Implementing Tag-Level Security

About this task

In addition to defining the iH Tag Admins who have the power to create, modify, and remove tags, you can also define individual tag level security to protect sensitive tags.

Set tag level security in Historian Administrator. You need the Historian Security Groups to implement tag-level security. You can use a Windows pre-defined group (power users, for example) or create your own separate group specifically for this function. For more information on creating and adding groups, refer to Setting Up Historian Security Groups.

Users must have iH Security Admins rights to set individual tag level security, browse, or query tags in Historian Administrator.

Note: Tag security is not enforced in the Trend Client when it comes to browsing the full list of tags. Security, however, is enforced when it comes to trending data for tags for which you have permission. For example, if you are logged into the Trend Client as a user that is a member of the User Group assigned to a tag's security Read Group, you will still be able to browse all Historian tags. However, you are only allowed to trend the tags for which the user is a member of the User Group assigned to the tag's security Read Group,

Procedure

  1. Access Configuration Hub.
  2. In the NAVIGATION section, under the Configuration Hub plugin for Historian, select Tags.
    A list of all the tags appears.
  3. Select the row containing the tag whose security you want to define.
    The tag details appear in the DETAILS section.
  4. Enter values as described in the following table.
    Field Description
    Read Group The Windows security group that can retrieve the tag data and plot it in a trend chart.

    For example, if you select a group with power users, in addition to members of the iH Security Admins group, only a member of the power users group will be able to read data for that tag. Even a member of the iH Readers group will not be able to access data for that tag, unless they are also defined as a member of the power users group.

    Write Group The Windows security group that can write tag data (for example, using the Excel Add-in for Historian).
    Administer Group The Windows security group that can create, modify, and delete the tag.
    Note: If you are using domain groups (instead of local groups), the Read Group, Write Group, and Administer Group fields contain only the groups whose names begin with iH<space> (case-sensitive). Therefore, ensure that the group that you want to use begins with iH<space>.