DOCA0084EN-11

Role Based Access Control

RBAC Definition

Role-based Access Control (RBAC) is a way to assign users different levels of access, which define the features they can use.

RBAC is supported only by:

  • MasterPacT MTZ circuit breakers with MicroLogic X control unit.
  • ComPacT NSX circuit breakers.
  • PowerPacT H-, J- and L-frame circuit breakers.

Access to the IFE server is checked by the RBAC mechanism when the connection is made through:

  • IFE server webpages

  • EcoStruxure Power Commission (EPC) software

    For information about enabling RBAC when the connection is made through EPC software, refer to IP Network Services.

Role Definition

The following roles are defined for remote access by default:

  • Security Administrator (SECADM)

  • Engineer

  • Installer

  • Operator

  • Viewer

The security administrator assigns a role to each of the users. Each role includes a set of permissions for the IFE server users.

The security administrator can manage the users of the IFE server:

  • On the IFE server webpages

  • With the EcoStruxure Cybersecurity Admin Expert (CAE) software

EcoStruxure Cybersecurity Admin Expert Software

Cybersecurity Admin Expert (CAE) software is used for security configuration of the IFE server with firmware version 005.001.000 and later.

The security administrator can use CAE software to:

  • Manage the users of the IFE server

  • Define the security policy of the IFE server

  • Upload security configurations to multiple IFE servers

  • Change Device Specific Settings (DSS) of each IFE server independently

For more information, refer to the EcoStruxure Cybersecurity Admin Expert Guide in Related Documents.

NOTE:
  • Enable HTTPS for secure transfer of configurations from CAE software to IFE server.

  • Enable DPWS for discovery of the IFE server on CAE software.

CAE Software Settings

The security administrator can set the following parameters in the CAE software:

Minimum inactivity period
  After this duration without any action from the user, the IFE server webpages are locked.
  • Range: 1–3600 s
  • Default value: 600 s

Maximum login attempts
  The maximum number of login attempts allowed before the user account is locked.
  • Range: 1–32
  • Default value: 3

Locking period duration
  After this duration, the locked user account is unlocked.
  • Range: 0–3600 s
  • Default value: 60 s

LoggingPolicy
  Enabled to enable the user account.
  • Default setting: Disabled

  SyslogServerIPAddress: enter the IP address of the Syslog server.

  SyslogServerport: enter the Syslog server port number.
  • Range: 1–65534
  • Default value: 601

Device measure read permission
  Enabled while creating a role.
  • Default setting: Disabled

NOTE: CAE software supports a maximum of 12 users and 10 user roles for the IFE server.
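The following Python model is an added example, not code from the Schneider Electric documentation or the CAE software: it captures the lockout and inactivity behaviour that the parameters above define, validates a configuration against their documented ranges, defaults and the 12-user / 10-role limit, and can be used to sanity-check a policy before it is uploaded to several IFE servers. All function, class and configuration key names are assumptions.

```python
# Constructed model of the CAE lockout and inactivity policy described above.
# Illustrative only: not IFE firmware or CAE code; all names are assumptions.
from dataclasses import dataclass

RANGES = {  # (low, high, default) from the CAE Software Settings table
    "min_inactivity_s": (1, 3600, 600),
    "max_login_attempts": (1, 32, 3),
    "locking_period_s": (0, 3600, 60),
    "syslog_port": (1, 65534, 601),
}
MAX_USERS, MAX_ROLES = 12, 10  # CAE limits for one IFE server


def validate_policy(cfg: dict) -> list:
    """Return the problems found; empty when every value is in its documented range."""
    problems = []
    for key, (low, high, default) in RANGES.items():
        value = cfg.get(key, default)  # missing keys fall back to the default
        if not low <= value <= high:
            problems.append(f"{key}={value} outside {low}-{high}")
    if len(cfg.get("users", [])) > MAX_USERS:
        problems.append(f"more than {MAX_USERS} users")
    if len(cfg.get("roles", [])) > MAX_ROLES:
        problems.append(f"more than {MAX_ROLES} roles")
    return problems


def webpage_locked(last_action: float, now: float, min_inactivity_s: int = 600) -> bool:
    """Webpages lock once min_inactivity_s has passed without a user action."""
    return now - last_action >= min_inactivity_s


@dataclass
class Account:
    """Per-user lockout state driven by max_login_attempts and locking_period_s."""
    max_attempts: int = 3
    locking_period_s: int = 60
    failures: int = 0
    locked_until: float = 0.0

    def login(self, now: float, password_ok: bool) -> str:
        if now < self.locked_until:
            return "locked"  # still inside the locking period
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.locking_period_s
            return "locked"  # threshold reached, account locked for locking_period_s
        return "denied"
```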

CAE Device Specific Settings

The Device Specific Settings (DSS) are unique to each IFE server, which allows the configuration to be tailored for each individual device. For example, this feature makes it possible to activate Modbus secure on a specific IFE server while leaving it inactive on others.

The following device specific settings are available on the CAE software:

DPWS Discovery Status
  Activates DPWS discovery on the IFE server.
  • Default setting: Enabled

FTP Server Status
  Activates the FTP server on the IFE server.
  • Default setting: Disabled

Modbus Secure Status
  Activates Modbus secure on the IFE server.
  • Default setting: Disabled

Modbus TCP Status
  Activates Modbus TCP on the IFE server.
  • Default setting: Enabled

Permission for Each Role

The security administrator can modify the permissions for each role using the CAE software.

The following table describes the permissions allowed for each role by default:

Roles: Viewer, Engineer, Operator, Installer, Security Administrator

Permissions:

  • Maintenance Information Read
  • Maintenance Settings Write
  • Maintenance Control Write
  • Public Information Read
  • Device Measures Information Read
  • Device Measures Settings Write
  • Device Measures Control Write
  • Device Settings Write
  • Device Information Read
  • Communication Information Read
  • Communication Settings Write
  • Communication Control Write
  • Date and Time Settings Write
  • Date and Time Information Read
  • Security Information Read
  • Security Settings Write
  • Security Control Write
  • Breaker Control Write
  • Breaker Settings Write
  • Breaker Information Read
  • Protection Information Read
  • Protection Settings Write
  • Protection Control Write
  • Input Output Information Read
  • Input Output Settings Write
  • Input Output Control Write
  • Security Logs Information Read
  • Security Logs Settings Read
  • Security Logs Settings Write

QR Code is a registered trademark of DENSO WAVE INCORPORATED in Japan and other countries.