A primary way to protect a system from improper usage is to control the deployment of the tools used for access. Without adequate viewing tools, most users will never be tempted to access sensitive controlled information. Curtailing the distribution of modification tools can diminish the likelihood of inadvertent changes to data. Maintaining tight control over security administration tools reduces the temptation for users to perform their own ad hoc system management.
A well-maintained system will provide enabling applications for individuals to carry out their job functions without exposing sensitive features. For example, attempting to retrieve and view PI data without any tools would require a good deal of knowledgeable programming, coupled with some good guessing or lax system security. Providing PI ProcessBook to users who need to view PI data satisfies this requirement with minimal risk to data. PI-DataLink can be used to enter and modify PI data, given some skill in writing Excel Visual Basic macros. PI-DataLink is a good general-purpose tool for a trusted user who needs great flexibility. Developing small data entry applications in Visual Basic or Excel is an ideal way to provide focused applications that enhance the user's productivity while minimizing unwanted changes and access.
The same approach can be used successfully for system management tools. Some managers will need the entire suite of management utilities, but for many administrative tasks it may be enough to distribute simple, narrowly focused applications that expose only a few features (e.g. add a new user, change a password, add a new point).
Coupled with the distribution of applications is the file system security imposed on those applications and their data files. By using network file servers for applications or data, additional restrictions can be maintained easily. Running applications from a network drive allows tight control over execution but may have a downside in performance. Storing display data on network drives (e.g. shared PI ProcessBook display files) increases the availability of useful information while preventing unauthorized access.