BF Ref 241

Business FLEX® 241
Reference Guide
Document ID: BF-REF-241
Revision Date: September 2011
Copyright, Notices, and Trademarks
Copyright, Notices, and Trademarks

© Honeywell International Inc. 1998 – 2011. All Rights Reserved.
While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied
warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be
stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any indirect, special, or consequential damages. The information and
specifications in this document are subject to change without notice.
Honeywell, Experion, Uniformance, and Business FLEX are registered trademarks of Honeywell International Inc.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
Crystal Reports and Business Objects are trademarks or registered trademarks of Business Objects SA in the United
States and/or other countries.
Adobe and Adobe Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.
OSIsoft and The PI System are either registered trademarks or trademarks of OSIsoft, Inc.
All other brand and product names shown are trademarks of their respective owners.
About Business FLEX®

Business FLEX® is a family of advanced applications that improve plant profitability by enabling plant staff to work
more effectively and make better decisions. To learn more about Honeywell Business FLEX and other Honeywell
software solutions, contact your Honeywell account manager.
Visit us online at www.honeywell.com/ps, or contact us at 800-822-7673.
Honeywell, 1860 West Rose Garden Lane, Phoenix, Arizona, 85027, USA
Release Information
Business FLEX: Release 241
Revision Date: September 2011
Business FLEX Database Version: BF241.0.00
Document ID: BF-REF-241
ii  Business FLEX Reference Guide

Contents
Contents
Security within Business FLEX 241 1
Overview 1
Who Should Use This Guide 1
Conventions Used in This Guide 1
Related Documents 2
Contact Us 2
Oracle Security 3
Introducing Security Administration 3
Introduction 3
Overview of Security Administration 3
Creating the First Security Administrator Application User 4
Oracle and Windows Users 5
Using the Security Configuration Forms 6
Introduction 6
Using the Change User Password Form 6
Using the Commit All Permissions Form 8
Using the Update a Role Form 9
Using the Update Users Form 10
Using the Menu Access Configuration Form 11
Using the Menu Caption Configuration Form 12
Using the Role Configuration Form 13
Using the Role Permissions Configuration Form 15
Using the User Profile Configuration Form and User Role Configuration Form16
Introducing TPI Administration 17
Configuring Permissions for the Business FLEX Application Server 17
Configuring the UNISERVER Permissions 17
Granting Permissions for the Application Server 17
SQL Server Security 19

SQL Server User Accounts and Permissions 19
Introduction 19
Run-time and Install-time Accounts 19
Mapping Run-time and Install-time Accounts to EDS Data Access Services
Data Sources 19
Experion Application Framework 21

Configuring Windows Integrated Authentication for EAF Data Access 21
Issues with Impersonation and Localized Files 22
Per User Data Source Credentials Support In EAF Data Access 22
Business FLEX Reference Guide  iii

Contents
Managing Access to Data Sources Using Security Roles 24

User Security Credentials 27
Business FLEX Base Account 27
Logging into PHD from the Web-Enabled Operations Management
Applications 28
Security Managed by Assets 28
Introduction 28
Identifying Equipment Used for Security Assignment 29
Synchronizing Equipment Used for Security Assignments With EAF 33
Enabling Security Managed by Equipment 34
Configuring Security Managed by Equipment in EAF 35
Security for KPI Manager 41
KPI Hierarchical Security 41
Synchronizing KPIs Used for Security Assignments with EAF 41
Enabling Hierarchical Security for KPI Manager 43
Configuring Security Managed by KPIs in EAF 45
Using Windows Server Group Policy to Install Client Software 51
Group Policy Overview 51
Workspace Security 52
Overview 52
Hide the Administration Workspace 52
Control the Administration Workspace Access Permissions 53
Business FLEX System-Level Security Concerns 54

Virus Scanning 54
General Information on Virus Scanning 54
Security Hot Fixes 54
Uploading Files to the Web Server 55
Considerations for High Security Deployment 57
Program Files Directory Permissions 57
ASPNET Directory Permissions 57
Auditing 58
Overview 58
Auditing Details 58
Configuring the jobs for auditing 59
Configuring Application Audit Job 61
Configuring Purge Application Audit Job 63
Configuring Insert User Details Job 66
Enabling auditing of users 69
Viewing the auditing data 70
iv  Business FLEX Reference Guide

0BSecurity within Business FLEX 241
Overview
Security within Business FLEX 241
Overview
This document provides an overview of the various security models and security
settings that are required as part of the configuration of a complete Business
FLEX System.
This guide covers the settings required in Oracle (if installed), SQL Server,
Experion Application Framework (EAF), and the base platform.
Who Should Use This Guide

This guide is intended for Honeywell employees who are responsible for
installing Business FLEX 241 products.
Conventions Used in This Guide

The following typographic and stylistic conventions are used throughout this
guide:
This… Indicates this…
Click To position the mouse over a topic, button, box, or window area and
then click the left mouse button.
Double-click To position the mouse over a topic, button, box, or window area and
then click the left mouse button twice in succession.
Right-click To position the mouse over a topic, button, box, or window area and
then click the right mouse button.
Courier A command you type or a file or directory location.
Italics Another Business FLEX document.
Bold A button or menu command you click in a window.
In addition, these symbols are used:

Symbol Definition
ATTENTION: Identifies information that requires special consideration.
TIP: Identifies advice or hints for the user, often in terms of performing a
task.
CAUTION Indicates a situation which, if not avoided, may result in equipment or work
(data) on the system being damaged or lost, or may result in the inability to
properly operate the process.
Business FLEX Reference Guide  1

0BSecurity within Business FLEX 241
Related Documents
Related Documents
Further information about Business FLEX Database and related applications can
be found in the following documents.
Document Title
BF-INS-241 Business FLEX Installation Guide
TPI-ADM-USR- TPI Administration User Guide
241
SCO-USR-241 Business FLEX System Console User Guide
For more information on the other Business FLEX applications, see the
Documentation folder on the Business FLEX 241 Software DVD.
Contact Us
Please send any comments or questions to the Help Desk at
support@honeywell.com. Ensure that you type Business FLEX Security in the
subject line of your e-mail.
2  Business FLEX Reference Guide

1BOracle Security
Introducing Security Administration
Oracle Security
Introduction
The Business FLEX Oracle security is divided into two functional areas:
 the need to manage the system
 the requirement to access data.
The first is the responsibility of the System Administrator. The second may be a
general requirement with users being restricted to specific subsets of access
based on roles. Roles are assigned functional levels of permission. Users may
belong to more than one role definition and inherit the highest level of
permission from each role.
Overview of Security Administration

System Administrators perform functions from menus and forms not generally
available to application users. System management functions include:
 Install Client Application
 Customize application menu captions
 Database Attachment (Attach Tables)
 Role/Function Definition
 Create new roles
 Drop roles
 Assign function security to roles
 Assign menu access to roles
 User Enrollment
 Create new users
 Grant users to roles
 Revoke users from roles
 Activate and deactivate existing users

1BOracle Security
 User Password Administration

 Change user passwords
 Application Security
For Business FLEX 140 and later, selected administration rights may be granted
to specific users.
Assign this role… To users who…
IPC_USER_DEF Perform user security using the Update Users form found in
the Security Administration application. This role has the
privileges to perform the grants, revokes, creates, and alters
to maintain user permissions.
IPC_ROLE_PERM_DEF Perform role security using the Update a Role form found in
the Security Administration application. This role has the
privileges to perform the grants, revokes, creates, drops,
and object privileges to maintain role permissions.
Perform role security functions using the Commit All
Permissions form. This role has the privileges to perform the
grants, revokes, creates, drops, and object privileges to
maintain all permissions.
IPC_PASSWORD_DEF Maintain user’s passwords using the Change Users
Password form found in the Security Administration
application. This role has the privileges required to change
other user passwords.
Creating the First Security Administrator Application User

You must create and assign the necessary roles to the first security administrator
application user using the Database Administration form. Refer to the TPI
Installation Guide for instructions on creating the shortcut that opens the
Database Administration form. Once you configure the new security
administrator application user, run either Commit All Permissions or Update
Users to create and grant the required roles configured for this user in the User
Roles Configuration form. From this point on, assuming that the new security
administrator application user was granted all of the required security roles, this
new user can create all other security administrator application users, and all
regular users.
Function Security
A role can be assigned to a specific function group or groups. If a user is not a
member of at least one role matching the list of required roles assigned to read,
write, or configure a particular function, the system will deny the attempted
access to that function.
Functions definitions are grouped together using the Function Group field found
on the Function Definition configuration form. The user must first define desired
Function Group names in the Plant Reference Model by using the Lookup Value
Configuration form.

1BOracle Security
Oracle and Windows Users
UNISERVER User
The Oracle user UNISERVER is used by the Business FLEX Application
Scheduler for logging on to the Oracle database.
The name UNISERVER is used throughout this document, but any site-specific
name can be used, as long as the domain name and this name combined total 30
or fewer characters. UNISERVER needs to be a member of the Windows
Administrators group.
ATTENTION: Although Oracle and TPI allow longer names, the

domain\username combination must be no more than 30 characters to ensure
successful installation and configuration.
The Business FLEX database install/upgrade automatically adds the Oracle user
UNISERVER to the Business FLEX user table. The TPI COMMIT ALL
PERMISSIONS routine creates/activates the user in Oracle.
During installation/upgrade of the Business FLEX Database System, the
Windows user, UNISERVER, is configured to run the Business FLEX
Application Scheduler. UNISERVER is setup the same as the Windows user,
TOTALPLANT.
OPS$TOTALPLANT User Is Dropped

Prior to Uniformance R201, there was a need to create and maintain an
Oracle/TPI user of OPS$TOTALPLANT in the database. The purpose of user
OPS$TOTALPLANT was to enable the NT services to log on to the Oracle
database using the /@ logon entry (no username/password).
In order for the services (Application Scheduler) to log on to the Oracle database
using /@, they had to run in Windows as user TOTALPLANT. When the services
logged on to the Oracle database using /@ as a Windows user TOTALPLANT,
they became OPS$TOTALPLANT in the Oracle database (assuming the
OS_AUTHENT_PREFIX value was set to OPS$, the default prior to
Uniformance R201).
In Business FLEX 241, OS_AUTHENT_PREFIX is set to ‘nothing’ (“”)
therefore TOTALPLANT cannot logon as user OPS$TOTALPLANT in the
Oracle database.

1BOracle Security
Using the Security Configuration Forms
Introduction
The following summary shows which form to use to perform the security
definitions:
Task Business FLEX TPI
Application install or Attach Tables
upgrade.
Commit All Permissions
Create a new user(s), User Profile Configuration
assign existing roles.
User Role Configuration
Update Users
Create a new role, assign Role Configuration
existing users.
Role Permissions Configuration
Menu Access Configuration
Update Role
Assign an existing user to User Role Configuration
an existing role.
Update Users
Assign a new user to a new User Profile Configuration
role.
Role Configuration
Role Permissions Configuration
Menu Access Configuration
Commit All Permissions
Change logon password. Change User Password
Change roles assigned to a User Role Configuration
user.
Update User
Change role permissions. Role Permissions Configuration
Update Role
Change menu access for a Menu Access Configuration
role.
Deactivate a user. User Profile Configuration
Update User
Using the Change User Password Form

You can use the Change User Password form to alter the passwords for the user
accounts. This may be done for security reasons and for synchronizing the server
database and application accounts in client/server implementations of the
application.

1BOracle Security
Following is the Change User Password form:
Fields
The following fields appear on the Change User Password form. The asterisk (*)
indicates mandatory fields.
In this field… Do this…
*User Name Enter the user for which you want to change the password. A list
of values is available.
The password can be changed only for password authenticated
users.
*New Password Enter the new value for the user password. Passwords can
consist of upper and lower case letters ( A-Z ), numbers ( 0-9 ),
the underscore ( _ ), a period ( . ) and a hyphen ( - ).
*Verify Enter the new password again to prevent typing mistakes.
Buttons
The following buttons appear on the Change Password form:

Click this… To do this…
OK Commit the password change.
Clear Clear all the fields on the form.
Close Close the Change Password form without making the change.
Previous changes where you clicked OK are still saved.
The form does not close until you click Close. This allows you to change several
users' passwords without re-opening the dialog each time.
Accessing the Form

How you access the Change User Passwords form, determines whose passwords
you are allowed to change, as shown in the following table.
If you access the form Then you can change this…
from here…
Plant Reference Model The only password you can change is your own.

1BOracle Security
If you access the form Then you can change this…

from here…
Security Administration You can change any user's password if you have the
application IPC_PASSWORD_DEF role assigned to you in the User
Roles Configuration form. This role has the privileges
required for you to change other users' passwords. Once
you are assigned this role, commit permissions must be run
before this role takes effect.
Database Administration You can change any users' password without special roles
form required.
Assigning Permission to Change Passwords

You can assign the “SA CHANGE USER PASSWORD” function to a specific
role on the following forms to allow the role to access the Change Users
Password form and to change passwords:
Use this form… To do this…
Menu Access Configuration Assign permission to access the Change Users
form Passwords form
Role Permissions Assign permission to insert, update, and delete
Configuration form passwords
Note: New users do not exist in the system and cannot have their passwords
changed until the user has been established by clicking Update Users, Update a
Role, or Commit All Permissions on the Database Administration form or from the
Security Administration application.
Using the Commit All Permissions Form

You can use the Commit All Permissions button on the Commit All Permissions
form to do the following:
1. To update the roles, users, and permissions defined in the application security
system.
2. To commit updates after changing role, user, or permission definitions.
3. To commit all permissions after re-attaching the database tables.
Note: Menu permissions are not affected by the Commit All Permissions
process, since menus become available for newly specified forms and reports
immediately after they are defined.
You can commit permissions using the Security Administration application once
you are assigned the IPC_ROLE_PERM_DEF role through the User Role
Configuration form.
You can use the “SA COMMIT ALL PERMISSIONS” function to assign insert,
update, and delete permissions to this form in the Role Permissions
Configuration form and to assign menu access to this form in the Menu Access
Configuration form.

1BOracle Security
Following is the Commit All Permissions form:
Buttons
The following buttons appear on the Commit All Permissions form:
Commit All Update the roles, users, and permissions defined in the
Permissions application security system.
Cancel Close the form without making the change.
A log file, BFX_SECURE.LOG, is created in the Log Files folder located under
the main Business FLEX folder whenever Commit All Permissions is executed.
Using the Update a Role Form

You can use the Update a Role form to update a specific role instead of updating
the permissions for all roles. This allows users to update a role’s permissions
much faster than running Commit All Permissions. This form is useful when the
permissions for a particular role are added, modified, or deleted in the Role
Permissions Configuration form.
The Update a Role form updates the necessary permissions for a particular role
by granting and revoking the permissions for the role when needed. When you
run the process, any new or modified user and role information is updated or
created, however only the selected role’s object permissions are updated.
You can update a role as long as you are assigned the IPC_ROLE_PERM_DEF
role in the User Roles Configuration form. This role has the privileges necessary
for you to update a role. Initially, when you are assigned this role, the commit
permissions process must be run by a user with the required permissions before
this role takes effect for you.
The “SA UPDATE A ROLE” function assigns insert, update, and delete
permissions to this form in the Role Permissions Configuration form and assigns
menu access to this form in the Menu Access Configuration form.

1BOracle Security
Following is the Update a Role form:
Fields
The following fields appear on the Update a Role form. The asterisk (*) indicates
mandatory fields.
*Role Name Select the role for which you want to update permissions.
A list of values is available and is validated against the
Role Configuration form.
Buttons
The following buttons appear on the Update a Role form:

Ok Update the role’s permissions.
Close Close the Update a Role dialog form.
Using the Update Users Form

You can use the Update Users form to update users’ permissions. This form is
useful if a user is added or modified in the User Profile Configuration form or if a
user is assigned to a role in the User Roles Configuration form. This allows you
to update users’ permissions quickly.
The Update Users form updates the necessary user permissions by performing
grants, revokes, alters, and creates. When you run this process, any new or
modified user and role information is updated or created except for changes made
to roles in the Role Permission Configuration form.
You can run Update Users if you are assigned the IPC_USER_DEF role. This
role has the privileges required for you to update other users' permissions.
Initially, when you are assigned this role, the commit permissions process must
be run by a user with the required permissions before this role takes effect for
you.
The “SA UPDATE USERS” function assigns insert, update, and delete

1BOracle Security
Following is the Update Users form:
Buttons
The following buttons appear on the Update Users form:
Update Users Update user permissions.
Cancel Close the Update Users form without making the change.
Using the Menu Access Configuration Form

You can use the Menu Access Configuration form to control which forms and
reports are available for a particular role. This level of security controls the
ability to access data using reports or queries. You can configure form or report
access by assigning a role to the Form/Report menu item name. If the menu item
is not configured here for a role, it does not appear in the Select Application,
Select Form, or Select Report lists of the Main Menu form.
You must grant menu access to the Form/Report menu item and to the
Application menu item before a custom menu item appears in the menu. The “SA
MENU ACCESS” function assigns insert, update, and delete permissions to this
form in the Role Permissions Configuration form and assigns menu access to this
form in the Menu Access Configuration form.

1BOracle Security
Following is the Menu Access Configuration form:
Buttons
The following fields appear on the Menu Access Configuration form. The
asterisk (*) indicates mandatory fields.
*Role Select the role name for which the menu item is enabled. Only
entries configured using the Role Definition form appear in the list.
*Menu Item Select the menu item name of the form or report enabled for the
role. The menu item names in the list are restricted to licensed
products.
Using the Menu Caption Configuration Form

You can use the Menu Caption Configuration form to define the text that appears
on the main menu, and to link the text to the form or report that opens when you
double-click the menu item.
The “IFM MENU CAPTION CONFIGURATION” function assigns insert,
update, and delete permissions to this form in the Role Permissions
Configuration form and assigns menu access to this form in the Menu Access
Configuration form.

1BOracle Security
Following is the Menu Caption Configuration form:
Fields
The following fields appear on the Menu Caption Configuration form. The
*Language Select the multi-language file that contains the menu caption.
*Menu Item Select the menu item name for the form or report. The menu item
names in the list are restricted to licensed products.
Help File Enter the help file document that opens when you press F1 or enter
“N/A” if there is none.
Context ID Nothing. This field is not used.
*Menu Caption Enter the actual menu item text that appears on the main menu.
Status Bar Text Enter the text that appears at the bottom of the Microsoft Access
window when the menu item is selected.
Using the Role Configuration Form

The Business FLEX security system is based on roles. Roles are assigned
functional levels of permission for the application forms and menu-level access
to the forms and reports. Users may belong to more than one role definition and
will inherit the highest permissions from each role. The additive permissions for
user enrollment help you keep the number of role definitions required to a
relatively small number.
The first step in configuring the security system is to define the role names used
by the application. This is done using the Role Configuration form that is
accessed from the Roles menu in Security Administration application.

1BOracle Security
You cannot delete the following roles using this form:

Role Use
IPC_PASSWORD_DEF This is required for the Change Password form.
IPC_ROLE_PERM_DEF This is required for the Update a Role and Commit All
Permissions forms.
IPC_USER_DEF This is required for the Update Users form.
The “SA ROLE CONFIGURATION” function assigns insert, update, and delete
Following is the Role Configuration form:
You can click the Initialize Role button on the title bar and grant full
permissions/full menu access to the application for a role. This is not usually
recommended with roles other than the FULLPERMISSION role. However, you
can use this method to simplify the process of adding a large number of
permissions and menu access to a role. Instead of adding a long list of
permissions, you need to remove only the unwanted permissions for the role.
You can use the “SA INITIALIZE ROLE” function to grant insert and delete
permissions in the Role Permissions Configuration form to any role assigned to a
user who uses the Initialize Role button. If the user’s role is granted insert and
delete permission for the “SA MENU ACCESS” function and the “SA ROLE
PERMISSIONS” function, then you do not need to grant insert and delete
permission on the “SA INITIALIZE ROLE” function.

1BOracle Security
Fields
The following fields appear on the Roles Configuration form. The asterisk (*)
indicates mandatory fields.
*Role Enter the name assigned to a group of security and menu access
permissions. You cannot change or delete this field value if
dependent definitions exist. Only characters A-Z, 0-9, and _ are
valid entries for role names.
*Description Enter additional descriptive text to describe the role definition.
Using the Role Permissions Configuration Form

You can use the Role Permissions Configuration form to define the data
manipulation function each role can perform on each form in the application.
Roles have the following functional permissions for each form:
Permission Description
INSERT The ability to insert new records.
UPDATE The ability to update existing records.
DELETE The ability to remove records from the database.
The ability to select or retrieve data is implied with the above functions and is
implicitly granted on all forms to all roles. The Menu Access Configuration form
is used to permit or prevent access to specific forms and reports, while the Role
Permissions form is used to define the type of data manipulation permitted on
those forms. The “SA ROLE PERMISSIONS” function assigns insert, update,
and delete permissions to this form in the Role Permissions Configuration form
and assigns menu access to this form in the Menu Access Configuration form.

1BOracle Security
Following is the Role Permissions Configuration form:
Fields
The following fields appear on the Role Permissions Configuration form. The
*Role Select the role name granted to the function and permissions.
Only entries configured via the Role Definition form appear in the
list.
*Function Select the application form or function on which the permission is
granted. Only the functions for which the application is licensed
appear in the list of allowed functions.
Insert Select insert authority for the role. A  indicates that the role has
insert authority for the selected function.
Update Select update authority for the role. A  indicates that the role has
update authority for the selected function.
Delete Select delete authority for the role. A  indicates that the role has
delete authority for the selected function.
Using the User Profile Configuration Form and User Role

Configuration Form
For more details on using the User Profile Configuration Form and User Role
Configuration Form, refer to the section Using the User Profile Configuration
Form and Using the User Role Configuration Form in TPI Administrator User
Guide (TPI-ADM-USR-241).

1BOracle Security
Introducing TPI Administration
Introducing TPI Administration

For more details on the TPI administration, refer the section Introducing TPI
Administration in the TPI Administrator User Guide (TPI-ADM-USR-241).
Configuring Permissions for the Business FLEX

Application Server
Configuring the UNISERVER Permissions

In this document and in all examples that follow in this section, we use the name
UNISERVER but this can be any name that the site chooses. UNISERVER needs
to be a member of the Windows Administrators group.
For more details on using the User Profile Configuration Form and User Role
Configuration Form, refer to the section Using the User Profile Configuration
Form and Using the User Role Configuration Form in TPI Administrator User
Guide (TPI-ADM-USR-241).
Granting Permissions for the Application Server

Several authentication-related procedures must be completed in order for the
Applications Scheduler (IP_Schedule.exe) to operate correctly. Ensure that you
have completed the procedures explained in the Business FLEX Installation
Guide.
Refer to Part II, “Business FLEX Server Installation” section’s post-installation
instructions. Specifically, see “Granting Permissions for the Application Server”
in the “Post-Installation Procedures” section.

2BSQL Server Security
SQL Server User Accounts and Permissions
SQL Server Security
SQL Server User Accounts and Permissions
Introduction
SQL Server is the database used by Experion Desktop Server and many of the
Business FLEX applications. The following section describes the recommended
path for users to follow when installing Business FLEX 241 applications that will
run against the Experion Desktop Server.
Run-time and Install-time Accounts

It is recommended that the reader consider the creation of two separate SQL
Server accounts that will be used for the EDS and Business FLEX installations:
install-time account and a run-time account. The install-time account could the
SQL Server ‘sa’ account – although this is not recommended. It is recommended
that a run-time user is created using the standard SQL Server Enterprise manager
tool and that this user is assigned the Database Creator role.
In addition, the reader should create a run-time account that will be used by the
Business FLEX applications to make connections to SQL Server. It is advisable
that this account have a lower security level than the install-time account. During
the installation of the applications, this run-time account will be assigned the
db_datareader and db_datawriter permissions for the Base Components database
and application specific databases that get created.
Mapping Run-time and Install-time Accounts to EDS Data Access

Services Data Sources
During the installation of the Business FLEX Base Components (and also for the
individual application installs) the install-time account will be assigned to
CoreAdmin role for the BaseBusiness data source (and application data
sources). the run-time account will be mapped to the Default role for the
BaseBusiness data source (and application data sources).

3BExperion Application Framework
Configuring Windows Integrated Authentication for EAF Data Access
Experion Application Framework
Configuring Windows Integrated Authentication for

EAF Data Access
EAF Data Access supports configuring “Windows Integrated Authentication” to
underlying data sources. This feature requires the desktop application to
impersonate users accessing the Data Access Console pages. The EAF
installation defaults impersonation to “false” for the desktop application.
Impersonation should be manually enabled by the EAF administrator.
CAUTION Enabling impersonation will reduce the performance of EAF Desktop
services.
To enable impersonation, change the “impersonate” attribute value of the

“Identity” element to “true” in the web.config file. The web.config file is located
at "%EAF Install Location%\Application Framework\Desktop" in the
Experion Desktop Server. The default EAF installation location is "%OS
Drive%\Program Files\ Honeywell\Experion PKS". The following figure
shows the <identity impersonate> element, that needs to be changed in the
web.config file, updated with a value of true.
ATTENTION: IIS servers configured with Windows NT Challenge/Response

authentication run into a problem called the “double-hop” issue. This issue will
affect EAF data access if “Windows Integrated Authentication” is used to
configure a data source under certain conditions. Please refer to the following
link http://support.microsoft.com/default.aspx?scid=kb;en-us;329986#3 to
understand the “double-hop” issue.

Issues with Impersonation and Localized Files
Issues with Impersonation and Localized Files

While the above mentioned Impersonate feature can be used to access underlying
data sources through the web server, this process introduces a new issue with
access to language-specific resources files for sites that are using non-English
resources.
Microsoft has documented this issue in the following link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;903902.
In Summary
There is a problem when using <Identity impersonate=”true” /> in a web
application. When trying to load a satellite assembly, for example, for user with
locale fr-FR (after an IISReset), the assembly cannot be found if the user is not a
local administrator on the machine. So the user just gets the default resources,
rather than those of fr-FR. Once a user who has write access to the temporary
ASP.NET folder (that is, a local administrator) (same fr-FR locale) tries to load
the satellite assembly, it succeeds. Then all subsequent users of fr-FR locale see
the correct satellite assembly.
Workaround
Microsoft recommends that the impersonated identity Write and Modify
permissions on the Temporary ASP.NET Files folder. For Business FLEX
applications this would involve giving web server connected users access to this
folder.
Per User Data Source Credentials Support In EAF

Data Access
EAF Data Access allows data source credentials to be configured for individual
users. Previous releases only supported credentials to be configured for EAF
Security Roles.
Users who have the EAF CoreAdmin and StorageAdmin roles can configure
credentials for any user to any data source. Users that do not have the
StorageAdmin role can only configure data source credentials for themselves.
Perform the following steps to associate user-based credentials to a data source.
1. Log onto the computer where the Experion Desktop Server was installed
using an account that has EAF CoreAdmin and StorageAdmin privileges.
2. Start Experion Desktop.
3. In the Public Workspaces pane select Administration.
4. In the Administration menu, select Data Access Services.
5. In the Data Source Name list, click the data source that needs to be
associated to a user.

Per User Data Source Credentials Support In EAF Data Access
6. Select the Users subtab.

7. Select the user from the Available list and click the > button to move the user
to the Associated list. Click the Update button to associate the list of users in
the Associated list to the data source.
8. Select the User Credentials subtab.

9. Select the user in the User Name list.
10. Provide the credentials in the Username and Password fields and click
Update. Alternatively select the Use Windows Integrated Authentication option
and click Update.
This completes the task of associating a user to a data source.

Managing Access to Data Sources Using Security Roles
Managing Access to Data Sources Using Security

Roles
EAF Data Access allows data source credentials to be configured for security
roles which can then be assigned to individual users or groups of users.
Creating Security Roles and Assigning Them to Users or Groups

Users who have the EAF CoreAdmin role can create security roles, and assign
them to users or groups.
Perform the following steps to create a security role.
using an account that has EAF CoreAdmin privileges.
4. In the Administration menu, select Security.
5. In the Role Admin tab, click the Create button.
6. Enter a Name and Description and click Update.
Perform the following steps to assign a security role to a group.

1. In the Administration - Security display, select the Group Admin tab.
2. In the Group Names list, click the group that needs to be associated to the
security role.
3. Select the Roles subtab.
4. Select the role from the Available list and click the > button to move the role
to the Assigned list.

The same steps as above can be followed to assign a security role directly to a
user.
Configuring Role-Based Access to Data Sources

Users who have the EAF CoreAdmin and StorageAdmin roles can configure
credentials for role-based access to a data source.
Perform the following steps to associate a role-based credential to a data source.
using an account that has EAF CoreAdmin and StorageAdmin privileges.
4. In the Administration menu, select Data Access Services.
5. In the Data Source Name list, click the data source that needs to be
associated to a role.
6. Select the Roles subtab.

7. Select the role from the Available list and click the > button to move the role
to the Associated list. Click the Update button to associate the list of roles in
the Associated list to the data source.
8. Select the Role Credentials subtab.

9. Select the role in the Role Name list.
10. Provide the credentials in the Username and Password fields and click
Update. Alternatively select the Use Windows Integrated Authentication option
and click Update.
This completes the task of associating a role to a data source.

User Security Credentials
User Security Credentials

For Business FLEX applications that make use of data sources configured in
EAF (SQL Server and/or Oracle databases, or the PHD Server), it is important to
note the following. In addition to specifying a set of data source credentials that
grant users access to the data source, users must have the appropriate roles
configured for them in the EAF Security Console. Failure to do so can result in
the applications not behaving as users would expect.
When users without applicable roles try to access certain Business FLEX
displays, they will see error messages indicating “error occurred while loading
page.”
Business FLEX Base Account

Starting with Business FLEX 200, a new configuration entry has been added to
help sites manage the accounts that are being used by the applications to
communicate internally to EDS. This new configuration entry, BaseAccount
located under HPI in the Configuration Console represents the user account
that MUST have CoreAdmin rights on the EDS server.
If this account does not have CoreAdmin rights, users may see errors messages
indicating “User is not a security administrator”.

Logging into PHD from the Web-Enabled Operations Management Applications
Logging into PHD from the Web-Enabled Operations

Management Applications
The web-enabled version of the OM/OI application logs into PHD using an
account called ASPNET worker process. This worker process account is a
LOCAL account on the Experion Desktop Server. When Public Read and Public
Write are ON (PHD Tag Security is off), PHD allows any account in any trusted
domain to log on and read/write data. Users will be able to activate Instructions
because ASPNET worker process account has all the privilege it needs.
When Public Read and Public Write are OFF, access to tags is governed by PHD
Tag Security. In this case, it is necessary to grant the ASPNET worker process
user sufficient rights to download tag values to PHD. If not, the worker process
will not have access to any tags, and Instruction Activation will fail with a
security violation.
To ensure that this issue will not arise, complete the following steps.
ATTENTION: Depending upon the operating system you are running, these
accounts will have different names:
Windows 2000 Server – Machinename\ASPNET
Windows 2003 Server – Machinename\Network Service
1. Create the ASPNET worker process user in TPI (either ASPNET or Network
Service depending upon operating system – see previous note).
Note: If you are trying to create the NETWORK SERVICE account in TPI
be aware that TPI does not support the direct entry of names with spaces
(although these domain names are valid). To get around the issue, it is
recommended that the NETWORK SERVICE name be copied into the TPI
form from NOTEPAD or some other application.
2. Put Node Name in Domain Name field.
3. Grant FULLPERMISSION role to this account.
4. Run Update users.
Tag Security for all tags being written to from web-enabled version of OMOI
must be granted to the ASPNET worker process account.
Security Managed by Assets
Introduction
The asset-based security capability extends security configuration to allow the
assignment of security entitlements to perform tasks based on the equipment
hierarchy. Using the asset-based security configuration, it is possible to grant
someone a role or Application Operation for selected units in the plant hierarchy
so, for example, that they will be able to approve shift summary reports for only
selected units and not all units in the plant.

ATTENTION: Asset-based security is currently only supported by the Operations

Management Web applications: Operating Instructions, Operations Monitoring
and Operations Logbook.
Asset-based security is based on the Experion Application Framework (EAF)

Hierarchical Security functionality.
Asset-Based Security Example

A large plant is divided into “North” and “South” process areas with each area
having a control building and a shift supervisor. There is a single planner for the
plant.
The planner issues instructions for each of the process units each Thursday. The
North area supervisor approves instructions for the units in North area, but is not
able to approve instructions for units in the South area. Similarly, the South area
supervisor can only approve instructions for the South area.
An operator is able to activate instructions for his assigned unit, and while he is
able to see other instructions, he cannot activate them.
The North area supervisor approves shift summary reports created for the units in
the North area, but is not allowed to approve shift summary reports for units in
the South area. Similarly, the South area supervisor can only approve shift
summary reports for the South area.
A North area operator is able to create shift summary reports only for his
assigned unit, and while he can see other shift summary reports in the North area,
he is not able to create them. In addition, the North area operator cannot see shift
summary reports for the South area.
The plant has decided that only supervisor reports will be visible outside the
control rooms. No one in the North area can see the position reports created by
operators in the South area. The South area supervisor’s report is visible to
everyone in the plant.
With the traditional, system wide role-based security, this level of security
entitlement assignment is not possible, rather anyone that is granted the right to
create a shift summary report can do so for any equipment in the plant. Similarly,
someone authorized to activate instructions can do so for any instruction in the
plant.
Identifying Equipment Used for Security Assignment

The first step in implementing asset-based security is to identify the equipment
that security assignments will be made against. While it is possible to assign
security entitlements to all equipment in your plant, it is generally not practical to
do so for a number of reasons, among which are:
 Users generally have the same security entitlements for multiple equipment
in the plant which are grouped together through the hierarchical nature of the
Plant Reference Model.

 Users that are authorized to perform a task for a unit, generally are
authorized to perform that task for all of the equipment that are part of that
unit.
To facilitate effective configuration, you first identify which equipment in the
Plant Reference Model will serve as assignable assets. Equipment identified as
such are imported into Experion Application Framework and are used to form the
basis for security configuration. The security settings configured for an
assignable asset are inherited by its children in the equipment hierarchy, as long
as those children are not themselves assignable assets. 1
Example
An example of an abbreviated plant hierarchy is shown below:
North Area
Unit 1
Equipment A
Equipment B
Unit 2
Equipment C
Equipment D
Unit 3
Unit 4
Designating North Area as the only assignable asset would cause all equipment
in Units 1, 2, 3, and 4 to use the security assignments made against the North
Area.
If in addition, Unit 2 was identified as an assignable asset, then Equipment C and
D would use the same security assignments as those on Unit 2, while Unit 1, 3, 4
and the equipment in each of these units would use the security assignments
made against the North Area.
Only those equipment entities that have been identified as assignable assets can
have security settings assigned to them in Experion Application Framework.
While each of these assignable asset, equipment entities may receive different
security assignments, they may also share many assignments. The Experion
Application Framework hierarchical security configuration provides convenient
options for propagating security across a number of assignable asset, equipment
entities.
The primary difference between an equipment entity identified as an assignable
asset and one that is not, is that the equipment entity without the assignable asset
designation will always have security evaluated based on the assignments that
1
Stated another way: If you do not designate an equipment entity as an assignable
asset, it will inherit the security settings from its closest parent equipment that is an
assignable asset.

have been applied against its nearest ancestor in the PRM that holds an
assignable asset designation.
Configuring Assignable Assets in TPI

In TPI, there are two ways to identify the equipment that will be used for security
assignments. The first is via the Operations Management Configuration form.
The right-most column (Security On/Off) in this form is used to identify the
equipment that will be used for security configuration.

The second way to identify equipment used for security assignments is to assign
the SECURITY_ASSET attribute to the equipment entities in the Equipment
Configuration form as shown in the following figure.
Considerations
When identifying which equipment will be used to for security assignments, it is
important to consider a number of factors:
 What level of granularity is needed for security assignments?
 Fewer equipment identified for security assignments will yield better
performance, while,
 More equipment identified for security assignments will allow for more
granular assignment of security entitlements.
 The topmost ASSET node in the Plant Reference Model is not enabled for
security assignments. If you have multiple equipment that appear directly
below ASSET, security assignments will have to be done against each one.
 A new parent equipment may be created below ASSET that can act as
hierarchy parent to these other equipment entities.
 If the topmost equipment entity is not designated as an assignable asset, there
will be no way to associate security with that equipment entity.

Synchronizing Equipment Used for Security Assignments With EAF

With the identification of the equipment used for security assignment completed,
the next step is to synchronize that information and the PRM with Experion
Application Framework. Synchronization must also be preformed whenever there
is a change to the equipment hierarchy in the Plant Reference Model.
ATTENTION:
1. You cannot proceed with security configuration until assignable assets have
been identified in TPI and those assignable assets have been synchronized
in EAF.
2. The Hierarchical Security (HS) configuration tabs in the EAF Administration -
Security display are only available after an application that supports asset-
based security has been installed.
Security authorization decisions are based on the equipment hierarchy that has
been synchronized with EAF. As a result, it is important to synchronize the
equipment hierarchy after changes are made to the PRM equipment hierarchy.
TIP: The only changes synchronized with Experion Application Framework are
those that reflect the hierarchical nature of the equipment model (parent/child
relationships) for equipment entities that have been identified as assignable
assets. It is not necessary to synchronize the PRM with Experion Application
Framework for other changes.
Procedure
The following figure shows the EAF Administration - Security display - HS
Synchronization tab. This is where synchronization between the PRM and
Experion Application Framework is performed.
Only users who have the EAF CoreAdmin role and who have permissions to
read from the BaseBFDatabase database instance (where the PRM is stored) can
perform the synchronization tasks.
In the HS Synchronization tab selected, select the ASSET hierarchy in the
Hierarchy Name list, and ensure that the BaseBFDatabase is selected in the
Datasource field. If this data source is not selected, select it from the list and
click Update.

There are two ways in which the PRM can be synchronized with Experion
Application Framework.
Bulk Loadis used to initially load the PRM into the Experion Application
Framework (Initial Load option) or to replace the PRM and all security
assignments (Force Load option).
CAUTION The Force Load option will remove all existing security assignments. If you
wish to import changes made to the PRM into Experion Application
Framework while preserving existing security configuration, use Bulk
Synchronization.
Bulk Synchronization is used to update the Experion Application Framework

version with changes made to the PRM. Note: The Force Load and Initial Load
options are not used in Bulk Synchronization.
Enabling Security Managed by Equipment

By default, asset-based security is not enabled. You must enable this option for
each application that supports asset-based security. This is accomplished in the
EAF Administration - Security display - HS Application tab.
Only those applications that support asset-based security are shown in the
Applications list in this tab. To enable asset-based security, select the appropriate
applications in the Applications list and click the Enable Application button. At a
later time, if you wish to revert to system wide role-based security, this same
configuration screen can be used to Disable asset-based security for a selected
application.

Configuring Security Managed by Equipment in EAF

Unlike system wide role-based security configuration, where a role is assigned
directly to a user or group, asset-based security combines roles, users/groups, and
equipment to define an authorization scheme that manages security entitlements
by equipment.
Configuring asset-based security is done on the Person Admin or Group Admin
tabs in the EAF Administration - Security display. When a user or group is
selected, the HSSecurity subtab is used to perform this task. Throughout this
section, the displays show security configuration for a person. Similar displays
apply to group security configuration.
The HSSecurity subtab for a person's security configuration is shown in the
following figure.
This subtab brings together the three elements of asset-based security

configuration, the role, the equipment, and the person/group. The Person/Group
names appear in the list on the left of this display.
The equipment is displayed in the Item Tree (in the second column) when
ASSET is selected in the Hierarchy list. Note: This equipment hierarchy is not
the entire PRM, but is the list of equipment entities that were configured as
assignable assets in the PRM.
The roles are displayed in the Application Operations list (in the third column).
The set of roles are filtered by the Application selected directly above the
Application Operations list. In this display they application specific roles that are
used for asset-based security are called Application Operations, but they mean
and provide for the same capabilities that the same named roles grant. See the
application specific documentation for information on what rights the application
roles convey.

The Configured Permission region (on the right side of the display) shows the list
of security assignments, and also serves as the location for making or changing
security assignments for the selected person/group and is described in the
following paragraphs.
 With an equipment entity and one or more roles are selected, the Add button
is enabled. Clicking Add assigns the selected roles for the selected equipment
to the person/group.
 Select the Enable Propagation option to make the same assignments for all
child equipment. If propagation is not enabled, the security assignments
apply only to the selected equipment entity and its children that are not
assignable assets. If propagation is enabled, the security assignments will
apply to all child equipment (whether or not the child equipment entities are
assignable assets).
 The Configured Permissions list is where the list of security assignments
for the selected equipment can be viewed, as well as where changes to
security assignments can be made. Security assignments with a white
background are security assignments that have been made directly against the
selected equipment entity. Security assignments with a gray background are
security assignments that have been propagated from an equipment that is
higher in the equipment hierarchy.
 Propagation can be changed by selecting or deselecting, one or more
assignments in the Propagate column, and clicking Update Propagation.
 A security assignment can be removed by selecting the associated Delete
option and clicking Delete Checked Items.
Note: For propagated security assignments, the only change that can be made is
to change the propagation. On an inherited security setting, you can stop
propagation to assignable asset equipment that is lower in the hierarchy by
deselecting the associated Propagate option, and clicking Update Propagation.
Example
Following is an example of a fictitious equipment hierarchy that has been loaded
into the Experion Application Framework. Only assignable assets are shown.
WESTHOLLOW
ALUMINA
OPERATION CENTRE 1
DIGESTER UNIT 2
OPERATION CENTRE 2
FILTER UNIT 1
CHEMICALS
…

Ed Engineer requires the following security entitlements:

 OIUser role for the entire plant
 OIAuthorizer role for all equipment in Operation Centre 1 and the
equipment in the Alumina area that does not reside in Operation Center 2
 OIAuthor role for all equipment in Operation Centre 2
To configure these security entitlements, the first step is to grant Ed Engineer the
OIUser role.
1. In the EAF Administration - Security display, open the Person Admin tab
and select Ed's name in the Person Names list.
2. In the HSSecurity subtab, select the WESTHOLLOW plant in the Item Tree
for the ASSET hierarchy.
3. In the Applications list, select OI.
4. In Application Operations list, select the OIUser role.
5. Select the Enable Propagation option and click Add.
The results are shown in the following figure.
By adding the OIUser role on the WESTHOLLOW equipment entity and

selecting the Enable Propagation option, the role is applied to all equipment in the
plant for Ed.

Next, the OIAuthorizer role is granted to Ed for only the equipment in the
ALUMINA area.
1. In the Item Tree, select ALUMINA.
2. In Application Operations list, select the OIAuthorizer role.
3. Clear the Enable Propagation option and click Add.
With the Enable Propagation option cleared when the OIAuthorizer role is
granted to Ed Engineer, Ed receives the OIAuthorizer role for only the
ALUMINA equipment entity and for the equipment in the ALUMINA area that
have not been designated as assignable assets. Note: The OIUser operation that
was propagated from the WESTHOLLOW equipment is also shown and appears
with a gray background indicating an assignment that was inherited.

Next, grant Ed the OIAuthorizer role for all equipment in OPERATION

CENTRE 1.
1. In the Item Tree, select OPERATION CENTRE 1.
2. In Application Operations list, select the OIAuthorizer role.
With Enable Propagation selected when the OIAuthorizer role is added, Ed is

granted the OIAuthorizer for all equipment in OPERATION CENTRE 1. Note:
While the OIUser operation that was propagated from the WESTHOLLOW
equipment and appears with a gray background, the OIAuthorizer operation is
not inherited and appears with a white background.
The following figure shows that both the OIUser and OIAuthorizer propagated
permission on DIGESTER UNIT 2.

Next, grant Ed the OIAuthor role for all equipment in OPERATION CENTRE 2.
1. In the Item Tree, select OPERATION CENTRE 2.
2. In Application Operations list, select the OIAuthor role.
With Enable Propagation selected when the OIAuthor role is added, Ed is granted
the OIAuthor role for all equipment in OPERATION CENTRE 2.
The following figure shows that both the OIUser and OIAuthor propagated
permission on FILTER UNIT 1.

Security for KPI Manager
KPI Hierarchical Security

KPI security provides a KPI-name-based Security model. Both KPIDefinitions
and Asset hierarchical security use EAF’s hierarchical security, but for
KPIDefinitions, the security is configured on the KPI level itself from General
tab of KPI configuration page.
Proper KPI Hierarchical security roles have to be associated to the KPIs under
KPI Definitions tree in EAF to view the KPI history records from KPI
Monitoring pages. This prevents users from viewing the KPI Unapproved period
records from the KPI Monitoring page. Unapproved period records will be
displayed only after those records are approved.
Synchronizing KPIs Used for Security Assignments with EAF

After all the KPIs are configured in the KPI Manager Configuration user
interface, the next step is to synchronize that information with Experion
Application Framework. Synchronization must also be performed whenever there
is a change to the KPI hierarchy tree in the KPI Configuration user interface.
ATTENTION: The Hierarchical Security (HS) configuration tabs in the EAF
Administration - Security display are available only after an application that
supports Hierarchical Security (HS) has been installed. For example, KPI
Manager or Operations Management.
Security authorization decisions are based on the KPI hierarchy that has been
synchronized with EAF. As a result, it is important to synchronize the KPI
hierarchy after changes are made to the KPI definitions hierarchy using the KPI
Definition user interface.
TIP: The only changes synchronized with Experion Application Framework are
those that reflect the hierarchical nature of the KPIDefinitions tree (parent/child
relationships). It is not necessary to synchronize the KPI with Experion
Application Framework for other changes like the changes in other hierarchies.
For example, KPI Groups and KPI Templates.
Procedure
The following figure shows the EAF Administration - Security display - HS
Synchronization tab. This is where synchronization between the KPIDefinitions
hierarchy and Experion Application Framework is performed.

Only users who have the EAF CoreAdmin role and who have permissions to
read from the BaseBFDatabase database instance can perform the
synchronization tasks.
In the HS Synchronization tab, select the KPIDefinitions hierarchy in the
Hierarchy Name list, and ensure that the BaseBFDatabase is selected in the
Datasource field. If this data source is not selected, select it from the list and
click Update.
The two methods for synchronizing the KPIDefinitions hierarchy with Experion
Application Framework are Bulk Load and Bulk Synchronization.
Bulk Load is used to initially load the KPIDefinitions hierarchy into the Experion
Application Framework (Initial Load option) or to replace the KPIDefinitions
hierarchy and all security assignments (Force Load option). The Initial Load
option is disabled after the first bulk load operation.
CAUTION The Bulk Load option removes all existing security assignments enabled for
the KPIs. If you need to import changes made to the KPIDefinitions hierarchy
into Experion Application Framework while preserving existing security
configuration, use Bulk Synchronization.
Bulk Synchronization is used to update the Experion Application Framework

version with changes made to the KPIDefinitions hierarchy.
After renaming KPI, the Bulk Synchronization operation fails in the EAF
Administration > Security display > HS Synchronization tab. EAF displays the
following diagnostics message.
Core Principal cannot be null

Failed in Updating Hierarchy Item Name

Hence, perform a Bulk Load from Administration > Security > HS
Synchronization tab after renaming the KPI. Hierarchical Security (HS) roles for
already assigned KPIs need to be reassigned.
Bulk Synchronization fails when hierarchical order of the KPIs is interchanged.
Hence, perform a Bulk Load operation instead of Bulk Synchronization from
Administration > Security > HS Synchronization tab after KPI hierarchy is
interchanged. The HS security roles for already assigned KPIs need to be
reassigned.
Enabling Hierarchical Security for KPI Manager

By default, KPIDefinitions hierarchy security is not enabled. You must enable
this option for KPI Manager. This is accomplished in the EAF Administration -
Security display - HS Application tab (shown in the following figure).
Only those applications that support Hierarchical Security are shown in the
Applications list in this tab. To enable Hierarchical Security, select the KPI
Manager in the Applications list and click the Enable Application button.
Note: The HS Application tab is also used if, at a later time, you need to revert to
system wide role-based security. In that case, click Disable Application to disable
Hierarchical Security for KPI Manager.
The following table describes each security role and its privileges for KPI
Manager:

Role… Privileges of…

KPIApprover KPIViewUnapproved and KPIView roles.
KPIView Unapproved KPIView role.
KPIView KPIView role.
Refer to the KPI Manager Configuration Guide for more details.

Configuring Security Managed by KPIs in EAF

Unlike system wide role-based security configuration, where a role is assigned
directly to a user or group, Hierarchical Security combines roles, users/groups,
and KPIs to define an authorization scheme that manages security entitlements
by KPI.
HSSecurity Subtab Display

Configuring Hierarchical Security is done on the Person Admin or Group Admin
tabs in the EAF Administration - Security display. When a user or group is
selected, the HSSecurity subtab is used to perform this task. Throughout this
section, the displays show security configuration for a person. Similar displays
apply to group security configuration.
The HSSecurity subtab for a person's security configuration is shown in the
following figure.
This subtab brings together the three elements of Hierarchical Security

configuration:, the role, the KPI, and the person or group. The Person/Group
names appear in the list on the left of this display.
The KPIs under the KPIDefinitions tree are displayed in the Item Tree (in the
second column) when KPIDefinitions is selected in the Hierarchy list.
Note: This KPI hierarchy is not the entire KPI Definitions Hierarchy, but is the
list of KPI entities that were configured as secure in the KPI Manager
Configuration user interface.
The Hierarchical Security roles are displayed in the Application Operations list (in
the third column). The set of roles are filtered by the Application selected directly
above the Application Operations list.

Using the Display

To enable the role for KPI Manager, select KPI Manager from the Applications
list. In this display, roles that are used for Hierarchical Security are called
Application Operations. Refer to Enabling Hierarchical Security for KPI
Manager for information on what privileges the application roles convey.
The Configured Permission region (on the right side of the display) shows the list
of security assignments, and also serves as the location for making or changing
security assignments for the selected person/group and is described in the
following paragraphs.
 With a KPI and one or more roles are selected, the Add button is enabled.
Clicking Add assigns the selected roles for the selected KPI to the person or
group.
 Select the Enable Propagation option to make the same assignments for all
child KPIs. If propagation is not enabled, the security assignments apply only
to the selected KPI entity and its children that are not secured. If propagation
is enabled, the security assignments will apply to all child KPIs (whether or
not the child KPI entities are secured).
 The Configured Permissions list is where the list of security assignments for
the selected KPI can be viewed, as well as where changes to security
assignments can be made. Security assignments with a white background are
security assignments that have been made directly against the selected KPI.
Security assignments with a gray background are security assignments that
have been propagated from a KPI that is higher in the KPIDefinitions
hierarchy.
 Propagation can be changed by selecting or clearing one or more assignments
in the Propagate column, and clicking Update Propagation.
 A security assignment can be removed by selecting the associated Delete
option and clicking Delete Checked Items.
Note: For propagated security assignments, the only change that can be made is
to change the propagation. On an inherited security setting, you can stop
propagation to secure KPI that is lower in the hierarchy by deselecting the
associated Propagate option, and clicking Update Propagation.

Example Overview
Following is an example of a fictitious KPI hierarchy that has been loaded into
the Experion Application Framework. Only secure KPIs are shown.
KPI Definitions
Area_1
Area_2
Area_3
Area_4
Area_5
Blend1-M
The following table describes the security entitlements required for KPI User1.
Role… To obtain the privileges of… In order to view…
KPIApprover KPIView Unapproved and Unapproved period records to approve
KPIView roles. them
The approved period records.
A period-to-date record.
KPIView KPIView role. The unapproved records but cannot
Unapproved approve them.
The approved period records.
KPIView KPIView role. The approved period records.
The following examples describe how you can configure these security
entitlements.
KPIView Role Example

For KPIUser1 to view all the KPI records, the first step is to grant KPI User1 the
KPI View role.
1. In the EAF Administration - Security display, open the Person Admin tab
and select KPI User1 in the Person Names list.
2. In the HSSecurity subtab, select KPIDefinitions in the Item Tree.
3. In the Applications list, select KPIManager.
4. In Application Operations list, select the KPIView role.
The results are shown in the following figure. The KPIView role is added in the
Configured Permissions list.

By adding the KPIView role on KPIDefinitions and selecting the Enable

Propagation option, the KPIView role is applied to all the child KPIs under the
KPIDefinitions tree. For example, in the following image, for the KPI Area1, the
role KPIView is propagated.
KPIApprover Role Example

Next, the KPIApprover role is granted to KPIUser1 to approve the KPI period
records.
1. In the Item Tree, select Area_3.
2. In Application Operations list, select the KPIApprover role.
3. Click Add.
The results are shown in the following figure. The KPIApprover role is enabled
for Area_3 and the KPIApprover role is added in the Configured Permissions
section.

Note: If you want to add the KPIApprover role to all the child KPIs under
Area_3, select the Propagate option in the KPIApprover role and click Update
Propagation.
The results are shown in the following figure:
Note: The KPIView role that was propagated from KPI Definitions is also shown
and appears with a gray background. This indicates that the KPI period Area_3
and all its child KPIs can be viewed and approved.
KPIViewUnapproved Role Example

Next, grant KPIUser1 the KPIViewUnapproved role to view all the unapproved
KPI records.
1. In the Item Tree, select Blend1-M.
2. In Application Operations list, select the KPIViewUnapproved role.
3. Click Add.
If you want to add the KPIViewUnapproved role for the child KPIs under
Blend1-M, select the Propagate option in the KPIViewUnapproved role and click
Update Propagation.
Note: The KPIView operation that was propagated from KPI Definitions appears
with a gray background. This indicates that the KPI period records can be viewed
but cannot be approved as the role KPIApprover role has not been added.
TIP: When a role is added to a parent KPI, if you want to propagate the same
role to all of its children, select the required role in the Applications Operations
list for the parent. Select the option Enable Propagation and click Add. The role
is added to the parent KPI and propagated to all its children.

Security Granted Only for Child KPI Period Records Example

You can grant a security role only to a child KPI period record. Following is an
example of a fictitious KPI hierarchy:
Crude-Unit2 (security roles not granted)
Crude-Unit3 (security role ViewUnapproved granted)
Crude-Unit4 (security role ViewUnapproved granted)
Taking this example, in the KPI Manager Monitoring user interface:
 The parent KPI period record Crude-Unit2 is enabled but you cannot view its
records. A message stating that you do not have permission to view this KPI
displays.
 You can view the unapproved records of Crude-Unit 3 and Crude-Unit4.
A sample of Crude-Unit 3 with the Chart tab details is shown in the following
figure:

Using Windows Server Group Policy to Install Client Software
Using Windows Server Group Policy to Install Client

Software
Group Policy Overview

The domain in which your Application Server is installed includes Windows
Group Policy services for managing your user and computer environment. The
policies are part of the active directory of your domain controller. You can
establish Group Policy settings to define the various aspects of your users'
desktop environment, including software distribution and installation.
Honeywell recommends (especially for non-administrative users) that you use
Group Policy settings (Group Policy Objects or GPOs) to manage the installation
of client software at your site when site security policy prohibits individual users
from installing software. This approach provides greater control over installation
and ease of administrating the client nodes. Using GPOs eliminates issues
surrounding the administrative rights required for installation, because the
Windows Installer service can perform the installation on the user's behalf.
Publishing the components allows users to install them through Add/Remove
Programs in the Windows Control Panel, so that they can select the correct type
of installation (Typical or Complete), depending on their responsibilities (and as
allowed by your license agreement).
For details on using Windows Group Policy to install applications, see your
Windows documentation and Group Policy Management Console online Help.
Several related articles are also provided on the Microsoft Web site.

Workspace Security
Workspace Security
Overview
By default all users that connect to the Experion Desktop Server will see the
Administration menu in the list of Installed Products. The following steps
describe how to secure the Administration workspace, workbooks and
worksheets, by hiding the menu from the default view. (See the Experion
Application Framework documentation for more details.)
Hide the Administration Workspace

1. Log onto the computer using an account that has EAF CoreAdmin privileges.
4. In the Administration menu, select Desktop.
5. Expand the Public Workspaces.
6. Select Administration.
7. Select the Security tab, and in the View Role list chose the role that is to
have access to the Administration menu. Click Update.

Workspace Security
Control the Administration Workspace Access Permissions

The following procedure describes how to configure the Administration
workspace access permissions for the following example:
 Group A users to have access to the Security and Data Access Services
displays.
 Group B users to have access to the Diagnostics display.
 Group C users to have access to the Configuration display.
1. Create a new role called EDSAdmin.
2. Configure the Administration application to have EDSAdmin for the view
role.
3. Assign EDSAdmin to all three groups above.
4. Assign CoreAdmin to group A. (No other groups should have CoreAdmin.)
5. Do not assign EDSAdmin to the any other groups. Assigning this role to the
other groups will make the Administration workspace available to those
groups.
6. Create another new role called DiagnosticsUser.
7. Configure the Diagnostics workbook to have DiagnosticsUser for the view
role.
8. Assign DiagnosticsUser to group B.
9. Create another new role called ConfigurationUser.
10. Configure the Configuration workbook to have ConfigurationUser for the
view role.
11. Assign ConfigurationUser to group C.

4BBusiness FLEX System-Level Security Concerns
Virus Scanning
Business FLEX System-Level

Security Concerns
Virus Scanning
Honeywell provides extensive documentation for customers on suggested virus
scan packages and also documents versions that have been included in our
testing. For details on the virus scanning options, consult
http://hpsweb.honeywell.com/; in Quick Links, click Microsoft Security
Information, then AntiVirus Information in the security information menu.
General Information on Virus Scanning

 Excessive CPU use may be encountered when Virus Scanning products
are activated due to Microsoft Index Server service building (or
rebuilding) search indexes
 There are different mitigation techniques available depending on the
capability of your Virus Scanning Package – please consult the
Honeywell Process Solutions Antivirus Information website (see above)
for additional details.
 If directory exclusion route is followed, the directories identified in
Index Server for search indexing should be added as exclusions in your
Virus Scanning software.
 It is recommended that you follow this with additional procedural actions

that help mitigate the spread of viruses such as locking the directories
down removing write access to all but a select few named users, ensuring
that all documents placed in excluded directories are marked as read-
only, performing virus scans prior to placing in the excluded directories,
and periodically executing a manual scan against these directories
Security Hot Fixes

Honeywell provides extensive documentation for customers on suggested virus
scan packages and also documents versions that have been included in our
testing. For details on the virus scanning options, consult
http://hpsweb.honeywell.com/; in Quick Links, click Microsoft Security
Information. From this menu the user is able to download documents that
describe the level of Microsoft Security support by the Business FLEX
applications (including Workcenter). These documents are located under the

Uploading Files to the Web Server
following links: Current Month Microsoft Security Updates and All Previous
Microsoft Security Updates. Business FLEX application information is
contained under the Uniformance groupings.
The reader is advised to check these updates prior to installing a Microsoft
security fix to ensure it has been properly validated by Honeywell.

Many applications (Operating Instructions, Operations Monitoring, Operations
Logbook, Workcenter, etc.) provide the capability for users to upload content to
the web server for sharing with other users. In order for these applications to
enable this capability for users, file system level access must be granted to users.
Complete the following steps to upload the documents to the web server, which
is the Experion Desktop Server. By default the folder location corresponds to the
environment variable BFDataFiles.
1. Navigate to the BFDataFiles folder. For example
Program Files\Honeywell\DataFiles
2. Right-click the folder and select Properties.

3. In the Properties dialog, select the Security tab.

4. Click the Add button and add the appropriate aspnet worker process account
(Windows 2000 Server - Machinename\ASPNET or for Windows 2003
Server - Machinename\Network Service) and give Full Control access for
this account as shown in the following figure.
5. Click OK to complete the process.

Note: Depending upon the operating system that the applications are being
installed on, the dialogs may appear slightly different.

Considerations for High Security Deployment
Considerations for High Security Deployment
Program Files Directory Permissions

In high security configurations, permissions to various directories in the file
system are restricted to read access. For Business FLEX software, READ,
READ+EXECUTE and List Folder Contents permissions need to be granted to
all files in the Business FLEX and Experion Application Framework directories
for all users that require access to the Business FLEX applications.
The default location for the Business FLEX software is <drive>:\Program
Files\Honeywell. When applying the READ, READ+EXECUTE and List
Folder Contents permissions, be sure that the permissions are applied on
<drive>:\Program Files\Honeywell, and on all directories and files in all
child objects.
ASPNET Directory Permissions

In addition to the requirement for READ, READ+EXECUTE and List Folder
Contents permissions for the Business FLEX directories and files, the
ASPNET_CLIENT directory also requires these same permissions for all users
that require access to the Business FLEX applications.
The default location for the ASPNET_CLIENT directory is
<drive>:\Inetpub\wwwroot\aspnet_client. Similar to the procedure above,
be sure to apply READ, READ+EXECUTE and List Folder Contents
permissions on this folder and all child objects.

5BAuditing
Overview
Auditing
Overview
Auditing functionality enables tracking, recording, and reporting the total number
of named users who use the system. The auditing of users is performed only for
web applications. Service users or clients such as TPI, OMOI desktop tool, and
PB clients are not included for auditing.
The auditing information helps to understand the following.
 When the user logged in to the system first time in a day?
 Number of times the user has connected to the system in a day.
Auditing Details
Auditing displays the following details:
 User Name
 Application Name
 Login Date and Time
 Client IP Address
Auditing happens once for each session. Updating the existing records does not
happen during auditing. Whenever user opens the application in a new internet
explorer or a new session is created, a new record is inserted to a database table.
The following tables are created in the base components database for performing
auditing.
 The BC_ApplicationAudit table contains the records of each user along with
the login date and time, application name and the IP address for each new
session created. The records can be viewed in the Business FLEX System
Console under the Application Audit node
 The BC_ApplicationAuditHistory table contains the records of each user
along with the application name, first login, last login time, and the number
of times the application is used for a particular user. The records can be
viewed in the Business FLEX System Console under the Application Audit
History node.
 The BC_AuditSummary table contains the consolidated data of each user
along with the user name, first login time, last login time, and the number of

5BAuditing
Configuring the jobs for auditing
times the user has connected in a day. The records can be viewed in Business
FLEX System console under the Audit Summary node.
NOTE: No separate reports are developed for viewing the auditing details. The
auditing records can be viewed through the Business FLEX System Console.
Refer to the Business FLEX System Console User Guide for viewing the data.
In Business FLEX., following applications are included for auditing.
 Experion Desktop Server
 Operations Monitoring
 Operating Instructions
 Operations Logbook
 KPI Manager
 Blend Management
 Production Balance

Currently, all jobs that need to be configured through the scheduler client are
seeded through the installation itself. All the jobs are disabled by default.
However, if you want to use any job, you must enable the job through scheduler
client.
To enable the jobs through the scheduler client
1. Double-click the jobs in the Job Summary dialog box.

5BAuditing
The Job Details dialog box is displayed.
2. Select the Enabled check box.

For more details, refer to the section Seeding of jobs in Scheduler Client in the
Operations Management Suite Configuration Guide.

5BAuditing
If you want to change the configuration of the jobs, you can change and save it.
Configuring Application Audit Job

You need to create a job in the Honeywell Scheduler for copying data from
BC_ApplicationAudit table to BC_ApplicationAuditHistory and
BC_AuditSummary tables. You can configure the job using Honeywell
Scheduler client.
Perform the following steps to create an Application Audit Job.
1. Go to <Drive>Program Files > Business FLEX > Scheduler folder.
2. Run the Honeywell.HPI.Utilities.SchedulerClient.exe.
3. Type the SQL Password and click OK.
4. Successful log on displays the Scheduler Client with all the scheduled jobs.
5. Expand the Scheduler by clicking the + sign, and select the Scheduled Job.
6. Select the Job Summary and click Add Job.
A new job details form is displayed in the Job Details tab.
7. Complete the following in the Job Details tab:

Field Name Value
JobName ApplicationAuditJob
Type Assembly

5BAuditing
Field Name Value

Execution String <Drive>:\Program Files\Honeywell\Experion PKS\Application
Framework\Desktop\Bin
\Honeywell.HPI.Common.ApplicationAudit.dll
Parameter <MethodInfo Name='InsertApplicationAudit' Type='Method'
NameSpace='Honeywell.HPI.Common.ApplicationAudit'
ClassName='ApplicationAuditHistory'> <Parameters><Parameter
Type='System.String'>HPI</Parameter><Parameter
Type='System.String'><Drive>:\Program Files\Honeywell\Business
FLEX\HPI\WFL\Data\DDAObjects1.xml
</Parameter></Parameters></MethodInfo>
8. Choose an interval in the Occurrence section of the Job Details tab. The
available options are: Once on and Recurring.
9. If you select Once on option, choose from list the desired date and time.
Go to step 11.
 If you select Recurring, click Edit to open the EditRecurringJob dialog
box. Select the desired Occurs, Frequency, and Duration options. The
Frequency (Time Frequency) and the Duration sections change depending
on the selected Occurs option.
 By default, the Start date and time in the Duration section takes the
current date and time. However, ensure that the Start time is always
greater than the current time.
 It is recommended to set the scheduler to run every day.

5BAuditing
10. Click OK to save and close the Edit Recurring Job dialog box.
11. Click Save to save the new job details.
A confirmation message is displayed on successful saving of the tree data
details.
12. Click OK. You can view the new scheduler job (created in the Job Details tab)
in the Job Summary tab.
Configuring Purge Application Audit Job

The BC_ApplicationAudit table contains the records of each user along with the
application name and the IP address for each new session created. The number of
days to hold the record is available in the lookup table present in the Base
Components database. By default, the PurgeAuditTable lookup value contains
the data for 30 days.
The BC_ApplicationAuditHistory table contains the records of each user along
with the application name, first login, last login time, and the number of times the
application is used for a particular user. The number of days to hold the records is
available in the lookup table present in the Base Components database. By
default, the PurgeAuditHistoryTable lookup value contains the data for 390 days.
You need to create a job in the Honeywell Scheduler to purge the data from the
application audit table. You can configure the job using the Honeywell Scheduler
client.
Perform the following steps to create the Purge Application Audit Job.

5BAuditing


Field Name Value
JobName PurgeApplicationAudit
Type Assembly
Parameter <MethodInfo Name='PurgeApplicationAudit' Type='Method'
ClassName='ApplicationAuditHistory'> <Parameters><Parameter

5BAuditing
Go to step 11.

5BAuditing
details.
Configuring Insert User Details Job

User details such as username, first name, last name, and email are present in the
security tables of ExperionCoreServices database. This information is required
for displaying the reports.
You need to create a job in the Honeywell Scheduler for inserting data to the
Base Components database from the ExperionCoreServices database. You can
configure the job using Honeywell Scheduler client.
Perform the following steps to create the Insert User Details Job.

5BAuditing

Field Name Value
JobName InsertUserDetailsJob
Type Assembly
Parameter <MethodInfo Name='InsertOrUpdateUserDetails' Type='Method'
ClassName='UserDetails'> <Parameters><Parameter

5BAuditing
Go to step 11.

5BAuditing
details.
Enabling auditing of users

Auditing of the users are done with the user name, application name, login date
time and the IP address of the client.
The auditing feature is optional. You can either enable or disable the setting to
perform auditing.
NOTE: You need to create the EnableAuditing key before changing the
web.config files. To add the EAF configuration key for enabling auditing and
also for Web.config file settings, refer to the section Post-installation steps for
auditing in the Business FLEX Overall System Installation Guide.
To enable auditing
In the Web Administration > Configuration display > Path Admin tab,
perform the following steps to enable auditing.
1. Expand the HPI node in the Path Admin tab.

5BAuditing
2. Select the EnableAuditing node to view the user configuration available.

3. Select the Values tab and enter the desired value.
The default value is True. If you set the value as False, auditing feature is
disabled.
4. Click Update to save the changes.
Viewing the auditing data

The auditing data is displayed in the BF Audit table in Business FLEX System
Console. To view the auditing data, refer to the Business FLEX System Console
User Guide.

5BAuditing

BF Ref 241

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BF Ref 241

Uploaded by

Copyright:

Available Formats

Business FLEX® 241

Copyright, Notices, and Trademarks

About Business FLEX®

ii  Business FLEX Reference Guide

SQL Server Security 19

Experion Application Framework 21

Business FLEX Reference Guide  iii

Managing Access to Data Sources Using Security Roles 24

Business FLEX System-Level Security Concerns 54

iv  Business FLEX Reference Guide

Security within Business FLEX 241

Who Should Use This Guide

Conventions Used in This Guide

In addition, these symbols are used:

Business FLEX Reference Guide  1

2  Business FLEX Reference Guide

Introducing Security Administration

Overview of Security Administration

Business FLEX Reference Guide  3

 User Password Administration

Creating the First Security Administrator Application User

4  Business FLEX Reference Guide

Oracle and Windows Users

ATTENTION: Although Oracle and TPI allow longer names, the

OPS$TOTALPLANT User Is Dropped

Business FLEX Reference Guide  5

Using the Security Configuration Forms

Using the Change User Password Form

6  Business FLEX Reference Guide

Following is the Change User Password form:

The following buttons appear on the Change Password form:

Accessing the Form

Business FLEX Reference Guide  7

If you access the form Then you can change this…

Assigning Permission to Change Passwords

Using the Commit All Permissions Form

8  Business FLEX Reference Guide

Following is the Commit All Permissions form:

Using the Update a Role Form

Business FLEX Reference Guide  9

Following is the Update a Role form:

The following buttons appear on the Update a Role form:

Using the Update Users Form

10  Business FLEX Reference Guide

Following is the Update Users form:

Using the Menu Access Configuration Form

Business FLEX Reference Guide  11

Following is the Menu Access Configuration form:

Using the Menu Caption Configuration Form

12  Business FLEX Reference Guide

Following is the Menu Caption Configuration form:

Using the Role Configuration Form

Business FLEX Reference Guide  13

You cannot delete the following roles using this form:

14  Business FLEX Reference Guide

Using the Role Permissions Configuration Form

Business FLEX Reference Guide  15

Following is the Role Permissions Configuration form:

Using the User Profile Configuration Form and User Role

16  Business FLEX Reference Guide

Introducing TPI Administration

Configuring Permissions for the Business FLEX

Configuring the UNISERVER Permissions