Figure 2-11: Active Directory Configuration

14. Click on the notification symbol. The notification opens as shown in Figure 2-11.
15. In the notification message click on the link Promote this server to a domain controller.
The Deployment Configuration window opens as shown in the following figure.

Figure 2-12: Deployment Configuration

16. Select the option Add a new forest under Select the deployment operation.
17. In the Root domain name text box enter the root domain name (for example Engineering.abb.com), and click Next.
The Domain Controller Options window opens as shown in the following figure.

Figure 2-13: Domain Controller Options

18. Enter the domain password and click Next.


The DNS Options window opens as shown in the following figure.

Figure 2-14: DNS Options

19. Click Next.
The Additional Options window opens as shown in the following figure.

Figure 2-15: NetBIOS Domain Name

20. Click Next.
The Paths window opens as shown in the following figure.

Figure 2-16: Active Directory Paths

21. Click Next.
The Review Options window opens as shown in the following figure.

Figure 2-17: Review Options

22. Click Next.
The Prerequisites Check window opens as shown in the following figure.

Figure 2-18: Prerequisites for Active Directory Installation

23. Click Install.
The Installation begins as shown in the following figure.

Figure 2-19: Active Directory Installation

Once the installation is complete, the system restarts automatically.

After the server reboot, the Active directory option is visible in the tools menu as shown in the following figure.

Figure 2-20: Active Directory Administrative Tools Menu

2.1.1 Configuring Redundant Domain Controller


Follow the given steps to configure the redundant domain controller.
1. In the Start menu select Server Manager, then follow the steps from Step 1 through Step 15.

2. In the Deployment Configuration window select the Add a domain controller to an existing domain option as shown in the
following figure to configure the redundant domain controller.

Figure 2-21: Deployment Configuration for Redundant Controller

3. In the Domain text box, specify the existing domain name (i.e., Engineering.abb.com).
4. Click Select to specify the domain information.
The Windows Security dialog box opens as shown in the following figure.

Figure 2-22: Windows Security

5. Enter the user name and password of the administrator of the primary domain controller.
6. Click OK.
7. Click Next.

The Domain Controller Options window opens as shown in the following figure.

Figure 2-23: Redundant Domain Controller Options

8. Enter the domain password and click Next.


The DNS Options window opens as shown in the following figure.

Figure 2-24: DNS Option for Redundant Controller

9. Click Next.
The Additional Options window opens as shown in the following figure.

Figure 2-25: Domain Controller Options

10. Select the domain controller from the Replicate from drop-down list.
11. Click Next.
The Paths window opens as shown in the following figure.

Figure 2-26: Active Directory Paths

12. Click Next.
The Review Options window opens as shown in the following figure.

Figure 2-27: Review Options

13. Click Next.
The Prerequisites Check window opens as shown in the following figure.

Figure 2-28: Prerequisites Check for Redundant Controller Installation

14. Click Install.
The Installation begins as shown in the following figure.

Figure 2-29: Installation Progress

Once the installation is complete, the system restarts automatically.

2.1.2 Configuring Child Domain Controller


Add the newly created domain to an existing forest with the domain type as Child Domain. When a domain is configured as
a child domain of a different domain, a transitive trust is established between them.

1. Click on Windows and select Server Manager, then follow Step 1 through Step 15 of the section Active Directory
Installation.

Figure 2-30: Deployment Configuration

2. Enter the mandatory values as shown in the above figure and click Next.
3. Follow steps 7 to 14 of Active Directory and Workgroup Configuration.
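The wizard sequences of sections 2.1, 2.1.1 and 2.1.2 as an added PowerShell example; this is not the ABB manual's own material but uses the ADDSDeployment cmdlets that ship with the AD DS role. It assumes the manual's root domain Engineering.abb.com; the child domain name and the replication-source DC name are constructed placeholders, and the script is run in an elevated session on the Windows Server 2016 machine described above.

```powershell
# Added example (not from the ABB manual): scripted equivalent of the
# Server Manager wizard steps for a new forest (2.1), a redundant domain
# controller (2.1.1) and a child domain (2.1.2).
# Assumptions: root domain Engineering.abb.com (manual's example);
# child domain name 'plant' and replication source DC are constructed.
param(
    [Parameter(Mandatory)]
    [ValidateSet('NewForest', 'RedundantDC', 'ChildDomain')]
    [string]$Mode,
    [string]$RootDomain          = 'Engineering.abb.com',
    [string]$ChildName           = 'plant',                      # constructed
    [string]$ReplicationSourceDC = 'dc01.engineering.abb.com'    # constructed
)

# Steps 1-12: install the AD DS role together with its management tools
# (the wizard's "Add Features" prompt adds the same tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Step 18: the "domain password" entered on the Domain Controller Options
# page is the Directory Services Restore Mode (DSRM) password. Prompt for it
# so that it is never stored in the script or in the shell history.
$DsrmPassword = Read-Host -Prompt 'DSRM (Domain Controller Options) password' -AsSecureString

switch ($Mode) {
    'NewForest' {
        # Steps 16-23: "Add a new forest" with the given root domain name.
        # DNS is installed on the DC as in the wizard's DNS Options page.
        Install-ADDSForest -DomainName $RootDomain `
            -SafeModeAdministratorPassword $DsrmPassword `
            -InstallDns -Force
    }
    'RedundantDC' {
        # Section 2.1.1: "Add a domain controller to an existing domain".
        # Step 5 asks for the primary DC administrator's credentials and
        # step 10 for the DC to replicate from.
        $Cred = Get-Credential -Message "Administrator of $RootDomain"
        Install-ADDSDomainController -DomainName $RootDomain -Credential $Cred `
            -ReplicationSourceDC $ReplicationSourceDC `
            -SafeModeAdministratorPassword $DsrmPassword `
            -InstallDns -Force
    }
    'ChildDomain' {
        # Section 2.1.2: add a child domain to the existing forest. The
        # transitive parent-child trust is created by the promotion itself.
        $Cred = Get-Credential -Message "Enterprise administrator of $RootDomain"
        Install-ADDSDomain -NewDomainName $ChildName -ParentDomainName $RootDomain `
            -DomainType ChildDomain -Credential $Cred `
            -SafeModeAdministratorPassword $DsrmPassword `
            -InstallDns -Force
    }
}

# Each Install-ADDS* cmdlet reboots the server when it finishes, as the
# manual notes; afterwards the Active Directory tools appear in the Server
# Manager Tools menu (Figure 2-20).
```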

2.1.3 Active Directory Settings for Workbench


The Active Directory settings for the workbench have to be configured only on the engineering server.

Following are the steps to configure the Active Directory settings in the Workbench:

1. Log in as administrator (local administrator for the workbench or domain administrator for the domain).

2. In the S+ Engineering application select System > Server Configuration as shown in Figure 2-31.

Figure 2-31. Server Configuration for Active Directory

It is recommended not to use abb.com in the domain name, as it is registered to ABB and not intended for internal
use.

The domain name should always be the same as the domain in which the machine is present.

The Options window opens as shown in Figure 2-46.


3. In the Options window select Active Directory server settings.
• Active Directory
– Server IP: IP address of the Active Directory server.
NOTE: If the machine is present in the child domain, enter the child domain's IP address.
– Domain: Fully qualified domain name of the Active Directory (example: engineering.abb.local). The domain name
is fetched automatically.
4. Click OK.
5. The workbench restarts automatically.
Now open the User Management application and proceed with the functions explained in the Working with User
Management section.
Redundant domain controllers have the following limitations:
1. When one of the domain controllers is down, the User Management application takes a few minutes (the domain
controller switchover time) to query roles from, or add users to, the other domain controller.
2. After the switchover time, all User Management functions work without any problem.
NOTE: Roles are created automatically on the Active Directory server. The user can check in the Active Directory Users and
Computers window whether the roles have been created.
Follow these steps to configure the workbench with an existing Active Directory:
• Roles are created automatically (by the UM tool) in the 'Builtin' folder of the Active Directory and users are created in
the Users folder, as shown in the following figure. Refer to the section User Roles in Symphony Plus for more detailed
information on SPlus roles.

Figure 2-32: Active Directory Users and Computers

– NIC: Network interface card

The configured networks are available in a drop-down list for the user to select.
If the configured NIC is not operational, is unplugged or its name is changed, the other workgroup machines
cannot be discovered. However, the user can continue with the configuration on the current machine.

2.1.3.1 Configuring Child Domain


All the Symphony Plus roles are created in the child domain and all the users are fetched from the parent domain. If the
machine is present in the child domain and the logged-in user belongs to the parent domain, the User Management
functions are disabled except Assign Roles, Assign Projects, Apply and Cancel, as shown in the following figure.

Figure 2-33: User management screen of child domain

2.1.4 Active Directory Settings for Workbench (Read-only Domain)


Following are the steps to configure the Active Directory settings in the Workbench:
1. Log in as administrator (local administrator for the workbench or domain administrator for the domain).

2. In the S+ Engineering application, select System > Server Configuration as shown in the following figure.

Figure 2-34: Server Configuration (Read-Only Domain)

The Options window opens as shown in Figure 2-34.

3. In the Options window select Active Directory server settings.
• Active Directory
– Server IP: IP address of the Active Directory server.
– Domain: Fully qualified domain name of the Active Directory (example: engineering.abb.local). The domain name
is fetched automatically.
– Read Only Domain: In read-only mode all User Management functions are grayed out except Assign Project,
Apply and Cancel. The user must create new users and the S+ Engineering roles in the domain manually.
4. Click OK.
5. The Workbench restarts automatically.
Follow these steps to add users manually in the domain:
1. In the Start menu of the domain controller machine, click Windows Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, click the domain.
3. Click Users from the drop-down and select the Create New User icon.

4. In the pop-up window fill in the user's details.

Figure 2-35: New User creation

5. Click Next, provide the password and select the required check box.
6. Click Next > Finish to create the new user.

NOTE: User Management prevents the creation of a user with a hyphen in the user name due to a database restriction.
Only the following characters are supported in User Management:

• Numeric
• Alphanumeric
• _, @, #
Follow these steps to create a new group manually in the domain:
1. In the Start menu of the domain controller machine, click Windows Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, click the domain.
3. Click Builtin from the drop-down and select the Create New Group icon.

4. Select Group scope as Universal and Group type as Security.

Figure 2-36: User Creation

Follow these steps to assign roles to the new user:

1. Double-click the user and, in the pop-up window, select the Member Of tab.
2. Click Add and provide the required role in the text box.
3. Click Check Names.
4. Select the required role and click OK.

Figure 2-37: Assigning Role

5. Click Apply and then OK to assign the role.

Figure 2-38: Assigned Roles
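The manual-creation steps above (new user, the user-name character restriction, Member Of role assignment) as an added PowerShell example that is not part of the ABB manual. It assumes the manual's example domain engineering.abb.local, an existing role group named SPUser created per the group steps above, a constructed user name op_user1, and the ActiveDirectory RSAT module in a domain administrator session.

```powershell
# Added example (not from the ABB manual): scripted equivalent of the manual
# steps for a read-only domain, where users and their S+ roles must be created
# in the domain manually.
# Assumptions: domain engineering.abb.local (manual's example); role group
# 'SPUser' (the minimum role named in the manual, assumed to be the group name)
# already created with Universal scope / Security type; user 'op_user1' is a
# constructed sample name.
Import-Module ActiveDirectory

function Test-SPlusUserName {
    # User Management rejects a hyphen in the user name (database restriction)
    # and supports only letters, digits, '_', '@' and '#'.
    param([Parameter(Mandatory)][string]$Name)
    return [bool]($Name -match '^[A-Za-z0-9_@#]+$')
}

$DomainDns = 'engineering.abb.local'
$DomainDN  = 'DC=engineering,DC=abb,DC=local'
$UserName  = 'op_user1'   # constructed sample
$RoleGroup = 'SPUser'     # assumed group name of the SPUser role

if (-not (Test-SPlusUserName $UserName)) {
    throw "User name '$UserName' contains characters User Management does not support"
}

# Steps 1-6: create the user in the Users container. The initial password is
# prompted for, so it never appears in the script or in the shell history.
# ChangePasswordAtLogon corresponds to the wizard's "User must change password
# at next logon" check box.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    $Password = Read-Host -Prompt "Initial password for $UserName" -AsSecureString
    New-ADUser -Name $UserName -SamAccountName $UserName `
        -UserPrincipalName "$UserName@$DomainDns" `
        -Path "CN=Users,$DomainDN" `
        -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true
}

# Assign-role steps 1-5: the role group must already exist (the UM tool creates
# the S+ roles in the Builtin container; in a read-only domain they are created
# manually, see the group steps above).
$Group = Get-ADGroup -Filter "Name -eq '$RoleGroup'"
if (-not $Group) {
    throw "Role group '$RoleGroup' not found; create it first (Universal scope, Security type)"
}
Add-ADGroupMember -Identity $Group -Members $UserName

# Verify the assignment the same way the Member Of tab shows it.
Get-ADPrincipalGroupMembership -Identity $UserName |
    Where-Object { $_.Name -eq $RoleGroup } |
    Select-Object Name, GroupScope, GroupCategory
```

After the user appears in the domain, refresh User Management on the engineering server so that the user is added to the database (Figure 2-40).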

2.1.4.1 Domain Users


If the Read Only Domain option is selected in the Server Configuration (refer to Active Directory and Workgroup
Configuration), then all functions except Assign Project, Apply and Cancel are disabled for the users, as shown in the
figure.

Figure 2-39: Assign Projects

NOTE: To assign a project to a user, the user must have at least the SPUser role.

NOTE: All users must have at least the SPUser role to access the database.

If a new user is added in the domain, refresh User Management to add the user to the database (refer to the figure).

Figure 2-40: Adding user in Database

2.2 Workgroup Configuration


All machines in the workgroup must have the same administrator account (i.e. the same user name and the same
password).
Note: A workgroup should not contain more than 10 computers and should have only one engineering server.
Note: In the case of a single-node S+ installation where the machine is not connected to the network, a loopback adapter
has to be set up; for more information refer to the section Installing Microsoft Loopback Adapter.
Note: It is highly recommended to define a unique name for the workgroup, for example SPLUS, instead of using the
default name "WORKGROUP".
Note: On each machine of the workgroup the Computer Browser Service needs to be running. For more information refer to
the section Computer Browser Service.


Following are the steps to configure one S+ node into a workgroup:

Note: These steps must be followed for all S+ nodes.
Configuring an S+ node to a Workgroup
1. Log in as administrator.
2. Right-click My Computer > Properties > Change settings as shown in the following figure.

Figure 2-41: My Computer Properties

System Properties window opens as shown in the following figure.

Figure 2-42: System Properties

3. Click on Change in the System Properties window.


Computer Name/Domain Changes window opens as shown in the following figure.


Figure 2-43: Computer Name/Domain Changes

4. Select the Workgroup option.
5. Provide the unique workgroup name (for example, SPLUS).
6. Click OK.
The Computer Name/Domain Changes window opens as shown in the following figure.

Figure 2-44: Computer Name/Domain Changes

7. Click OK.
8. Restart the system.
Check whether the S+ node is in the intended workgroup.
Note: The workgroup is configured with the specified workgroup name (for example, SPLUS) as shown in the following figure.


Figure 2-45: Workgroup Configuration Complete

2.2.1 Workgroup Settings for Workbench


Once the system restarts, follow these steps to configure Workbench:
1. Log in with administrative privileges.
2. In Workbench, navigate to System > Server Configuration.
The Server Configuration window opens as shown in Figure 2-46.
3. Select the Workgroup option in the Server Configuration window.
4. Specify, in upper case, the workgroup name that was created.
5. Select the network from the NIC drop-down; refer to Workgroup Configuration for more details.

Figure 2-46: Workgroup Settings for Workbench

6. Click OK.


7. Restart the application.


8. Open User Management and provide the domain/workgroup password in the Windows Security prompt window.

Figure 2-47: Windows Security prompt window

9. Click OK, refer to Figure 4-1 for more details.

2.3 System Network Configuration


When the network configuration changes from Active Directory to Workgroup, from Workgroup to Active Directory, or from one Active Directory to another (switchover configuration), the setting IsCustomRoleConfigured must be updated as follows in the file at
C:\Program Files (x86)\ABB Symphony Plus\Engineering\Workbench\BIN\EDashBoard.exe.Config
IsCustomRoleConfigured" value="False"


3. S+ Operations Security Concept


3.1 Introduction
The security concept of S+ Operations is based on Windows security, using Windows users and Windows user groups to configure and validate users and their permissions inside the system. This concept requires that all computers and users involved have a trust relationship with each other. This can be achieved either with Windows workgroups or with Windows Active Directory (domain model).
Configuring a trust relationship between Windows computers and users is not part of this manual. For details on the concepts and configuration, refer to the Windows-specific user manuals and training.
S+ Operations generally has three different kinds of user types: operator users, who do most of their daily work with the console application, together with supervisors who can also tune; administrator users, who work at system level to make system settings and to maintain and administer the control system; and finally office users, who typically use the system for long-term analysis on their office systems. The sections below give details for each user group in order to understand the possible settings.

3.2 Configuring Users


Windows supports two methods to configure users: centrally in a Windows Active Directory (domain model) or individually in a workgroup. Both are supported with Symphony Plus; however, this chapter concentrates on describing the domain model. Users who use a workgroup must configure each computer accordingly, following the Microsoft configuration guidelines. This chapter does not explain Windows network configuration; refer to the Windows administration guides.
The concept for configuring users in Symphony Plus is the following:
1. The definition of the individual accounts of all users is done in the Windows user management; see the picture "Windows users" below. Those users (the names are only examples) are typically managed in an Active Directory.
2. The individual users are then mapped to their general function in the Symphony Plus system. All existing functions are predefined as Windows user groups. Each group is associated with certain Windows rights, such as read/write access to the system.
3. Each user is then additionally associated with an S+ Operations user group that sets individual tag operations and privileges that exist only in the S+ Operations software.


The following figure (Figure 3-1) shows the different types of association possible:

Figure 3-1: User configuration

Figure 3-1 shows an example of the Windows user Operator1 associated with the Symphony Plus Windows user group SPlusOUsers, which grants the general permissions needed to work as an operator with Symphony Plus. Additionally, Operator1 is associated with SPlusOOperators, an S+ Operations Windows group that is associated with the special in-application user rights of S+ Operations. The identification is the Windows user group name.
The diagram below (Figure 3-2) explains the association to the S+ Operations security group in more detail:


The association takes place in the Windows user group field: all users that are in the referenced group will be associated with these security settings.

Figure 3-2: S+ Operations security group

Ensure that Active user is set to No; Yes will make this configuration invalid.
NOTES:
• While each user can be assigned to as many Windows user groups as needed, only one particular S+ Operations user group is possible. In case of a misconfiguration where multiple groups are selected, the one with the lowest index will be used. If this function is required, the "Role" feature of S+ Operations can be used.
• Ensure that the S+ Operations user group (for example SPlusOOperators) is not associated with any other group members, otherwise the user may gain access from the associated group member if one exists. The S+ Operations user groups SPlusOOperators and SPlusOGuests are user defined and not defined by the script. Hence the Windows user (for example OPerUser) must be a member of SPlusOOperators, SPlusOUsers, and SPlusIMEventReader.

3.3 S+ Operations Application specific privilege


The individual application settings in S+ Operations are explained in the sections below. There are two concepts that are used singly or together in order to control the in-application privileges of a user.

3.3.1 Security Group


S+ Operations provides a total of 32 security groups that can be assigned directly to database items. Using these security groups, the permissions of a user can be individually defined. If a user is granted Yes for a particular security group, then that user can access all database items that are assigned to the same security group.


3.3.2 Security Levels


The second concept of application-specific user rights is the security level. It is an integer value in the range 1 to 16. A security level can be assigned to database items (for example tags and groups). A user can access a database item if the user's security level is greater than or equal to the database item's security level.
In S+ Operations, a user's access to privileges on tags and configuration database items, and permission to execute/operate features in the product, is based on the user's own security level, security groups and security privileges (as described in the sections above), together with the security level and security group assigned to the tags and configuration database items.
If the user's security level is greater than or equal to the database item's security level AND one of the user's security groups is equal to the database item's security group, then the user's security privileges can be applied to the database item as defined. The diagram below explains the conditional functioning of a user's security rights.

Figure 3-3: Users Security level

3.3.3 Tag Operations and Privileges


A user or user role can have different rights in S+ Operations, differentiated between individual tag rights and general privileges.

An example of Tag Operations privileges is shown below:

Figure 3-4: Tag Operations privileges

Privileges
The different privileges defined here apply at system level. These privileges control more generic functions and access to utilities. Some examples of privileges are shown below:

Figure 3-5: General privileges

For more information, refer to Security parameters section in S+ Operations User Manual (8VZZ000206T3300).
The following are examples of the different functions:

Tags Security
For a user to access tags on the S+ Operations Server, the security level, the security group and the tag operations play an important role.
To view tags, the following conditions must be satisfied:
Tag Security Level <= User Security Level
AND
Tag Security Group In User Security Groups (set to YES)
For a user to be able to configure a tag, the following additional conditions must be satisfied:
Under Tag Operations: Tag Configure = YES
Under Privileges: Configuration = YES and View Configuration = YES

Trend Group Security

For a user to access trend group related functions, the following configuration must be enabled.
To view:
Trend Group Security Level <= User Security Level
AND
Trend Group's Security Group In User Security Groups (set to YES)
Under Privileges: View Trend Privilege = YES
To configure:
Under Privileges: Trend Configuration Privilege = YES

Menu Items Security


The view of each menu item is controlled by the following conditions:
Menu Item Security Level <= User Security Level
AND
Menu Item's Security Group In User Security Groups (set to YES)

Alarm List Security


Only the viewing of alarm list items can be controlled, with the settings below:
Alarm List's Security Level <= User Security Level
AND
Alarm List's Security Group In User Security Groups (set to YES)

Displays Security
Displays can be viewed by a user if:
Display Security Level <= User Security Level
AND
Display Security Group In User Security Groups (set to YES)
Similar to other database items, a display's security level and security group are defined in Display Builder for every graphics page, under the Display header page, as shown below:

Figure 3-6: Display builder with security level and Security group
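The view and configure rules of sections 3.3.2 and 3.3.3 above (security level comparison, security-group match, and the privilege flags for tags and trend groups) can be checked against sample data with the following Python model. This is an added illustration, not code from the S+ Operations product: the names User, DbItem, can_view and can_configure, the strings used for tag operations and privileges, and all sample users and items are assumptions made for the example; only the rules themselves come from the manual.

```python
"""Model of the S+ Operations access rules for tags, trend groups, menu items,
alarm lists and displays. Added illustration; the class and function names,
the privilege strings and the sample data are assumptions of this example."""
from dataclasses import dataclass, field

MIN_LEVEL, MAX_LEVEL = 1, 16   # security levels are integers 1..16
SECURITY_GROUPS = 32           # S+ Operations provides 32 security groups


@dataclass
class User:
    name: str
    security_level: int
    security_groups: frozenset                                      # groups set to YES
    tag_operations: frozenset = field(default_factory=frozenset)   # e.g. "Tag Configure"
    privileges: frozenset = field(default_factory=frozenset)       # e.g. "Configuration"

    def __post_init__(self):
        if not MIN_LEVEL <= self.security_level <= MAX_LEVEL:
            raise ValueError(f"security level must be in {MIN_LEVEL}..{MAX_LEVEL}")
        if any(not 1 <= g <= SECURITY_GROUPS for g in self.security_groups):
            raise ValueError(f"security groups must be in 1..{SECURITY_GROUPS}")


@dataclass(frozen=True)
class DbItem:
    """A database item; kind is 'tag', 'trend', 'menu', 'alarm_list' or 'display'."""
    name: str
    kind: str
    security_level: int
    security_group: int


def can_view(user: User, item: DbItem) -> bool:
    """Viewing needs item level <= user level AND the item's security group among
    the user's YES groups; trend groups additionally need the View Trend privilege."""
    if item.security_level > user.security_level:
        return False
    if item.security_group not in user.security_groups:
        return False
    if item.kind == "trend" and "View Trend" not in user.privileges:
        return False
    return True


def can_configure(user: User, item: DbItem) -> bool:
    """Configuring is modelled here as view access plus the kind-specific flags:
    tags need Tag Configure under Tag Operations and both Configuration and View
    Configuration under Privileges; trend groups need Trend Configuration."""
    if not can_view(user, item):
        return False
    if item.kind == "tag":
        return ("Tag Configure" in user.tag_operations
                and {"Configuration", "View Configuration"} <= user.privileges)
    if item.kind == "trend":
        return "Trend Configuration" in user.privileges
    return False   # the manual states no configure rule for the other item kinds


# Constructed sample users and items (not taken from the manual).
OPERATOR = User("Operator1", 5, frozenset({1, 3}), privileges=frozenset({"View Trend"}))
ENGINEER = User("Engineer1", 12, frozenset({1, 3, 7}),
                tag_operations=frozenset({"Tag Configure"}),
                privileges=frozenset({"Configuration", "View Configuration",
                                      "View Trend", "Trend Configuration"}))
FLOW_TAG = DbItem("FIC101", "tag", 5, 3)    # same level as the operator, group 3
PUMP_TAG = DbItem("P201", "tag", 8, 3)      # level above the operator's level
UTIL_TAG = DbItem("U900", "tag", 2, 7)      # group 7 is not granted to the operator
TREND = DbItem("BoilerTrend", "trend", 3, 1)


def access_matrix(users=(OPERATOR, ENGINEER), items=(FLOW_TAG, PUMP_TAG, UTIL_TAG, TREND)):
    """Return {(user name, item name): (can view, can configure)} for the sample data."""
    return {(u.name, i.name): (can_view(u, i), can_configure(u, i))
            for u in users for i in items}


if __name__ == "__main__":
    for (u, i), (view, conf) in access_matrix().items():
        print(f"{u:10} {i:12} view={view!s:5} configure={conf}")
```

Running the block prints the decision for every user/item pair; the operator sees FIC101 but not P201 (level too high) or U900 (group not granted), and cannot configure anything because the Tag Configure operation and the Configuration privileges are missing.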


3.4 Specific Historian user groups


The historian often reaches out to office users, and therefore additional configuration and structuring is possible.
Within the S+ Operations historian, administrators can configure 9 individual signal groups (0 - 8). Each group can contain a number of individually configured signals with read access, write access and configuration access.

Figure 3-7: S+ Operation historian user configuration-Example 1

Figure 3-8: S+ Operation historian user configuration-Example 2

The permissions are given individually per signal and not per signal group: in the same group there can be signals that have read access only, some that have read/write access and others that have configuration access (see above).


Each historian signal group is assigned to a matching Windows group name (SPlusIMGroup0 - SPlusIMGroup8). Some groups have predefined functions:
• User group 0 always has access to all signals of the S+ Operations historian server. This group is also called the administrator group. It can always read, write and configure a signal.
• User group 1 is used as a guest group. This group has no signals by default. Typically, users in it have very limited access to signals and only the read operation is possible.
• User group 3 is used for standard operator or office users. By default, signals are assigned to this group for the read operation.
All other groups have no preassigned role and can be freely used for any kind of operation.
A Windows user can only be part of one group; if a user is configured to be in multiple groups, the permissions granted will not be deterministic.
Conceptually, the configuration should follow a user profile represented by a particular history group, and this group must then be associated with a particular user.
Signals are generated by the TagSync Windows service. Signal permissions can be changed and maintained in the Symphony Plus realtime database at any time. For more information, refer also to the extra chapter on configuration with Symphony Plus.

Table 3-1 Historian group id information

Historian Group ID   Windows Group Names            Function
0                    SPlusOAdmins, SPlusIMGroup0    Administrator group, can read, write and configure. All signals are in this group by default for read, write and configure.
1                    SPlusOGuests, SPlusIMGroup1    Guest group, can only read data.
2                    SPlusIMGroup2                  No preassigned function
3                    SPlusOUsers, SPlusIMGroup3     User group, can read data only.
4                    SPlusIMGroup4                  No preassigned function
5                    SPlusIMGroup5                  No preassigned function
6                    SPlusIMGroup6                  No preassigned function
7                    SPlusIMGroup7                  No preassigned function
8                    SPlusIMGroup8                  No preassigned function

3.4.1 Configuring History Rights in S+ Operations


In the historian, each user can be allocated to exactly one group. There are eight different groups in the historian plus the group of system administrators. Only the system administrators are allowed to connect signals to the specific security groups. All rights that are assigned in the historian always refer to user groups, never to an individual user. In the S+ Operations Historian the rights are assigned to the individual signals. There are three different rights per signal:

Table 3-2 S+ Historian signal rights

Read        The right to read the signal and its values.
Write       The right to write and to delete values for the signal.
Configure   The right to write and to delete the descriptions for the signal or to delete the signal itself (including all archived values).

A specific right for a specific signal can be assigned to a user group or removed from it. Such an assignment may only be performed by the historian system administrator (SysAdmin).
For each signal, the rights are stored in the database under the property Real Time Summary (RTS). They are stored as a bit pattern.

Figure 3-9: Real Time Storage (RTS) in bit pattern

Thus, for each signal the rights can be set arbitrarily for each of the groups.
• 1 (high) in the bit pattern means that the right has been assigned to the group.
• 0 (low) in the bit pattern means that the right has not been assigned to the group.
The property "RTS", for example, is displayed as a character string in the Signal Explorer. In this representation, each of the three bytes (read/write/config) is displayed as a two-digit hexadecimal number.
Thus the signal with the property RTS = "0F0705" has the following rights:

Table 3-3 Signal rights for Property RTS

Read        All S+ Historian user groups can read the signal.
Write       The user groups 1, 2 and 3 may archive values for this signal or delete them from the archives.
Configure   Only the user groups 1 and 3 may change the describing information for this signal.

The following figure shows an example of the allocation of the bit pattern to the user groups and rights:

Figure 3-10: Real Time Storage (RTS) in bit pattern
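The RTS property described above can be decoded and re-encoded with the following Python functions. This is an added illustration, not S+ Operations code. The manual states that RTS is shown as three two-digit hexadecimal bytes in the order read/write/config and that a 1 bit means the right is granted; the mapping of bit i (least significant bit first) to historian group i + 1 is an assumption inferred from the Write and Configure rows of Table 3-3 ("07" gives groups 1, 2 and 3; "05" gives groups 1 and 3), and group 0 (the administrator group) is treated as always permitted, as section 3.4 states. The function names and the sample RTS values are likewise assumptions of this example.

```python
"""Decode and encode the historian RTS (Real Time Summary) bit pattern.
Added illustration; the bit-to-group mapping (bit i -> group i + 1) is an
assumption inferred from Table 3-3, and group 0 is modelled as always allowed."""
RIGHTS = ("read", "write", "configure")   # byte order within the RTS string
ADMIN_GROUP = 0                           # administrator group, always permitted
GROUP_IDS = range(0, 9)                   # historian groups 0..8


def decode_rts(rts: str) -> dict:
    """Return {'read': set_of_groups, 'write': ..., 'configure': ...} for an RTS string."""
    rts = rts.strip()
    if len(rts) != 6:
        raise ValueError("RTS must be exactly three hex bytes, for example '0F0705'")
    try:
        raw = bytes.fromhex(rts)
    except ValueError as exc:
        raise ValueError(f"RTS is not valid hexadecimal: {rts!r}") from exc
    rights = {}
    for name, byte in zip(RIGHTS, raw):
        # bit i of the byte stands for historian group i + 1 (assumption, see lead-in)
        rights[name] = {i + 1 for i in range(8) if (byte >> i) & 1}
    return rights


def group_has_right(rts: str, group: int, right: str) -> bool:
    """True if the historian group holds the given right on a signal with this RTS."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}; expected one of {RIGHTS}")
    if group not in GROUP_IDS:
        raise ValueError(f"historian group must be in 0..8, got {group}")
    if group == ADMIN_GROUP:
        return True                        # group 0 can always read, write and configure
    return group in decode_rts(rts)[right]


def encode_rts(rights: dict) -> str:
    """Inverse of decode_rts: build the six-character RTS string from group sets."""
    out = []
    for name in RIGHTS:
        byte = 0
        for group in rights.get(name, ()):
            if group == ADMIN_GROUP:
                continue                   # group 0 is implicit and has no bit
            if not 1 <= group <= 8:
                raise ValueError(f"group {group} cannot be encoded in one byte")
            byte |= 1 << (group - 1)
        out.append(f"{byte:02X}")
    return "".join(out)


def grant(rts: str, group: int, right: str) -> str:
    """Return a new RTS string with the right added for the group (group 0 unchanged)."""
    rights = decode_rts(rts)
    if group != ADMIN_GROUP:
        rights[right] = set(rights[right]) | {group}
    return encode_rts(rights)


if __name__ == "__main__":
    sample = "0F0705"                      # the example value used in the manual
    for right, groups in decode_rts(sample).items():
        print(f"{right:9} -> groups {sorted(groups)}")
    print("group 2 may configure:", group_has_right(sample, 2, "configure"))
    print("after granting group 2 configure:", grant(sample, 2, "configure"))
```

With the manual's example "0F0705" the decoder reports write for groups 1, 2 and 3 and configure for groups 1 and 3, matching Table 3-3; the read byte 0F decodes to groups 1 to 4 under the assumed mapping.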

3.5 Setting Groups, Users, and Service Security


In order to set up user groups as well as users, S+ Operations provides scripts that need to be executed as part of the post-installation. Detailed instructions on where to find the scripts and when to execute them are given in the installation chapters.
On systems with Windows Active Directory (domain model) these user groups and users must be created on the domain controller. On workgroup computers they must be created on each system. Refer to the Microsoft documentation for the domain model and workgroup model configuration philosophy.
Refer to the table below to verify the post-installation steps.

Table 3-4 Post installation verification

Service: S+ Operations HSI
  Service user: New user must be created, or create an account called HSIServiceUser
  Description: Realtime Server. The user does not exist and must be created; the name is not fixed.
  Windows groups: SPlusOAdmins, SPlusIMEventReader, SPlusScanner, Administrators

Service: S+ Operations LifeCheck
  Service user: SPlusOServiceUser
  Description: Supervisory service between realtime and long term historian
  Windows groups: SPlusOUsers, SPlusScanner

Service: S+ Operations TagSync
  Service user: SPlusOServiceUser
  Description: Synchronization service between realtime and historian database
  Windows groups: SPlusOUsers, SPlusScanner

Service: S+ Operations History Server
  Service user: SPlusOServiceUser
  Description: History server
  Windows groups: SPlusOUsers

Service: S+ Operations Scan Manager
  Service user: SPlusOServiceUser
  Description: Scan manager
  Windows groups: SPlusOAdmins, SPlusOUsers, SPlusScanner

Service: S+ Operations Report Scheduler
  Service user: SPlusIMReportUser
  Description: Schedules reports
  Windows groups: SPlusIMEventReader, SPlusOAdmins, SPlusOUsers

Service: S+ Operations DBLimiter
  Service user: SPlusIMServiceUser
  Description: Deletes outdated events from the database
  Windows groups: SPlusOUsers

Service: S+ Operations EventImport
  Service user: SPlusIMServiceUser
  Description: Writes the events into the SQL database
  Windows groups: SPlusOUsers, SPlusOAdmins

Service: S+ Operations Compressor
  Service user: SPlusOServiceUser
  Description: Compresses data and stores it again in the history server
  Windows groups: SPlusIMEventAdmin, SPlusOAdmins, SPlusOUsers

Service: S+ Operations RedProxy
  Service user: SPlusOServiceUser
  Description: Redundancy bridge for client applications
  Windows groups: SPlusIMEventAdmin, SPlusOAdmins, SPlusOUsers

Service: SQL Server
  Service user: SQLServerUser
  Description: Event storage of S+ Operations Historian
  Windows groups: SPlusEventDBAdmin

Service: SQL Server Agent
  Service user: SQLServerAgentUser
  Description: Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.
  Windows groups: Only in Windows User group
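The post-installation verification that Table 3-4 asks for can be automated by comparing an export of the node's group memberships with the table. The following Python check is an added illustration, not an S+ Operations script: the service, account and group rows are transcribed from Table 3-4, the HSI service is modelled with the account name HSIServiceUser that the table offers as one option, and the SQL Server Agent row is left out because the table names no specific group for it. OBSERVED_SNAPSHOT is constructed for the example and stands in for the real membership export; the function names are assumptions of this example.

```python
"""Check observed service account group memberships against Table 3-4.
Added illustration; rows are transcribed from the table, the HSI account name
HSIServiceUser is one of the table's options, OBSERVED_SNAPSHOT is constructed."""

SERVICE_ACCOUNTS = {
    # service: (service user, Windows groups) as listed in Table 3-4
    "S+ Operations HSI": ("HSIServiceUser",
                          {"SPlusOAdmins", "SPlusIMEventReader", "SPlusScanner", "Administrators"}),
    "S+ Operations LifeCheck": ("SPlusOServiceUser", {"SPlusOUsers", "SPlusScanner"}),
    "S+ Operations TagSync": ("SPlusOServiceUser", {"SPlusOUsers", "SPlusScanner"}),
    "S+ Operations History Server": ("SPlusOServiceUser", {"SPlusOUsers"}),
    "S+ Operations Scan Manager": ("SPlusOServiceUser",
                                   {"SPlusOAdmins", "SPlusOUsers", "SPlusScanner"}),
    "S+ Operations Report Scheduler": ("SPlusIMReportUser",
                                       {"SPlusIMEventReader", "SPlusOAdmins", "SPlusOUsers"}),
    "S+ Operations DBLimiter": ("SPlusIMServiceUser", {"SPlusOUsers"}),
    "S+ Operations EventImport": ("SPlusIMServiceUser", {"SPlusOUsers", "SPlusOAdmins"}),
    "S+ Operations Compressor": ("SPlusOServiceUser",
                                 {"SPlusIMEventAdmin", "SPlusOAdmins", "SPlusOUsers"}),
    "S+ Operations RedProxy": ("SPlusOServiceUser",
                               {"SPlusIMEventAdmin", "SPlusOAdmins", "SPlusOUsers"}),
    "SQL Server": ("SQLServerUser", {"SPlusEventDBAdmin"}),
    # SQL Server Agent (SQLServerAgentUser) is omitted: the table only says
    # "Only in Windows User group" and names no S+ group for it.
}


def expected_groups_per_account(services=SERVICE_ACCOUNTS):
    """Union of the groups required by every service an account runs."""
    expected = {}
    for account, groups in services.values():
        expected.setdefault(account, set()).update(groups)
    return expected


def verify_memberships(observed, services=SERVICE_ACCOUNTS):
    """Compare observed {account: groups} with the expected union per account.

    Returns {account: {"missing": set, "excess": set}} for accounts that deviate.
    Excess memberships (for example a service account placed in Administrators
    although the table does not list it) are least-privilege findings; missing
    memberships explain services that cannot start or reach the historian."""
    findings = {}
    for account, required in expected_groups_per_account(services).items():
        have = set(observed.get(account, ()))
        missing, excess = required - have, have - required
        if missing or excess:
            findings[account] = {"missing": missing, "excess": excess}
    return findings


# Constructed snapshot (not real data): one over-privileged and one incomplete account.
OBSERVED_SNAPSHOT = {
    "HSIServiceUser": {"SPlusOAdmins", "SPlusIMEventReader", "SPlusScanner", "Administrators"},
    "SPlusOServiceUser": {"SPlusOUsers", "SPlusScanner", "SPlusOAdmins",
                          "SPlusIMEventAdmin", "Administrators"},
    "SPlusIMReportUser": {"SPlusIMEventReader", "SPlusOAdmins", "SPlusOUsers"},
    "SPlusIMServiceUser": {"SPlusOUsers"},
    "SQLServerUser": {"SPlusEventDBAdmin"},
}


if __name__ == "__main__":
    findings = verify_memberships(OBSERVED_SNAPSHOT)
    if not findings:
        print("all service accounts match Table 3-4")
    for account, f in findings.items():
        print(f"{account}: missing={sorted(f['missing'])} excess={sorted(f['excess'])}")
```

On a real node the snapshot would be filled from the local or domain group membership of each service account; the check then reports the same two kinds of deviation, and an empty result means the memberships match the table exactly.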

For the user-specific permissions on the file system, see the reference table below:

Table 3-5 User Specific permissions reference table

User / Group: SPlusOUsers
  RX      %SYSTEMPATH%  (Example: C:\Program Files (x86)\ABB Symphony Plus\Operations)
  RX      %PUBLIC%\Historian  (Example: %PUBLIC% is C:\Users\Public)
  F       %SYSTEMPATH%\History\PlantConnect.SYS\Temp
  F       %SYSTEMPATH%\History\<NavigatorPath>
  F       %SYSTEMPATH%\History\History\PlantConnect.SYS\Debug
  RW      %SYSTEMPATH%\History\PlantConnect.SYS\Texte
  RW      %SYSTEMPATH%\History\PlantConnect.BIN\Updates
  F       %SYSTEMPATH%\History\PlantConnect.SYS\WebServer
  RW      %programdata%\ABB Symphony Plus\Operations  (Example: %programdata% is C:\ProgramData)

User / Group: SPlusOAdmins
  F       %SYSTEMPATH%  (Example: C:\Program Files (x86)\ABB Symphony Plus\Operations)
  F       %PUBLIC%\Historian

User / Group: SPlusIMReportUser
  F       %SYSTEMPATH%\PlantConnect.SYS\ReportScheduler
  DRMW    %SYSTEMPATH%\PlantConnect.BIN\ReportScheduler
  DRMW    %SYSTEMPATH%\History\PlantConnect.SYS\Debug
  DRMW    %SYSTEMPATH%\History\PlantConnect.BIN\Addins

User / Group: SPlusIMServiceUser
  RW      %SYSTEMPATH%\PlantConnect.BIN\PlaCoCompress
  DRW     %SYSTEMPATH%\History\PlantConnect.SYS\Events
  DRMW    %SYSTEMPATH%\History\PlantConnect.SYS\Debug
  DRMW    %programdata%\ABB Symphony Plus\Operations
  DRMW    %SYSTEMPATH%\History\PlantConnect.BIN\ReportScheduler

User / Group: SPlusOServiceUser
  W       %SYSTEMPATH%\History\PlantConnect.BIN\Server
  DRW     %SYSTEMPATH%\History\PlantConnect.SYS\Events
  DRMW    %SYSTEMPATH%\History\PlantConnect.SYS\Debug
  DRXW    %SYSTEMPATH%\History\PlantConnect.BIN\PwTagSync
  RX      %SYSTEMPATH%\History\PlantConnect.BIN\PCCounter
  DRXMW   %SYSTEMPATH%\History\PlantConnect.BIN
  DRW     %SYSTEMPATH%\History\PlantConnect.SYS\PCCounter
  DRMW    %programdata%\ABB Symphony Plus\Operations
  F       <RohPath>
          <MMMPath>

User / Group: SPlusIMEventAdmin
  DRW     %SYSTEMPATH%\History\PlantConnect.SYS\Events

User / Group: SQLServerUser
  F       <DefaultDBPath>

User / Group: SPlusIMScanner
  RW      %SYSTEMPATH%\PlantConnect.SYS\SysKonfi\Scanner
  RW      %SYSTEMPATH%\PlantConnect.BIN\Scanner

3.5.1 Service security configuration for operation engineering


The Composer Operations service should be configured under the currently logged-on user.
For example, if the Windows user Engineer is the currently logged-on user, then operation engineering must be configured to run under the Windows user Engineer. Similarly, the next logged-on Windows user should update the security configuration.

3.6 Setting the Security Policy


The user rights in the Windows security policies must additionally be configured so that users have the right permissions to perform the various activities in the system.
For systems in a workgroup environment, configure the user rights assignment security policies on each node in the following location, as given in the table Users and groups configuration (Table 3-6), using gpedit.msc:


1. Go to Control Panel > Administrative Tools > Local Security Policy.

Figure 3-11: Local Security Policy

2. Navigate to Security Settings > Local Policies > User Rights Assignment.

Figure 3-12: User Rights Assignments

For systems in a domain environment, configure the user rights assignment security policies on the domain controller node in the following location, as given in the table Users and groups configuration (Table 3-6):
1. Go to Control Panel > Administrative Tools > Group Policy Management.


2. Select the domain policy of the systems.

Figure 3-13: Group policy management

3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
4. Click User Rights Assignment.
Add users/groups to the policies as given in the following table.

Table 3-6 Users and groups configuration

Policy                                      Security Setting
Access this computer from the network       SPlusOAdmins, SplusOUsers
Log on as a batch job                       SPlusIMServiceUser
Log on as a service                         SPlusIMReportUser, SPlusIMServiceUser, SQLServerAgentUser, SQLServerUser
Impersonate a client after authentication   SQLServerUser, SPlusIMServiceUser


3.7 Setting the Security Policies for the Local Users


1. Go to Local Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, then disable User Account Control: Run all administrators in Admin Approval Mode.

Figure 3-14: Local Group Policy Editor

2. A user with limited privileges (that is, without the Administrators or SPlusOAdmins groups) cannot start S+ Operations using the Start Operations icon.
NOTE: The only way to start the system is to reboot the machine.
3. The Windows Administrator account must be disabled.


4. Go to Local Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, then add the users of the HSI services to Deny log on locally and Deny log on through Remote Desktop Services as shown in the following figure:

Figure 3-15: Deny logon locally and Deny log on through Remote Desktop Services

3.8 On all S+ Operations Nodes


To configure/add a workstation into the domain, perform the following:
1. Follow these steps to configure a domain environment based workstation:
2. For every workstation, log in as Local Administrator.
3. Open Control Panel > Network and Sharing Center.
4. Click Change adapter settings and select the required network.
5. Select IPv4 Properties and set the DNS address to the IP address of the domain server(s).


6. Join the domain as shown in the following Figure 3-16 and then reboot the system.

Figure 3-16: System Properties

On all nodes perform the following actions:

1. Execute the batch file from the S+ Operations installation DVD located at:
H:\ABB Symphony Plus\System Hardening\Users\First step\domain\All other SPO nodes
This file restricts folder permissions to the required level; run this script on all nodes.

3.8.1 On S+ Operations Server


Ensure that the settings mentioned in the tables of the previous sections are properly applied.

Follow these steps to set up a user group on an S+ Operations Server:

1. Create S+ DB users, local and domain; for local users, do not assign names already used in the domain.
2. In the S+ user DB, create a new S+ user group.
3. Join it to the domain user group by entering the domain user group name in the field "Windows user group".
4. Set the S+ user permissions in the configuration based on the project requirements.
5. Set the field Active User to N.
6. The Password field is ignored (if used, it must be defined at domain level).
7. Retain the user groups; if there are no S+ Operations users, security is managed at domain level.


The following figure displays the list of users in Operations Engineering > Database Settings > Users (Figure 3-17).

Figure 3-17: Database Settings- Users

3.8.2 Access to the local server homepage


The access rights are configured in Microsoft SQL Server. Here the user groups created in the previous sections are used to assign the proper access rights in Microsoft SQL Server.
Follow these steps to configure access rights for a new user group:
1. Start Microsoft SQL Server Management Studio.
2. Log in to the SQL Server with an administrator account.
3. In the Microsoft SQL Server Management Studio navigation pane, select Security > Logins.
4. Right-click Logins; a context menu is displayed.
5. Select New Login as shown in the following figure.

Figure 3-18: Microsoft SQLServer - New login


6. A Login - New window opens; in the General page, select Windows authentication and click Search as shown in the following figure.

Figure 3-19: Login - New Window

7. A Select User or Group dialog box is displayed; click Object Types as shown in the following figure.

Figure 3-20: Select User or Group

8. In Object Types dialog box, select Groups and then click OK as shown in the following figure.

Figure 3-21: Object Types dialog box

9. Enter SPlusIMEventReader and validate the input by selecting the Check Names option as shown in Figure 3-22.
10. Click OK.

Figure 3-22: Select User or Group


11. In the Login - New window, click the Server Roles page and select public as shown in Figure 3-23.

Figure 3-23: Login - New (Server Roles)

A new login is created for validating members of the AD (Active Directory) group SPlusIMEventReader in the SQL Server, as shown in the following figure.

Figure 3-24: SQL Server - Authentication

Assign Database Role Membership


Map a specific role to this group, which is used to access the database PlaCoEvents.
Follow these steps to assign database role membership to a new user group:
1. In the Microsoft SQL Server Management Studio navigation pane, select Databases > PlaCoEvents > Security > Users.


2. Right-click Users; a context menu is displayed. Select New User as shown in the following figure (Figure 3-25).

Figure 3-25: SQL Server - New User

3. A Database User - New window opens; in the General page, type the user name in the Username field (for example SPlusIMEventReader) as shown in the following figure (Figure 3-26).

Figure 3-26: Database User - New

4. Select the Login name and click the Browse button.


5. In the Select Login window, click Object Types to browse for related objects as shown in the following figure (Figure 3-27).

Figure 3-27: Select Login

6. In the Browse for Objects window, select the AD (Active Directory) group (for example SPlusIMEventReader) as shown in the following figure (Figure 3-28).

Figure 3-28: Browse for Objects

7. Click OK.


8. In the Database User - New window, in the Database role membership scroll box, select db_datareader to assign the role to the user as shown in the following figure (Figure 3-29).

Figure 3-29: Database Role Membership

This configuration allows users from the group SPlusIMEventReader to connect to the SQL server and to read records from the database PlaCoEvents.

Assign SQL Admin rights for Domain Admins


Follow these steps to assign SQL Admin rights for Domain Admins:
1. In the Microsoft SQL Server Management Studio navigation pane, select Security > Logins.
2. Right-click Logins; a context menu is displayed. Select New Login as shown in the following figure (Figure 3-30).

Figure 3-30: SQL Server Security New Logins

3. A Login - New window opens; in the General page, click Search.


4. A Select User or Group window opens; click Object Types as shown in the following figure (Figure 3-31).

Figure 3-31: Select User or Group

5. In the Object Types window, select Groups and then click OK as shown in the following figure (Figure 3-32).

Figure 3-32: Object Types

6. In the Object Name field, type Domain Admins and then click Check Names.
7. After validation of the Object Name, click OK.

Figure 3-33: Select User or Group - Security


8. In the Login - New window, select the Server Roles page and select sysadmin as shown in the following figure (Figure 3-34).

Figure 3-34: Login - New Sever Roles

9. Click OK to apply the settings.

3.8.3 On S+ Operations Application Servers


Configure access rights for the IIS_IUSRS group to create files under the S+ folders. This is required for Thin Client or
Web Client to create reports.


For the folder C:\Program Files (x86)\ABB Symphony Plus, set the permission to Full control for the IIS_IUSRS group as
shown in the following figure (Figure 3-35).

Figure 3-35: Permissions for ABB Symphony Plus

3.9 Configuring Users in Workgroup Environment


In a Workgroup based environment, Windows groups and Windows users need to be created locally on each node.
Ensure that all users are defined with the same password on every node. The rest of the steps are the same as for the
Domain environment, with the following exception:
Assignment of the predefined Administrators group to the SQL server: here BUILTIN\Administrators needs to be added.
Follow these steps to assign SQL Admin rights for the built-in Administrators group:
1. In the Microsoft SQL Server Management Studio navigation pane, select Security > Logins.


2. Right-click Logins and, in the context menu, select New Login as shown in the following figure
(Figure 3-36).

Figure 3-36: SQL Server Security Logins - New User

3. A Login – New window opens. On the General page, click Search.


4. A Select User or Group window opens. Click Object Types as shown in the following figure (Figure 3-37).

Figure 3-37: Select User Group - Security Login


5. In the Object Types window, select Groups and then click OK as shown in the following figure (Figure 3-38).

Figure 3-38: Object Types

6. In the Object Name field, type Administrators and then click Check Names.
7. After validation of the Object Name, click OK.

Figure 3-39: Select User or Group - Administrator


8. In the Login - New window, select the Server Roles page and select sysadmin as shown in the following figure
(Figure 3-40).

Figure 3-40: Login - New (Server Roles)

9. Click OK to apply the settings.


4. Working with User Management


After installing S+ Engineering Server, users have to configure Active Directory or Workgroup (refer to the sections Active
Directory Settings for Workbench or Workgroup Settings for Workbench) to configure the Workbench.

To manage users, log in as an Active Directory administrator or a local administrator.

To open User Management from the S+ Engineering follow the steps:


1. Click Administration > User Management as shown in the following figure.

Figure 4-1: Opening User Management

2. To open User Management, provide the Domain or local administrator password in the Windows Security prompt
window.

Figure 4-2: Windows Security prompt window


The User Management tool opens as shown in the following figure.

Figure 4-3: User Management tool

The User Management application consists of the following views:


• User List: This is the left pane of the User Management application. It consists of the list of users.
In case of Active Directory, the Domain users are displayed; in case of Workgroup, the local users of
the S+ node on which the User Management application is running are displayed.
User details are displayed when a user is selected.
The check box next to each user entry is used for bulk operations such as deletion, role assignment,
etc.
User Management is not accessible when the logged-in user has mapped any network drive.
Before performing any User Management action on a machine, make sure no connection is
mapped to a network drive.
• The right pane of the User Management application consists of the following tabs:
– Users: The Users tab displays information about the selected user.
– Roles: The Roles tab is used for assigning one or more users to a particular S+ role.
– Projects: This tab lists the projects available and the projects assigned to the selected user.
– Operations: This tab lists the Operations users that can be synchronized with the Postgres DB.
– Action Role Mapping: This tab lists the assigned RBAC configurations against the user roles for all the
modules.

NOTE: Each tab is explained in a subsection.

4.1 Ribbon Bar Options


The ribbon bar is the main menu bar of the S+ Engineering application screen. It consists of the System, Home, View, Edit,
Style and Permissions tabs.
The Permissions tab provides the user management controls.
Note: When the User Management module is started, the Permissions tab is automatically selected.


The following table (Table 4-1) lists the buttons of the Permissions tab and their functions.

Table 4-1: Permissions

Button            Description
Add New User      Click Add New User to add a new user.
Edit User         Click Edit User to modify the details of an existing user.
Delete User       Click Delete User to delete the selected user(s).
Export Users      Click Export Users to export the details of the selected users to an Excel sheet.
Import Users      Click Import Users to import the user/role details from the Excel sheet.
Sync Users        Click Sync Users to synchronize users in the Workgroup.
Assign Projects   Click Assign Projects to assign or unassign a project to the user.
Configure Roles   Click Configure Roles to create customized roles against the standard roles.
Assign Roles      Click Assign Roles to assign or unassign roles to the users.
Apply             Click Apply to apply the changes to the user details, role or project assignments.
Cancel            Click Cancel to cancel any changes made.

4.2 Symphony Plus User Roles


The S+ roles are grouped into the following categories:
• System Roles
• Engineering Roles
• Operations Roles
• Historian Roles
• GIS Roles


The following figure shows the System Roles:

Figure 4-4: System Roles

The following figure shows the Engineering Roles for S+ Engineering:

Figure 4-5: Engineering Roles


The following figure shows the Operations Roles:

Figure 4-6: Operations Roles

The following figures show the Historian Roles:

Figure 4-7: Historian Roles

Figure 4-8: Historian Roles - Continued


The following figure shows the GIS Roles:

Figure 4-9: GIS Roles


4.3 Add User


Following are the steps to add a new user:
1. Click Add User in the ribbon bar as shown in the following figure.

Figure 4-10: Adding New User

The Add User tab in the application gets activated.


2. Enter the following details to create the new user:
– User ID: The user name of the new user.
– Password: The password for the new user.
– Confirm Password: Re-enter the password.
– First Name: The first name of the new user.
– Last Name: The last name of the new user.
– Description: The job of the user, for example, Test user, Admin user, etc.

NOTE: Only the following characters are supported in User Management for user creation:

• Numeric
• Alphanumeric
• (_, -, @, #)

NOTE: The password must meet the following complexity requirements:

• Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
– English uppercase characters (A through Z)
– English lowercase characters (a through z)
– Base 10 digits (0 through 9)
– Non-alphabetic characters (for example, !, $, #, %)

When the password does not meet the complexity requirements, an error message appears.
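The two notes above, checked in code as an added PowerShell example (not code from the ABB manual): it pre-validates a proposed User ID and password against the stated character set and complexity rules so that a rejected entry can be explained before Apply is clicked. The function names Test-SPlusUserId and Test-SPlusPassword are chosen here, and "parts of the full name" is assumed to mean the full name split on separators with every token longer than two characters tested case-insensitively, which is how Windows applies the same rule.

```powershell
# Added example, not from the ABB manual: pre-checks a proposed User ID and password against
# the rules stated in the two notes above, so a rejected entry can be explained before Apply.
# Assumption: "parts of the full name" is read the way Windows applies it, i.e. the full name is
# split on separators and every token longer than two characters is tested case-insensitively.
function Test-SPlusUserId {
    param([Parameter(Mandatory)][string]$UserId)
    # Letters, digits and the characters _ - @ # are the only supported characters.
    return ($UserId -match '^[A-Za-z0-9_\-@#]+$')
}

function Test-SPlusPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserId,
        [string]$FirstName = '',
        [string]$LastName  = ''
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $lower    = $Password.ToLowerInvariant()

    # Be at least six characters in length.
    if ($Password.Length -lt 6) { $problems.Add('is shorter than six characters') }

    # Not contain the user's account name ...
    if ($lower.Contains($UserId.ToLowerInvariant())) {
        $problems.Add("contains the account name '$UserId'")
    }
    # ... or any part of the full name longer than two consecutive characters.
    $tokens = "$FirstName $LastName" -split '[\s,.\-_#]+' | Where-Object { $_.Length -gt 2 }
    foreach ($token in $tokens) {
        if ($lower.Contains($token.ToLowerInvariant())) {
            $problems.Add("contains part of the full name ('$token')")
        }
    }

    # Contain characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # non-alphabetic, e.g. ! $ # %
    if ($categories -lt 3) {
        $problems.Add("uses only $categories of the four character categories (three required)")
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample input: the same account with a rejected and an accepted password.
$user = @{ UserId = 'jbrown'; FirstName = 'Jane'; LastName = 'Brown' }
if (-not (Test-SPlusUserId $user.UserId)) { throw "User ID '$($user.UserId)' contains unsupported characters" }
$weak = Test-SPlusPassword -Password 'Brown1!'    @user
$ok   = Test-SPlusPassword -Password 'Tr4ce#Lab9' @user
"Weak password rejected: $(-not $weak.IsValid) ($($weak.Problems -join '; '))"
"Strong password accepted: $($ok.IsValid)"
```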


3. Select the following check boxes as required to set the account options of the user:


– User must change password at next logon
– User cannot change password
– Password never expires
– Account is disabled
Once the details of the user are entered, roles can be assigned to the user.
NOTE:
• For a new user created during bulk import, "Change password on next logon" is enabled for security reasons; the user
has to change the password on each node.
• For existing users, the password field is not considered during bulk import. If the password is to be updated, this
has to be done on all nodes.
4. Click Apply.
A User Management message box opens with the message “User added successfully”.
In case of Active Directory, the user is added to the Active Directory domain.
Each client accesses Active Directory for authentication.

In case of Workgroup, the user is added to each computer of the Workgroup.

The user is also added to the Postgres database.

5. Click OK.
The user is created and the roles are defined.
The user name, the project name and the selected role are displayed on the status bar.
When users switch between modules or features, the defined role is automatically changed and displayed on
the status bar.
For installations, the engineering user also requires local admin rights. For this, the user needs to be added to the local
Administrators group on the Workbench client machine.

If a user with administrative privileges is unable to create a user in User Management, ensure that the
Registry settings have been applied.

For S+ Engineering and 800xA nodes, the NetBIOS configuration settings must be set to the default value for the Plant
Network adapter to perform User Management actions successfully.

4.4 Edit User


Follow these steps to edit an existing user:
1. Select the user from the User List.
2. Click Edit User.


The User ID, First Name, Last Name and Description fields are now editable, as shown in the following figure.

Figure 4-11: Edit User

3. Rename the user and click Apply.


Users cannot be renamed in the following cases:
1. When the user is the currently logged-in user.
2. When the user is any of the following:
– GUEST
– DEFAULTACCOUNT

4.5 Delete User


Follow the steps to delete a user:
Select the user that you want to delete from the list of users. Multiple users can be selected and deleted together after
confirmation.


1. Click Delete User in the ribbon bar as shown in the following figure.

Figure 4-12: Deleting User

A User Management message box opens with the message “Do you want to delete selected user(s)?”.
2. Click Yes.
The user is deleted and a “User deleted successfully” message is displayed in the Messages Pane.
Follow these steps to delete multiple users at a time:
1. Select the users from the Users List as shown in the following figure.

Figure 4-13: Delete Multiple Users


2. Click Yes.
The users are deleted and a “User deleted successfully” message is displayed in the Messages Pane.
Before deleting, ensure that the selected user(s) are inactive on all the client machines of the same
workgroup.

When a user is deleted, in case of Active Directory, the user is deleted from the Active Directory domain.

When a user is deleted, in case of Workgroup, the user is deleted from each machine of the Workgroup.

When a user is deleted, the user is also deleted from the database.

4.6 Export Users


Users can export the users with their roles and associated project details.
Following are the steps to export user details to Excel:
1. Select the users to be exported.
2. Click Export in the ribbon bar to export the user details into an Excel sheet.
The Save As dialog box opens as shown in the following figure:

Figure 4-14: Export Users

3. Select the location and save the Excel sheet.


Users can open the Excel sheet and edit the existing user details, for example roles, project mapping, first name,
last name and description, as shown in the following figure.


Figure 4-15: Exported User Details

Figure 4-16: Export User Project Assignment Details

4.7 Import Users


Import users functionality is used to perform the following functions:
1. Update user information & user role assignment


2. Update user project assignment


3. Add new users.
Users can import the users with their roles and associated project details from the Excel sheet as shown in the following
figures.

Figure 4-17: Import User Details

Figure 4-18: Import User Project Details

Following are the steps to import the user details from an Excel sheet:
1. Click Import to import the users with their roles and associated project details.


The Open dialog box opens as shown in the following figure.

Figure 4-19: Import Users

2. Select a user role Excel sheet.


3. Click Open to open the user details.
This imports the user details from the Excel sheet.

The user must have the SPSystemAdmin role to import and export users.

NOTES:
1. User name and password must meet the Windows password complexity requirements.
2. Passwords imported through the Excel sheet are not set, so after importing the users list, each user needs to log on and
set a new password. Then, in User Management, edit the particular user, uncheck “User must change password
at next logon” and check the “Password never expires” option.


4.8 Sync Users


This is used for synchronizing all users connected to the server from the different client machines of the same Workgroup.
This option is used to sync newly added client machine(s) to the selected workgroup.

Figure 4-20: Synchronize user nodes

The steps to synchronize users in the same workgroup are:


1. Select the node (or workgroup) from the Workgroup Nodes list.
Note: Users connected to the selected node are listed in the Workgroup node users list.
2. Select the user(s) from the Master list as shown in Figure 4-20.
Note: Users can select all or any number of users listed in the Master list.
3. Click the “>>” button to add the users from the Master List to the Workgroup node users list.
4. Enter the workgroup Password.
5. Re-enter the password in Confirm Password.
6. Click OK to synchronize the users.
Or
7. Click Cancel.
NOTE: After synchronization of users, when logging in to the client machine it is recommended to use the same
credentials (password) used during user creation across the same workgroup.

4.9 Project Mapping


Once the user is created, more than one project can be assigned to the user.
A user will be only able to edit a project if the project is assigned to the user in the project mapping
view. Otherwise the project is visible but the user cannot edit it.


The project is created using the Project Admin tool. Refer to Section 3.1 Creating a Project in the S+ Engineering 2.3 Project
Administration user manual (8VZZ000130T). Once the project is created, it is listed in the Available Projects list box of
the Project Mapping tab in the UM application as shown in the following figure.

Figure 4-21: Available Project List

Note: To assign a project, the user must have the SPEngineerAdmin role.


Project Mapping can also be done in the Project Admin tool of the S+ Engineering application. Refer to the
S+ Engineering 2.3 Project Administration user manual (8VZZ000130T).

4.9.1 Assign a Project to the User


Follow the steps to assign a project to the user:
1. Click the Projects tab in the User Management tool.
The Project Mapping tab opens as shown in Figure 4-22.
2. Select the user from the list of users.
3. Click the Assign Projects button in the Permissions tab.
4. Select the project from the Available Projects list as shown in the following figure.
5. Click the “>>” button.


The selected project is moved to the Assigned Project field as shown in the following figure.

Figure 4-22: Project Assigned to the User

Note: Users can also drag and drop the project from the Available project list to the assigned project to assign a
project to a user.
6. Click Apply.
A User Management message box opens with the message “Project mapping done successfully” as shown in
the following figure.

Figure 4-23: Project Mapping Successful


The project is assigned to the selected user.


Once the project is assigned to the user, it is still listed in the Available Projects list. One project can be
assigned to multiple users.

4.9.2 Unassign a Project


Users can unassign a project that is assigned to a user. To unassign the project from a user:
1. Select the user from the list of users.
2. Click the Assign Projects button in the Permissions tab.
3. Select the project from the list of projects in the Assigned Project list as shown in Figure 4-22.
4. Click the “<<” button.
The project is removed from the Assigned Project list.
Note: Users can also drag and drop the project from the Available project list to the assigned project to assign a
project to a user.
5. Click Apply.
If all the projects that are assigned to a specific user are unassigned, a User Management message box
opens with the message “There are no project(s) assigned to selected user. Do you want to apply changes?” as
shown in the following figure.

Figure 4-24: Unassigning Project

6. Click Yes.
All the projects that were assigned to the user are removed from the Assigned Project list.

4.10 Configure Roles


This feature helps the user to create custom user roles against standard roles. Refer to Customized Roles for creating
custom user roles.

4.11 Assign Roles


Following are the steps to assign or unassign roles to an existing user:

NOTE: Operation roles and engineering roles will appear only after the project is open.

Select the user from the list of users to which roles need to be assigned.


1. Click Assign Roles in the ribbon bar as shown in the following figure.

Figure 4-25: Assign User Roles

The selected user gets activated and more roles can be added to the user.
2. Select the roles from the S+ Roles list.
3. Click the “>>” button.
The selected roles move to the Assigned Roles list box.
Note: Users can also drag and drop the roles to assign them to the user.

A tool tip with its description appears when hovering the mouse over any user role.

While assigning Operations roles to a user, only one role apart from the SPlusOUsers role can be
assigned. The role can be any one of the following:
– SPlusOAdmins
– SPlusOGuests
– SPlusOOperators
– SPlusOEngineers
– SPlusOSupervisors
Users can also assign the Historian and web portal roles.
4. Click Apply.
The additional roles added are updated.

In case of an Active Directory user, editing the roles updates the Active Directory domain.

In case of a Workgroup user, editing the roles updates each machine of the Workgroup.

NOTE: Refer to the User Roles in Symphony Plus section for more information on role based access.


4.12 Operations
Once the user is created, two operation roles can be assigned to a user.

Once the user is created and a project is assigned, click Application Engineering > Operations Engineering and import the
users and user roles.
Once the users and user roles are imported, the template user can be seen in the Operations tab of the User Management
interface.

Figure 4-26: Operations Tab

The Operations tab contains the following options as shown in Figure 4-26:
User Name: The name of the user created.
Description: The job description of the user entered while creating the user.
S+ Role: The Operations role assigned to the user.
Template: A pre-defined set of privileges assigned to the Operations user, as imported in
Operations Engineering.
User Role: The user roles as imported in HMI Configuration.
To configure the Operations tab, follow the steps:
1. Select Application Engineering > Operations Engineering.
2. Click the Database Settings tab in the Operations Engineering window.
3. Expand the Database tree and click Users.


The user settings screen opens as shown in the following figure.

Figure 4-27: User Settings

4. In the Files to Import option, click on the “...” (browse) button to select the file.
5. Click Import.
The user details (Index, Name and Description) are imported as shown in the following figure.

Figure 4-28: User Data

6. Click User Roles.


The user roles settings screen opens as shown in the following figure.


Figure 4-29: User Roles Settings

7. In the Files to Import option, click on the “...” browse button to select the file.
8. Click Import.
The user details (Index, Name and Description) are imported as shown in the following figure.

Figure 4-30: User Roles Data

Once the Users and User Roles settings are done, open the Operations tab in the User Management tool.
The users and roles data is mapped to the Operations database.


9. Click the button on the right side of the Template option as shown in the following figure.

Figure 4-31: Operations Tab with User Information

To create a new user template, select “Create a new template” from the drop-down menu:
10. Click the Create New Template button on the right side of the Template option as shown in the following figure.

Figure 4-32: Operations tab-Create new template

The Template user interface window opens as shown in the following figure.


11. Provide the Windows user group name.

Figure 4-33: Windows user group name


12. Assign new operations user roles to the user.

Figure 4-34: Assign new operations user roles

Validate the user and its assigned roles in the Operations tab as shown below:

Figure 4-35: Newly added operations user and user roles template confirmation


The users are updated in the user database in Operations Engineering.

Figure 4-36: Users in user database

4.13 Action Role Mapping


The Action Role Mapping tab displays the role mapping against actions.
The first tab in the spreadsheet, “Role Description”, explains the legend used across the sheet.

Figure 4-37: Action Role Mapping - Role Description


The rest of the tabs in the spreadsheet list all the S+ Engineering components and the details of the action versus role
mapping.

Figure 4-38: Action Role Mapping

NOTE: The spreadsheet is for user reference only. Any change or modifications made in the sheet will not have any
effect on the roles or actions which are predefined and not user configurable.

Figure 4-39: Action Role Mapping - Error Message


5. Setting up system to run under low privileged users


This section describes how to set up the Windows operating system in order to let S+ Operations run with a
domain/workgroup user without administrative privileges. Regardless of the logged-in user, the service account must not be
the LOCAL SYSTEM account, otherwise communication with S+ Operations Historian will not work; refer to Table 3-1,
“Historian group id information,” on page 9.
It is recommended to name the user SPlusOServiceUser, in order to be coherent with the naming convention used for other
users (e.g. users/groups defined for S+ Operations Historian).
In this section, the S+ Operations HSI service user is referred to as SPlusOServiceUser.

Associate SPlusOServiceUser to the S+ Operations HSI service


1. Go to Windows > Run, type “services.msc” in the text box and press Enter to open the Services window.

Figure 5-1. Services window


2. Right-click ABB S+ Operations HSI and open its Properties; the Startup type must be Automatic.

Figure 5-2. ABB S+ Operations HSI Properties

3. On the Log On tab, choose the service user.

Figure 5-3. ABB S+ Operations HSI Properties Log on tab

4. Click OK.


5.1 Providing access to the folder


The S+ Operations HSI service user runs all the server side programs. These programs need access to the file system
in order to read and write specific files. The S+ Operations file system has two parts: the system part located in [..\Program
Files (x86)\ABB Symphony Plus\Operations] and the user/data part located in [\ProgramData\ABB Symphony
Plus\Operations].
The system path needs to be accessed in read-only mode by the service user and the interactive user (e.g. the user used
for the client interaction), while the user/data part needs to be accessed in read-write mode (the service user needs to be
able to modify the S+ Operations data files). Follow the instructions below to grant the required permissions.
Provide Full control on the following file system path: \ProgramData\ABB Symphony Plus\Operations (and descendants).

Figure 5-4. Operations properties security tab

5.2 To provide access to the Windows registries


As for the file system, the HSI service user needs access to the Windows registry. The areas that need to be granted to
SPlusOServiceUser are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ABB Symphony Plus\Operations] (and descendant)
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC] (and descendant)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Figure 5-5. Full access in registry editor


Figure 5-6. Permissions in registry editor

5.3 DCOM Settings


Some modules in S+ Operations use DCOM technology; the following configurations must be performed.
Note: The components are related to OPC connect.

5.3.1 OPC Server Settings

My Computer settings
Managing the settings for general computer access, users and permissions:
1. Go to Windows > Run, type "DCOMCNFG" in the text box and press Enter to open the Component Services
window.
2. Under Component Services > Computers, right-click My Computer and choose Properties from the
menu.
3. Click the Default Properties tab and configure as follows:
4. Check Enable Distributed COM on this computer.
– Default Authentication Level: Connect
– Default Impersonation Level: Identify


Figure 5-7. My Computer Properties

5. Click the "COM Security" tab.


NOTE: The user account information is required; add the user accounts and/or groups that will be provided
access to the COM service on this machine.
6. Click the Edit Limits button within the Access Permissions.
7. Click Add and type the object name (ANONYMOUS LOGON).
8. Click OK.
9. Select the Local Access and Remote Access boxes.
10. Click OK.
11. Click Add and enter the user accounts and/or groups (e.g. SPlusOServiceUser).


12. Repeat the operations until completed.

Figure 5-8. Access permissions OPC server settings

Configure the Launch and Activation Permissions as required: provide permissions to the users and/or groups that
should be able to access the COM service on this machine. To assign permissions to a specific group or user, add it and
check the desired boxes.
1. Click the Edit Limits button in the Launch and Activation Permissions window.
2. Click Add and enter the user accounts and/or groups required (e.g. SPlusOServiceUser).
3. Click OK.
4. Check the desired Allow or Deny boxes.


5. Click OK.

Figure 5-9. Launch and Activation Permission

OpcEnum Settings
These settings manage the users/groups that must be able to see the existing OPC servers running on the machine (it is
possible to authorize many users/groups to see the existing OPC servers running, but to authorize different
users/groups to access different servers).
1. Go to Windows > Run, type DCOMCNFG in the text box and press Enter to open the Component Services
window.
2. Right-click My Computer and choose Properties from the menu.
3. On the General tab, confirm that Connect is chosen from the Authentication Level drop-down list.

Figure 5-10. Opc Enum Properties


4. On the Security tab, in the Launch and Activation Permissions window, click Customize > Edit and manage the
permissions.
5. Click OK.
6. For Access Permissions, click Customize > Edit.
7. Manage the permissions and click OK.
8. Configuration Permissions is set to Use Default.

OPC Server process Settings


1. Find the OPC processes in the list:
– ABB S+ Operation ComServer Class
– ABB S+ Operation OPC AE SERVER
– ABB S+ Operation OPC DA Server
– ABB S+ Operation OPC HDA Server
2. Right-click and choose Properties from the menu.
3. Repeat the authorization procedure for this particular server.

5.4 Server settings


The server permissions can be managed according to the level of access to be given. For example, in a workgroup
(WG), user A (UA) may need to access only OPCserverA and user B (UB) only OPCserverB. The required permissions
are then:
• OpcEnum -> WG
• OPCserverA -> WG\UA
• OPCserverB -> WG\UB
• Allow remote and/or local operations for each one of them.

5.5 Permissions to access services


The S+ Operations HSI service user requires permissions to start or stop the system, in other words the permissions to start
and stop the S+ Operations services.
The easiest way to perform this configuration is by using a tool called SubInAcl, which can be downloaded from the Microsoft
web site.
The same configuration can be performed with other Windows administrative tools, but it is not as simple as with this utility.
Download subinacl.exe from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=23510
1. Copy SubInAcl to C:\Program Files (x86).
NOTE: Not needed if it is already available in the PATH.
2. Use SubInAcl to grant the user access to the following services:
Open a command shell, change to the folder where SubInAcl was copied and use the following command:
SubInAcl /service "Service name" /grant=SPLUSOSERVICEUSER
The following are needed to start/stop S+ Operations HSI
• SubInAcl /service apmssvc /grant=SPLUSOSERVICEUSER
• SubInAcl /service spocentrallicensing /grant=SPLUSOSERVICEUSER
The following are needed to stop S+ Operations Historian
• SubInAcl /service "PGIM DBLimiter" /grant=SPLUSOSERVICEUSER
• SubInAcl /service ConMeaService /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PlantConnect EventImport" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PDCS LifeCheck" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PlantConnect Compressor" /grant=SPLUSOSERVICEUSER


• SubInAcl /service "PGIM AdvancedScheduler" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PDCS TagSync" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "timesync" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PlaCoRedProxy" /grant=SPLUSOSERVICEUSER
• SubInAcl /service "PlantConnect Server" /grant=SPLUSOSERVICEUSER
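The grants above, scripted as an added example (not part of the ABB manual) that also verifies each result with sc.exe sdshow. It assumes an elevated Windows PowerShell session, subinacl.exe on the PATH or in C:\Program Files (x86), and the local account name SPLUSOSERVICEUSER used in the manual (use DOMAIN\name for a domain account):

```powershell
# Added example, not from the ABB manual: apply the SubInAcl grants of
# section 5.5 to the service account for every listed service that is
# installed on this node, then confirm the grant in each service's DACL.
# Assumptions: elevated Windows PowerShell; subinacl.exe on the PATH or in
# C:\Program Files (x86); the account name is the local SPLUSOSERVICEUSER
# used in the manual (use DOMAIN\name for a domain account).

$ServiceUser = 'SPLUSOSERVICEUSER'

# Service names exactly as listed in the manual: HSI first, then Historian.
$Services = @(
    'apmssvc', 'spocentrallicensing',
    'PGIM DBLimiter', 'ConMeaService', 'PlantConnect EventImport',
    'PDCS LifeCheck', 'PlantConnect Compressor', 'PGIM AdvancedScheduler',
    'PDCS TagSync', 'timesync', 'PlaCoRedProxy', 'PlantConnect Server'
)

# Locate subinacl.exe: PATH first, then the folder the manual copies it to.
$SubInAcl = (Get-Command subinacl.exe -ErrorAction SilentlyContinue).Path
if (-not $SubInAcl) {
    $Candidate = Join-Path ${env:ProgramFiles(x86)} 'subinacl.exe'
    if (Test-Path $Candidate) { $SubInAcl = $Candidate }
}
if (-not $SubInAcl) { throw 'subinacl.exe not found; download it from Microsoft first.' }

# sc.exe sdshow prints full SID strings for non-built-in accounts, so resolve
# the account to its SID once and look for that SID in each DACL.
$Account = New-Object System.Security.Principal.NTAccount($ServiceUser)
$Sid     = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($Name in $Services) {
    # HSI and Historian are not always installed on the same node; skip
    # services that do not exist here instead of failing.
    if (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue)) {
        Write-Warning "Service '$Name' is not installed on this node, skipping."
        continue
    }

    # Same command the manual runs by hand: /grant with no access letters
    # gives the account full control of the service object.
    & $SubInAcl /service $Name "/grant=$ServiceUser" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "SubInAcl returned exit code $LASTEXITCODE for '$Name'."
        continue
    }

    # Verify: the service security descriptor (SDDL) must now carry an ACE
    # for the account's SID in its D: (DACL) part.
    $Sddl = (& sc.exe sdshow $Name) -join ''
    if ($Sddl -match [regex]::Escape($Sid)) {
        Write-Output "$Name : grant to $ServiceUser present in DACL"
    } else {
        Write-Warning "$Name : $ServiceUser not found in DACL, check manually"
    }
}
```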

5.6 Create an SQL User


The S+ Operations HSI service user needs access to the S+ Operations Historian database in order to show historical
alarms and events in the Last Alarm/Last Event utility. Whether the service user has proper access permission to the
database can be checked by looking at the "led" color in the PwMonitor utility or by enabling the PwMonitorSrv trace (with
TraceManager).

Figure 5-11. Process Monitor

NOTE: A red light in PwMonitor does not necessarily mean the problem is related to user permissions; it only indicates an
unsuccessful connection to the Historian database.
Run Microsoft SQL Server Management Studio.


1. Go to Security -> Logins -> New Login.

Figure 5-12. Microsoft SQL Server Management Studio


The New Login window appears.

Figure 5-13. New login window

2. Click OK.
3. Re-open the user details and check the following:
4. Go to the Server Roles tab and select the following check boxes:
– public
– sysadmin


Figure 5-14. Server Roles tab

5. Click OK.
6. Go to the User Mapping tab and select the following check boxes:
For Users mapped to this login:
– Check the Map check box for the database PlaCoEvent (User: MYVM\SPlusOServiceUser, Default Schema: dbo)
Database role membership for tempdb:
– Select public
7. Click OK.
8. Go to the Securables tab and check the following check box:
– Permission Connect SQL (Grantor: sa): check the Grant column


Figure 5-15. Securables tab

9. Click OK.
10. Go to the Status tab. For the Permission to connect to database engine option, choose the Grant radio button.
– For Login, choose the Enabled radio button.


Figure 5-16. Status tab

11. Click OK.

5.7 Exiting from the system

S+ Operations offers the functionality of stopping the entire system (which requires S+ permissions for such operations).
The "kill" of the system can happen automatically (for example by S+ Task Manager, after a pre-configured condition is
satisfied by plant conditions) or manually (for example, the interactive user performs a Shut down Operations action from
the PwMonitor menu).
Independently of the kill type executed (automatic or manual), the user that physically stops the system is the service user
SPlusOServiceUser. The stop operation involves stopping the services in the right sequence, posting messages to all the
open applications so that they stop themselves, and, for applications that do not close within a long period, terminating
them with a task kill operation performed by the killer application.
To perform such actions, the killer application, and more specifically the Windows user associated with it
(SPlusOServiceUser), needs to have specific permissions enabled.
1. Go to Windows > Run, type secpol.msc in the text area and press Enter to open the Local Security Policy window.
2. Go to Local Policies > User Rights Assignment and add SPlusOServiceUser to the following:
– Create global objects
– Debug programs


Figure 5-17. Local Security Policy-User Rights Assignment
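An added check, not from the ABB manual, for the two rights just assigned: it exports the User Rights Assignment with secedit and lists every holder of SeCreateGlobalPrivilege and SeDebugPrivilege (the internal names of Create global objects and Debug programs), so both the service account's entry and any unexpected holders of Debug programs become visible. It assumes an elevated Windows PowerShell session and the account name SPlusOServiceUser used in the manual:

```powershell
# Added example, not from the ABB manual: verify the User Rights Assignment
# made in section 5.7 and list who else holds the same privileges.
# Assumptions: elevated Windows PowerShell; local account name as in the manual.

$ServiceUser = 'SPlusOServiceUser'
# Policy names shown in secpol.msc -> internal constant names used by secedit.
$Required = @{
    'Create global objects' = 'SeCreateGlobalPrivilege'
    'Debug programs'        = 'SeDebugPrivilege'
}

function Export-PrivilegeRights {
    # Exports only the USER_RIGHTS area to a temporary .inf and returns its path.
    $Cfg = Join-Path $env:TEMP 'splus-user-rights.inf'
    & secedit.exe /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $Cfg)) { throw 'secedit export failed (run elevated).' }
    return $Cfg
}

function Get-PrivilegeHolders([string]$Path) {
    # Parses the [Privilege Rights] section, whose lines look like
    #   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
    # and returns a hashtable: privilege name -> array of account names.
    $Result    = @{}
    $InSection = $false
    foreach ($Line in Get-Content -Path $Path) {
        if ($Line -match '^\[(.+)\]\s*$') {
            $InSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $InSection -or $Line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $Priv    = $Matches[1]
        $Entries = $Matches[2]
        $Holders = foreach ($Entry in ($Entries -split ',')) {
            $Entry = $Entry.Trim()
            if ($Entry.StartsWith('*')) {
                # Entries are SIDs prefixed with '*'; translate to names where possible.
                $Sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
                try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
            } elseif ($Entry) { $Entry }
        }
        $Result[$Priv] = @($Holders)
    }
    return $Result
}

$Cfg    = Export-PrivilegeRights
$Rights = Get-PrivilegeHolders -Path $Cfg
Remove-Item $Cfg -ErrorAction SilentlyContinue

foreach ($Policy in $Required.Keys) {
    $Priv    = $Required[$Policy]
    $Holders = @($Rights[$Priv])
    # The service account appears as COMPUTER\SPlusOServiceUser (or DOMAIN\...).
    $Present = $Holders | Where-Object { ($_ -split '\\')[-1] -eq $ServiceUser }
    if ($Present) {
        Write-Output "$Policy ($Priv): $ServiceUser is assigned"
    } else {
        Write-Warning "$Policy ($Priv): $ServiceUser is NOT assigned"
    }
    # Debug programs in particular should be held by as few accounts as possible.
    Write-Output "    all holders: $($Holders -join ', ')"
}
```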

5.8 User Account Settings

1. Go to Windows > Run, type UserAccountControlSettings.exe in the text area and press Enter to open the User Account
Control Settings window.

Figure 5-18. User Account Control Settings

2. Click OK.
3. Restart the system. S+ Operations then runs with low privileges and UAC enabled.

A. User Roles in Symphony Plus


The following table lists the user roles in Symphony Plus:

Table A-1. List of User Roles in Symphony Plus

Sl. No.  User Role               Role Description

System Roles
1        SPUser                  Only view the user list and the project dashboard.
2        SPSystemAdmin           Create, manage, and assign roles to a user.

Engineering Roles
3        SPEngineer              Perform standard engineering tasks on an assigned project, take a project backup, and manage
                                 engineering projects (for example: create, backup, restore).
4        SPEngineerAdmin         Manage engineering projects (for example: create, backup, restore).
5        SPELoad                 Perform the configuration / communication related actions to controller and HMI (for example:
                                 HAPI configuration, load the logics to controller, firmware download, labeling, deploy to HMI).
6        SPEMonitor              Only view the controller status, logic data flow (online value), diagnostic status, and the
                                 difference between engineering and HMI node (for example: Monitor mode, Difference viewer).
7        SPEMaintenance          Support the engineering activity. Restrictions apply to bulk activities such as export/import,
                                 pack/unpack.
8        SPEMeasure              Authorized for online data view (for example: Monitor).
9        SPEParametrize          Authorized for changing the tuning parameter.
10       SPESimulate             Perform value / spec tuning during online monitoring or running time (for example: Spec tuning).
11       SPESafety               Authorized to edit the safety application.
12       SPELibrary              Perform the standard activities which are prerequisites for the project engineering (for example:
                                 CFC creation, Logic template creation, Library object creation, device template creation,
                                 deploy action set).

NOTES:
Refer to Section A.5, Role Based Access Control, for details about the permissions associated with every role.
Role based access control (RBAC) is applicable only for Engineering roles.
RBAC is not applicable for Installation Manager.
The permissions for RBAC roles are default templates, which cannot be customized by the user.

Operation Roles
12       SPlusOUsers             Provide permissions to use S+ Operations software on all S+ nodes.
13       SPlusOGuests            Provide guest (view) access rights to SPlus Operations.
14       SPlusOAdmins            Provide administrative rights to SPlus Operations users; synced with the Administrators group in
                                 the SPlus Operations Users database.
15       SPlusOEngineers         Provide engineer access rights to SPlus Operations users; synced with the Engineers group in the
                                 SPlus Operations Users database.
16       SPlusOOperators         Provide operator access rights to SPlus Operations users; synced with the Operators group in the
                                 SPlus Operations Users database.
17       SPlusOWebServiceUsers   Provide access for Web Services.
18       SPlusOSupervisors       Provide Supervisor access rights to SPlus Operations.

Historian Roles
19       SPlusIMEventReader      Provide folder permissions to access SPlus Historian.
20       SPlusIMEventConfig      Manage the MS SQL Event database PlaCoEvents.
21       SPlusIMEventWriter      Manage the MS SQL Event database PlaCoEvents.
22       SPlusIMEventAdmin       Manage the MS SQL Event database PlaCoEvents.
23       SPlusIMEventDBAdmin     Users included in this security group are able to use the DBAdmin tool to manage the SQL Event
                                 Database and the PocketPortal Database.
24       SPlusWebPortalAdmin     Manage web portal with administrator privilege.
25       SPlusWebPortalUser      Manage web portal with guest privilege.
26       SPlusWDNAlarmsDBAdmin
27       SPlusIMGroup0           Manage the permissions of tags. Group 0 is reserved for Administrators.
28       SPlusIMGroup1           Manage the permissions of tags. Group 1 is reserved for Guests.
29       SPlusIMGroup2           Manage the permissions of tags.
30       SPlusIMGroup3           Manage the permissions of tags.
31       SPlusIMGroup4           Manage the permissions of tags.
32       SPlusIMGroup5           Manage the permissions of tags.
33       SPlusIMGroup6           Manage the permissions of tags.
34       SPlusIMGroup7           Manage the permissions of tags.
35       SPlusIMGroup8           Manage the permissions of tags.

GIS Roles
36       SPlusOGISAdmins         Provide administrative rights to SPlus GIS users; synced with the Administrators group in the GIS
                                 Users database.
37       SPlusOGISUsers          Provide permissions to use S+ GIS software on all S+ nodes.


A.1 User Roles

Each Windows user can be assigned to one or more user roles. The security group and security levels assigned to a user
role override the security settings of the assigned users. When the user role of a user changes, the user rights change
accordingly.
Example 1: A user role is created as OPERATOR, with tag operation privileges as its security privileges. Two Windows
users, OPERATOR 1 and OPERATOR 2, can then be derived from this user role OPERATOR.

Figure A-1: Operator user security levels as Tag Operations

Example 2: A user role is created as ENGINEER, with tag operation privileges as its security privileges. Two Windows
users, ENGINEER 1 and ENGINEER 2, can then be derived from this user role ENGINEER.

Figure A-2: Engineer user security levels as Tag Operations


A.1.1 Customized Roles

This feature allows the user to create custom user roles mapped against the standard roles.

NOTE: During the first launch of User Management, the user has the option to configure the custom roles.

Navigate to Administration > User Management and click the Configure Roles button in the ribbon bar. The Configure
Roles window opens as shown in the figure.

Figure A-3. Configure Roles window

• Standard Roles: The S+ Engineering standard roles are displayed in the Standard Roles pane.
• Customized Roles: All the groups available on the machine are displayed.
• View: Displays all the customized roles mapped against the standard roles.

NOTE: The custom roles are applicable only for S+ Engineering.


To create a new customized role, enter the name in the Customized Name text box and add a description in the Description
text box, then select the standard roles and click Add as shown in the figure below.

Figure A-4. Creating Customized Role

To view Customized Roles mapped against Standard Roles, click on the View tab in the Configure Roles window.

Figure A-5. View tab


To filter the roles, right-click in the Customized Roles pane and select the Show Customized Groups option as shown in the
figure below.

Figure A-6. Filtering the Roles


The available customized groups are displayed as shown in the figure.

Figure A-7. Customized Groups


To show all groups, right-click in the Customized Roles pane and select the Show All Groups option as shown in the figure
below.

Figure A-8. Select All groups


All the available groups are displayed as shown in the figure.

Figure A-9. All available Groups


To edit a custom role, select the custom role, edit the mappings in the Standard Roles pane and then click the Update button
as shown in the figure.

Figure A-10. Edit Roles

Figure A-11. Custom Role Message

NOTE: Custom role configuration is incomplete if standard roles and custom roles are mixed: the user should maintain
either standard roles or custom roles; a combination of both standard and custom roles is not allowed.

NOTE: It is not recommended to modify customized roles from the Windows group. If customized roles are modified from
the Windows group, User Management shows an error message when opened, as shown in the figure.

Figure A-12. Custom Roles mismatch notification message


NOTE: The existing custom roles can also be viewed in User Management under the S+ Roles pane; an example is shown
in the figure below.

Figure A-13. User Management screen

A.2 Existing common Symphony Plus user groups

S+ Operations uses a set of predefined user groups for various purposes. The table below gives an overview of these
groups.

Table A-2. Windows Group and Description

NOTE: In this table users can be associated with multiple groups.

Group: SPlusOUsers
Description: General rights group that all S+ Operations users must join.
Granted rights: Gives read access to the Windows directories where S+ Operations is located, also grants certain
permissions to debug and logging directories. Is part of History Group 3.

Group: SPlusOAdmins
Description: Administrator group that can do all Symphony Plus and Windows administration.
Granted rights: Is similar to a Windows Administrator and can do all administration tasks in Windows.

Group: SPlusOGuests
Description: Guest user. Note: Create the group manually in the Windows user management.
Granted rights: Has no Windows rights but is part of History Group 1.

Group: SPlusScanner
Description: Write real time data to the historian.
Granted rights: All services that require to write data to the historian.

Event specific user groups

Group: SPlusIMEventReader
Description: Operator and Office users for read access to event history data. All S+ Operations users must join.
Granted rights: Group that has read access to all alarms/events in the database; run the Delete Events tool and use the
export function; run the Manual Events tool; run the EventProcessor tool.

Group: SPlusIMEventConfig
Description: Reader and configuration of event tables.
Granted rights: All permissions of group SPlusIMEventReader; Update/Insert permissions on tables that contain
configuration data (the database tables are called: tbl_EventExplorer_Confi, tbl_EventClientHeader); EventExplorer: edit
and save event configurations.

Group: SPlusIMEventWriter
Description: Read and write events.
Granted rights: All permissions of group SPlusIMEventReader; Select/Update/Insert permissions on specific tables (the
database tables are called: tbl_Events, tbl_Events_Attributes, tbl_SigInfo, tbl_LastAlarmUpdate, tbl_Inserted,
tbl_Changes, tbl_AlarmEvent); EventExplorer: edit event comments; run the Tag Info Tool.

Group: SPlusIMEventAdmin
Description: Read and full rights to event tables.
Granted rights: All permissions of group SPlusIMEventReader; Select/Update/Insert/Delete permissions on all event
database tables; EventExplorer: edit Blacklist; run the Delete Events tool with all functions.

Group: SPlusIMEventDBAdmin
Description: Event database administrator.
Granted rights: Database administrator, can do everything in the event database.

Typically, normal operator users are assigned to the SPlusOUsers and SPlusIMEventReader groups.
Only special users, such as those used for installation or administration, should use higher privileged accounts.
For the event database, refer to the figure below to understand the different user groups.

Figure A-14. Event database with different user groups
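To check this recommendation on a node, an added example (not from the ABB manual) that enumerates the members of every local SPlus* group from Table A-2 and flags accounts holding anything beyond the operator set SPlusOUsers + SPlusIMEventReader. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroup, Get-LocalGroupMember) and that the S+ groups are local groups on the node:

```powershell
# Added example, not from the ABB manual: list the members of every local
# SPlus* group (Table A-2) and flag accounts that hold more than the typical
# operator set, so the higher-privileged groups can be reviewed.
# Assumes Windows PowerShell 5.1 (Get-LocalGroup / Get-LocalGroupMember)
# on an S+ Operations node where the groups are local groups.

# Groups an ordinary operator is expected to be in, per the manual.
$OperatorGroups = @('SPlusOUsers', 'SPlusIMEventReader')

function Get-SPlusGroupMembership {
    # Returns a hashtable: account name -> list of SPlus* groups it belongs to.
    $Membership = @{}
    foreach ($Group in Get-LocalGroup | Where-Object Name -like 'SPlus*') {
        # Orphaned SIDs can make Get-LocalGroupMember error; skip those quietly.
        $Members = Get-LocalGroupMember -Group $Group.Name -ErrorAction SilentlyContinue
        foreach ($M in $Members) {
            if (-not $Membership.ContainsKey($M.Name)) { $Membership[$M.Name] = @() }
            $Membership[$M.Name] += $Group.Name
        }
    }
    return $Membership
}

function Get-ExcessGroups([string[]]$Groups, [string[]]$Baseline) {
    # Groups held beyond the baseline set (comparison is case-insensitive).
    return @($Groups | Where-Object { $Baseline -notcontains $_ })
}

$All = Get-SPlusGroupMembership
foreach ($Account in ($All.Keys | Sort-Object)) {
    $Extra = Get-ExcessGroups -Groups $All[$Account] -Baseline $OperatorGroups
    if ($Extra.Count -gt 0) {
        # Member of SPlusOAdmins, SPlusIMEventAdmin, SPlusIMEventDBAdmin, etc.:
        # expected for installation/administration accounts, not for operators.
        Write-Output ('{0,-40} ELEVATED: {1}' -f $Account, ($Extra -join ', '))
    } else {
        Write-Output ('{0,-40} operator set only' -f $Account)
    }
}
```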


A.3 Registry settings

It is recommended to disable the User Account Control and remote restrictions on the client machine by adding the
following registry entry.
1. Click Start, click Run, type regedit, and then press ENTER.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
1. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
2. On the Edit menu, point to New, and then click DWORD Value.
3. Type LocalAccountTokenFilterPolicy, and then press ENTER.
4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.
NOTE: Value description:
• 0: This value builds a filtered token. This is the default value. The administrator credentials are removed.
• 1: This value builds an elevated token.
Once done, a system restart is recommended.

A.4 NetBIOS configuration settings

For all the interfaces on separate Plant Networks, two configuration changes must be made to reduce the amount of traffic
on the Plant Network.
1. Disable IPv6 by clearing the Internet Protocol Version 6 (TCP/IPv6) check box.
2. Click Properties in the Internet Protocol (TCP/IP) Properties dialog to open the Advanced TCP/IP Settings dialog.
3. Click the WINS tab.
4. Select Default NetBIOS over TCP/IP.

A.5 Role Based Access Control

Role based access control (RBAC) defines the relation between permissions and actions based on the user roles
associated with a user. With RBAC, the Administrator must associate the appropriate role based actions to a specific
engineer. A user associated with a role is allowed to perform only that set of actions.
Role based access for the various groups is summarized in the following section.
Notes:
• Users must have at least the SPUser role assigned; only then can they perform all the required actions.
• Once roles are assigned, it is recommended to close the project and open User Management to apply the roles.
• When an action comprises more than one role, any one of these roles is sufficient to perform that action. This is
applicable for all modules.
For example: the Deploy action requires the SPEngineer OR SPELoad role. Either of the roles is sufficient to perform this
action.
• The SPEAccess role is not associated with any of the RBAC privileges in S+ Engineering. The SPEAccess and SPUser
roles must be used in combination with other standard/custom roles. These roles bring the users into the RBAC
infrastructure.


Workbench:

Figure A-15. Role Based Access_Workbench

User Management:

Figure A-16. Role Based Access_User Management


Project Administration:

Figure A-17. Role Based Access_Project Administration

Note: SPSystemAdmin role is not granted for users accessing Project Administration module.

Bulk Engineering:

Figure A-18. Role Based Access_Bulk Engineering


Figure A-19. Role Based Access_Bulk Engineering_More Roles

Note: SPSystemAdmin, SPEngineerAdmin, SPELoad, SPEMonitor, SPESimulate, and SPELibrary roles are not
granted for the users accessing the Bulk Engineering module.


Topology Design:

Figure A-20. Role Based Access_Topology Design

Note: SPSystemAdmin, SPEngineerAdmin, SPELoad, SPEMonitor, and SPESimulate roles are not granted for the
users accessing Topology design module.


Connectivity Engineering:

Figure A-21. Role Based Access_Connectivity Engineering


Figure A-22. Role Based Access_Connectivity Engineering_More Roles

Note: SPSystemAdmin, SPUser, SPEngineerAdmin, SPELoad, SPEMonitor, SPESimulate, and SPELibrary roles are
not granted for the users accessing the Connectivity Engineering module.


Control Engineering:

Figure A-23. Role Based Access_Control Engineering

Figure A-24. Role Based Access for Control Engineering_Continuing


Figure A-25. Role Based Access for Control Engineering_Continuing

Figure A-26. Role Based Access for Control Engineering_Continuing


Figure A-27. Role Based Access for Control Engineering_Continuing

Figure A-28. Role Based Access_Control Engineering_Roles Continuing


Figure A-29. Role Based Access for Control Engineering_Continuing

Figure A-30. Role Based Access for Control Engineering_Continuing


Figure A-31. Role Based Access for Control Engineering_Continuing

Figure A-32. Role Based Access for Control Engineering_Continuing


Figure A-33. Role Based Access for Control Engineering_Continuing

Figure A-34. Role Based Access for Control Engineering_Continuing


Figure A-35. Role Based Access for Control Engineering_Continuing

Figure A-36. Role Based Access for Control Engineering_Continuing


Figure A-37. Role Based Access for Control Engineering_Continuing

Figure A-38. Role Based Access for Control Engineering_Continuing


Figure A-39. Role Based Access for Control Engineering_Continuing

Figure A-40. Role Based Access for Control Engineering_Continuing


Figure A-41. Role Based Access for Control Engineering_Continuing

Figure A-42. Role Based Access for Control Engineering_Continuing


Figure A-43. Role Based Access for Control Engineering_Continuing

Figure A-44. Role Based Access for Control Engineering_Continuing


Figure A-45. Role Based Access for Control Engineering_Continuing

Figure A-46. Role Based Access for Control Engineering_Continuing


Figure A-47. Role Based Access for Control Engineering_Continuing

Figure A-48. Role Based Access for Control Engineering_Continuing


Figure A-49. Role Based Access for Control Engineering_Continuing

Figure A-50. Role Based Access for Control Engineering_Continuing


Figure A-51. Role Based Access for Control Engineering_Continuing

Figure A-52. Role Based Access for Control Engineering_Continuing

Note: SPSystemAdmin and SPEngineerAdmin roles are not granted for the users accessing the Control Engineering
module.
Note: The SPEAccess role is mandatory for Control Engineering if the user does not have the SPEngineerAdmin or
SPSystemAdmin role.


Field Engineering:

Figure A-53. Role Based Access_Field Engineering


Figure A-54. Role Based Access_Field Engineering_More Roles


Signal Manager:

Figure A-55. Role Based Access_Signal Manager

Note: SPSystemAdmin, SPEngineerAdmin, SPESimulate and SPELibrary roles are not granted for the users accessing
Signal manager module.


Operations Engineering:

Figure A-56. Role Based Access_Operations Engineering

Note: SPSystemAdmin, SPEngineerAdmin, SPEMonitor, and SPESimulate roles are not granted for the users
accessing Operations engineering module.
Note: SPEAccess role is mandatory for Operations Engineering, if user does not have SPEngineerAdmin and
SPSystemAdmin role.


If a required role is not associated with a user, a pop-up message is displayed to notify the user, and the respective action
is disabled for that user. A typical message is shown in Figure A-57.

Figure A-57. Pop-up Message on Limited User Roles


B. Installing Microsoft Loopback Adapter


The installation of the Microsoft Loopback Adapter is required only for workgroup setups with standalone installations and
no network connection.
When the computer is not connected to any physical network, the workgroup machines do not appear. As a result, S+
roles are not loaded when the engineering roles list is expanded.
The user must add a Microsoft Loopback Adapter through the Windows Add Hardware wizard. After this, the workgroup
displays the list of computers even if there is no physical network connection.
Following are the steps to add a Microsoft Loopback Adapter:
1. Click Start and then open the Command Prompt.
2. At the Command Prompt, type hdwwiz.exe.

Figure B-1. Command Prompt

3. Press Enter.
This opens the Welcome to the Add Hardware Wizard dialog box.
4. Click Next.
This opens the Add Hardware dialog box.
5. Select the Install the hardware that I manually select from a list (Advanced) radio button.
6. Click Next.
7. Select Network adapters from the list.
8. Click Next.


The following dialog box opens.


Figure B-2. Network Adapters

9. From the list of manufacturers, select Microsoft, and then from the list of network adapters, select Microsoft Loopback
Adapter.
10. Click Next > Next > Finish.


C. Computer Browser Service


The Computer Browser service maintains an updated list of computers on the network and supplies the list to computers
designated as browsers. If this service is stopped, this list is not updated or maintained. If this service is disabled, any
services that explicitly depend on it will fail to start.

Figure C-1. Computer Browser Service

The Computer Browser service is required for identifying the members of a particular workgroup.
NOTE: The user can check the workgroup discovery status by using the following Windows command:

Figure C-2. Windows Command

NOTE: This is applicable only for workgroup installations.

NOTE: Workgroup systems support only class C networks (255.255.255.Y). Refer to the Network Address Rules section of
the S+ Engineering 2.3 System topology user manual (8VZZ000131T) for more information.


D. Creating Group Policy Object


Group Policy provides centralized management and configuration of the operating system, software applications, and users'
settings in an Active Directory environment.
Create a group policy object in Active Directory, assign local admin rights to it and make this privilege available to the
SPEngineer, SPEngineerAdmin and SPSystemAdmin roles.

D.1 Creating Group Policy

Once the SPlus roles are created, the user with administrative privileges has to create a group policy object. Follow the
steps given below to create a group policy object.
1. Click the Windows Start menu and select Group Policy Management under Windows Administrative Tools as shown in
the following figure.

Figure D-1. Administrative Tools

The Group Policy Management window opens.

2. Right-click the user domain or OU and select Create a GPO in this domain, and Link it here... as shown in the
following figure.


Figure D-2. Group Policy Management

3. Enter a name for the GPO (for example, gpo-local-admin) in the New GPO dialog box as shown in the following figure.
4. Click OK.

Figure D-3. New GPO

NOTE: The policy should now be visible in the tree.

Edit the policy to contain the SPEngineer group.
Here the Administrator needs to add the Administrators group to the "Local Admin Rights GPO" policy and then make
some SPlus roles members of the Administrators group.


5. Right-click on Local Admin Rights GPO and click Edit as shown in the following figure.

Figure D-4. Edit Policy

In the Group Policy Management Editor window, select Restricted Groups (expanding Computer
configuration\Policies\Windows Settings\Restricted Groups) right-click and select Add Group....

Figure D-5. Group Policy Management Editor

6. Select a group as shown in the following figure.


Figure D-6. Select Restricted Group

The selected group is listed in the right pane of the window as shown in the following figure.

Figure D-7. Selected Restricted Group Properties

7. Right-click the group and select Properties to make it a member of other groups (like Administrators, Remote
Desktop Users etc.).
The Properties dialog box opens.
8. Click the Add button under the Member of this group field in the Properties dialog box as shown in the following figure.


Figure D-8. Add Restricted Group Members

Add the SPSystemAdmin, SPEngineerAdmin, SPEngineer roles as shown in the following figure.


Figure D-9. Select SPLUS User

9. Click OK.
NOTE: It takes some time for these changes to propagate to all domain clients. The user can log in to any domain client,
run the "gpupdate /force" command and check the local Administrators group.


Visit us
solutions.abb/symphonyplus
solutions.abb/controlsystems

Document ID: 2VAA003209-230 Rev. A