IEC 62351-8
Role-based access control vocabulary for power-systems management. Defines a standard set of roles (VIEWER, OPERATOR, ENGINEER, INSTALLER, SECADM, RBACMNT, AUDITOR) so that authorisation is portable across vendors.
Also: 62351-8, RBAC for power systems, IEC RBAC
IEC 62351-8 is the part of the IEC 62351 family that defines the role vocabulary for access control in power-systems management. It does not invent RBAC; it standardises the set of roles a power-systems device should recognise so that an authenticated principal carries the same authorisation across vendors.
The standard roles
| Role | What it can do |
|---|---|
| VIEWER | Read-only access to data and status. |
| OPERATOR | Read access plus runtime control actions (open/close, change setpoint within bounds). |
| ENGINEER | Configure non-protection settings, retrieve diagnostic data, perform commissioning. |
| INSTALLER | Initial commissioning and physical-replacement actions. |
| SECADM | Security administration — manage user accounts, roles, certificates. |
| RBACMNT | Manage role definitions and bindings (a meta-role above SECADM in some profiles). |
| AUDITOR | Read access to audit logs and security events; cannot modify them. |
The standard also allows vendor-defined extension roles, but the seven above are mandatory in any 62351-8-compliant implementation.
Why a standard role set matters
Without 62351-8, every vendor invents its own role nomenclature. The same engineering laptop with the same human operator gets a different effective authorisation on every IED brand. An identity-and-access-management system can’t enforce a coherent policy against that. The IEC 62443 audit question “who can do what, where?” becomes per-device guesswork.
With 62351-8, the IDM system maps an enterprise identity to a standard role, and every conforming IED enforces the same boundary. Closing the FR2 (Use Control) gap on a multi-vendor substation is what -8 is for.
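The audit problem described above can be made concrete with a small script. This is an added example, not part of the original entry or of the standard: it normalises per-device local accounts to the seven standard role names, then reports people whose effective role differs between devices and local roles with no agreed equivalent. The vendor names, local role names, mapping and inventory are all constructed assumptions.

```python
from collections import defaultdict

# The seven standard role names from the table above.
STANDARD_ROLES = {"VIEWER", "OPERATOR", "ENGINEER", "INSTALLER",
                  "SECADM", "RBACMNT", "AUDITOR"}

# Assumed mapping kept by the asset owner: (vendor, local role) -> standard role.
# Vendor and local role names are hypothetical.
VENDOR_ROLE_MAP = {
    ("vendor_a", "Level1"): "VIEWER",
    ("vendor_a", "Level3"): "ENGINEER",
    ("vendor_b", "operate"): "OPERATOR",
}

# Constructed inventory of local accounts: (device, vendor, person, local role).
ACCOUNTS = [
    ("ied-01", "vendor_a", "jsmith", "Level3"),
    ("ied-02", "vendor_b", "jsmith", "operate"),
    ("ied-03", "vendor_b", "jsmith", "super"),   # no agreed equivalent
    ("ied-01", "vendor_a", "akhan", "Level1"),
    ("ied-04", "vendor_c", "akhan", "VIEWER"),   # device already uses standard names
]


def normalise(accounts, role_map=VENDOR_ROLE_MAP):
    """Return (who_where, unmapped); who_where[person][device] = standard role."""
    who_where, unmapped = defaultdict(dict), []
    for device, vendor, person, local_role in accounts:
        # A conforming device reports a standard name and needs no mapping.
        role = local_role if local_role in STANDARD_ROLES \
            else role_map.get((vendor, local_role))
        if role in STANDARD_ROLES:
            who_where[person][device] = role
        else:
            # Report the gap; never guess an equivalent role.
            unmapped.append((device, person, local_role))
    return dict(who_where), unmapped


def inconsistent(who_where):
    """People whose effective standard role differs from device to device."""
    return {person: sorted(set(devices.values()))
            for person, devices in who_where.items()
            if len(set(devices.values())) > 1}


if __name__ == "__main__":
    who_where, unmapped = normalise(ACCOUNTS)
    print("who can do what, where:", who_where)
    print("role differs across devices:", inconsistent(who_where))
    print("unmapped local roles:", unmapped)
```

Every entry in the unmapped list is a device where the "who can do what, where?" answer still depends on vendor documentation rather than on a standard role.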
How -8 binds to the rest of the family
- The identity comes from the X.509 certificate via 62351-3 TLS or the application-layer auth in 62351-4.
- The role is carried either in an X.509 attribute extension, where the certificate itself says “this principal is an OPERATOR”, or in a separate attribute certificate that asserts the role.
- The enforcement happens in the device firmware: the MMS or DNP3 server checks “is this role allowed to issue this command?” before executing.
The certificate-extension mechanism leans on 62351-9 for issuance and lifecycle.
Deployment status
-8 is one of the lower-adoption parts of the family in GB transmission and distribution. The dominant pattern is still per-device local accounts with vendor-specific role names, glued together by procedural controls in the operator’s permit-to-work system. Migrating to centralised RBAC needs a working PKI, conforming firmware on enough of the fleet to be worth the integration, and an IDM team prepared to take ownership of OT identities — three preconditions that don’t usually align.
When -8 does deploy, it tends to land first in the engineering-workstation-to-station-bus conduit, where the audit pressure is highest and the device count is lowest.