System Administration (Advanced)
TM-1301
TRAINING GUIDE
AVEVA Plant (12.1)
www.aveva.com
AVEVA Plant (12.1) System Administration (Advanced) TM-1301
www.aveva.com © Copyright 1974 to current year. AVEVA Solutions Limited and its subsidiaries. All rights reserved.
Revision Log
Date        Revision  Description of Revision                Author
22/07/2011  0.1       Issued for Review PDMS 12.1.1          BT
09/11/2011  0.2       Reviewed                               BT
10/11/2011  1.0       Issued for Training PDMS 12.1.1        BT
05/12/2011  2.0       Issued with latest copyright footer    CF
29/02/2012  2.1       Issued for Review PDMS 12.1.SP2        KB
01/03/2012  2.2       Reviewed                               KB
06/03/2012  3.0       Approved for Training PDMS 12.1.SP2    KB
Reviewed / Approved: KB, KB, -, NG, CF, SB, SB, NG
Updates
In general, all headings containing updated or new material will be highlighted.
Suggestion / Problems
If you have a suggestion about this manual or the system to which it refers, please report it to AVEVA Training & Product Support (TPS) at [email protected]
This manual provides documentation relating to products to which you may not have access or which may not be licensed to you. For further information on which products are licensed to you please refer to your licence conditions.
Visit our website at http://www.aveva.com
Disclaimer
1.1 AVEVA does not warrant that the use of the AVEVA software will be uninterrupted, error-free or free from viruses.
1.2 AVEVA shall not be liable for: loss of profits; loss of business; depletion of goodwill and/or similar losses; loss of anticipated savings; loss of goods; loss of contract; loss of use; loss or corruption of data or information; any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses which may be suffered by the user, including any loss suffered by the user resulting from the inaccuracy or invalidity of any data created by the AVEVA software, irrespective of whether such losses are suffered directly or indirectly, or arise in contract, tort (including negligence) or otherwise.
1.3 AVEVA's total liability in contract, tort (including negligence), or otherwise, arising in connection with the performance of the AVEVA software shall be limited to 100% of the licence fees paid in the year in which the user's claim is brought.
1.4 Clauses 1.1 to 1.3 shall apply to the fullest extent permissible at law.
1.5 In the event of any conflict between the above clauses and the analogous clauses in the software licence under which the AVEVA software was purchased, the clauses in the software licence shall take precedence.
Copyright
Copyright and all other intellectual property rights in this manual and the associated software, and every part of it (including source code, object code, any data contained in it, the manual and any other documentation supplied with it) belongs to, or is validly licensed by, AVEVA Solutions Limited or its subsidiaries. All rights are reserved to AVEVA Solutions Limited and its subsidiaries.
The information contained in this document is commercially sensitive, and shall not be copied, reproduced, stored in a retrieval system, or transmitted without the prior written permission of AVEVA Solutions Limited. Where such permission is granted, it expressly requires that this copyright notice, and the above disclaimer, is prominently displayed at the beginning of every copy that is made.
The manual and associated documentation may not be adapted, reproduced, or copied, in any material or electronic form, without the prior written permission of AVEVA Solutions Limited. The user may not reverse engineer, decompile, copy, or adapt the software. Neither the whole, nor part of the software described in this publication may be incorporated into any third-party software, product, machine, or system without the prior written permission of AVEVA Solutions Limited, save as permitted by law. Any such unauthorised action is strictly prohibited, and may give rise to civil liabilities and criminal prosecution.
The AVEVA software described in this guide is to be installed and operated strictly in accordance with the terms and conditions of the respective software licences, and in accordance with the relevant User Documentation. Unauthorised or unlicensed use of the software is strictly prohibited.
Copyright 1974 to current year. AVEVA Solutions Limited and its subsidiaries. All rights reserved.
AVEVA shall not be liable for any breach or infringement of a third party's intellectual property rights where such breach results from a user's modification of the AVEVA software or associated documentation.
AVEVA Solutions Limited, High Cross, Madingley Road, Cambridge, CB3 0HB, United Kingdom.
Trademark
AVEVA and Tribon are registered trademarks of AVEVA Solutions Limited or its subsidiaries. Unauthorised use of the AVEVA or Tribon trademarks is strictly forbidden. AVEVA product/software names are trademarks or registered trademarks of AVEVA Solutions Limited or its subsidiaries, registered in the UK, Europe and other countries (worldwide). The copyright, trademark rights, or other intellectual property rights in any other product or software, its name or logo belongs to its respective owner.
Contents
1 Introduction
  1.1 Aim
  1.2 Objectives
  1.3 Prerequisites
  1.4 Course Structure
  1.5 Using this guide
  1.6 Setting up the Training Course
2 Extract Databases
  2.1 Overview
    2.1.1 Creating Extract Databases
    2.1.2 Working in Extract Databases
    2.1.3 Updating Changes from Extract Databases
  2.2 Types of Extract Databases
    2.2.1 Standard Extracts
    2.2.2 Working Extracts
    2.2.3 Variant Extracts
  2.3 Write Access to an Extract Databases
  2.4 Extract Families
    2.4.1 Querying Extract Families
  2.5 Choosing an Appropriate Database
  2.6 Extract Data Control in Design
    2.6.1 The Get All Changes Button
    2.6.2 The Update CE Button
    2.6.3 The Extract Claimlists Button
    2.6.4 The User Claimlists button
    2.6.5 The Extract Button
    2.6.6 Extract Database Operations - Scope
    2.6.7 The Prefix Info Button
    2.6.8 Change Highlighting
    2.6.9 Rules and Connections
    2.6.10 The Flush Button
    2.6.11 The Issue Button
    2.6.12 The Drop Button
  2.7 Creating Standard Extract Databases – A Worked Example
    2.7.1 Create Teams
    2.7.2 Create Users
    2.7.3 Create a Master Database
    2.7.5 Create Standard Extracts
    2.7.6 Create MDBs
    2.7.7 Testing Standard Extract Databases in Design
    2.7.8 Extract Change Highlighting
    2.7.9 Outstanding in Extract
    2.7.10 Introduced by Get All Changes
    2.7.11 Displaying Items Introduced by Get All Changes
  Exercise 1 – Extract Databases
  2.8 Creating Working Extracts – A Worked Example
  Exercise 2 - Testing Working Extracts in Design
3 Data Access Control (DAC)
  3.1 Data Access Control – Overview
  3.2 ACRs - Roles and Scopes
    3.2.1 Permissible Operations (Perops)
  3.3 Enabling DAC
  3.4 Creating Scopes, Roles and Permissible Operations – A Worked Example
    3.4.1 Creating a Scope
    3.4.2 Creating Roles and Permissible Operations
  3.5 Creating Access Control Rights – A Worked Example
    3.5.1 Create an ACR for ALL
  3.6 Setting User Access – A Worked Example
    3.6.1 Using Access Control Assistant
    3.6.2 Using Create/Modify User
  3.7 Testing PDMS Access Control
  3.8 Querying User Access in Design
  3.9 DAC – Negative Implementation
  3.10 Setting DAC for use with MDS
4 Project Setup Using Excel
  4.1 Export to Excel
  4.2 Admin Excel Spreadsheet
    4.2.1 Admin Excel Spreadsheet – Extract Databases
    4.2.2 Admin Excel Spreadsheet – Working Extract Databases
    4.2.3 Admin Excel Spreadsheet – Scope
    4.2.4 Admin Excel Spreadsheet – Roles and Perops
    4.2.5 Admin Excel Spreadsheet – ACR
  4.3 Import from Excel
    4.3.1 Selecting an MDB for User Defined Data
  4.4 Admin Database Rollback
  Exercise 3 – Project Setup Excel Export / Import
5 PML Encryption
  5.1 Overview of PML Encryption
  5.2 PML Encryption Utility Program
    5.2.1 Typical workflow
    5.2.2 Licensing
  5.3 Using the PML Encryption Utility Program
  5.4 Choosing Files
    5.4.1 Single File
    5.4.2 All Files in a Folder
    5.4.3 Files in a pmllib-like Folder Tree
    5.4.4 File/Folder paths
  5.5 Encryption Algorithms
    5.5.1 Encryption Type 0: No Encryption
    5.5.2 Encryption Type 1: Trivial Encryption
    5.5.3 Encryption Type 2: Basic Encryption
    5.5.4 Encryption Type 3: RC4 Encryption
  5.6 Encrypting PML Files – A Worked Example
    5.6.1 Supplied Files
    5.6.2 Directory Structure
    5.6.3 Testing using a Batch File
    5.6.4 Testing the None Option
    5.6.5 Testing the Trivial Option
    5.6.6 Encrypting Multiple Files
    5.6.7 Testing Encrypted Macros
  5.7 Buffering Encrypted Files
  5.8 Editing Published PML Files
  5.9 Using the $R Command
  5.10 Troubleshooting
6 Intellectual Property Rights Database Protection
  6.1 IPR Protection Overview
  6.2 Changes to Admin for Database Protection
  6.3 Changing Database Protection – A Worked Example
    6.3.1 Testing Database IPR Protection for the Output Command
    6.3.2 Testing Database IPR Protection for the Copy Command
  6.4 Attribute Protection
  6.5 Checking Attribute Protection – A Worked Example
    6.5.1 Creating an MDB in the MAS Project
    6.5.2 Attributes as a Free User
    6.5.3 Attributes as a Restricted User
    6.5.4 Comparing Results
7 Enhanced Entry Scripts
  7.1 Creating an Encrypted Entry Script
  7.2 Typical Entry Macro
  7.3 Typical Entry Batch File
  7.4 Enhanced Entry Scripts (PML Publisher Available)
    7.4.1 Typical User Macro
    7.4.2 Creating the Encrypted Entry Script
    7.4.3 Typical Entry Batch File (PML Publisher Available)
CHAPTER 1
1 Introduction
The AVEVA Plant (12.1) System Administration (Advanced) training guide is designed as a continuation to the AVEVA Plant (12.1) System Administration (Basic) training guide. It builds on existing PDMS administration concepts and introduces additional functionality to assist administrators.
1.1 Aim
To provide administrators with the knowledge and skills necessary to administer PDMS projects using advanced features and functionality.
1.2 Objectives
- Introduce PDMS concepts specific to Extract Databases, Data Access Control, Encryption of files, and Intellectual Property Rights Database Protection.
- Explain the basic concepts of Extract Databases.
- Show how to create Standard and Working Extract Databases.
- Create and edit data in an Extract Database.
- Explain how Data Access Control can be used to control PDMS data.
- Demonstrate how to create simple Data Access Control rules.
- Be able to encrypt PML forms, functions, objects and macros.
- Explain the basic concepts of Intellectual Property Rights Database Protection.
- Demonstrate the protection of a catalogue database.
1.3 Prerequisites
It is expected that trainees will have completed the TM-1300 AVEVA Plant (12.1) System Administration (Basic) training course. Trainees who can demonstrate a suitable understanding of PDMS administration may also be permitted to undertake the training.
1.4 Course Structure
Training will consist of oral and visual presentations, demonstrations, worked examples and set exercises. Each workstation will have a training project populated with model objects. This will be used by the trainees to practice their methods and complete the set exercises.
1.5 Using this guide
Certain text styles are used to indicate special situations throughout this document. Menu pull downs and button press actions are indicated by bold dark turquoise text. Information the user has to Key-in will be bold red text.
Additional information notes and references to other documentation will be indicated in the styles below.
Additional information
Refer to other documentation
System prompts will be bold and italic in inverted commas i.e. 'Choose function'. Example files or inputs will be in the courier new font. If users are required to enter information as part of an example, appropriate fonts and styles previously outlined will be used.
1.6 Setting up the Training Course
Create a new project using the Project Creation Wizard. From the start bar select: Start > All Programs > AVEVA Plant > Design > PDMS 12.1.SP2 > Project Creation Wizard.
Enter the following details for the project.
Project - Training
Code - TRA
Address - C:\AVEVA\plant\PDMS12.1.SP2\project\Training
Click the Create button.
Log in to the Administration module of the new PDMS project using the details provided by the trainer. They will typically be similar to this:
Project - Training
Username - SYSTEM
Password - XXXXXX
Click the Login button.
It is not necessary to specify an MDB to enter Admin. Free Users, like SYSTEM, are NOT shown on the Username pull down.
In Admin select Utilities > Training Setup… from the main menu to display the Training Admin form. Select the Training Setup tab. From the Number of Designers option list select 1, then click the Create Project button. A Progress Bar is displayed in the lower right hand corner of the screen. Additional feedback is provided in the Command Window. This process sets the project to a known state, ready for the training course. The process may take several minutes, but when complete the user will be returned to the default Admin screen and the Training Setup form will close.
CHAPTER 2
2 Extract Databases
PDMS allows a sub-set of databases to be copied from master databases. These sub-sets are referred to as Extract databases. Extract databases may be as simple as a single database allocated to one user, or they may be more complex, catering for multiple designers over a range of disciplines. Extract databases allow data from a master database to be shared and modified without affecting the master databases. New data can also be created in the extract databases. Any changes made in the extract databases can be returned to the master databases as and when the administrator requires it.
2.1 Overview
Extract databases provide a useful way of controlling data workflow within a discipline and controlling cross discipline modifications. They are also useful for workflows that require persistent claims or workflow in multiple locations (i.e. Global projects).
2.1.1 Creating Extract Databases
An extract can only be created from an existing multiwrite database (i.e. DESI, PADD, CATA and ISOD). As such, extract databases themselves are multiwrite. Extracts cannot be created from foreign databases and cannot be created from copy databases. Many Extracts can be created from one Master database. It is also possible to create an extract of an extract, thereby creating an Extract Family.
Extract Families are considered later in this training guide.
2.1.2 Working in Extract Databases
When an extract is created, it will be empty, with pointers back to the owning or master database. When elements are worked on in the extract database, they are claimed in the extract in a similar way to simple Multiwrite databases, so no other user can work on them. Claims are persistent from session to session. When work is saved, the changed data will be saved to the extract, not the master database. Any unchanged data will still be read via pointers back to the master database.
Extract databases can be worked on by a user at the same time as another user is working on the master database or another extract. Any changes made in the master database can be updated in the extract database.
2.1.3 Updating Changes from Extract Databases
At some stage in the design process it will be necessary to return information from the extract database to the master database. Two methods are available to facilitate this process:
Flush – copies changes to the master database, but claims on elements still persist. This allows other users to see the changes made but ensures that no changes can be made to the elements.
Issue – copies changes to the master database and removes all claims from the elements. Other users can see the changes made and make further modifications if required.
Alternatively, if the data is no longer required it may be Dropped. If data is dropped, no changes will be transferred to the master database but claims on model elements will remain.
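The claim, Flush, Issue and Drop behaviour described in sections 2.1.2 and 2.1.3 can be followed step by step in the small model below. It is an added illustration in plain Python, not PDMS or PML code and not part of the AVEVA guide; the class, method and element names are hypothetical, and the element /PIPE-100 is constructed sample data.

```python
# Added illustration: a plain-Python model of the behaviour described above.
# It is not PDMS or PML code; class, method and element names are hypothetical.

class ClaimError(Exception):
    """Raised when an element is already claimed by another extract."""


class Master:
    def __init__(self, elements):
        self.elements = {name: dict(attrs) for name, attrs in elements.items()}
        self.claims = {}  # element name -> name of the extract holding the claim


class Extract:
    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.changes = {}  # a new extract is empty; only changed data lives here

    def read(self, element):
        # Unchanged data is read through to the master; changes overlay it.
        data = dict(self.master.elements.get(element, {}))
        data.update(self.changes.get(element, {}))
        return data

    def modify(self, element, **attrs):
        # Claim the element first; the claim persists until it is issued.
        holder = self.master.claims.setdefault(element, self.name)
        if holder != self.name:
            raise ClaimError(f"{element} is claimed by {holder}")
        self.changes.setdefault(element, {}).update(attrs)

    def _copy_changes_to_master(self):
        for element, attrs in self.changes.items():
            self.master.elements.setdefault(element, {}).update(attrs)
        self.changes.clear()

    def flush(self):
        # Flush: changes become visible in the master, claims are kept.
        self._copy_changes_to_master()

    def issue(self):
        # Issue: changes are copied and every claim held by this extract is released.
        self._copy_changes_to_master()
        for element in [e for e, h in self.master.claims.items() if h == self.name]:
            del self.master.claims[element]

    def drop(self):
        # Drop: changes are discarded; as the guide states, claims remain.
        self.changes.clear()


def can_modify(extract, element, **attrs):
    """Return True if the modification was accepted, False if blocked by a claim."""
    try:
        extract.modify(element, **attrs)
        return True
    except ClaimError:
        return False


def demo():
    # Constructed sample data: one pipe element in a master with two extracts.
    master = Master({"/PIPE-100": {"bore": 50}})
    x1, x2 = Extract("PIPES_X1", master), Extract("PIPES_X2", master)
    bore = lambda: master.elements["/PIPE-100"]["bore"]
    steps = []
    x1.modify("/PIPE-100", bore=80)
    steps.append(("saved in X1", bore(), x2.read("/PIPE-100")["bore"]))
    x1.flush()
    steps.append(("after flush", bore(), can_modify(x2, "/PIPE-100", bore=65)))
    x1.issue()
    steps.append(("after issue", bore(), can_modify(x2, "/PIPE-100", bore=65)))
    x2.drop()
    steps.append(("after drop", bore(), master.claims.get("/PIPE-100")))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Each tuple from demo() holds the step name, the bore value stored in the master, and what the second extract sees or is allowed to do at that point.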
2.2 Types of Extract Databases
Three different types of extract databases can be created. Features pertaining to each type of extract database are noted in the sections that follow.
2.2.1 Standard Extracts
Standard extracts are similar to normal multiwrite databases. They can be owned by any team, given any name, and added to MDBs in the usual way. The claim mode may be implicit or explicit. If an element is being worked on by any other user in the Extract Family, no other user can work on it.
2.2.2 Working Extracts
Working Extracts are created uniquely for an individual user, i.e. ‘one per user’. Working Extracts only require the use of a single MDB.
2.2.3 Variant Extracts
Both Standard and Working extracts can be variant extracts. Variants are a special type of extract in which elements are not claimed from the owner. They are designed to allow users to try out different designs which then may, or may not, be written back to the master database. When variants are used, all changes are merged together on issue. Changes are handled at attribute level, so that different users can change different attributes on the same element and then merge their changes. No locking is applied to a variant extract, and any locks applied to other extracts are ignored. This allows many users to modify the same element in a given session, but has the disadvantage that any conflicts will not be found until the changes are issued. If two users modify the same attribute, the last change to be merged takes precedence. PDMS will ensure that all merges comply with the basic database rules, that is, the data will comply with all DICE checking requirements. It cannot check that the data makes sense in design terms. It is recommended that data consistency and clash checks are always carried out on the resulting merged data.
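The attribute-level merge described above, where the last change merged takes precedence, can be modelled as follows. This is an added illustration in plain Python, not PDMS or PML code and not part of the AVEVA guide; the function, element and user names are hypothetical and the data is constructed. It records every attribute value that a later issue replaced, which is the information an administrator needs when reviewing merged variant data.

```python
# Added illustration: a plain-Python model of attribute-level variant merging.
# It is not PDMS or PML code; function, element and user names are hypothetical.

def merge_variants(master, issued):
    """Merge variant changes into a copy of the master data.

    master: {element: {attribute: value}}
    issued: list of (user, {element: {attribute: value}}) in the order issued.
    Returns (merged, overwritten), where overwritten lists every attribute
    value that a later issue replaced, so it can be reviewed by hand.
    """
    merged = {element: dict(attrs) for element, attrs in master.items()}
    last_writer = {}  # (element, attribute) -> (user, value)
    overwritten = []
    for user, changes in issued:
        for element, attrs in changes.items():
            for attribute, value in attrs.items():
                key = (element, attribute)
                if key in last_writer and last_writer[key][1] != value:
                    overwritten.append({
                        "element": element,
                        "attribute": attribute,
                        "lost": last_writer[key],
                        "kept": (user, value),
                    })
                # No locking in a variant: the last change merged takes precedence.
                merged.setdefault(element, {})[attribute] = value
                last_writer[key] = (user, value)
    return merged, overwritten


def elements_to_review(overwritten):
    """Elements on which one user's change replaced another's during the merge."""
    return sorted({entry["element"] for entry in overwritten})


# Constructed sample data: two designers issue variant changes in this order.
MASTER = {
    "/PUMP-1": {"position": "E 0 N 0 U 0", "description": "Feed pump"},
    "/VALVE-7": {"position": "E 900 N 0 U 0", "description": "Isolation valve"},
}
ISSUED = [
    ("DESIGNER_A", {"/PUMP-1": {"position": "E 500 N 0 U 0",
                                "description": "Feed pump A"}}),
    ("DESIGNER_B", {"/PUMP-1": {"description": "Feed pump B"},
                    "/VALVE-7": {"description": "Gate valve"}}),
]

if __name__ == "__main__":
    merged, overwritten = merge_variants(MASTER, ISSUED)
    print(merged["/PUMP-1"])
    for entry in overwritten:
        print(entry)
    print(elements_to_review(overwritten))
```

DESIGNER_A's position change and DESIGNER_B's description change on /PUMP-1 both survive the merge; only DESIGNER_A's description is replaced, and that is the one entry reported.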
2.3
Write Access to Extract Databases
Write access to an extract database is controlled in the same way as any other database. The user must be a member of the Team owning the extract and the user must select an MDB containing the extract. Data Access Control can also be applied to limit operations available to users. Extracts in the same family can be owned by the same team or by different teams.
At this release, an extract can only be created at the bottom of an extract tree. It is not possible to insert a new extract between existing generations, or create a new master for the extract family.
2.4
Extract Families
A Master database may have up to 8000 extract databases. Extracts can be created from another extract, forming a hierarchy of extracts (to a maximum of 10 levels). All the extracts derived from the same master are described as an Extract Family. The original database is known as the Master database. The Master database is the owner or parent of the first level of extracts. If a more complex hierarchy of extracts is created, the lower level extracts will have parent extracts which are not the master. The extracts immediately below an extract are known as extract members. The following diagram illustrates an example of an extract family hierarchy:
In this example:
PIPES is the Master and the parent of PIPES_X1.
PIPES_X1 is a child of PIPES and the parent of PIPES_X10.
PIPES_X10 is a child of PIPES_X1.
The members of PIPES are PIPES_X1 and PIPES_X2.
2.4.1
Querying Extract Families
The following attributes can be queried to obtain information about the structure of an extract family:
Database attributes
EXTNO     Extract Number
EXTFAM    Extract Family
EXTOWN    Extract Owner
ISEXOP    Owner Primary Here
EXTMAS    Extract Master
ISEXMP    Master Primary Here
EXTALS    Extract Ancestors
ISEXAP    Ancestry Primary Here
EXTCLS    Extract Children
LVAR      Variant
EXTDES    Extract Descendants
LCTROL    Controlled
2.5
Choosing an Appropriate Database
It is often advantageous for administrators to use both master databases and extract databases in a project. Suggested use of extract and master database types is provided below:
Use Extract Databases for:
Controlling data workflow within a discipline.
Controlling cross discipline modifications (e.g. supports).
Persistent claims.
Integrated working environment with other offices (Global 2).
Use Master databases for:
Enabling cross discipline review/approval of data.
Catalogue, Library and Template data.
Splitting data into smaller units to avoid mass data processing through large collections, clashing and spatial map updates.
Controlling the visibility of data in working areas.
Controlling the distribution of sub-contractors data.
Separating common data for export across projects.
Reducing the consequences of possible data corruption.
2.6
Extract Data Control in Design
In the Design module extract data is managed using the Extract Data Control form. If extract databases are present in the selected MDB the form can be displayed by selecting Design > Extract Control… from the main menu. If no extract databases are present in the MDB an error message is displayed.
The following sections detail the functionality contained within the form.
2.6.1
The Get All Changes Button
The Get All Changes button updates an extract with changes made in the owning database. Get all changes can be to a first-level extract from a master database, or to a low-level extract from a higher-level extract (one level at a time). This is similar to doing a Get Work on a normal database.
The From parent extract only and From all extract ancestors radio buttons determine where the changes are taken from.
2.6.2
The Update CE Button
The Update CE button refreshes the claim list for the current element.
The prefix “E” is explained later in this chapter.
2.6.3
The Extract Claimlists Button
The Extract Claimlists button shows details of the items Extracted to a database. The items are not necessarily claimed by a user. The Extract Claim options list enables the data to be displayed for the CE, MDB, or a selected database.
2.6.4
The User Claimlists Button
Clicking the User Claimlists button enables elements to be claimed in the same way as selecting Utilities > Claimlists… from the main menu.
2.6.5
The Extract Button
Clicking the Extract button transfers the write access of a given primary element to an extract. A claim can be to a first-level extract from a master database, or to a low-level extract from a higher-level extract.
If the extract database has been set up in Implicit claim mode then modifying the element will claim it automatically.
2.6.6
Extract Database Operations - Scope
The Element Hierarchy and Single Element radio buttons in the Extract DB Operations – Scope area of the form enable either the hierarchy below the identified element, or only the identified element, to be extracted.
Items can be claimed using Utilities > Claim Lists… from the main menu.
2.6.7
The Prefix Info Button
Clicking the Prefix Info button displays the Prefix Information form. The form contains the explanation of the prefix codes and can be used to remind designers of the claim and update condition of the database items.
In this example, Site /SITE-PIPES-AREA01 has prefix codes E and M, meaning that the Site is Claimed and Modified, whilst the zone ZONE-PIPING-AREA01 is just claimed to the extract.
2.6.8
Change Highlighting
It is possible to highlight elements in an extract database that will be Issued, Flushed or Dropped or added to the database (following the Get All Changes command) using the Extract Data Control form. Items that are outstanding in the extract or that have arisen by getting changes from the master database can be displayed this way.
2.6.9
Rules and Connections
When the Always Issue / Flush Changed Rules / Connections checkbox is selected, any related items will also be Issued or Flushed.
This would typically be used where a claimed pipe is connected to equipment nozzles or another pipe. As such, it would be appropriate to Issue (or Flush) the equipment with the pipe and vice versa. Selecting Resultant Additional Elements… displays additional elements via the Changed Rules & Connections form.
2.6.10
The Flush Button
Clicking the Flush button copies local changes to the owning database but the elements are not released. Users who have access to the owning database can now see the changes, but they cannot make changes to the elements.
After a Flush the Item is still claimed. This is an example of a persistent claim.
2.6.11
The Issue Button
Clicking the Issue button copies local changes to the owning database and releases the elements. Users who have access to the owning database can now see the changes and can make changes to the elements.
Following an Issue the Item will not be claimed.
2.6.12
The Drop Button
Clicking the Drop button will abandon local changes, i.e. there will be no change to the owning database and it will return to its state before the changes were made (even if the user has done a Save Work). The elements that were being worked on will not be released.
2.7
Creating Standard Extract Databases – A Worked Example
This worked example creates a number of users, teams and MDB’s that will be used to create a number of extract databases. The effect of flushing and issuing information will also be demonstrated.
2.7.1
Create Teams
For this example three new Teams will be created. Using the Admin Elements form create the following Teams:
MASTERA EXTEAMB EXTEAMC
2.7.2
Create Users
Three new Users are also required. Create the following Users and Passwords:
USER         Password
APPRUSERA    A
EXUSERB      B
EXUSERC      C
Make the Users members of the following teams:
USER         Team
APPRUSERA    MASTERA
EXUSERB      EXTEAMB
EXUSERC      EXTEAMC
2.7.3
Create a Master Database
For this example, a new master database will be created. From this master database, extract databases will be created. When creating the master database, ensure that the Master DB radio button is active.
The database type required is a Design database. Name the database DESI.
In the Create SITE textbox enter MASTER/DESI to create a top level element in the database. Set the Access Mode to Multiwrite and Implicit Claim.
As Extract databases can only be created from a Multiwrite master database it is important that this setting is made correctly.
Leave the other settings as the default displayed.
Click the Apply button and dismiss the form. Check that the new database MASTERA/DESI is displayed in the Database and Extracts list.
2.7.5
Create Standard Extracts
Two extracts of the database will be created and assigned to separate teams. On the Admin Elements form ensure Databases & Extracts is selected in the Elements option list.
Select the Create… button to display Databases & Extracts form and click the An Extract of a DB radio button.
Click the OK button to display the Create Extract form. Select MASTERA/DESI from the Select Database for Extract grid. Select EXTEAMB from the Owning Team grid. Enter DESI_X1 in the Name textbox. Select Implicit Claim from the Access Mode options list. Click the Apply button to create the extract. Repeat the process to create EXTEAMC/DESI_X2 based on MASTERA/DESI.
As the extract databases are Multiwrite they appear in the Select Databases for Extract grid.
Extract databases are indicated in Administration forms with an ‘X’.
2.7.6
Create MDBs
Copy MDB A-PIPING to create an MDB called MASA with a description of Master Extract MDB. Put the MASTERA/DESI database at the top of the Current Databases list. Create two further copies of MDB A-PIPING named EXTB, description Extract B, and EXTC, description Extract C, respectively.
Put the database EXTEAMB/DESI_X1 at the top of MDB EXTB and the database EXTEAMC/DESI_X2 at the top of MDB EXTC.
2.7.7
Testing Standard Extract Databases in Design
Enter PDMS Design with Username APPRUSERA, Password A and MDB MASA. Make the main display window small in height and put it at the top of the screen.
Display the Command Window. Navigate to the World and check that the correct database is being used by entering Q DBNAME in the Command Window. The returned name should be MASTERA/DESI.
Enter PDMS with Username EXUSERB, Password B and MDB EXTB. Make the main display window small in height and put it at the bottom of the screen. Check the correct database is being used. The returned name should be EXTEAMB/DESI_X1.
In the APPRUSERA session (top of the screen), navigate to the Site MASTERA/DESI and rename it to SITE-MASTERA. Create a Zone named EQUIP-ZONE and two equipment elements named EQ1 and EQ2. Save Work.
In the EXUSERB session (bottom of the screen), select Design > Extract Control… from the main menu to display the Extract Data Control form. Click the Get All Changes button. Click in the Elements grid to refresh the form. The re-named Site, the Zone and the two equipment elements are now displayed in the form and Design Explorer.
Close the Extract Data Control form.
In the EXUSERB session (bottom of the screen), create a new equipment element named EQ3 in the same Zone as EQ1 and EQ2.
The equipment is shown bold, indicating that it is claimed.
Save Work.
In the APPRUSERA session (top of the screen) select Design > Get Work from the main menu. Note that the new equipment, EQ3, is not displayed in the session. This is because the equipment has not been Flushed or Issued to the master database.
In the EXUSERB session (bottom of the screen) display the Extract Data Control form again. Note that the EQ3 equipment is prefixed by M, indicating that it has been Modified. The owning zone also has a prefix M, indicating that it has also been modified. Click the Flush button. As a Save Work has not been done before the Flush was initiated the following message is displayed:
Click the Yes button to save the changes.
The Extract Session Comment form is automatically displayed. Click the YES button to confirm the Flush.
Note that the Claim status of the equipment has changed in Extract Data Control form. When a Flush is performed the items are available in the owning database but remain claimed, i.e. EQ3 is prefixed by E, indicating that it is claimed by an extract in this MDB.
In the APPRUSERA session (top of the screen) select Design > Get Work from the main menu. Note that the new equipment, EQ3, is now displayed in the session. This is because the equipment has been Flushed to the Master.
Try to modify the name of EQ3 in the APPRUSERA session. As the equipment is still claimed by the extract an error message is displayed.
In order for another designer to modify the equipment EQ3 it must be Issued to release the Claim.
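The Flush and Issue behaviour from sections 2.6.10 and 2.6.11, and the visibility and claim results observed in the walk-through above, can be reproduced with a small model. This Python sketch is an added illustration, not AVEVA code: it covers a master and its first-level extracts only, treats Flush and Issue as applying to everything outstanding in the extract, and the Database class, ClaimError and attribute values are constructed for the example.

```python
import copy


class ClaimError(Exception):
    """The element is claimed by another database in the extract family."""


class Database:
    def __init__(self, name, owner=None):
        self.name = name
        self.owner = owner      # None for the master
        self.elements = {}      # {element name: {attribute: value}} visible here
        self.local = {}         # extract only: changes not yet flushed or issued
        self.claims = {}        # master only: element name -> extract holding the claim

    def write(self, element, attrs):
        """Create or modify an element; in an extract this claims it implicitly."""
        if self.owner is None:
            holder = self.claims.get(element)
            if holder is not None:
                raise ClaimError(f"{element} is claimed by {holder.name}")
        else:
            holder = self.owner.claims.setdefault(element, self)
            if holder is not self:
                raise ClaimError(f"{element} is claimed by {holder.name}")
            self.local.setdefault(element, {}).update(attrs)
        self.elements.setdefault(element, {}).update(attrs)

    def get_all_changes(self):
        """Refresh from the owning database, keeping outstanding local changes."""
        merged = copy.deepcopy(self.owner.elements)
        for element, attrs in self.local.items():
            merged.setdefault(element, {}).update(attrs)
        self.elements = merged

    def flush(self):
        """Copy local changes to the owner; the claims persist."""
        for element, attrs in self.local.items():
            self.owner.elements.setdefault(element, {}).update(attrs)
        self.local = {}

    def issue(self):
        """Copy local changes to the owner and release this extract's claims."""
        self.flush()
        held = [e for e, holder in self.owner.claims.items() if holder is self]
        for element in held:
            del self.owner.claims[element]


def walk_through():
    """Replay the EQ3 steps and record what the master session can see or do."""
    master = Database("MASTERA/DESI")
    extract = Database("EXTEAMB/DESI_X1", owner=master)
    seen = {}
    master.write("EQ1", {"Desc": "constructed value"})
    extract.get_all_changes()
    extract.write("EQ3", {"Desc": "constructed value"})
    seen["before flush"] = "EQ3" in master.elements
    extract.flush()
    seen["after flush"] = "EQ3" in master.elements
    try:
        master.write("EQ3", {"Desc": "edited in master"})
        seen["master edit while claimed"] = "accepted"
    except ClaimError as err:
        seen["master edit while claimed"] = str(err)
    extract.issue()
    master.write("EQ3", {"Desc": "edited in master"})
    seen["master edit after issue"] = master.elements["EQ3"]["Desc"]
    return seen


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```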
2.7.8
Extract Change Highlighting
It is possible to highlight elements in an extract database that will be Issued, Flushed or Dropped or added to the database (following Get All Changes) using the Extract Data Control form.
In the EXUSERB session (bottom of the screen) navigate to the world element. In the Command Window type Q DBNAME. It will return Dbname EXTEAMB/DESI_X1, the name of the extract database.
Select Utilities > Training Setup from the main menu. On the Foundations Tab select the Add TRA.SITE radio button. Click the Apply button then dismiss the form.
The newly created site will be displayed in the 3D view.
2.7.9
Outstanding in Extract
Select Design > Extract Control... from the main menu to display the Extract Data Control form.
Check the Outstanding in Extract checkbox.
All Design items will be coloured cyan as none of them have been Flushed, or Issued.
The Colour Button can be used to change the display colour.
The effect of issuing various elements in combination with changing the scope can be seen in the example below. In this instance the Site TRA.SITE has been Issued with the scope set to Single Element. The Zone EQUIP.ZONE has also been Issued with the scope set to Element Hierarchy.
2.7.10
Introduced by Get All Changes
Before the Get All Changes command can be used some new items must be created in the parent/master database. In the APPRUSERA session (top of the screen), navigate to and display Site TRA.SITE. Only the equipment is available.
Make a copy of equipment /Tank1 and move it North 5000mm.
Save Work.
2.7.11
Displaying Items Introduced by Get All Changes
Return to the previous Design Session EXUSERB (bottom of the screen).
On the Extract Data Control form click the Get All Changes button.
Add the site TRA.SITE to the display.
Select the Introduced by Get All Changes checkbox.
The new equipment is displayed in cyan.
Exercise 1 – Extract Databases
Enter PDMS with Username EXUSERC, Password C and MDB EXTC.
Open the Extract Data Control form and click the Get All Changes button to see items that have been added to the Master database.
Use Extract Change Highlighting to observe the differences in the graphical display.
Create items as user EXUSERC.
Use change highlighting to ensure the items are Outstanding in the Extract.
Flush or Issue them back to the Master.
2.8
Creating Working Extracts – A Worked Example
Working extracts are allocated to users. In the following worked example working extracts for three users, USERA, USERB and USERC will be created to database MASTERA/DESI.
Return to the Administration module of PDMS. Create Users USERA, USERB and USERC with Passwords A, B and C. Select Working Extracts from the Elements options list on the Admin Elements form. Click the Create… button to display the Create Working Extracts form. Select MASTERA/DESI from the Database to Create Working Extract From grid and USERA, USERB and USERC from the User List grid. Enter Extract of MASTERA/DESI in the Description textbox. Click the Apply button to create the Working Extracts.
A new MDB is not required for the Working Extracts. PDMS may be entered using the same MDB for all three Users as access is controlled by the Username. Add the three Users to the Team MASTERA.
Exercise 2 - Testing Working Extracts in Design
Enter PDMS Design with Username USERA, Password A and MDB MASA.
Enter another session of PDMS with Username USERB, Password B and MDB MASA.
Check the database name in each session by entering Q DBNAME in the Command Window.
Create some equipment elements in the USERB session and Save Work.
Use the Extract Data Control form to Flush or Issue the database changes back to the Master database.
Check that the information is available to USERA following the Get All Changes command.
CHAPTER 3
Data Access Control (DAC)
Write access in PDMS is controlled by membership of the team that owns the database. However, due to project security requirements or company working practices, it may be necessary to restrict data access further. Using Data Access Control (DAC), PDMS Administrators can restrict access to PDMS types, names, or particular areas of the PDMS model.
3.1
Data Access Control – Overview
Data Access Control in regular PDMS projects is governed by team membership. Users must be a member of the Team owning the database in order to write to it. Normal PDMS data access control will apply to the Project unless the Data Access Control (DAC) option in the Administration module is switched on. Before implementing DAC, administrators need to be aware of the following considerations:
Once DAC is switched on, General Users will not have write access to any elements unless suitable Access Control Rights have been set up.
Free Users always have full access to all elements.
DAC can be applied to Update or Multiwrite databases.
When implementing DAC, one of two underlying methods is considered.
Users are completely restricted from doing any operation and subsequent permissions allow certain tasks to be carried out.
Users are free to do any operation and subsequent permissions restrict certain tasks from being carried out.
The latter method is sometimes referred to as Negative DAC’s.
At the heart of DAC is the creation of Access Control Rights (ACR’s) for each user. ACR’s allow the Administrator to:
Restrict access to named elements, given element types, or particular volumes of the model.
Restrict the type of operation a User can carry out on elements.
Restrict which attributes a User can set or change.
Further consideration of ACR’s is provided in the sections that follow.
3.2
ACRs - Roles and Scopes
Users can be given one or more ACR’s. Each ACR is made up of two parts, a Role and a Scope.
A Role defines what operations the designer can carry out on which elements e.g. Create, Modify and Delete all types of PDMS elements.
A Scope defines the part of the Design to which the Role applies e.g. a particular Site in DESIGN or Registry in DRAFT, or a specified volume within the model.
Roles and Scopes are referenced by ACR’s and must therefore be created before the ACR has its RoleRef and ScopeRef attributes set.
Roles are likely to be used on all Projects, but Scopes are usually Project specific.
3.2.1
Permissible Operations (Perops)
A Role is a set of Permissible Operations (Perops), which define the operations that can be performed on a given element type.
3.3
Enabling DAC
DAC can be enabled by selecting Project > Data Access Control from the main menu in the Administration module. A confirmation message is displayed.
Clicking the Yes button turns DAC on project wide. The status of DAC is displayed on the Default Toolbar:
3.4
Creating Scopes, Roles and Permissible Operations – A Worked Example
The following worked example will create a Scope for ALL areas of the work, a Role for ALL, a Role for a Piping Designer and Permissible Operations for the Piping Designer.
3.4.1
Creating a Scope
Scopes define the area of the plant where the PDMS Designer can work. The following scope gives access to all areas of the plant.
Click the Access Control Assistant button on the main menu to display the Access Control Assistant form.
Select the Scopes tab in the upper pane of the form. Right click on Scopes and select New scope from the pop-up menu to display a new scope row. Double click in the Scope name field to edit the information contained within it. Enter ALLSCOPE in the Scope name textbox. In a similar manner enter All Scope in the Scope description text box. Enter ALL in the Scope selection text box. The Scope selection could be made more specific by entering the name of a SITE or ZONE, etc.
The syntax used to define Scopes is similar to the syntax used in PML. Key words, such as ALL, can be used in a DAC context. An example of the type of syntax used to define a Scope would be: ALL WITH NAME OF SITE EQ ‘’.
3.4.2
Creating Roles and Permissible Operations
A Role defines the type of objects that can be created. Roles can be created in two ways; by adding access or by removing access. The removal of access may occur in situations where a designer is initially given full access rights which are then restricted.
3.4.2.1 Create Role and Perop for ALL Access
Select the Roles tab in the upper pane of the form. Right click on Roles and select New role from the pop-up menu to display the new role row.
Enter ALL-DESIGNER in the Role name textbox. Enter Can create ALL PDMS elements in the Role description text box.
A new Permissible Operation (Perop) for the role is required. Right click on the ALL-DESIGNER entry of the Role name and select New perop from the pop-up menu to display the new perop row. Enter ALLELE in the Perop name textbox, followed by ALL in the Element types textbox. Leave the Qualifying Condition as unset.
Open the Operations options list. Each entry, i.e. Create, Modify, Delete, etc, has three settings, Ignore, Disallow and Allow. Clicking each entry will cycle through these choices. Set all of the entries to Allow. Set the Attributes field to ALL and the Error message field to Can Create All.
3.4.2.2 Create Role and Perops for Piping Designer Access
The Role of the Piping Designer will allow the creation of pipes and pipe branches providing that the pipe has not been issued. The Pipe Designer may also connect to, and orientate, nozzles. Right click on Roles again and select New role from the pop-up menu to display the new role row.
Enter PIPING-DESIGNER in the Role name textbox and Piping Designer in the Role description textbox.
Right click on PIPE-DESIGNER entry of the Role name and select New perop from the pop-up menu to display the new perop row. Enter PIPE-DESIGNER-PIPE in the Perop name textbox followed by PIPE in the Element types textbox. Enter (Purp of Zone eq 'PIPE' and Function neq 'ISSUED') in the Qualifying condition textbox. Set all the Operations entries to Allow and enter ALL in the Attributes textbox. Enter You can only create pipes in a Piping Zone that has not been Issued in the Error message textbox.
Create a new perop row to allow the Pipe Designer the ability to orientate, position and connect to nozzles. Enter PIPE-DESIGNER-NOZZ in the Perop name textbox followed by NOZZ in the Element type textbox. Leave the Qualifying condition as unset. In the Operations options list set Create, Output, Export and Copy to Disallow, Delete to Disallow and Modify, Claim, Issue and Drop to Allow. Enter ORI CREF and POS in the Attributes textbox and enter You can only position, rotate and connect to Nozzles in the Error message textbox.
Create another Perop for the Pipe Designer that will allow Branches to be created if the Pipe has not been issued. Enter PIPE-DESIGNER-BRAN in the Perop name textbox followed by BRANCH HIERAR in the Element types textbox. Enter Function of Pipe neq 'ISSUED' in the Qualifying condition textbox. Set all the Operations entries to Allow then enter ALL in the Attributes textbox. Enter You cannot create a Branch or Branch Components if the Pipe has been Issued in the Error message textbox.
The following Perops are now available.
Follow a similar process to create Roles and Perops for the Design Supervisor and the Equipment Designer. For the Role of the Equipment Designer, allow the creation of the equipment hierarchy only where the Purpose of the Zone is EQUIP.
There is no need to create separate SCOPES for the Supervisor, Piping Designer and Equipment Designer. Use the SCOPE /ALLSCOPE for all three users.
3.5
Creating Access Control Rights – A Worked Example
Access Control Rights (ACR’s) are used to link Roles and Scopes. To recap, a Role is what a User can do and a Scope is where the user can do it.
This worked example creates ACR’s for ALL items (e.g. a supervisor), for Pipe Designers and Equipment Designers.
3.5.1
Create an ACR for ALL
Select the ACR’s tab from upper pane of the Access Control Assistant form. Right click on ACR and select New ACR from the pop-up menu to display a new ACR row.
Enter ALL-DESIGN in the ACR name textbox. Enter Can create ALL items anywhere in the ACR description textbox.
Select the Scopes tab in the top pane. Select the ACR’s tab in the bottom pane. Using the left mouse button, drag and drop ALLSCOPE from the top pane onto the Scope entry below the ALL-DESIGN ACR entry in the bottom pane. Click the Roles tab and drag and drop ALL-DESIGN from the top pane onto the Role entry below the ALL-DESIGN ACR entry in the bottom pane. Repeat this process to create ACRs for ALL-DESIGN, ALL-EQUIPMENT and ALL-PIPES.
3.6
Setting User Access – A Worked Example
Remember, once DAC has been switched on, the default access to PDMS is no access, and ACR’s must be set for each User. In this worked example three users will be created and access rights set for each.
A.SUPERVISOR will be the Supervisor and will be given ALL access.
A.PIPER will be a Piping Designer and will be given Pipe Designer access.
A.EQUIP will be the Equipment Designer and will be given Equipment Designer access.
Create the following users:
A.SUPERVISOR should be a member of all Teams.
A.PIPER should be a member of PIPEN and PIPES.
A.EQUIP should be a member of EQUIPN and EQUIPS.
ACR’s can be set in two ways: using drag and drop on the Access Control Assistant, or by using Create User or Modify User on the Admin Elements form.
3.6.1
Using Access Control Assistant
In the top pane select the ACRs tab. In the bottom pane select the Users tab. Drag ALL-PIPES onto A.PIPER.
3.6.2
Using Create/Modify User
Select Users in the Element options list of the Admin Elements form. Select A.SUPERVISOR and click the Modify… button to display the Modify User: A.SUPERVISOR form.
A.SUPERVISOR should be a member of all Teams. The bottom part of the form shows the ACRs. The left pane shows all the ACRs available on the project and the right hand pane shows the User’s ACRs. For A.SUPERVISOR select ALL-DESIGN in the Project ACRs list and move it to the User’s ACRs list with the right arrow button. Click the Apply button and then the Dismiss button. Repeat the process for A.EQUIP selecting the correct ACRs.
Make sure the Users are members of the correct team to write to the database.
3.7
Testing PDMS Access Control
In the previous sections, a number of users have been created and ACR’s have also been created for each user. To re-cap:
A.SUPERVISOR    can create anything anywhere.
A.PIPER         can only create pipes in a Zone with a Purp of PIPE and where the pipe has not been ISSUED.
A.EQUIP         can only create equipment in a Zone with a Purp of EQUI.
The effect of DAC can be seen by testing the ACR’s in design. Ensure that DAC is turned on for the Project then enter a Design session and test the following scenarios:
A.SUPERVISOR    Can create Sites, Zones, etc.
A.PIPER         Can create Pipes, Branches and components. Can only create Pipes in a Zone with a Purp of PIPE. Can only modify Pipes where the Function of the Pipe is not ISSUED.
A.EQUIP         Test that Equipment can only be created in a Zone with a Purp of EQUI.
Enter Design as user A.PIPER and navigate to a Nozzle. Select Modify > Attributes from the main menu. Note that only Position, Orientation and Cref attributes can be modified. All other attributes are greyed out.
Make a Pipe the CE. Select Modify > Attributes… from the main menu. Update the Function attribute to ISSUED. In the Design Explorer navigate away from, then back to, the modified pipe. Note that all the attributes on the form are now greyed out as the Pipe has been Issued.
3.8 Querying User Access in Design
User access in Design may be queried by selecting Query > Project… from the main menu. The Query Project form will be displayed. The Users tab displays a list of users. Selecting a User from the list displays details about the user including Team membership.
DAC may also be queried in Design by selecting Query > Data Access Control… from the main menu to display the Query Data Access Control form. The User Rights tab shows the Role, including the Perops, and the Scope for the current user. Selecting a Perop from the list displays the Perop Properties form.
3.9 DAC – Negative Implementation
Previous examples of DAC have focused on a method of implementation whereby Designers are generally denied access then granted only specific access to achieve certain tasks. An alternative implementation is where the designer is first given full access and is then restricted from undertaking certain tasks. This is sometimes referred to as Negative DAC. The advantage of using this method is that PDMS can display more meaningful messages. The disadvantage is that there are more Perops for each Designer.
Earlier in this training guide the Role ALL-DESIGNER was created. This role will now be modified to prevent the designer creating equipment. In Admin modify the Role ALL-DESIGNER using the Access Control Assistant and create a new Perop.
Enter / select the following data:
Perop name: NOT-EQUIPMENT
Element types: EQUIP HIERARCHY
Qualifying Condition: unset
Operations: Disallow (for all)
Attributes: ALL
Error Message: You cannot Create or Modify Equipment
Enter PDMS as A.SUPERVISOR and check that all items except the Equipment Hierarchy can be created.
3.10 Setting DAC for use with MDS
Consider the access that might be required for a pipe support designer. The support designer would need access to branch members to create ATTAs, swap elbows, tees etc. They would also need to create branches for Trunnions, create SNODS and joints on steel, and create structures, but only if the Purp of the Zone is SUPP. The following DAC could be used with the AVEVA Multi Discipline Support system (MDS). To help within this area a variable ‘!!MDSACCESS’ is set to ‘TRUE’ if MDS is running. The following is a list of the required PEROPs for MDS:
Access to Element: Condition
BRAN HEIR: VTEXT !!MDSACCESS EQ 'TRUE'
REST HEIR: VTEXT !!MDSACCESS EQ 'TRUE'
SNOD HEIR: ATTRIB PURP OF ZONE EQ 'STL' AND VTEXT !!MDSACCESS EQ 'TRUE'
STRU HEIR: ATTRIB PURP OF ZONE EQ 'SUPP'
CHAPTER 4
4 Project Setup Using Excel
Project Setup Excel Import and Export is designed to make the process of setting-up an AVEVA Plant project easier by allowing Administration data to be imported via spreadsheets. It is important that the Excel Spreadsheets used for both the Import and Export functions are in the correct format. The required format is the same for both functions, therefore the correct format can easily be obtained by exporting data from the Administration module and examining the results.
4.1 Export to Excel
The Export to Excel utility can be accessed by selecting Utilities > Export from the main menu of the Administration module. The Admin Export form will be displayed. From this form the User can enter a file path for the export file. Alternatively the icon can be used to navigate to a suitable file location.
On clicking the OK button of the Admin Export form the Export process is started. An export summary screen is displayed. Task progress is displayed in this form. In the event of an error occurring during the export process, it will be noted in this form.
4.2 Admin Excel Spreadsheet
The Admin Excel Spreadsheet has a specific format containing a keyword and the appropriate headings. The spreadsheet is split down into various tabs. This training course will focus on the Extracts and Data Access Control tabs.
4.2.1 Admin Excel Spreadsheet – Extract Databases
The required format for Extract Databases is shown below. Data in some columns can be altered without restriction (e.g. Description), while other columns reflect a value within an appropriate context (e.g. Claim Mode can only be Implicit or Explicit). Guidance on the values required in each column is provided below.
#Keyword: EXTRACT.
Owning Team: Name of the Team that owns the Extract Database.
Name: Extract Name (part after /).
Description: Description of Database.
Parent: Parent Database.
Claim Mode: IMPLICIT or EXPLICIT.
Variant: Yes or No.
4.2.2 Admin Excel Spreadsheet – Working Extract Databases
The required format for Working Extract Databases is shown below. Data in some columns can be altered without restriction (e.g. Description), while other columns reflect a value within an appropriate context (e.g. Claim Mode can only be Implicit or Explicit). Guidance on the values required in each column is provided below.
#Keyword: WORKEXTRACT.
Owning User: Name of the User associated with the Working Extract Database.
Description: Description of Database.
Parent: Parent Database.
Claim Mode: IMPLICIT or EXPLICIT.
Variant: Yes or No.
4.2.3 Admin Excel Spreadsheet – Scope
On export, Data Access Control requirements are separated into their component parts: ACRs, ACR Groups, Scopes, Roles and Perops. The required format for Scopes is shown below. As with the other spreadsheets considered, data in some columns can be altered without restriction (e.g. Description), while other columns reflect a value within an appropriate context (e.g. Selection could utilise the keyword ALL). Guidance on the values required in each column is provided below.
#Keyword: SCOPE.
Name: Name of Scope.
Description: Description of Scope.
Selection: ALL (keyword). Alternatively, Sites or Zones specific to the project could be used.
4.2.4 Admin Excel Spreadsheet – Roles and Perops
Roles are specified followed by the associated Permissible Operation (PEROP). Roles require only three fields. Guidance on the values required to define the Role is given below.
#Keyword: ROLE.
Name: Name of the ROLE.
Description: Description of ROLE.
Permissible Operations require considerably more fields to account for all Create, Modify and Delete operations and any associated error messages. Guidance on suitable values is provided below.
#Keyword: PEROP.
Owner: Owning Role.
Name: Name of Perop.
Element types: Element Type e.g. PIPE, EQUIPMENT HIERAR, ALL etc.
Qualifying condition: Qualifying Rule. Often this will utilise a Purpose or Function of a model element.
OpCreate: GRANT or DENY ability to Create Elements.
OpModify: GRANT or DENY ability to Modify Elements.
OpDelete: GRANT or DENY ability to Delete Elements.
OpClaim: GRANT or DENY ability to Claim Elements.
OpIssue: GRANT or DENY ability to Issue Elements.
OpDrop: GRANT or DENY ability to Drop Elements.
OpOutput: GRANT or DENY ability to Output Elements.
OpExport: GRANT or DENY ability to Export Elements.
OpCopy: GRANT or DENY ability to Copy Elements.
Attributes: Specify attributes that can be changed or ALL.
Error message: Error Message displayed to the User.
4.2.5 Admin Excel Spreadsheet – ACR
The required format for an ACR is shown below. As with the other spreadsheets considered, data in some columns can be altered without restriction (e.g. Description), while other columns reflect a value within an appropriate context (e.g. Scope will reference a valid Scope in the project). Guidance on the values required in each column is provided below.
#Keyword: ACR.
Name: Name of ACR.
Description: Description of ACR.
Scope: Name of the Scope.
Role: Name of Role.
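A pre-import check for the Data Access Control tabs described in 4.2.3 to 4.2.5, given here as an added example and not as AVEVA code. It assumes the Scope, Role, Perop and ACR rows have already been read from the spreadsheet into dictionaries keyed by the column headings listed above; the function names, the two review hints and the sample rows (including the deliberately misspelt names) are constructed for illustration.

```python
"""Pre-import lint for the DAC tabs of an Admin Excel spreadsheet (added example)."""

# Operation columns listed for the PEROP keyword in section 4.2.4.
OP_COLUMNS = ("OpCreate", "OpModify", "OpDelete", "OpClaim", "OpIssue",
              "OpDrop", "OpOutput", "OpExport", "OpCopy")
OP_VALUES = {"GRANT", "DENY"}


def _text(row, column):
    """Cell value as stripped text; missing or empty cells become ''."""
    value = row.get(column)
    return "" if value is None else str(value).strip()


def lint_dac(scopes, roles, perops, acrs):
    """Return a list of findings for the DAC rows; an empty list means clean."""
    findings = []
    scope_names = {_text(s, "Name") for s in scopes}
    role_names = {_text(r, "Name") for r in roles}

    # Duplicate names make ACR and Perop references ambiguous.
    for keyword, rows in (("SCOPE", scopes), ("ROLE", roles), ("ACR", acrs)):
        seen = set()
        for row in rows:
            name = _text(row, "Name")
            if name in seen:
                findings.append(f"{keyword} {name}: duplicate name")
            seen.add(name)

    roles_with_perops = set()
    for perop in perops:
        owner, name = _text(perop, "Owner"), _text(perop, "Name")
        label = f"PEROP {owner}/{name}"
        roles_with_perops.add(owner)
        if owner not in role_names:
            findings.append(f"{label}: owning Role is not defined")
        ops = {col: _text(perop, col).upper() for col in OP_COLUMNS}
        for col, value in ops.items():
            if value not in OP_VALUES:
                findings.append(f"{label}: {col} is '{value}', expected GRANT or DENY")
        # Review hint (assumption): a DENY without a message leaves the user guessing.
        if "DENY" in ops.values() and not _text(perop, "Error message"):
            findings.append(f"{label}: denies an operation but has no Error message")

    # Review hint (assumption): a Role that no Perop names is probably a typo elsewhere.
    for role in sorted(role_names - roles_with_perops):
        findings.append(f"ROLE {role}: no Perops reference this Role")

    # Every ACR must pair a Scope and a Role that exist in the same workbook.
    for acr in acrs:
        label = f"ACR {_text(acr, 'Name')}"
        if _text(acr, "Scope") not in scope_names:
            findings.append(f"{label}: Scope '{_text(acr, 'Scope')}' is not defined")
        if _text(acr, "Role") not in role_names:
            findings.append(f"{label}: Role '{_text(acr, 'Role')}' is not defined")
    return findings


def _perop(owner, name, element_types, op, message, **overrides):
    """Build one constructed PEROP row with the same value in every Op column."""
    row = {"Owner": owner, "Name": name, "Element types": element_types,
           "Qualifying condition": "", "Attributes": "ALL", "Error message": message}
    row.update({col: op for col in OP_COLUMNS})
    row.update(overrides)
    return row


# Constructed sample rows; NOT-EQUIPMENT mirrors the Perop created in section 3.9.
SAMPLE = {
    "scopes": [{"Name": "ALL-SITES", "Description": "Whole project", "Selection": "ALL"}],
    "roles": [{"Name": "ALL-DESIGNER", "Description": "Full design access"},
              {"Name": "PIPE-DESIGNER", "Description": "Piping only"}],
    "perops": [
        _perop("ALL-DESIGNER", "NOT-EQUIPMENT", "EQUIP HIERARCHY", "DENY",
               "You cannot Create or Modify Equipment"),
        _perop("ALL-DESIGNER", "EVERYTHING", "ALL", "GRANT", ""),
        _perop("PIPE-DESINGER", "PIPES", "PIPE", "GRANT", "",
               OpDelete="ALLOW", OpIssue="deny"),
    ],
    "acrs": [
        {"Name": "ALL-PIPES", "Description": "", "Scope": "ALL-SITES", "Role": "PIPE-DESIGNER"},
        {"Name": "ALL-DESIGN", "Description": "", "Scope": "ALL-SITE", "Role": "ALL-DESIGNER"},
    ],
}

if __name__ == "__main__":
    for finding in lint_dac(**SAMPLE):
        print(finding)
```

Running the check on an exported sheet before editing it, and again on the edited sheet before import, shows which findings the edits introduced.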
4.3 Import from Excel
The Import from Excel utility can be accessed by selecting Utilities > Import from the main menu of the Administration module. The Admin Import form will be displayed. From this form the User can specify a file path for the file to be imported. Alternatively the icon can be used to navigate to a suitable file location.
Before attempting an Excel Import make sure that the Access Control Assistant is not displayed.
Once the file has been specified, clicking the OK button on the Admin Import form instigates the Import operation. If the project references a Foreign Project the User will be prompted to give suitable login credentials for a Free User in the referenced project.
An import summary screen is displayed. Task progress is displayed in this form. In the event of an error occurring during the import process, it will be noted in this form.
If errors are present it is possible to roll back the System database to a point before the import operation was instigated.
4.3.1 Selecting an MDB for User Defined Data
Once the import operation has finished, the System Administrator is prompted to supply an MDB if one has not previously been set.
If the imported data contains UDA’s or UDET’s then the MDB selected should contain a Lexicon Database. As DAC may contain references to UDA’s or UDET’s it is important that this is checked prior to importing the data. If DAC has not been specified, and neither UDA’s or UDET’s have been used, the System Administrator can select .
4.4 Admin Database Rollback
The Admin Database can be rolled back following an Excel import in the event that errors were encountered.
The Rollback utility can be accessed by selecting Utilities > Rollback from the main menu.
The Rollback form is displayed showing the items that will be deleted. Selecting the Rollback button in the middle of the form instigates the process. Due to the nature of this process, confirmation is immediately sought from the User.
Selecting the Yes button continues the process, while selecting the No button stops the process.
If the Rollback process is continued, the lower portion of the Rollback form will be populated with tasks that have taken place. The user can verify the results of the Rollback process by refreshing the view of the Admin Explorer.
Exercise 3 – Project Setup Excel Export / Import
Use the Export to Excel utility on the Training Project. Open the spreadsheet produced and create some new Teams, Users and Databases. Import the modified spreadsheet into the Training project, checking for any errors. Use the database Rollback function to restore the project to the point immediately before the Export utility was used.
CHAPTER 5
5 PML Encryption
This chapter describes how to create and use PDMS PML Encryption or Published PML. Various levels of encryption can be applied to any PML functions, forms, objects, and macros.
5.1 Overview of PML Encryption
PML is the AVEVA Programmable Macro Language. The details of the language may be found in the PDMS Software Customisation Guide and the PDMS Software Customisation Reference Manual, supplied with the product. PML functions, objects, forms and macros may be encrypted using the tools described in this chapter. Once encrypted they may be used within PDMS but cannot easily be read. Please note that the encryption used is of limited strength, and is not secure against all possible attacks. Details of the encryptions used are described later. Once a PML file has been encrypted, it is no longer possible to read or edit the file. The Published PML toolkit does not include a tool for un-encrypting files. It is good practice to ensure that a safe copy of the original file is retained, in case further modifications are required later.
5.2 PML Encryption Utility Program
The encryption utility program is a command window program designed to be included in the PML software development process.
5.2.1 Typical workflow
When undertaking PML encryption tasks the following workflow should be adhered to:
Ensure that a current backup of the source PML is available.
Copy the source folders to a new location.
Encrypt from the source location to the new location.
Check the encryption is successful and the files work in the expected manner.
Not all files within a PML folder hierarchy are always PML. Images, for example, should not be encrypted, but may need to be supplied with the encrypted versions of the PML.
Automating the encryption procedure via batch files, perl script, or a PML script will make it easier to create the encrypted PML files when the source PML is updated.
5.2.2 Licensing
The pmlencrypt.exe utility program requires a PML Publisher licence in the license file (the feature name is VPD-PMLPUBLISHER). If this is not present in the license then the program will not run.
5.3 Using the PML Encryption Utility Program
The form of the PML Encryption Utility Program can be seen by running pmlencrypt.exe without arguments (or with an invalid set of arguments). An output similar to that below is produced.
The command is of the form:
    pmlencrypt [-rc4|-basic|-trivial|-none] [-buffer N] [-folder|-pmllib] from_path to_path
Where:
    -rc4        uses 40-bit RC4 encryption from the Microsoft Base Cryptographic Provider (default).
    -basic      uses a simple low-security encryption algorithm.
    -trivial    uses a human-decipherable encryption scheme - for testing only.
    -none       no encryption, but can be used with -buffer N.
    -buffer N   causes the file to be retained in memory until a module switch once it has been read N times (the default is never).
    -folder     is used to encrypt ALL files from the folder from_path to to_path.
    -pmllib     is used to encrypt ALL .pmlobj .pmlfnc .pmlfrm and .pmlmac files from the folders in a PMLLIB-type folder structure beneath from_path to to_path.
    from_path   is the file or folder to be encrypted.
    to_path     is the output file or folder.
5.4 Choosing Files
PML files are not required to have particular file extensions. PML2 functions, objects, forms and macros are normally stored in files with the extensions .pmlfnc, .pmlobj, .pmlfrm and .pmlmac respectively. However, other PML files such as those in the pdmsui folder of a PDMS installation do not have a file extension. As any PML file (with or without a file extension) may be read with a $m command, care must be taken when choosing files to encrypt. Other files, such as icon images and configuration files cannot be used by PDMS when encrypted.
5.4.1 Single File
If neither of the -folder or -pmllib options are used the from_path and to_path arguments are taken to be single file-names or paths (which should not include embedded spaces). The to_path file is created or overwritten, as appropriate. This option may be used whenever there is a single file to encrypt, and can also be useful within a script, where the file selection is handled by the script itself. No assumptions are made about file extensions.
5.4.2 All Files in a Folder
If the -folder option is used the from_path and to_path arguments are taken to be names or paths of folders (which should not include embedded spaces). All files in the from_path folder are encrypted into the to_path folder. The to_path folder is created, if required, and the files inside it are overwritten. No file extension is required, so care must be taken not to encrypt non-PML files.
5.4.3 Files in a pmllib-like Folder Tree
If the -pmllib option is used the from_path and to_path arguments are taken to be names or paths of folders (which should not include embedded spaces). All folders beneath the from_path folder are scanned, and files with extensions .pmlfnc, .pmlobj, .pmlfrm or .pmlmac are encrypted to a matching structure constructed or overwritten beneath the to_path folder. As this option is file-extension sensitive, it will not encrypt, or copy, image or other unrelated files in the hierarchy.
5.4.4 File/Folder paths
Care must be taken when the from_path and to_path arguments are given. The from_path must precede the to_path, otherwise the wrong file may be overwritten. The from_path and to_path arguments cannot be identical. This is to reduce the risk of accidental overwriting of the source files. Embedded spaces are not supported in the paths.
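A dry-run planner for the workflow in 5.2.1 and the file-selection rules in 5.4, given here as an added example and not as AVEVA code. It only builds single-file pmlencrypt command lines from the options listed in 5.3 and never runs them; the function names, the confirmed_pml parameter and the sample file listing are assumptions made for illustration.

```python
"""Plan per-file pmlencrypt calls for a PML tree (added example, dry run only)."""
from pathlib import PureWindowsPath

# Extensions the -pmllib option selects, per section 5.4.3.
PML_EXTENSIONS = {".pmlfnc", ".pmlobj", ".pmlfrm", ".pmlmac"}
ALGORITHMS = {"-rc4", "-basic", "-trivial", "-none"}


def check_paths(from_path, to_path):
    """Enforce the path rules of section 5.4.4 and return both as paths."""
    for label, value in (("from_path", from_path), ("to_path", to_path)):
        if " " in value:
            raise ValueError(f"{label} has an embedded space: {value!r}")
    src, dst = PureWindowsPath(from_path), PureWindowsPath(to_path)
    # Windows path comparison ignores case, so C:/PML and c:/pml count as identical.
    if src == dst:
        raise ValueError("from_path and to_path are identical")
    return src, dst


def plan_encryption(from_path, to_path, relative_files, algorithm="-rc4",
                    confirmed_pml=()):
    """Sort files into commands to run, files to copy and files to review.

    relative_files: file paths relative to from_path (for example from os.walk).
    confirmed_pml:  extension-less files a developer has confirmed are PML,
                    such as the NZONE macro in the worked example.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm option: {algorithm}")
    src, dst = check_paths(from_path, to_path)
    confirmed = {PureWindowsPath(p) for p in confirmed_pml}
    plan = {"encrypt": [], "copy": [], "review": []}
    for rel in relative_files:
        rel_path = PureWindowsPath(rel)
        suffix = rel_path.suffix.lower()
        is_pml = suffix in PML_EXTENSIONS or rel_path in confirmed
        if is_pml and " " in rel:
            # The single-file form does not support embedded spaces either.
            plan["review"].append((rel, "embedded space in file name"))
        elif is_pml:
            # from_path always precedes to_path, so the source is never the target.
            plan["encrypt"].append(
                ["pmlencrypt", algorithm, str(src / rel_path), str(dst / rel_path)])
        elif suffix == "":
            # PML read with $m needs no extension, so a person has to decide.
            plan["review"].append((rel, "no extension: confirm whether it is PML"))
        else:
            # Images and configuration files must be supplied unencrypted.
            plan["copy"].append(rel)
    return plan


# Constructed listing, relative to from_path; the first five names follow section 5.6.1.
SAMPLE_FILES = [
    r"forms\hello.pmlfrm", r"functions\area.pmlfnc", r"objects\life.pmlobj",
    r"macros\newsite.pmlmac", r"macros\NZONE", r"macros\OLDMAC",
    r"icons\logo.png", r"forms\my form.pmlfrm",
]


def sample_plan():
    """Plan for the constructed listing, with NZONE confirmed as a PML macro."""
    return plan_encryption(r"C:\testencrypt\pmllib-original",
                           r"C:\testencrypt\pmllib-encrypt",
                           SAMPLE_FILES, confirmed_pml=[r"macros\NZONE"])


if __name__ == "__main__":
    result = sample_plan()
    for command in result["encrypt"]:
        print(" ".join(command))
    print("copy unencrypted:", result["copy"])
    print("needs review:", result["review"])
```

The review list is the part the -folder option cannot give: it encrypts every file in the folder, so anything listed there should be classified by hand first.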
5.5 Encryption Algorithms
There are four encryption options that use different encryption algorithms. The following sections describe the four options.
5.5.1 Encryption Type 0: No Encryption
Encryption Type 0 (No Encryption) adds a standard Published PML header to the file, i.e. ---Published PML 12.0 >--, but does not otherwise encrypt the file. It can be selected by choosing the -none option in the encryption call.
5.5.2 Encryption Type 1: Trivial Encryption
Encryption Type 1 (Trivial Encryption) is designed for testing purposes only. It provides no security, as the lines can be read backwards. It is used to establish that the encryption system is functioning correctly and that an incompatible version of PDMS has not been installed. It can be selected by choosing the -trivial option in the encryption call.
5.5.3 Encryption Type 2: Basic Encryption
Encryption Type 2 (Basic Encryption) is an alternative simple encryption algorithm which is implemented directly and does not rely on external libraries. It can be selected by choosing the -basic option in the encryption call.
5.5.4 Encryption Type 3: RC4 Encryption
Encryption Type 3 (RC4 Encryption) is the recommended and default option. This encryption uses the Microsoft Base Cryptographic Provider, which is included in Windows 2000, Windows XP, and Windows 7 operating systems as well as Microsoft® Internet Explorer version 3.0 or later. It is anticipated that all PDMS compatible computers will include the libraries required for this algorithm. 40-bit keys are used to operate within limits imposed by (historic) limitations of encryption technology. It can be selected by choosing the -rc4 option in the encryption call.
Although this is the most robust encryption algorithm provided, it is still of limited strength and is not secure against all possible attacks.
5.6 Encrypting PML Files – A Worked Example
In this worked example supplied PML files will be encrypted using various options.
5.6.1 Supplied Files
The pmlencrypt.exe by default is installed in the C:\AVEVA\Plant\Manage\PMLPublisher1.1 folder. The following are the simple PML files that will be used for the encryption. The Trainer will provide these files by copying them from the Training Setup, typically C:\AVEVA\Plant\Training12.1.1\Training\testencrypt. The files are as follows:
C:\testencrypt\pmllib_original\forms\hello.pmlfrm
    setup form !!hello
      Title 'My Form Title'
      Paragraph .Message text 'Hello world'
      button .bye 'Goodbye' OK
    exit
C:\testencrypt\pmllib-original\functions\area.pmlfnc
    define function !!area(!Radius is REAL) is REAL
      !CircleArea = !Radius.Power(2) * 3.142
      return !CircleArea
    endfunction
C:\testencrypt\pmllib-original\objects\life.pmlobj
    define object LIFE
      member .Answer is REAL
    endobject
    define method .Life()
      !This.Answer = 42
    endmethod
    define method .Answer() is REAL
      return !This.Answer
    endmethod
    define method .Answer(!Value is REAL)
      !this.Answer = !Value
    endmethod
C:\testencrypt\pmllib-original\macros\newsite.pmlmac
    new site /ENCRYPT-SITE
    handle(41,12)
      $p site /ENCRYPT-SITE exits DELETE SITE
      return
    endhandle
C:\testencrypt\pmllib_original\macros\NZONE
    /ENCRYPT-SITE
    handle(2,109)
      $p Site /ENCRYPT-SITE does not exist
      return
    endhandle
    new zone /ENCRYPT-ZONE
    handle(41,12)
      $p site /ENCRYPT-ZONE exits DELETE ZONE
      return
    endhandle
5.6.2 Directory Structure
The PML files should be stored in the correct PML directory structure.
5.6.3 Testing using a Batch File
It is recommended that a batch file be created to encrypt the PML files. In this example a simple batch file will be written to test each option. In a suitable text editor open the batch file, encrypt.bat, in the folder C:\testencrypt. Most of the lines are commented out using rem, with the exception of the second to last line, which would display help.
Keep the file open for editing. Ensure all of the sub-folders in the C:\testencrypt\pmllib-encrypt folder are empty.
5.6.4 Testing the None Option
The first test uses the -none option on the area.pmlfnc file to see if the encryption process is working. The encrypt batch file needs to be edited (remove ‘rem’) to allow this line of the file to be run. The batch file should look like this:
Run the batch file by locating encrypt.bat with Windows Explorer then double clicking on it. A cmd window will be displayed. To check the result, navigate to the C:\testencrypt\pmllib-encrypt\functions folder and edit the area.pmlfnc. The function should look like this:
The file is not encrypted but a header is added to the macro.
5.6.5 Testing the Trivial Option
Edit encrypt.bat and enter rem at the start of the line containing the none option. Remove the rem from the start of the line containing the trivial option. The batch file should look like this:
Save the file and double click on it to run the encryption. The file, hello.pmlfrm, has been encrypted using the -trivial option. Navigate to the C:\testencrypt\pmllib-encrypt\forms folder and edit the hello.pmlfrm. The function should look like this:
Note that the file is readable backwards, i.e. mrof putes is setup form.
5.6.6 Encrypting Multiple Files
All files with valid pml extensions can be encrypted in one command using the -pmllib option. Edit the encrypt.bat file by entering rem at the start of the line containing the trivial option. Remove the rem from the start of the line containing the rc4 pmllib option. The batch file should look like this:
Save the file and double click on it to run the encryption. Navigate to each of the sub-folders of pmllib-encrypt and note that all pml files have been encrypted with the exception of NZONE as this does not have a valid pml file extension. All Files without a valid pml extension can be encrypted in one command using the -folder option, however, care must be taken using this option as some files may not be pml macros.
Edit the encrypt.bat file by entering rem at the start of the line containing the rc4 pmllib option. Remove the rem from the start of the line containing the rc4 folder option. The batch file should look like this:
Save the file and double click on it to run the encryption. Navigate to the macro sub-folder of pmllib-encrypt and note that the file NZONE has now been encrypted.
5.6.7 Testing Encrypted Macros
When PDMS recognises an encrypted macro it is decrypted in memory as it is used. In this section the encrypted macros will be tested. In order to test the encrypted macros the pointer to pmllib must be changed to point to a multi path. Edit the file evars.bat. This batch file can be found in the %PDMSEXE% directory, typically C:\AVEVA\Plant\PDMS12.1.SP2. Close to the bottom of the file add the line:
    set pmllib=C:\testencrypt\pmllib-encrypt %pmllib%
Make sure there is a Blank Line at the Bottom of the file.
Save the file and close the editor. Enter PDMS using the following options: Project Training, Username A.PIPER, Password A, MDB /A-PIPING, Module Design
Ensure DAC is turned off.
5.6.7.1 Checking the pmllib Path
The environment variable pmllib should now be set to a multi-path that includes the C:\testencrypt folder. Open the Command Window and enter Q EVAR PMLLIB.
The file pml.index needs to be updated to include the new files in the extended path. Enter PML REHASH ALL in the Command Window to regenerate the file. If further files are encrypted the file should be refreshed using this command.
5.6.7.2 Area function
The area function returns the area of a circle. In the Command Window enter !area = !!area(100). The function calculates the area of a circle with 100mm diameter. Enter q var !area in the Command Window to find the answer stored in variable !area.
5.6.7.3 Hello Form
PML forms are displayed using the show command. Enter show !!hello in the Command Window to show the Hello form.
5.6.7.4 Life Object
A method of an object may return a result into a member of the object using the return command. Enter !Marvin = object LIFE() in the Command Window. The method .Life() is called automatically and the value !marvin is 42. Enter !Number = !Marvin.Answer() in the Command Window. Enter q var !Number in the Command Window. !Number is set to the value 42 because no values were specified. The value of the variable Number may be changed. Enter the following in the Command Window:
    !Marvin.Answer(50)
    !Number = !Marvin.Answer()
    q var !Number
5.6.7.5 Running the pml macros
Macros are executed using the $m/ syntax in the Command Window. Enter the following in the Command Window:
    $m/C:\testencrypt\pmllib-encrypt\macros\newsite.pmlmac
    $m/C:\testencrypt\pmllib-encrypt\macros\NZONE
The newsite.pmlmac macro creates a site named ENCRYPT-SITE. The NZONE macro creates a Zone under the new site named ENCRYPT-ZONE.
5.7 Buffering Encrypted Files
Reading an encrypted pml file takes longer than reading a plain-text version. In some circumstances PML files may be re-read many times during a session, thus encrypting files may have some impact on performance. The command PML STATISTICS displays information on the numbers of times each file has been read, together with some additional information useful to AVEVA when testing the Published PML functionality.
In order to reduce the time taken to re-read the files, Published PML files may contain a buffering directive in the header-line, i.e. the first line in the file. If a dash and a number are included directly after the three-digit encryption algorithm id, then PDMS will retain the file in memory indefinitely once it has been read the specified number of times. Heavily used files may be edited to add buffering to the header by hand. For example:
    ---- Published PML 1.1 >-
Alternatively, the -buffer n option of pmlencrypt.exe, where n is the number of times the file is to be read before buffering, may be used. For example:
    C:\AVEVA\pmlencrypt -rc4 -buffer 5 %from%\functions\area.pmlfnc %to%\functions\area.pmlfnc
A value of 5 is a good number to start with. Many files are read precisely once during module start up. There is little benefit in buffering these files. Using a value of 5 will avoid that, but will benefit all heavily used files. If a PML file that is being actively developed has a header including buffering, it will not be re-read as often as usual. To force all buffered files to be cleared from memory, if they are not in current use, the commands PML REHASH or PML INDEX may be used or a module switch performed.
5.8 Editing Published PML Files
Most changes made to an encrypted PML file will make it unusable, i.e. PDMS will report a corrupt file if attempted. However, there are a few exceptions:
As noted in the previous section, a buffering value may be added or changed in the Published PML header-line. For example:
    ---- Published PML 1.1 >--
may be changed to
    ---- Published PML 1.1 >-
adding a buffering value of 5.
The second line of rc4 or basic encrypted files may be edited to report a different error or message. For example:
    ---- Published PML 1.1 >-
    return error 99 'This file is not readable by this version of PDMS'
    $** 9ad7b51fc44384a8601979728b185f52
may be changed to
    ---- Published PML 1.1 >-
    return error 66 'You need a PDMS patch – ring Ian on extension 6655'
    $** 9ad7b51fc44384a8601979728b185f52
Lines in trivial encrypted or un-encrypted files may be changed.
5.9 Using the $R Command
If an attempt to display or record encrypted PML using the $R commands is made, all lines are replaced by the text . Error messages and trace-backs will include function names, but not the text of each line. The only circumstance in which hidden lines can become visible is during a macro which includes a module switch. After a module switch, any remaining lines in that macro may be traceable.
5.10 Troubleshooting
PDMS will issue an error if any of the following occurs:
Attempting to read an encrypted PML file in an incompatible version of PDMS.
Attempting to read an encrypted file that has become corrupted (e.g. editing encrypted text).
Attempting to read files encrypted with algorithms added in future versions of pmlencrypt.exe.
Attempting to read an rc4 encrypted file on a computer without the Microsoft Base Cryptographic Provider installed.
CHAPTER 6
6 Intellectual Property Rights Database Protection
PDMS enables strict Intellectual Property Rights (IPR) Protection to be applied at database level, allowing a project administrator to restrict the ability to extract data held within a database.
6.1 IPR Protection Overview
Protected databases are marked as uniquely belonging to the project such that restricted users cannot copy data from that database into another project, even through a physical copy of the database file. Functionality that permits copying of data from a protected database is not available to restricted users. For example:
OUTPUT command (DATAL).
COPY command, when copying across databases.
EXPORT command.
Data Access Routines (DARs).
In addition, read access to certain attributes is restricted in order to obstruct an unauthorised user from writing their own DATAL-like functionality in PML.
6.2 Changes to Admin for Database Protection
The Administration command syntax has been extended to allow the project administrator to set (or clear) protection on any database within a project, and to set (or clear) an expiry date for that database. The CHANGE command has been extended to change the protection on a named database, and control timed expiry by optionally specifying a future date, using the standard date format used in existing commands. The extended syntax is as follows:
    CHANGE databasename PROTection [ ON | OFF ] [ EXPires future-date ]
The CREATE DB command has been similarly extended, with the following syntax:
    CREATE DB dbname dbtype [ SUBTYPE MARINE ] PROTected [ EXPires future-date ]
The following pseudo attributes are associated with all DATABASE elements to query the Protected status and the expiry date of the represented database:
LProtected - returns True if the database is protected and False if it is unprotected.
Expiry - returns a text value giving the expiry date of the database in ISO date format, YYYY-MM-DD. The pseudo attribute is unset if the database has no expiry date.
The Create Database form enables the Project Administrator to toggle protection on a database. This can be done by adding an expiry date via checkboxes and options lists. Clicking the Protected checkbox toggles the Protected mode on and off. When toggled on, the Expires checkbox is enabled.
Clicking the Expires checkbox toggles the expiry date on and off. When toggled on, the three date option lists are enabled.
The date entered must be valid and in the future. Invalid dates and past dates output an error message and disable the Apply button.
The Modify Database form has the same functionality as the Create Database form, except that the Expiry cannot be toggled off if previously set; the date may, however, be changed. The end-user experience is unchanged except where that user is restricted with respect to a protected database. In these cases meaningful errors are displayed to indicate that user privileges are not sufficient to complete the requested operation. Data Access Routines (DARs) have been restricted so that they cannot access data in a protected database. An indicative error message is displayed in these circumstances.
Foreign databases are always read only.
6.3 Changing Database Protection – A Worked Example
This worked example sets the protection on an existing catalogue database. Enter PDMS using the following options: Project MAS, Username SYSTEM, Password XXXXXX, MDB None, Module Admin.
In Admin select Databases & Extracts from the Admin Elements form. Select MASTER/PIPECATA from the grid and click the Modify… button to display the Modify Database form. Click the Protected checkbox to toggle database protection on. Click the Apply button and then the Dismiss button. Select Admin > Exit from the main menu to leave PDMS.
Designers with Read Only access to the protected database, i.e. from the Training (TRA) project, will now be unable to use the following:
OUTPUT command (DATAL).
COPY command, when copying across databases.
EXPORT command.
Data Access Routines (DARs).
6.3.1 Testing Database IPR Protection for the Output Command
The Catalogue MASTER/PIPECATA is used as the Piping catalogue reference in the TRA project. As the catalogue is now protected the OUTPUT Command for catalogue items should be unavailable for this catalogue. Enter PDMS using the following options: Project Training, Username A.PIPER, Password A, MDB /A-PIPING, Module Paragon. The Paragon user interface should be set to display the Catalogue Explorer and a Command Window.
Using the Catalogue Explorer navigate to the Catalogue World called MASTER/PIPECATA, the CATA called PDMSPIPE.CATA-ANSI and the SECT called ELBOW-ANSI. This section can be checked to see if it is in the protected catalogue database by entering Q DBNAME in the Command Window. It should return MASTER/PIPECATA. The OUTPUT command may also be tested in the Command Window by entering OUTPUT CE. As the MASTER/PIPECATA is protected an error message is displayed.
6.3.2 Testing Database IPR Protection for the Copy Command
The COPY command should also be unavailable, preventing information being transferred from a protected database to an unprotected database. Navigate to and expand the PIPING/CATA-A World in the Catalogue Explorer to show the CATA element /CATA-PIPING-A previously created with the database. Enter Q DBNAME in the Command Window. It should return PIPING/CATA-A. A new SECT and CATE will be created in this database using the Command Window; the CATE will be a copy of an existing MASTER component. Enter the following commands in the Command Window:
    NEW SECT /Elbows
    NEW CATE /AAEA200-PIPE
    COPY /AAEA200 RENAME /AAEA200 /AAEA200-PIPE
Make sure DAC is turned OFF on the project or that no DAC is applied to Paragon.
The new SECT and CATE will be created but the existing CATE cannot be copied as it is in a protected database and an error message will be displayed. Click the OK button to dismiss the form. Note that the new CATE has been created but no contents have been copied from the protected database.
6.4 Attribute Protection
When the attributes of an item in a protected database are queried, some of the attributes will not be displayed, i.e. some attributes are invisible to restricted users in a protected database. The restricted attributes are mostly in the catalogue, but there are also some in the Properties and Design Databases. Because not all the attributes are visible, it is very difficult to create a macro that would be able to recreate the database items. Typical attributes that are invisible are the height of a cylinder in the catalogue and the nominal bore of a component connection point.
6.5 Checking Attribute Protection – A Worked Example
To check attribute protection a catalogue database is entered as a Free User and the attributes of a primitive are queried. A check is made on the same item as a Restricted User. To see what attributes are available an MDB is created in the MAS project and the protected database MASTER/PIPECATA added to it. Paragon may then be used to compare attributes between a protected database and an unprotected database.
6.5.1 Creating an MDB in the MAS Project
Enter PDMS using the following options: Project MAS, Username SYSTEM, Password XXXXXX, MDB None, Module Admin.
Select MDBs from the Element options list on the Admin Elements form. Click the Create… button to display the Create Multiple Database form. Enter CATA in the Name textbox. Enter Catalogue in the Description textbox. Select MASTER/PIPECATA and move it down into the Current Database grid. Click the Apply button and then the Dismiss button.
Select Admin > Exit from the main menu to leave PDMS.
6.5.2 Attributes as a Free User
Enter PDMS using the following options: Project MAS, Username SYSTEM, Password XXXXXX, MDB CATA, Module Paragon.
Enter /AAEA200NN in the Command Window to navigate to the SCOM. Enter GOTO GMREF in the Command Window to navigate to the geometry set and then enter SCTO1 to navigate to the circular torus primitive.
The SCOM AAEA200NN is an ANSI elbow that is constructed from a circular torus primitive.
Select Query > Attributes… from the main menu to display the Attributes form.
6.5.3 Attributes as a Restricted User
Enter PDMS using the following options: Project Training, Username A.PIPER, Password A, MDB A-PIPING, Module Paragon.
Enter /AAEA200NN in the Command Window to navigate to the SCOM. Enter GOTO GMREF in the Command Window to navigate to the geometry set and then enter SCTO1 to navigate to the circular torus primitive. Select Query > Attributes… from the main menu to display the Attributes form.
6.5.4 Comparing Results
Comparing the two Attribute forms, it can be seen that the Pdiameter attribute is missing from the Restricted User's query.
[Figures: Attributes form for the Free User and for the Restricted User]
CHAPTER 7
7 Enhanced Entry Scripts
A new form has been introduced to allow generation of encrypted command scripts. This form is activated from the Create Script button on the Admin Elements form. It is activated by selecting Users or MDBs from the Elements pull down list.
7.1 Creating an Encrypted Entry Script
Enter the PDMS Admin Module, Project Training, Username SYSTEM, Password XXXXXX. From the Admin Elements form select Users, select the user TRAINER and click the Create Script Button.
If a User is selected in the main Admin form element list, that user will be specified in the Command Script Generation form. If an MDB element is selected, the MDB option will be checked and that MDB will be specified in the form. The new form requires entry and confirmation of the correct password for the specified user. It also requires entry or selection, via the Browse button, of an output filename. MDB selection is optional, as is the selection of an input command script.
The Input option is only available if a PML Publisher license is available in the current environment.
A further set of “environmental” conditions can be applied if required. The conditions are specified by clicking on the Conditions button, which activates the following form.
A set of allowable Windows usernames and a set of allowable host computer names can be entered into the two lists. Optionally a full or partial time period can be specified using the Before and After toggles and date controls. Clicking the OK button on this form records the specified conditions to be applied to the generated script.
The User name TRAINER will automatically be set. Enter the following details:
Password: T
Confirm: T
Click the Browse button.
By default, the browser will navigate to %pdmsuser%, typically C:\AVEVA\Plant\Data12.1.SP2\pdmsuser. A default file name, projectentry.mac, will be populated in the file name field. Click the Save button.
On the Command Script Generation form select the OK button.
If the file exists the user is prompted to overwrite it.
Navigate to the newly created Entry Script file projectentry.mac and open the file using a suitable text editor.
The file has been encrypted using the same technology as PML Publisher.
This file should not be edited as it could render it inoperable.
7.2 Typical Entry Macro
Create the following entry macro and save it as entry.pmlmac in the %pdmsuser% directory typically C:\AVEVA\Plant\Data12.1.1\pdmsuser.
    -- call entry macro
    $m/C:\AVEVA\Plant\Data12.1.SP2\pdmsuser\projectentry.mac
    dev tty
    ALPHA log /C:\AVEVA\Plant\Data12.1.SP2\pdmsuser\aa.log over
    /A-PIPING
    Design
    q mem
    alpha log end
    finish
The above macro runs the entry script created previously and allows access to PDMS without user names and passwords being displayed. It sets an MDB, enters Design, sets a log file, queries the members and exits PDMS.
The Macro must Exit PDMS.
An example of the above file can be found in the Training Setup Directory typically C:\AVEVA\Plant\Training12.1\Training\pdmsuser.
7.3 Typical Entry Batch File
Create the following entry batch file and save it as no-pub-batch.bat in the %pdmsuser% directory typically C:\AVEVA\Plant\Data12.1.SP2\pdmsuser.
    set pdms_installed_dir=C:\AVEVA\Plant\PDMS12.1.SP2\.
    set PDMSEXE=C:\AVEVA\Plant\PDMS12.1.SP2
    set PDMSWK=C:\AVEVA\Plant\Data12.1.SP2\pdmswk
    call "%pdms_installed_dir%\evars" "%pdms_installed_dir%"
    %PDMSEXE%\mon tty -macro=%PDMSEXE%\pdmsuser\entry.pmlmac
The above batch file sets the required environment variable for PDMS and the Project and runs the entry macro.
An example of the above file can be found in the Training Setup Directory typically C:\AVEVA\Plant\Training12.1\Training\Admin.
7.4 Enhanced Entry Scripts (PML Publisher Available)
The Script Generation form has the option to include a user supplied macro which is included into the encrypted script. This option is only available if a PML Publisher License is available in the current environment.
7.4.1 Typical User Macro
Create the following macro and save it as doit.mac in the %pdmsuser% directory typically C:\AVEVA\Plant\Data12.1.SP2\pdmsuser.
    dev tty
    /A-PIPING
    Draft
    ALPHA log /C:\AVEVA\Plant\Data12.1.SP2\pdmsuser\aa.log over
    q mem
    alpha log end
    finish
The above macro will be added to the encrypted entry script that is subsequently created. The macro sets an MDB, enters Draft, opens a log file, queries the members and exits PDMS.
The Macro must Exit PDMS.
7.4.2 Creating the Encrypted Entry Script
Using the entry script created above, create an encrypted entry script using the Input File doit.mac.
The entry script file now includes the supplied macro.
7.4.3 Typical Entry Batch File (PML Publisher Available)
Create the following entry batch file and save it as pub-batch.bat in the %pdmsuser% directory typically C:\AVEVA\Plant\Data12.1.SP2\pdmsuser.
    set pdms_installed_dir=C:\AVEVA\Plant\PDMS12.1.SP2\.
    set PDMSEXE=C:\AVEVA\Plant\PDMS12.1.SP2
    set PDMSWK=C:\AVEVA\Plant\Data12.1.SP2\pdmswk
    call "%pdms_installed_dir%\evars" "%pdms_installed_dir%"
    %PDMSEXE%\mon tty -macro=%PDMSEXE%\pdmsuser\projectentry.mac
The above batch file sets the required PDMS and Project environment variables and runs the entry macro. The projectentry.mac macro file includes both encrypted entry and encrypted input and can therefore be run standalone.
An example of the above file can be found in the Training Setup Directory typically C:\AVEVA\Plant\Training12.1\Training\Admin.