Role Based Access Control
RBAC Definition
Role-based access control is a way to assign different levels of access to the users that define the features they can access.
RBAC is supported by MasterPacT MTZ, ComPacT NSX, and PowerPacT H-, J-, and L-frame circuit breakers only.
Access to the IFE interface is checked by RBAC mechanism when the connection is made through:
-
IFE interface webpages
-
EcoStruxure Power Commission (EPC) software
For information about enabling RBAC when the connection is made through EPC software, refer to IP Network Services .
Role Definition
The following roles are defined for remote access by default:
-
Security Administrator (SECADM)
-
Engineer
-
Installer
-
Operator
-
Viewer
The security administrator assigns a role to each of the users. Each role includes a set of permissions for the IFE interface users.
The security administrator can manage the users of IFE interface:
-
On the IFE interface webpages
-
With the EcoStruxure Cybersecurity Admin Expert (CAE) software
EcoStruxure Cybersecurity Admin Expert Software
Cybersecurity Admin Expert (CAE) software is used for security configuration of the IFE interface with firmware version 004.009.000 and later.
The security administrator can use CAE software to:
-
Manage the users of IFE interface
-
Define the security policy of the IFE interface
-
Upload security configurations to multiple IFE interfaces
-
Change Device Specific Settings (DSS) of each IFE interface independently
For more information, refer to EcoStruxure Cybersecurity Admin Expert Guide in Related Documents.
-
Enable HTTPS for secure transfer of configurations from CAE software to IFE interface.
-
Enable DPWS for discovery of the IFE interface on CAE software.
CAE Software Settings
The security administrator can set the following parameters in the CAE software:
|
Parameter |
Description |
Value |
|---|---|---|
|
|
After this duration without any action from the user, IFE interface webpages are locked. |
|
|
|
The maximum login attempts |
|
|
|
After this duration the locked user account will be unlocked. |
|
|
|
to enable the user account |
Default setting: Disabled |
|
to enter the server IP address of the Syslog server. |
– |
|
|
to enter the Syslog server port number. |
|
|
|
|
while creating a role. |
Default setting: Disabled |
CAE Device Specific Settings
The Device Specific Settings (DSS) is unique to the IFE interface which enables the configuration to be tailored for each individual device. For example, by using this feature it is possible to activate Modbus secure on a specific IFE interface while leaving it inactive on others.
The following device specific settings are available on the CAE software:
|
Parameter |
Description |
Default Setting |
|---|---|---|
|
|
Activates DPWS discovery on the IFE interface. |
Enabled |
|
|
Activates FTP server on the IFE interface. |
Disabled |
|
|
Activates Modbus secure on the IFE interface. |
Disabled |
|
|
Activates Modbus TCP on the IFE interface. |
Enabled |
Permission for Each Role
The security administrator can modify the permissions for each role using the CAE software.
The following table describes the permissions allowed for each role by default:
|
Permission |
Roles |
||||
|---|---|---|---|---|---|
|
Viewer |
Engineer |
Operator |
Installer |
Security Administrator |
|
|
Maintenance Information Read |
– |
✔ |
✔ |
✔ |
– |
|
Maintenance Settings Write |
– |
✔ |
– |
✔ |
– |
|
Maintenance Control Write |
– |
✔ |
✔ |
✔ |
– |
|
Public Information Read |
✔ |
✔ |
✔ |
✔ |
✔ |
|
Device Measures Information Read |
✔ |
✔ |
✔ |
✔ |
✔ |
|
Device Measures Settings Write |
– |
✔ |
– |
✔ |
– |
|
Device Measures Control Write |
– |
– |
✔ |
– |
– |
|
Device Settings Write |
– |
✔ |
– |
✔ |
– |
|
Device Information Read |
✔ |
✔ |
✔ |
✔ |
✔ |
|
Communication Information Read |
– |
✔ |
✔ |
✔ |
– |
|
Communication Settings Write |
– |
✔ |
– |
✔ |
– |
|
Communication Control Write |
– |
✔ |
– |
✔ |
– |
|
Date and Time Settings Write |
– |
✔ |
– |
✔ |
– |
|
Date and Time Information Read |
✔ |
✔ |
✔ |
✔ |
✔ |
|
Security Information Read |
– |
– |
– |
– |
✔ |
|
Security Settings Write |
– |
– |
– |
– |
✔ |
|
Security Control Write |
– |
– |
– |
– |
✔ |
|
Breaker Control Write |
– |
– |
✔ |
– |
– |
|
Breaker Settings Write |
– |
✔ |
– |
✔ |
– |
|
Breaker Information Read |
– |
✔ |
✔ |
✔ |
– |
|
Protection Information Read |
– |
✔ |
✔ |
✔ |
– |
|
Protection Settings Write |
– |
✔ |
– |
✔ |
– |
|
Protection Control Write |
– |
✔ |
– |
✔ |
– |
|
Input Output Information Read |
– |
✔ |
✔ |
✔ |
– |
|
Input Output Settings Write |
– |
✔ |
– |
✔ |
– |
|
Input Output Control Write |
– |
✔ |
– |
✔ |
– |
|
Security Logs Information Read |
– |
– |
– |
– |
✔ |
|
Security Logs Settings Read |
– |
– |
– |
– |
✔ |
|
Security Logs Settings Write |
– |
– |
– |
– |
✔ |