Defining Security in Schema Viewer
In this section we run through defining and using security with Schema Viewer's menus and dialogs. First, define an HWI file containing a Smart Valve and place it in a workspace. View the rights and roles available on the device by right clicking on the valve and selecting Security Rights Setup... (Figure 11.1).
Figure 11.1. Defining Security Rights in Schema Viewer
The five roles displayed in the dialog (Figure 11.2) are the default suggestions provided by Schema Viewer. Each is displayed with details about the characteristics of the role. Administrators are granted the ability to Read and Write Security information. This enables a user in the administrator role to create and delete users, assign and change their passwords, assign the users to roles, create and remove roles, and assign rights to roles. If you left click on Administrators, you see that the role has no rights to communicate with the hardware (Figure 11.3). The built-in Authenticated Users role, however, means any user who has legitimately logged in has all the rights displayed for that role. It is wise to limit these rights in your actual security configuration. Schema Viewer initially grants Everyone the capability to change security settings, along with all communications rights, so that the system defaults to its functionality in prior versions. When this right is removed from Everyone, the next attempt to open the workspace will require a user to log in. Select a role and allow a right by checking the box next to its name. Deny the right by leaving it blank or unchecking it. Update the settings by left clicking on the Apply button.
Figure 11.2. Administrators May Change Security Settings…
Figure 11.3...But Have No Other Default Rights
The following Rights describe the elements of Fairmount Automation products to be secured.
- Diagnostic Communications (DIAG) - Permission to perform the options in Design Pad or Schema Viewer's 'Communications Menu'. Additional rights are required to update the kernel, control code, schema, or security configuration.
- HMI Browse Communications (HMI) – Permission to use the 'view browse signals' command and commence data exchange with a Design Pad or Schema Viewer HMI.
- Schema Viewer Variables (SVV) – Permission to edit the initial value of selected variables from Schema Viewer.
- Design Pad / Schema Viewer Security Configuration Screens (SCS) – Permission to view and/or edit the Username, Password, Roles, and Rights configuration screens.
- Firmware Download (FD) - Permission to perform a Firmware Download.
- Schema Download (SD) - Permission to perform a Schema Download or Send Security Configuration.
- Infrared Communications (IRC) – Permission to communicate using the Infrared interface. The FD and SD rights are used in conjunction with IRC.
- Ethernet Communications (EC) - Permission to communicate using the Ethernet interface using the FANDA SSH shell. The FD and SD rights are used in conjunction with EC.
- Multicast Access (MA) – Permission to have access to one or more encrypted Ethernet multicasts.
- Network Variable Access (NVR) – Permission to Read network variables.
- Network Variable Access (NVW) – Permission to Write to network variables.
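The following is an added example, not part of Schema Viewer or any Fairmount Automation tooling: a Python audit of a role-to-rights map written with the abbreviations above. It flags the built-in broad roles (Everyone, Authenticated Users) when they hold configuration or change rights, and flags FD/SD grants that have no IRC or EC right to be used with. The map layout, the sample roles and the severity labels are constructed for illustration.

```python
# Added example: audit a {role: rights} map written with the abbreviations above.
# The map layout and the sample roles are constructed; this is not a Schema Viewer format.
KNOWN_RIGHTS = {"DIAG", "HMI", "SVV", "SCS", "FD", "SD", "IRC", "EC", "MA", "NVR", "NVW"}
BROAD_ROLES = {"Everyone", "Authenticated Users"}  # built-in roles that cover many users
CHANGE_RIGHTS = {"SVV", "FD", "SD", "NVW"}         # rights that modify the device or its data
TRANSPORTS = {"IRC", "EC"}                         # FD and SD are used together with these


def audit_roles(roles):
    """Return sorted (severity, role, message) findings for a {role: set_of_rights} map."""
    findings = []
    for role, rights in roles.items():
        unknown = rights - KNOWN_RIGHTS
        if unknown:
            findings.append(("ERROR", role, "unknown rights: " + ", ".join(sorted(unknown))))
        if role in BROAD_ROLES:
            if "SCS" in rights:
                findings.append(("HIGH", role, "can view/edit the security configuration"))
            risky = rights & CHANGE_RIGHTS
            if risky:
                findings.append(("HIGH", role, "can change the device: " + ", ".join(sorted(risky))))
        downloads = rights & {"FD", "SD"}
        if downloads and not rights & TRANSPORTS:
            findings.append(("INFO", role, ", ".join(sorted(downloads)) + " granted without IRC or EC"))
    return sorted(findings)


SAMPLE_ROLES = {  # constructed sample, not an export from a real workspace
    "Administrators": {"SCS"},
    "Everyone": set(KNOWN_RIGHTS),
    "Authenticated Users": {"DIAG", "HMI", "NVR"},
    "Maintainers": {"DIAG", "FD", "SD"},
}

if __name__ == "__main__":
    for severity, role, message in audit_roles(SAMPLE_ROLES):
        print(f"{severity:5} {role}: {message}")
```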
Now it's time to define some users and assign them roles. Right click on the workspace name and select Security Configuration (Figure 11.4). The dialog in Figure 11.5 comes up, displaying the Manage Users tab within Security Configuration. It's empty since no users are currently defined.
Figure 11.4. Navigate to the Workspace Security Configuration
Figure 11.5. Initial Workspace Security Configuration Dialog
Add a user by left clicking the Add button. Usernames are case significant, and two usernames may not differ only in case. Some usernames are reserved for internal use; currently these are root, DesignPad, FANDA and sshd. Passwords are, at a minimum, a case-sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., 'emPagd2!'). The pop-up (Figure 11.6) asks for a user name and password. Enter those and press OK.
Note you can now select the user and assign one or more roles to that user. Press Apply to make the change.
Figure 11.6. Adding a User
When a user is created, an associated public / private key pair is also created and stored in a secure container. Only administrators have access to view or modify the private contents of the container. To view, import, or export a user's key, first log in to Schema Viewer with a user that has the Administrator role, then select 'Manage Keys...' and the dialog shown below appears. This dialog displays the user's Public Key and allows the user's Private Key to be imported / exported using a secure container protected by a Passphrase. The import / export file type is PEM (which is a Base64 encoding with headers). The binary data inside is a PKCS#8 encrypted private key.
The user is ready to be assigned one or more roles. Select the Roles tab to link at least one role to the new user (Figure 11.7). Left click on a role and then check the box (Figure 11.8) next to the user receiving that role. Note you can assign more than one user the selected role. Press Apply to make the change.
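As an added example (not Fairmount Automation code), the following Python checks that an exported key file is what the paragraph above describes: a PEM block labelled ENCRYPTED PRIVATE KEY whose body parses as a PKCS#8 EncryptedPrivateKeyInfo. The function names and the sample blob are constructed; that Schema Viewer's export uses the standard PEM label for encrypted PKCS#8 is an assumption.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SCHEMES = {"1.2.840.113549.1.5.13": "PBES2"}  # PKCS#5 v2 password-based encryption

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted text
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_key_export(pem_text):
    """Check the PEM label and the outer EncryptedPrivateKeyInfo structure."""
    m = PEM_RE.search(pem_text)
    if not m or m.group(1) != "ENCRYPTED PRIVATE KEY":
        return {"ok": False, "reason": "no ENCRYPTED PRIVATE KEY block (key may be unprotected)"}
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        tag, outer, _ = read_tlv(der, 0)          # EncryptedPrivateKeyInfo SEQUENCE
        alg_tag, alg, nxt = read_tlv(outer, 0)    # encryptionAlgorithm SEQUENCE
        oid_tag, oid, _ = read_tlv(alg, 0)        # algorithm OBJECT IDENTIFIER
        data_tag, data, _ = read_tlv(outer, nxt)  # encryptedData OCTET STRING
        name = decode_oid(oid)
    except (ValueError, IndexError) as exc:
        return {"ok": False, "reason": f"malformed export: {exc}"}
    if (tag, alg_tag, oid_tag, data_tag) != (0x30, 0x30, 0x06, 0x04):
        return {"ok": False, "reason": "not an EncryptedPrivateKeyInfo structure"}
    return {"ok": True, "scheme": SCHEMES.get(name, name), "encrypted_bytes": len(data)}

# Constructed sample: correct outer structure, zero-filled "ciphertext", not a real key.
SAMPLE_DER = bytes.fromhex("3021300d06092a864886f70d01050d30000410") + bytes(16)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
```

The check covers the container format only; it says nothing about the strength of the passphrase protecting the key.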
Figure 11.7. Assigning a Role to a User
Figure 11.8. Choosing the User(s) Assigned to the Role
The Add button creates a new role. The pop-up allows you to name the role and determine if it can read and write security data (Figure 11.9). Role names are case significant. The Delete button at the bottom of the dialog removes the selected role from the system.
Figure 11.9. Allow a Role to Change Security Settings
The Set Security button allows for assigning the ability to change security settings to a role. Pressing it with a role selected brings up the pop-up in Figure 11.10. Check the box and press OK to allow the users in that role security privileges.
Figure 11.10. Allow Established Role Security Privileges
If we go back to the Manage Users tab, the Delete button removes the selected user, and the Set Password button brings up the pop-up in Figure 11.11, which allows the selected user's password to be changed. The new password must have more than four characters changed,
.
Figure 11.11. Change a Password
The last tab on the Security Configuration dialog is for Security Options (Figure 11.12). Check the Enable FIPS enforcing mode box to enable FIPS self tests to be run when the node boots for both facore and the ssh server. This adds approximately 2 minutes to Fairmount Automation device boot time before the node can be accessed for any authenticated operations. Schema processing occurs during this time. Check the Allow password authentication on the node box to require users to provide passwords for SSH or FANDA logins. Otherwise, only public key-based login is allowed.
Figure 11.12. Security Options Tab