A security layer in an industrial control and automation system includes a user database, a web server, a secure token server (STS), and an application server. The user database is configured to store identities of users with credentials to access controls of the security layer. The web server is configured to identify an operator using a client device. The STS is configured to authenticate the operator for the security layer. The application server is configured to negotiate access for the client device for a target application server in a target security layer.