User Manual
61
Building Technologies
MM8000 Installation, Function & Configuration, Commissioning, Safety Regulations
Fire Safety & Security Products
06.2009
4.4 Setting up the project security
Once you have finished setting up the Composer project structure as detailed in
the DMS Connectivity configuration guide, you are ready to configure the MM8000
system behaviour. The first step is setting up MM8000 security, which is organised
in two basic criteria: User groups and Security profiles.
4.4.1 Overview
Domain security
The underlying purpose here is to control who has what event treatment capabili-
ties, such as being able to acknowledge and reset events, and who can see activity
and/or send commands from nodes in the plant browser.
You set up security by first setting the system Domain. If the PC is part of a Win-
dows domain and MM8000 users are defined at domain level (distributed configu-
ration), the security domain is the Windows domain. Instead, if the PC is a single
station (Stand-Alone configuration) or networked in a workgroup, then the security
domain is local and the domain name is actually the PC name.
User Groups permissions and Users
You then have to define user Groups and assign permissions to the groups. These
permissions determine what commands each group can issue in the event list and
what it can see and/or do in the graphical user interface, such as accessing the
history browser or launching Windows applications.
For each group, permissions are organised in three tabs: Event Settings, related
to event treatment, Client settings, concerning various functions and applications,
and System settings, used to enable/disable global system options.
Individual Users can be assigned to each group. Users inherited all the permis-
sions of the group they belong to.
Depending on the software setup options for security (see p.28), new users may or
may not be added to the
Windows user list when the Composer configuration is
downloaded.
Security Profiles
Next you assign Security Profiles to each group. Profiles are used to define seg-
ments in the configuration tree and assign different access rights to the groups on
each segment.
For example, you may want the Fire operator group to be able to send commands
to Fire control units, while you may want the Intrusion operator group to be able to
see the activity, but not send commands. To do this, you would create a “Fire” pro-
file, and an “Intrusion” profile. All user groups belonging to the Fire team would
have command privileges in the “Fire” profile, while the Intrusion user groups would
have only display privileges for fire-related events.
In the configuration tree, the fire and intrusion control units must be organised in
consistent subtrees under folders to which you associate a Security Profile (such
as “Fire Safety” or “Intrusion Security”). This determines each group’s permissions
or capabilities in the plant browser where activity is displayed, and commands are
sent to nodes (or points).
Note: Unless you associate a profile to a node, it will have the “Default” profile,
which means that any user group will have full command permissions.
The example that follows shows a configuration with two profiles, one for fire and
one for intrusion.
The installation requirements specify that a group of users, focused on safety, has
full control on the fire control units and read-only privileges on the intrusion control
units. Another group, e.g. security guards, has an opposite setting: full control on
the intrusion units and read-only on fire units.