For administrators - how to determine what permissions are applied to groups and objects

Q - Is there any way to see how the security permissions propagate down the hierarchy? Basically be able to see how the objects security is implemented as either parent (then which parent) or if individual (then stated as individual).

A - Yes. There is a database column "ACLInherited" which tells you if the object/group has got the ‘Inherited’ checkbox enabled (i.e. has no custom permissions at that level) or, if False then there are custom permissions at that level.

This query will tell you most of the info:

SELECT "FullName" AS "FullName", "Id","ACLAsText","ACLInherited" FROM CDBOBJECT WHERE "ACLInherited" = FALSE ORDER BY "FullName" ASC

The column "ACLAsText" will be truncated if the text of it is too long, so for a definitive list you’d need to read permissions using the client API.

Here’s a Python program to list the full ACLs in the root group:

# Import .Net runtime support - needs "pip install pythonnet", supported by Python 3.8, 3.9?
import clr
# Get Geo SCADA Library
CS = clr.AddReference( "c:\Program Files\Schneider Electric\ClearSCADA\ClearSCADA.Client.dll" )
import ClearScada.Client as CSClient

# Create node and connect, then log in. (Could read net parameters from SYSTEMS.XML)
node = CSClient.ServerNode( CSClient.ConnectionType.Standard, "127.0.0.1", 5481 )
connection = CSClient.Simple.Connection( "Utility" )
connection.Connect( node )
connection.LogOn( "your user", "your password" )

# Read Security ACLs
R = connection.GetObject("$Root")
ACL = R.GetSecurity()

if (ACL.InheritedFromParent == False):
    print( "ACL ", ACL.Count, " entries")
    for user in ACL.Keys:
        print( "Key: ", user, " ACL: ", ACL[ user].Permissions.ToObjectPermissions() )

There is a more complete example with recursion through all groups/objects and the permission names here:

https://github.com/GeoSCADA/Utilities-and-Examples/blob/main/PythonSamples/ListAllGroupACLs.py

(Please browse the GitHub site for other samples!)