Application Rights

Application rights define which system applications users can access, and what operations they can perform (for example, only view, edit and save changes to existing objects, create new objects) within each one. Application rights can also be used to enable/disable users' access to Engineering mode, and to other features such as Assisted Treatment.

The most important application rights include:

Show: This gives users read-only access to the application. If the Show check box is deselected, the application will not display.

Configure: This enables users to edit data and save changes within the application. If Configure is deselected, toolbar buttons such as Save, Save As..., New, Delete, and Edit will be unavailable.
NOTE: If the application in question creates or deletes objects in System Browser, users must also have the appropriate Create/Delete Scope rights for their changes to take effect.

Toggle Engineering mode: This enables users to access Engineering mode. If Toggle Engineering mode right is deselected, the button for switching to Engineering mode will no longer display.

Other application rights include: Export, Import, and Execute.

Application Rights intersect with the Scope Rights that enable users to create or delete system objects. The Configure application right makes toolbar icons such as New, Save, Save As.., Delete available. However, if the corresponding action creates or deletes objects in System Browser tree, it will not complete successfully if the user lacks the necessary Scope rights.

Example:

If a user has Configure application rights for Macros, toolbar buttons (for example, to create a new macro folder, to save changes to an existing macro, or to delete a macro) will be available. However, if this user lacks the Create Scope right, the system will not let the user create a new macro folder, because this involves creating a new system object. On the other hand, the user can save changes to an existing macro because this does not create a new system object. Similarly, to complete the action of deleting an existing macro the user must have the Delete Scope right.

If the user has Create/Delete Scope rights but lacks the Configure application right the user will not be able to initiate any action because the toolbar buttons will be unavailable.

The following sections describe the specific application rights that you can set for each system application, and how they interact with the Create/Delete Scope rights.

NOTE:
The actual list of application rights in the system may include additional items from the installed extension modules. To get information about such additional application rights, refer to the documentation for the specific extension modules.

Application rights are disabled by default in applications installed with an extension module. This also applies to the DefaultAdmin user. Therefore, after installing an extension module you must manually enable the corresponding application rights.

The following general rules apply to application rights:

When you change the application rights for a user group, the changes take effect immediately, even if those users are currently logged on and using the system.
Do not use setting ALL if the Scope is handled differently for each application.
Restricted Scope Rights must be assigned to the individual application.

Assisted Treatment

Assisted Treatment rights define the access permission to Assisted Treatment alarm handling feature.

Assisted Treatment Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application (Assisted Treatment window). If not set, Investigative Treatment window is available instead. NOTE: Executing Assisted Treatment steps depends on the rights assigned to the specific applications involved in the assisted treatment procedures.	✔	n/a	n/a	n/a

Automatic Event Treatment

Automatic event treatment rights define the access permission for configuring automated alarm handling rules.

Automatic Event Treatment Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Create a new automated alarm handling rule. Create an automated alarm handling rule from existing configuration.	✔	✔	✔	✘
Delete any automated alarm handling rules.	✔	✔	✘	✔

BACnet Configuration

BACnet Configuration rights define the access permission for configuring BACnet devices on a BACnet network.

BACnet Configuration Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application (BACnet Devices or BACnet Editor) and view existing data.	✔	✘	n/a	✘
Modify existing data and save the changes.	✔	✔	n/a	✘
Delete any BACnet devices.	✔	✔	n/a	✔

NOTE: Importing BACnet devices depends on the Importer rights.

NOTE2:BACnet Configuration rights do not impact working with Schedules in Management Station or Flex Client.

Device

Device rights define the access permission for the System Management application to configure:

Under the stations:

WMI UPS

SNMP network devices. In particular,

SNMP UPS
SNMP Scalance

SNMP properties to monitor the SNMP network.

Device Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes. Import the configuration. Export the existing configuration.	✔	✔	✘	✘
Create these objects from existing configuration.	✔	✔	✔	✘
Delete any of these objects.	✔	✔	✘	✔

NOTE: Manually adding the following objects depends on the System Management rights: WMI UPS, SNMP network devices, and SNMP properties.

Document Configuration, Document Viewer, and Rule Editor

For documents and web applications, two types of access permission are available:

Document Configuration and Rule Editor
Document Viewer

Document Configuration rights define the access rights for configuring documents in the Documents tab. For web applications, these rights also define the access to the Rule Editor tab to configure display rules.

Document Configuration Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Create a new document folder or display rule. Create a new document or display rule object. Create a document or display rule object from existing configuration.	✔	✔	✔	✘
Delete any document folder, document object, display rule folder, or display rule object.	✔	✔	✘	✔

Document Viewer rights define the access rights for viewing documents in the Documents tab

Document Viewer Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
In the Documents tab, access the application and view existing documents. Execute the Document Viewer step in Assisted Treatment.	✔	n/a	n/a	n/a

Driver

Driver rights define the access permission for configuring the drivers.

Driver Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
If applicable, modify existing data and save the changes.	✔	✔	✘	✘
Add a new driver.	✔	✔	✔	✘
Delete any driver.	✔	✔	✘	✔

NOTE: Creating driver objects also depends on the Object Configurator rights.

Filter Groups

Filter Groups application rights define permissions for viewing and modifying data, creating new filter groups and deleting existing filter groups.

Filter Groups Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access Filter Groups tab and view existing data	✔	✘	✘	✘
Modify existing data and save the changes	✔	✔	✘	✘
Create new filter groups	✔	✔	✔	✘
Delete existing filter groups	✔	✔	✘	✔

Graphics Editor

Graphics Editor application rights define the permissions for creating, modifying, and deleting graphic objects such as project graphics, symbols, and graphic templates.

Graphic Editor Application Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the Graphic Editor	✔	✔	✔	✔
Create new and save existing graphics	✘	✔	✘	✔
Delete graphics and graphic folders	✘	✔	✔	✔
Edit and save changes to a graphic.	✘	✔	✔	✔

Graphics Library Editor

Graphics Library Editor application rights define the permissions for viewing Symbols and Graphic Templates libraries, and modifying or configuring them.

Graphic Library Editor Application Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View the Symbols and Template Graphic libraries. Copy References from Symbols and Template Graphics.	✔	✔	✔	✔
Create new and save existing Symbols and Template Graphics. Edit and save changes to Symbols and Template Graphics.	✘	✔	✔	✘
Delete Symbols and Template Graphics.	✘	✘	✘	✔

Graphics Viewer

The access rights for the Graphic Viewer application define the user’s ability to display a graphic, a symbol, a graphic template in the Graphic Viewer and in the Graphic Editor Runtime mode.

Graphic Viewer Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and display a graphic, Symbol, or Graphic Template. Execute the Graphic Viewer step in Assisted Treatment.	✔	n/a	n/a	n/a

Help

Defines the sections of the Help that are displayed when the user presses F1 or selects the Help from the menu. In a new and upgraded project, both check boxes are selected.

Help Rights

Application Rights

Action

Access to Operating Help

Access to Engineering Help

Activated Operating Help
Activated Engineering Help
Activated Engineering and Operating

✔

✘

✔

✘

✔

Icons

Icons rights define the access permission for configuring any icons library.

Icons Rights	Application Rights			Scope Rights
Action	Show	Config.	Import	Create	Delete
Access the application and view existing data.	✔	✘	✘	n/a	n/a
Delete icons and save the changes.	✔	✔	✘	n/a	n/a
Import icons.	✔	✔	✔	n/a	n/a

NOTE: Adding and deleting icons library objects depends on Library rights.

Import Rules

Import Rules rights define the access permission for configuring the import rules.

Import Rules Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	n/a	n/a
Modify existing data and save the changes. Customize import rules.	✔	✔	n/a	n/a

NOTE: Adding and deleting import rules library objects depends on Library rights.

Importer

Importer rights define the access permission for performing the import operation.

Importer Rights	Application Rights			Scope Rights
Action	Show	Config.	Execute	Create	Delete
Access the application and perform field data import.	n/a	n/a	✔	n/a	n/a

Journaling

For Journaling, two types of access permission are available:

Journaling printers
Journaling configuration

Journaling Printers application rights define the access rights for configuring journaling printers.

Journaling Printers Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View an existing printer template mapping.	✔	✘	✘	✘
Add a new printer template mapping entry and save it. Modify an existing printer template mapping entry and save it. Remove an existing printer template mapping entry.	✔	✔	✘	✘

Journaling Configurator application and Scope rights define the access rights for configuring the journaling configurator.

Journaling Configurator Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View an existing journaling definition.	✔	✘	✘	✘
Modify an existing journaling definition and save the changes.	✔	✔	✘	✘
Create, configure, and save a new journaling definition. Create a new journaling definition from an existing journaling definition using the Save As icon.	✔	✔	✔	✘
Delete a journaling definition.	✔	✔	✘	✔

Library

Library rights define the access permission for the Library Configurator.

Library Rights	Application Rights				Scope Rights
Action	Show	Config.	Import	Export	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘	✘	✘
Modify existing data and save the changes. Customize libraries.	✔	✔	✘	✘	✘	✘
Import libraries.	✔	✔	✔	✘	✘	✘
Export existing libraries.	✔	✔	✔	✔	✘	✘
Create a new library object. Create a new library block.	✔	✔	✔	✔	✔	✘
Delete any library folders, library objects, or library blocks.	✔	✔	✔	✔	✘	✔

License

License rights define the access permission for displaying license data.

License Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view data.	✔	n/a	n/a	n/a

Localization

Localization rights define the access rights for handling the texts to localize.

Localization Rights	Application Rights			Scope Rights
Action	Show	Config.	Import	Create	Delete
Access the application and view existing data.	✔	n/a	✘	n/a	n/a
Import localized texts.	✔	n/a	✔	n/a	n/a

Log Viewer

Log Viewer application and Scope rights define the access rights for configuring Log Viewer.

Log Viewer Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View log data in the Log Viewer by selecting the log viewer root folder, or a log view subfolder, or a log view definition. Configure the displayed log data by applying filters, sorting the data, selecting, removing, reordering, and resizing columns. Refresh the displayed data. Modify an existing log view definition. Export a log view definition. Stop the execution of a log view.	✔	✘	✘	✘
Modify an existing log view definition and save any changes.	✔	✔	✘	✘
Create a new log folder. Save the configured log view as a log view definition. Create a new log view definition from an existing log view definition using the Save As icon. Save a log view definition as default. Import a log view definition. Save a log view definition as a report.	✔	✔	✔	✘
Delete a log view definition. Delete a log view folder.	✔	✔	✘	✔

Macro

Macro rights define the access permission for configuring macros.

Macro Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Create a new macro folder. Create a new macro. Create a macro from existing configuration.	✔	✔	✔	✘
Delete any macro folder or macro.	✔	✔	✘	✔

Network

Network rights define the access permission for configuring networks.

Network Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Add a new network.	✔	✔	✔	✘
Delete any network.	✔	✔	✘	✔

NOTE: Adding network objects also depends on the Object Configurator rights.

Node Map

Node Map rights define the access permission for configuring the Node Map view.

License Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Enter Edit mode to configure the Node Map (grouping/ungrouping and renaming nodes)	n/a	✔	n/a	n/a

Object Configurator

Object Configurator rights define the access permission for objects.

Object Configurator Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
For display purposes only.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Create new folders in System Browser. Create new objects in System Browser.	✔	✔	✔	✘
Delete folders in System Browser. Delete objects in System Browser.	✔	✔	✘	✔

Operating Procedure

Operating procedure rights define the access rights for configuring the operating procedures for assisted treatment.

Operating Procedure Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Add a new operating procedure folder, operating procedure template, or step. Create an operating procedure template from existing configuration.	✔	✔	✔	✘
Delete any operating procedure folders, operating procedures, or procedure steps.	✔	✔	✘	✔

Reactions

Reactions rights define the access rights for configuring the reactions.

Reactions Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Add a new reactions folder. Create a new reaction. NOTE: Creating an Output Macro in the context of a reaction requires Macro rights. Create a reaction from existing configuration.	✔	✔	✔	✘
Delete any reactions folder or reaction.	✔	✔	✘	✔

Reporting and Application Viewer

Reports application and Scope rights define the access rights for configuring different types of reports and is also used to view and configure applications in the Application Viewer tab (see Application Viewer table below.)

NOTE: If you have a combination of application rights, a union of all the groups is assessed.

Reports Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View a report definition. Modify any existing report definitions. Run the report definition using the Run icon, Run As icon, and Execute command button. Stop a report execution Export a report definition Print a report. Create and view a report as a PDF Create and view a report as an Excel Execute standard reports from the Related Items tab. Execute the alarm printout, report, and treatment form steps in Assisted Treatment.	✔	✘	✘	✘
Modify existing report definition and save any changes. Create a new report from the Related Items tab.	✔	✔	✘	✘
Create a new report folder. Create and configure a new report definition. Save a report definition Create a new report definition from an existing report definition using the Save As icon. Save a report definition as a default template. Create, configure, and save a new report from the Related Items tab. Import a report definition.	✔	✔	✔	✘
Delete an existing report. Delete a report folder.	✔	✔	✘	✔

Application Viewer

The Application Viewer allows you to access web reporting applications to configure and execute them. With the appropriate application rights, the Application Viewer tab displays from the following:

Advanced Reporting
Managed Meter
Links

Application Viewer	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View the Application Viewer tab. Navigate to the Advanced Reporting Configuration Page. Execute Advanced Reporting Job Create Cache. Execute, view, and cancel configured reports. Display reports in the Related Items pane.	✔	✘	✘	✘
Work with Application Viewer toolbar. Save Advanced Reports as Links. Operating mode, on a link: Set and clear credentials. Configure email settings for links. Engineering Mode: Delete link.	✔	✔	✘	✘

Schedules

Schedules application and Scope rights define the access rights for setting up and configuring schedules on management stations or on field panels at your facility.

Scheduler Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View daily and weekly schedules. View schedule details. Toggle between graphical view and table view. Export a schedule. Print a schedule.	✔	✘	✘	✘
Modify any existing schedules. Create calendars and associate them with schedules. Create schedule entries from the weekly or daily view. Control BACnet command tables with schedules. Copy current settings from one schedule to another.	✔	✔	✘	✘
Create a new schedule. Create exceptions to schedules. Create a new schedule from an existing schedule using the Save As icon.	✔	✔	✔	✘
Delete a calendar. Delete any existing schedules.	✔	✔	✘	✔
Migrating Management Station Schedules and Calendars Restoring Management Station Schedules and Calendars	✔	✔	✔	✔

Scopes

Scopes application and Scope rights define the access rights for configuring Scopes.

Scopes Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View the configured data in an existing Scope definitions.	✔	✘	✘	✘
Modify any existing Scope definitions and save any changes.	✔	✔	✘	✘
Create a new Scope folder. Create, configure, and save a new Scope definition. Create a new Scope definition from an existing scope definition using the Save As icon.	✔	✔	✔	✘
Delete a Scope definition. Delete a Scope folder.	✔	✔	✘	✔

Security

Security application rights define the permissions for configuring the security of a user group.

Security Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View the Security rights.	✔	✘	✘	✘
Create a new user group. Modify, copy and delete a user group.	✔	✔	✘	✘
The Create option in Scope Rights has no influence on performing this function	✔	✔	n/a
The Delete option in Scope Rights has no influence on performing this function	✔	✔		n/a

Sessions

Sessions application rights define the permissions for configuring sessions.

Sessions Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
For display purposes only.	✔	✘	✘	✘
The controls are available, and the users can end a session.	✔	✔	✘	✘
The Create option has no influence on performing this function.	✔	✔	n/a
The Delete option has no influence on performing this function.	✔	✔		n/a

System Management

System Management rights define the access permission for the application to configure:

Stations, peripherals, and internal devices. In particular,

Under Desigo CC server,
- Add and configure the hard disk drive or server printer.
- Add the OPC DA Server.
- Add a WMI UPS. Configuring this object requires Device rights.
Under an Installed Client or a FEP station:
- Create the Drivers folder.
- Add and configure the hard disk drive.
- Add a WMI UPS. Configuring this object requires Device rights.

Under an SNMP Network, add and configure:

SNMP-capable devices such as, printer, UPS, switch, or a custom SNMP device.
Configuring the UPS, switch, or custom device objects requires Device rights.
Individual properties for an SNMP device
Configuring these objects requires Device rights.

Visibility of Engineering/Operating button in System Manager.

NOTICE

Disabled Engineering Rights

You can configure Toggle Engineering Mode rights to grant or deny access to Engineering mode for a user group. Be careful not to deny these rights for the user group that you belong to. If you deselect the Toggle Engineering Mode check box for your user group, the next time you switch back to Operating mode the Operating/Engineering button will no longer display. At that point, you can no longer go back and re-enable your Engineering rights.

System Management Rights	Application Rights			Scope Rights
Action	Show	Config.	Toggle Engin. Mode	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘	✘
Switch System Manager between Engineering and Operating mode.	✔	✔	✔	✘	✘
Add or create station/SNMP network objects.	✔	✔	✔	✔	✘
Delete any station/SNMP network objects.	✔	✔	✔	✘	✔

NOTE:
If you change the application rights for a user group, the changes will take effect immediately, even if those users are currently logged on and using the system.

Trends

Trend application and Scope rights define the access rights for configuring the Trends.

Trend Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View a Trend View definition. Modify any existing Trend View definitions. Run and stop the Trend View definition using the Run or Stop icon. Toggle between graphical view and table view. Compare a Trend View definition. Export a Trend View definition. Print a Trend View definition. Save changed background information as a user default.	✔	✘	✘	✘
Modify existing data and save any changes. Add new data points to existing Trend View definition. Delete an existing data point on the Trend View definition. Create a Trendlog or Trendlog multiple object in the BACnet device. Delete a Trendlog or Trendlog multiple object in the BACnet device.	✔	✔	✘	✘
Create a new Trend folder. Create a new Trend View definition. Create a new Trend View definition from an existing Trend View definition using the Save As icon.	✔	✔	✔	✘
Delete a Trend folder. Delete any existing Trend View definition.	✔	✔	✘	✔

NOTE:
If you want to prevent a user from creating or deleting BACnet Trend Log or Trend Log Multiple objects, then the user group to which this user belongs must not have the Create and Delete Scope rights and Config application right on the BACnet configurator.

Trends Manual Correction

Trends Manual Correction application rights define the access rights for configuring the Manual Correction application.

Manual Correction Application Rights	Application Rights
Action	Show	Config.
Manual Correction application does not display on selecting the Manual Correction node. On primary/secondary selection of an object, the Manual Correction link does not display in the Related Items tab.	✘	✘
Manual Correction application displays. On primary/secondary selection of an object, the Manual Correction link displays in the Related Items tab. Drop a trended object in the Manual Correction application. View trend values for the selected trended property.	✔	✘
Add new records, edit and delete existing records	✔	✔

Users

Users application rights define the permissions for configuring users.

Users Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
For display purposes only.	✔	✘	✘	✘
Create a new user. Modify, copy and delete a user.	✔	✔	✘	✘
The Create option in Scope Rights has no influence on performing this function.	✔	✔	n/a
The Delete option in Scope Rights has no influence on performing this function.	✔	✔		n/a

View Builder and View Configurator

For configuring site views, two types of access permission are available:

View Builder
View Configurator

View Builder rights define the access permission for building site views.

View Builder Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes. Purge aggregators. Update Physical View, Logical View, and User-Defined views with soft links.	✔	✔	✘	✘
Create a new aggregator in a view.	✔	✔	✔	✘
Delete any aggregator in a view.	✔	✔	✘	✔

View Configurator rights define the access permission for configuring site views.

View Configurator Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
Access the application and view existing data.	✔	✘	✘	✘
Modify existing data and save the changes.	✔	✔	✘	✘
Create a new view.	✔	✔	✔	✘
Delete any views.	✔	✔	✘	✔

Calibrators

Calibrators application and scope rights define permissions for viewing and modifying calibrator object, creating new calibrator object and deleting existing calibrator object.

Calibrator Rights	Application Rights		Scope Rights
Action	Show	Config.	Create	Delete
View a calibrator object.	✔	✘	✘	✘
Modify existing calibrator object and save the changes.	✔	✔	✘	✘
Create a new calibrator folder. Create a new calibrator object.	✔	✔	✔	✘
Delete an existing calibrator folder. Delete an existing calibrator object.	✔	✔	✘	✔