
Adding an operator account

The server software is installed with a default traditional operator account of mngr. The security level for this account
is mngr and the default password is mngr1. You use this default operator account and password to set up access for all
other users. You should change the password for the mngr operator account from the default value as soon as possible.
• If you use integrated accounts, the operator must have an appropriate Windows account, and belong to the
appropriate Windows group.
• Anyone who uses configuration tools, or who creates or modifies custom displays or Station setup files must
have their Windows account added to the Product Administrator group.
• To view data on displays like the Suppression Status display or on the Tracker pane in the Alarm Summary,
users must be logged on as a member of one of the following Windows groups on the Experion server to which their
Station is connected: Local Ack View Only Users, Local View Only Users, Local Operators, Local Engineers, Local
Supervisors, or Product Administrators.

• To add an operator account, you need to have the security level specified in the Change Operator Configuration
Security Level setting of the Sign-On Administration display (choose Configure > Operators > Sign-On
• You also need to be logged on at a security level higher than the operator whose account you want to add.
• If adding an Integrated Windows Group account, ensure that the Windows group exists before you define the
account in Experion.
• If adding Integrated Windows accounts, check that the Windows account exists and is added to the appropriate
Windows group. For example, if the operator needs to use configuration tools, the operator's Windows account
must belong to the Product Administrator group.

To view data on displays like the Tracker or the Suppression Status display, users must be logged on as a member
of one of the following Windows groups on the Experion server to which their Station is connected: Local Ack View
Only Users, Local View Only Users, Local Operators, Local Engineers, Local Supervisors, or Product Administrators.

To add a Traditional, Integrated Windows, or Integrated Windows Group operator

1. In the Configuration Explorer of Configuration Studio, click System Access.

2. Click an empty row.

This opens the Operator Configuration display.

3. From the Type list, choose the appropriate operator type:

a. Traditional Operator
b. Integrated Windows
c. Integrated Windows Group

4. For Traditional or Windows Operator accounts, type the name of the operator in the User name field.
5. For Traditional or Windows Operator accounts, type the full name of the operator in the Full name field.

The full name appears in the operator configuration display, and is recorded with events if the Event Summary is
configured to show this information.

6. For Integrated Windows accounts with a Windows account on a domain, type the name of the domain in
the Domain field, and the operator's job title in the Job Title field.

7. For Integrated Windows Group accounts, type the Windows group name in the Group name field and the

This is a unique identifier for the Experion Windows group, which can have a maximum of 32 alphanumeric
characters. The name specified here must be exactly the same as the Windows group already defined in the
Windows operating system.
Whenever a member of the Experion Windows group makes a change at a Station (for example, to control a point or
acknowledge an alarm) and that change is logged as an event, the operator user name is recorded with the event in
the following format: domain\user name

8. For Integrated Windows Group accounts, in the Group name box, type the name of the Windows group and the
name of the domain in the Domain field.

9. If Show operators full name in the event summary on the Summary Displays tab of the Server Wide Settings display
is selected, then the full name of the operator is recorded with events in place of the user name.

10. Click Change Password.

The Change Password dialog box appears.

11. Type the operator password in the New Password and Confirm New Password boxes, and then click OK.

12. Do one of the following:

• If advanced parameter security is enabled: In the Parameter security level list, click the appropriate parameter
security level for this operator. The name of the underlying security level of the parameter security level appears
in Security level.
• If advanced parameter security is not enabled: In the Security level list, click the appropriate security level for
this operator.

13. All operator actions in Experion require the operator to have a minimum security level.
[IO 11 Nov 2020] Support for low-impact casual users added for R520.1 OPCUAS2/BNAC project.
Honeywell recommends that you configure casual users to have View Only access. For more information, see
"Supporting casual user access."

13. If you have configured points with control levels, in the Control level box, type the control level that is appropriate
for this operator.

If the operator is required to control points with a control level of 250, then the operator requires a control level of
14. On the Assignment tab, review or configure any settings as appropriate for this operator.

15. On the Time Access tab, review or configure any settings as appropriate for this operator.

16. On the Station Access tab, review or configure any settings as appropriate for this operator.

17. On the Advanced tab, review or configure any settings as appropriate for this operator.

You can use the list at the top of the Operator Configuration display to view or change the details of any operator
who has already been entered in the system.

Operator definition, General tab

The Operator Configuration display is used to define the details for a new operator or to amend the details for an existing
operator. Specify the information as follows:

Property Description

Operator or Windows Group Details

Type Choose the type of operator account you want to configure:

• Choose Traditional Operator if you are not using Windows accounts. With this type of account
user authentication is carried out by the Experion server against credentials stored in Experion.
• Choose Windows Operator to integrate the Experion operator account with a Windows user
account. The Windows user account can be a local account or a domain account.
• Choose Windows Group to use an integrated account that allows you to add multiple operators by
adding the Windows group to the Experion server. The Windows group can be a local Windows
group or a domain Windows group.

With both Windows Operator and Windows Group accounts authentication is done by Windows
while authorization is done by the Experion server.

• Choose Automated System to configure:

• an Application Services account, or
• a DSA Advanced Security account

An Application Services account manages batch and procedure activities from an external
application via the Application Services API.
A DSA Advanced Security account manages the transfer of data across a group of DSA-connected

• Choose API Client to create an account that enables third-party applications to use the
Experion Web API as a web service to read equipment data over the internet

Enabled If selected, indicates the operator account is active and the operator has access to the server.

The operator's access to the server can be disabled by clearing this check box. The operator details are

User name Applicable only to Traditional Operator and Windows Operator accounts.

A unique identifier for the operator. You can use a maximum of 20 alphanumeric characters.

If you are using Windows accounts, the user name specified here must be exactly the same as the Windows

Whenever an operator makes a change at a Station (for example, to control a point or acknowledge
an alarm) and that change is logged as an event, the operator user name is recorded with the event in one of
the following formats:

• user name—for traditional operator accounts

• .\user name—for local Windows integrated accounts
• domain\user name—for domain Windows integrated accounts
If Show operators full name in the event summary on the Summary Displays tab of the Server Wide
Settings display is selected, then the Full name is recorded with events instead of the User name.

Group Applicable only to Windows Group accounts.


The name of the Windows Group that you want to add to Experion. This is a unique identifier for
the Experion Windows group, which can have a maximum of 32 alphanumeric characters. The name
specified here must be exactly the same as the Windows group already defined in Windows.

Whenever a member of the Experion Windows group makes a change at a Station (for example, to control a
point or acknowledge an alarm) and that change is logged as an event, the operator user name is recorded
with the event in the following format:

domain\user name

Domain Applicable only to Windows Operator or Windows Group accounts.

The name of the domain where the Windows account exists. If the Windows account is a local account,
leave blank.

Only use the short domain name, because the Fully Qualified Domain Name (FQDN) is not supported.

Full name Applicable only to Traditional Operator and Windows Operator accounts.

The operator's name. If you are configuring a Windows operator account, this information is updated
automatically from the Windows account and is read-only.

The full name is recorded with events if the Show operators full name in the event summary on the
Summary Displays tab of the Server Wide Settings display is checked.

Job title Applicable only to Traditional Operator and Windows Operator accounts.

The operator's title, if applicable.

Password last changed Applicable only to Traditional Operator and Windows Operator accounts.

Click Change Password to change the operator's password.


• Passwords are case-sensitive.

• Traditional operator accounts cannot use accented passwords.

Client Friendly Name The name used to represent the client in notifications throughout the system.

Client ID The ID that was configured in the OpenID client credentials.


Parameter security level Displayed only if advanced parameter security is enabled.

The parameter security level assigned to this operator.

Security level The security level assigned to the operator.

If advanced parameter security is enabled, this is read-only and displays the underlying security level of the
selected parameter security level. Where advanced parameter security is not applied within
the Experion system, this underlying security level is used.

ATTENTION: Not applicable for DSA Advanced Security.

Control level Defines the control level assigned to the operator (from 0 to 255). The default is 255.

When a point is configured in the server database, a control level can be specified for that point to define the
level of authority required to control that point. With operator-based security, an operator must have a
control level greater than or equal to the control level defined for a selected point in order to control that

ATTENTION: Not applicable for DSA Advanced Security.

Log Application Services function changes by this account to the database as events Applicable only to Automated System and API Client accounts.

When selected, this option logs activity of this account in the event log.

ATTENTION: Not applicable for DSA Advanced Security. Selecting this option may flood the event log and
adversely affect system performance.
Operator definition, Advanced tab
Property Description

Asset Use this option to specify the asset that must be assigned for viewing this operator's configuration
details. Only Stations or operators with this asset assigned are permitted to view the details display
for this operator.

Operator is allowed to login at more than one Station simultaneously If selected, this operator ID can log on
concurrently on multiple Stations using the same user name and password.

This option is also known as the "Multi-user" option: it only applies to traditional operator accounts or
integrated Windows operator accounts. It does not apply to Windows group accounts.

Ignore any Windows group settings for this Applicable only to Windows operator accounts.
Selecting this option means that any Windows group settings are ignored if the operator is also a
member of an Experion Windows group account.

Password expiry disabled Applicable only to traditional operator accounts.

This setting disables password expiry for this account only.

Idle time-out If selected, the specified time is the idle time-out value, in seconds, for this operator. When this time
is exceeded without any operator activity, the operator has to re-enter their password.

This idle time-out overrides the idle time-out specified for server-wide Station settings.

Start up display If selected, the specified display is the startup display for this operator.

This setting overrides the start up display defined for the Station.

Print the following Alarms/Events on Station Alarm/Event printer

• URGENT priority alarms & events. Enables printing of urgent alarms and points going out of urgent priority
alarm conditions to Station's printer when the operator is logged on to the Station.
• HIGH priority alarms & events. Enables printing of high alarms and points going out of high priority alarm
conditions to Station's printer when the operator is logged on to the
• LOW priority alarms & events. Enables printing of low alarms and points going out of low priority alarm
conditions to Station's printer when the operator is logged on to the
• Journal priority alarms & events. Enables printing of events and journal alarms and points going out of
journal priority alarm conditions when the operator is logged on to the
• Print Operator changes. Enables printing of all changes to points an operator has made from the Station.

ATTENTION: When the operator logs on to Station, these settings override the default Station
settings. The printer assigned to the Station as the alarm/event printer is used to print the alarms
and events.

Select all Select Set all to select all the print options.

Deselect the check box to deselect all the print options.
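
The limits and options described in the General and Advanced tabs can be checked mechanically when reviewing operator definitions. The following is an added example, not Honeywell code: the record layout, the field names (including the hypothetical password_changed flag) and the sample records are constructed for illustration and do not represent an Experion export format.

```python
# Added example: checks operator records against the limits documented above.
# Field names and SAMPLE are constructed; this is not an Experion export format.
NAME_LIMITS = {"Traditional Operator": ("user_name", 20),
               "Windows Operator": ("user_name", 20),
               "Windows Group": ("group", 32)}

def audit(op):
    """Return the findings for one operator record (empty list means clean)."""
    kind = op["type"]
    field, max_len = NAME_LIMITS[kind]
    name, domain = op.get(field, ""), op.get("domain", "")
    findings = []
    if not 1 <= len(name) <= max_len:
        findings.append(f"{field} must be 1-{max_len} characters")
    if "." in domain:
        findings.append("use the short domain name, FQDN is not supported")
    if not 0 <= op.get("control_level", 255) <= 255:
        findings.append("control level must be 0-255")
    if kind == "Traditional Operator":
        if domain:
            findings.append("domain applies only to Windows accounts")
        # 'password_changed' is a hypothetical flag for "changed since install".
        if name == "mngr" and op.get("enabled") and not op.get("password_changed"):
            findings.append("default mngr account still has its installation password")
        if op.get("password_expiry_disabled"):
            findings.append("review: password expiry disabled")
    if op.get("multi_user"):
        findings.append("multi-user option does not apply to Windows group accounts"
                        if kind == "Windows Group"
                        else "review: concurrent logon on multiple Stations allowed")
    return findings

SAMPLE = [  # constructed records
    {"type": "Traditional Operator", "user_name": "mngr", "enabled": True,
     "password_changed": False, "password_expiry_disabled": True, "multi_user": True},
    {"type": "Windows Operator", "user_name": "jsmith", "domain": "plant.example.com",
     "enabled": True, "control_level": 100},
    {"type": "Windows Group", "group": "Local Operators", "domain": "PLANT",
     "enabled": True, "control_level": 50},
]

if __name__ == "__main__":
    for op in SAMPLE:
        print(op.get("user_name") or op.get("group"), audit(op) or "ok")
```

The "review" findings mark settings the page describes as per-account overrides; they are prompts for a reviewer, not errors.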

About security levels

The current security level of a Station is displayed in the Status Bar (right-hand side). If no operator is logged on to the
Station, this part of the Status Bar is blank.

Figure Y-10: Status bar showing the current security level setting ('MNGR')
You can use up to six different security levels in Experion. These levels are shown in the following table in ascending order of

Table Y-1: Security levels

Default Security Level Acronym                                                    Default Meaning
View Only, previously called Lvl1 (Available with operator-based security only)   View-only mode
Ack Only, previously called Lvl2 (Available with operator-based security only)    Alarm acknowledgement mode
OPER                                                                              Operator mode
SUPV                                                                              Supervisor mode
ENGR                                                                              Engineer mode
MNGR                                                                              Manager mode

NOTE: The security level MNGR gives full scope of responsibility regardless of which assets are assigned to the Operator
or Station.

If you have configured a Station to use operator-based security:

• The Station prompts you to log on, and you cannot access any Station functions until you have successfully
logged on.

If you have configured a Station to use single signon (available only if you are using Windows accounts):
• The Station starts with the credentials of the current Windows account if the equivalent operator definition
exists in Experion or if the Windows account is a member of a Windows group configured in Experion.

If you have configured a Station to use Station-based security:

• The Station starts at a security level of OPER, but you need to enter a password if you want to access a higher
level of security.

The security levels OPER through MNGR can be assigned to server functions. In order to use the function, the current
security level used to run Station must be equal to or greater than the security level assigned to the function. For example, a
push button on a display might be assigned a security level of SUPV when a custom display is built. In order for an operator
to use the push button, the Station security level must be either SUPV, ENGR, or MNGR.
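
The two comparisons described on this page (security level against a server function, and operator control level against a point's control level) can be modeled as follows. This is an added example, not Honeywell code: the numeric values of the levels, the Operator class and the function names are assumptions; only the ordering of the levels, the 0 to 255 range and the default of 255 come from the page.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # Only the ordering comes from Table Y-1; the numeric values are assumptions.
    VIEW_ONLY = 1
    ACK_ONLY = 2
    OPER = 3
    SUPV = 4
    ENGR = 5
    MNGR = 6

@dataclass
class Operator:              # hypothetical model of an operator definition
    name: str
    level: Level
    control_level: int = 255  # documented default
    enabled: bool = True

def can_use_function(op, function_level):
    """Server function check: current level must be >= the function's level."""
    if not Level.OPER <= function_level <= Level.MNGR:
        raise ValueError("only OPER through MNGR can be assigned to server functions")
    return op.enabled and op.level >= function_level

def can_control_point(op, point_control_level):
    """Point check: operator control level must be >= the point's control level."""
    for value in (op.control_level, point_control_level):
        if not 0 <= value <= 255:
            raise ValueError("control levels range from 0 to 255")
    return op.enabled and op.control_level >= point_control_level

def push_button_matrix(function_level=Level.SUPV):
    """Which security levels may use a function assigned the given level."""
    return {lvl.name: can_use_function(Operator("x", lvl), function_level)
            for lvl in Level}

if __name__ == "__main__":
    print(push_button_matrix())                     # the SUPV push button example
    for cl in (249, 250, 255):                      # point with control level 250
        print(cl, can_control_point(Operator("op", Level.OPER, cl), 250))
```

Because the default control level is 255, an operator left at the default passes the control-level comparison for every point.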
