ABB RELION 670 SERIES Manual page 73

1MRK 511 399-UEN B
Access rights
UserAdministration
Setting – Basic
Setting – Advanced
Control – Basic
Control – Advanced
IEDCmd – Basic
IEDCmd – Advanced
FileTransfer – Limited
DB Access normal
Audit log read
Setting – Change Setting Group
Security Advanced
670 series 2.2 IEC
Cyber security deployment guideline
Explanation
UserAdministration is used to handle user management e.g. adding new user
Setting – Basic is used for basic settings e.g. control settings and limit supervision
Setting – Advanced is used for the relay engineer to set settings e.g. for the protection functions
Control – Basic is used for a normal operator without possibility to bypass safety functions e.g.
interlock or synchro-check bypass
Control – Advanced is used for an operator that is trusted to do process commands that can be
dangerous
IEDCmd – Basic is used for commands to the IED that are not critical e.g. Clear LEDs, manual
triggering of disturbances
IEDCmd – Advanced is used for commands to the IED that can hide information e.g. Clear
disturbance record
FileTransfer - Limited is used for access to disturbance files e.g. through FTP
Database access for normal user. This is needed for all users that access data from PCM
Audit log read allows reading the audit log from the IED
Setting – Change Setting Group is separated to be able to include the possibility to change the
setting group without changing any other setting
Security Advanced is the privilege required to do some of the more advanced security-related
settings
IED users can be created, deleted and edited only in the SDM600 server. From the
LHMI or PCM600, no users can be created nor changed when Central Account
Management has been enabled in the IED. However, user rights are edited using
the PCM600 user tool (IEDUM) and password can be changed from PCM600 or
LHMI.
At delivery, the IED has a default Administrator defined with full access rights.
PCM600 uses this default user to access the IED. This user is automatically
removed in IED when users are defined in the SDM600 server and replicated to the
IED.
Only characters A - Z, a - z and 0 - 9 shall be used in user names.
User names are not case sensitive. For passwords see the Password
policies.
In order to allow the IED to communicate with PCM600 when
users are defined in the SDM600 server, the access rights
"UserAdministration" and "FileTransfer — Limited" must be
applied to at least one user. User rights are assigned using the
PCM600 user tool (IEDUM).
"DB Access normal" and "FileTransfer – Limited" are required for
PCM600 access to the IED.
Central Account Management
Section 5
67