3.

1 User Page 1 of 23

3.1 User
The operator logs on to a HIS using the user name assigned to the operator.
Each user belongs to a user group. The user security restricts the scope of operation and monitoring
permitted for the operator who has logged on to the HIS based on the user’s privilege level and the
scope of operation and monitoring permitted for the user group to which the user belongs.

SEE For more information about the relationship of user management in Windows and the CENTUM VP
ALSO system, refer to:
2.2, “User/Group Management” in CENTUM VP Security Guide (IM 33J01C30-01EN)

n Default User Names

The CENTUM VP security offers the following default user names. The privilege level of the user who
accesses from the User-in Dialog becomes valid when the mode switching key position of the operation
keyboard is OFF.

l Default Users in CENTUM Authentication Mode

Table 3.1-1 Default Users in CENTUM Authentication Mode

User name User group Privilege level Description

OFFUSER(*1) DEFGRP S1 User name for monitoring only
ONUSER DEFGRP S2 User name for operation and monitoring
ENGUSER DEFGRP S3 User name for maintenance
PROG(*2) DEFGRP S1 User name for accessing from a user program
TESTUSER DEFGRP – User name for executing a virtual test
*1: If the user group for OFFUSER is changed to NONGRP and the HIS is started, operation and monitoring
with the HIS will be disabled.
*2: Users cannot user-in as PROG.

• TESTUSER does not appear in the Security Builder.

• These users cannot be deleted in the Security Builder.
• All user groups and privilege levels are the defaults.

l Default Users in Windows Authentication Mode

Table 3.1-2 Default Users in Windows Authentication Mode

User User Privilege

Description
name group level
User which defines the user out state under the HIS Type Single
OFFUSER DEFGRP S1
Sign On
PROG DEFGRP S1 User name for accessing data from a user program
TESTUSER DEFGRP – User used for executing a virtual test

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021
3.1 User Page 2 of 23

• TESTUSER does not appear in the Security Builder.

• These users cannot be deleted in the Security Builder.
• If the user name is PROG, it cannot be used for user-in.
• All user groups and privilege levels are the defaults.
• ONUSER and ENGUSER are not provided. If you create these users, the users will be handled as the
general users.
• PROG and TESTUSER cannot be authenticatied on Windows.

n Restrictions On Default User Logon

The default users in CENTUM Authentication Mode, ONUSER and ENGUSER, may be restricted so as the
security level can be enhanced in the environments like HIS-TSE where the multiple users randomly
logon to the HIS.
Restrictions on the logon of the default users, ONUSER and ENGUSER, can be set on Security tab of HIS
Utility.
You can lockout ONUSER, ENGUSER in the HIS Security Policy Settings (CENTUM authentication mode)
area by checking the [Lockout ONUSER, ENGUSER] option to prohibit these users to logon. By the
default setting of HIS-TSE, this option is checked, i.e., the ONUSER and ENGUSER are locked out for the
User-In dialog box.
When ONUSER and ENGUSER are locked out, these users will not be displayed from the dropdown list of
users on the User-In dialog box.

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021
3.1 User Page 3 of 23

Figure 3.1-1 Security tab of HIS Utility, Legacy Model/Standard Model (CENTUM Authentication
Mode)

In the case of Standard model (Windows authentication mode), the ONUSER and ENGUSER are locked
out, therefore the option of [Lockout ONUSER, ENGUSER] is not displayed. Since the ONUSER and
ENGUSER are locked out, the ONUSER and ENGUSER are not displayed in the dropdown box of User-In
dialog box.

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021
3.1 User Page 4 of 23

Figure 3.1-2 Security Tab Windows Authentication Mode

n Switching Users
In the HIS, switching to a different user is called user-in, and the user switching back to the initial user
who logon the HIS is called user-out.
In the HIS, switching to a different user is called user-in, and the user switching back to the initial user
of the HIS is called user-out. To perform user-in or user-out, call up the User-In dialog box from the
System Message Banner and then enter the user name and the password.

SEE For more information about User-In dialog box, refer to:
ALSO “n User-In and User-Out” in 2.5.1, “Components of System Message Banner” in Human Interface
Stations Reference Vol.1 (IM 33J05A10-01EN)

l Limitation on Operation and Monitoring Window Call at User-out

State

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021
3.1 User Page 5 of 23

At the user-out state, whether or not to limit the operation and monitoring window call can be specified.
When the window call is limited, the operation and monitoring window cannot be called up in the case
that the mode switching key position of the operation keyboard is OFF and at the user-out state. If the
operation and monitoring window is called while the window call is limited, the error operation message
is displayed.
Whether or not to limit the operation and monitoring window call can be specified in the Security tab of
HIS Utility.
Check the [Limits the window call at user out state] check box on the HIS Security Policy Settings.

Even while the operation and monitoring window call is limited, the following
windows and dialog boxes can be called up.
• User-in dialog
• Message Monitor window
• Name Input toolbox of browser bar
The operation and monitoring window call from the Name Input toolbox is
limited.

l Valid or Invalid of [Limits the window call at user out state]

Option
The HIS settings may become valid or invalid depends on the user authentication mode and user sign on
settings defined when starting the HIS.
The option of [Limits the window call at user out state] setting may become valid or invalid depends on
the user authentication mode and user sign on settings. When Windows type single sign on is defined,
this option becomes invalid.
Table 3.1-3 Scope of Enabling of [Limits the window call at user out state] Setting

Windows authentication mode

CENTUM
authentication mode HIS Type Windows Type
Single Sign On Single Sign On
Setting of window call limitation based on
Enabled Enabled Disabled
the user out state under Single Sign On

n User Registration
▼ User Name, Comment
The user registration may be carried out in the Valid User tab on the Security Builder. Up to 250 users
can be defined per project.
In the Windows authentication mode, “(Windows Authentication Mode)” is shown in the title bar.

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021
3.1 User Page 6 of 23

Figure 3.1-3 Title Bar of Security Builder (Windows Authentication Mode)

l Rules on User Name Registration

The rules that apply when user names are registered are shown below.
Table 3.1-4 User Naming Rules

Number of
Not more than 16 characters
characters
Alphanumeric characters and symbols including the following ! # $ % ( ) - . ^ _ { } ˜ single-
Character types
byte characters.
Uppercase only.(*1)
Limitations The first character can be an alphanumeric characters and symbols including ^ _ { } ˜
characters. A period (.) cannot be used to end the name.
*1: ENG group user and HIS group user names can be created with capital letters only. Windows user names
are not case sensitive but it is recommended to use the capital letters.

l Differences Relating to Users

The differences between the CENTUM authentication mode and Windows authentication mode are
summarized in the table below.
Table 3.1-5 Differences Relating to Users

Item CENTUM authentication mode Windows authentication mode

Users provided by 5, including OFFUSER, ONUSER, ENGUSER,
3, including OFFUSER, PROG and TESTUSER
default PROG and TESTUSER
Handling of Not provided by default (not present in the
ENGUSER and Provided by default and cannot be deleted. builders immediately after a new project is
ONUSER created) and can be deleted.
Character types
permitted in user According to the table “User Naming Rules”
names
User lockout management is performed using
An asterisk (*) is appended at the
Display of locked a Windows administrative tool.
beginning of the user name for any user
out user The lockout status is not displayed (* is not
who is currently locked out.
appended) in the builders.
Locked out users are unlocked using a
Release Lockout
Function to unlock locked out users Windows administrative tool.
menu
No unlocking menu is displayed in the builders.
Function to check if the users in the Security
User name check None
Builder exist as Windows users.

file:///C:/Program%20Files%20(x86)/YOKOGAWA/IA/iPCS/Products/CENTUMVP/Progr... 6/1/2021