Suppressing SetPoint Auditing Based on User ID
A feature is available to suppress the creation of setpoint audit records in the AUD service database based on a security setting for the user ID performing the setpoint request.
This option allows you to manage your AUD service database, preventing it from overfilling with setpoint audit records, while still allowing the creation of audit records when a user changes a value on a point tag. Unchecked setpoint requests from scripts can cause the AUD service database to swell to an unmanageable size. Setpoint audit records may be caused by scripts setting point values in the UIS or in the HSS, or by external VBScripts, Job Runner scripts, or PowerShell scripts.
To Suppress the Creation of SetPoint Audit Records
- Configure the following keywords in the service configuration file for each CVS (HSS, OPCIS, SVCMON, UIS) where setpoint operations will be received:
  - Set AUDIT_LEVEL_SETPOINT to '1' to ensure setpoint auditing is enabled.
  - Set AUDIT_SETPOINT_USERSEC_ENABLED to 'YES'.
- Configure the following security event for the user ID performing the setpoint request:
  - Add the SUPSPAUD event to the UIS application in the ACS.
  - Add the permission for the user ID with the access level set to '5-Admin'.
How Audit Record Suppression Works
When the AUDIT_SETPOINT_USERSEC_ENABLED keyword is set to 'YES' (and setpoint auditing is enabled), CygNet queries the ACS associated with the CVS to determine whether the user ID performing the setpoint request has proper permissions to create an AUD entry. The security application is resolved for the target point tag, considering any possible PNT and FAC security application overrides. Once the security application is determined for the target point, the ACS is queried for configured user access. If the user's access level for the SUPSPAUD event is '5-Admin', the creation of an audit record for the setpoint operation is suppressed.
Note that merely setting AUDIT_SETPOINT_USERSEC_ENABLED to 'YES' does not suppress audit record creation. The user ID performing the setpoint request must be assigned the proper security application and '5-Admin' access level for the SUPSPAUD event. Only then will any setpoint operation received by the CVS originating from a session associated with that user ID be blocked from recording an associated entry.
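The following is an added example, not CygNet code: a small review helper that models the decision described above and lists every user ID whose setpoint operations would leave no AUD record. The dictionary layout, the service and application names other than UIS and HSS, the user IDs, and the non-admin access level string are all constructed for illustration; the security application is taken as already resolved for the target point.

```python
# Added illustration; models the rule described above, not CygNet's implementation.
SUPPRESS_EVENT = "SUPSPAUD"
SUPPRESS_LEVEL = "5-Admin"


def suppressed_by_user_id(cvs_cfg, grants, app, user):
    """True if a setpoint by `user`, on a point whose security application
    resolved to `app`, would be received by this CVS without an AUD record."""
    # Assumption: only the documented value '1' is treated as "auditing enabled".
    if cvs_cfg.get("AUDIT_LEVEL_SETPOINT") != "1":
        return False
    # The keyword alone does not suppress anything; it only enables the ACS check.
    if cvs_cfg.get("AUDIT_SETPOINT_USERSEC_ENABLED") != "YES":
        return False
    return grants.get((app, SUPPRESS_EVENT, user)) == SUPPRESS_LEVEL


def unaudited_accounts(cvs_configs, grants):
    """List (cvs, security application, user ID) combinations with no audit trail."""
    findings = set()
    for cvs, cfg in cvs_configs.items():
        for (app, event, user) in grants:
            if event == SUPPRESS_EVENT and suppressed_by_user_id(cfg, grants, app, user):
                findings.add((cvs, app, user))
    return sorted(findings)


# Constructed sample data: keyword values per CVS and ACS grants keyed by
# (security application, event, user ID).
CVS_CONFIGS = {
    "UIS": {"AUDIT_LEVEL_SETPOINT": "1", "AUDIT_SETPOINT_USERSEC_ENABLED": "YES"},
    "HSS": {"AUDIT_LEVEL_SETPOINT": "1", "AUDIT_SETPOINT_USERSEC_ENABLED": "NO"},
}
ACS_GRANTS = {
    ("UIS", "SUPSPAUD", "svc_script"): "5-Admin",
    ("UIS", "SUPSPAUD", "operator1"): "lower-level (constructed)",
    # FIELD_APP stands in for an application reached through a PNT or FAC override.
    ("FIELD_APP", "SUPSPAUD", "operator1"): "5-Admin",
}

if __name__ == "__main__":
    for cvs, app, user in unaudited_accounts(CVS_CONFIGS, ACS_GRANTS):
        print(f"{cvs}: setpoints by {user} on {app} points are not audited")
```

Here operator1 is audited on points that resolve to the UIS application but not on points that resolve to the override application, which is the case a permission review is most likely to miss.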
Logging
If the creation of an audit record for a setpoint operation is suppressed, a MIN_TRACE log entry (basic debug mode) will be made in the associated CVS log file and to the Event Logging Service (ELS) to aid with diagnostics.
Service Monitoring
A CVS info item, SETPOINT_USERSEC_ENABLED (Setpoint User Sec Enbld) (UDC is SVMCVSSPAS), is available to indicate whether setpoint audit record creation in the AUD service database is suppressed based on user ID. Use the Service Details dialog box or the CygNet ServiceMon Administration utility to view this statistic. The corresponding SVCMON point, CYGDEMO_UIS_SVMCVSSPAS, will display as either 'SET' or 'NOT SET'.


