How to
Removing Command Permissions from User Account Groups
You remove a user account goup's path permission to remove the permission to a folder or an object the user account group no longer is to have permissions to.
Software permissions can be assigned to individual user accounts and to user account groups.
Path permissions can be assigned to both, individual user accounts and user account groups. Command permissions can be assigned to user account groups only and cannot be assigned to individual user accounts. If you want to assign command permissions to individual user account, you need to create a group with one individual. You assign command permissions to modify specific permissions that user account groups possess to specific objects on the given path.
Relative path permissions and type permissions can be assigned to both, individual user accounts and user account groups.
If no software permissions are configured for a user account or user account group, the user has no access to EcoStruxure Building Operation software. By default, new user accounts and new user account groups have no permissions to access EcoStruxure Building Operation software. Changes to the software permissions of a user account group or user account are applied the next time the user logs on.
You can also combine software permissions with other general policies for the user accounts that are members to the user account groups. For example, you can enable or disable the ability of the group members to change their passwords or to choose the workspace.
For optimal efficiency, assign software permissions to user account groups rather than individual user accounts, wherever possible. Using this approach, you can associate user accounts to at least one user account group for controlled permission to EcoStruxure Building Operation applications. A user account group can comprise both user accounts and other user account groups. You group user accounts and user account groups with similar interests. For instance, you can group software permissions with user accounts based on common tasks and responsibilities
You create a user account for Paul and associate him with the two user account groups: Administrators and Janitors. You associate Paul with those two user account groups. You grant Administrators and Janitors certain software permissions. Paul inherits software permissions of both user account groups.
You use command permissions to configure exceptions from path permissions. You can set the following permissions for a command: no setting, deny, allow.
No Setting: No Setting is the default command permission setting. No Setting means that the Command property in the path permission, for the folder where the object is located, decides whether the user has permission to modify the object or not.
Deny: Users are not allowed to use the command.
Allow: Users are allowed to use the command.
You allow a user account group only to add comments to trend log records. All other command permissions for trend logs have the Deny permission. Users with the Deny command permission can comment on existing records but are not allowed to perform other actions such as adding records or clearing the trend log. This assumes that the users have path permission to access the trend logs.
In another example, the user account group has the path permissions read, write, create, delete, edit, force, and command to a folder that contains BACnet objects. To prevent the users in the user account group from updating the BACnet firmware, you use the Deny command permission for this action. All other command permissions are changed to No Setting. Due to the full set of path permissions, the users can perform all commands on BACnet devices, but not update the firmware.
In afinal example, the user account group has the path permission Read to the Enterprise Server. To enable the users in the user account group to perform all commands on trend logs in the system, you change all the command permissions on the Trends category to Allow.
A user account can be a member of several user account groups with different permissions. The priority between different permissions follow a set of permission rules. You can use these permission rules to manage the type of data and commands the user has access to within a workspace, panel, or domain. For more information, see Software Permissions Rules Management .
In WorkStation, in the System Tree pane, select the EcoStruxure BMS server you want to configure.
Click the Control Panel tab.
Click Account management .
In the account management control panel, in the Domain list box, select the domain the user account group belongs to.
In the User Account Groups list box, select the user account group, whose command permissions you want to remove.
Click Software permissions .
In the Permissions tab, in the Command Permissions area, in the Category column, select a category, whose command permisions you want to remove.
In the Command column, select a command.
In the Permission list for the command, select No Setting .
Click the Save button
.action_zoom_plus_stroke 
Command Permissions
Command Permissions Rules
Software Permissions, User Accounts, and User Account Groups
Assigning Command Permissions to User Account Groups
Editing Command Permissions of User Account Groups