Implementing Tag Level Security

About this task

In addition to defining the iH Tag Admins who have the power to create, modify, and remove tags, you can also define individual tag level security to protect sensitive tags.

Set tag level security in Historian Administrator. You need the Historian Security Groups to implement tag-level security. You can use a Windows pre-defined group (power users, for example) or create your own separate group specifically for this function. For more information on creating and adding groups, refer to Setting Up Historian Security Groups.

Users must have iH Security Admins rights to set individual tag level security, browse, or query tags in Historian Administrator.

Note: Tag security is not enforced in the Trend Client when it comes to browsing the full list of tags. Security, however, is enforced when it comes to trending data for tags for which you have permission. For example, if you are logged into the Trend Client as a user that is a member of the User Group assigned to a tag's security Read Group, you will still be able to browse all Historian tags. However, you are only allowed to trend the tags for which the user is a member of the User Group assigned to the tag's security Read Group,

Procedure

  1. Open Historian Administrator.
  2. Select the Tags link.
    The Tag Maintenance page appears.
  3. Select a tag (or group of tags) from the Tag Name section of the Tag Maintenance page.
  4. Select Advanced to display the advanced tag options.
  5. In the Read Group, Write Group, or Admin Group field, select the security group that you wish to assign to the tag from the drop-down list.
    The drop-down list automatically lists all security groups that are defined in your Windows security environment.
    For example, if an iH Security Admins user selects a tag and chooses power users from the Read Group drop-down list, in addition to members of the iH Security Admins group, only a member of the power users group will be able to read data for that tag. Even a member of the iH Readers group will not be able to access data for that tag, unless they are also defined as a member of the power users group.
    Note: If you are using domain groups (instead of local groups), the Read Group, Write Group, and Admin Group fields contain only the groups whose names begin with iH<space> (case-sensitive). Therefore, ensure that the group that you want to use begins with iH<space>.