About the Security Module

The Security Module in Tatsoft FactoryStudio plays a crucial role in ensuring the safety and integrity of your projects by managing user access, roles, and permissions. It allows administrators to control who can access, view, and modify project components, as well as manage runtime user interactions with displays and actions. This module also supports integration with external user authentication systems, such as Active Directory (AD) and LDAP, to streamline user management across your organization, and implements the technical requirements for critical infrastructures and regulated process automation, including FDA 21 CFR Part 11.

In this chapter, we will explore the key concepts and terminologies related to the Security Module, its configuration process, and the application of security measures in your projects. By the end of this chapter, you will have a solid understanding of how to effectively manage users, roles, and permissions, and ensure a secure environment for your FactoryStudio projects.


Purpose and Key Concepts

Users

Anyone accessing the project, in either engineering or runtime mode, is a User.

Note: Guest access
If the User has not executed any Log On or Identification procedure, the User is recognized as the pre-defined Guest User, which is equivalent to anonymous access.

Permissions

The Permissions concept ensures that users access only the necessary functionalities and data for their job, reducing the risk of security breaches and unauthorized activities. The group-based Permissions allow configuring which functions users can access while editing or during the project runtime.

Policies

The Policies enable the management of the requirements on User Identification and Session control. For instance, you can set up a Policy requiring passwords of at least 8 letters (Identification Policy) and an automated LogOff after 8 hours of usage (Session Policy). Then, you set up which Users are required to follow that Policy.

Runtime Users

It is a very common Project requirement to dynamically add and remove Users. Instead of modifying the Project every time, the platform provides the concept of Runtime Users, which are dynamically created and retrieved from an external encrypted SQL database; other Identification servers can also be integrated.

Together, the Runtime Users and the users defined in the SecurityUsers table are called Project Users.

Note

The main difference between the two is that engineering users can access the software's engineering mode, allowing them to design and configure the project. In contrast, runtime users can only use the application; they cannot change the project configuration or design, since they don't have access to the engineering mode.



Understanding the Security module

Protecting access to Project Configuration


Allowing role security for Operators Interfaces




Configuring the Security module

Configuration Workflow

Security module configuration workflow

| Action | Where | Comments |
|---|---|---|
| Edit Users | Security → Users | |
| Set users permissions | Security → Permissions | |
| Define security Policies | Security → Policies | |
| Manage RuntimeUsers | Security → RuntimeUsers | |



Creating, editing and managing users

The Named Users with authorization to access the Project are defined in the SecurityUsers table on Security → Users.

Tip: To add or edit users
  • Go to Security → Users.
  • Enter or select information, as needed.

Pre-defined users

The following user names are configured by default:

Pre-built Users

  • Administrator: Built-in user that controls the Security System. No password is configured by default. You should set a password for this user.
  • Guest: Used by default for access and when you log off as another user. No password is configured by default.
  • User: Used as a generic login user. No password is configured by default.

Warning

You cannot delete the Guest user or add a password to it. The Guest user must be available as the default user when you log off as another user. You may want to change the Guest user permissions so that Guest users do not have access to any resource.

Warning

Do not create other Users with those names or change the row ID of those users, as they are built-in platform objects.

Note

The Administrator is the only user who can delete or block users and the only user who can define passwords for Database DB interfaces.

Info

The Guest User is used for anonymous login and does not have a password assigned to it.

Removing Users

You have three ways to disable users:

  • Blocking: Use to block the user’s access. You may want to use this for users who are no longer in your company.
  • Flagging as deleted: Use to block the user’s access and flag the user as deleted, without deleting the user. You may want to use this for users who are no longer in your company.
  • Deleting: Removes the user completely from the system.

The method used varies according to the Security requirements on managing users for your application.

Defining Permissions and Policies

The project Permissions are defined in the SecurityUsers table on Security → Permissions.

Tip: To configure Permissions
  • Go to Security → Permissions.
  • Edit the fields in the table.

The project Policies are defined in the SecurityUsers table on Security → Policies.

Tip: To configure Policies

  • Go to Security → Policies
  • Edit the fields in the table

Connecting Users with Permission Groups

In the Security → Users table, the Permissions column can be updated to include all Permission Groups authorized for each user. To apply the same settings to more than one user, select multiple rows and right-click to edit the combined rows.



Runtime Users


Integration with AD/LDAP

Windows AD Integration

Instead of validating the Users again, the credentials in the Project configuration and the identification of the User connection can be executed automatically using our native Windows Active Directory integration. This functionality is only available for Users connecting from Windows operating systems.

Info

For more information, see Windows AD / LDAP Server.

AD/LDAP Server Integration

When the integration with Windows AD is not available, automated identification is still possible by using the business server to define an LDAP server to be used by the project.

Info

For more information, see Windows AD / LDAP Server.



Applying Security on Project Configuration



Applying Security on Runtime Displays




Working with the Security module

Runtime Execution



Customizing Login Procedures



Security module integrations



Managing users with scripts



Using Policies and e-sign




Troubleshooting and best practices

By exploring the following sections, you will gain a deeper understanding of the Security module's capabilities and learn how to leverage its full potential to improve your industrial processes, increase efficiency, and drive sustainable growth.

Common issues and solutions

You'll be able to familiarize yourself with common problems that may arise when using the Security module and learn effective troubleshooting techniques to resolve these problems quickly and efficiently.

Tip

Diagnostics information about the Security module execution is located in the Security troubleshooting page.

Best practices and recommendations

Benefit from the knowledge of experts and experienced users by following our curated list of best practices and recommendations. These guidelines will help you ensure the successful implementation of the Security module and maximize its impact on your industrial operations.

Tip

Please take a look at Security's best practices and recommendations.

Security module runtime attributes


The namespace Security has all the runtime information regarding the security system.

Info
For general information on namespace and object concepts, go to the section Objects and Attributes.


The Client object has information about the user currently logged in at that client station:

Examples
  • Client.Username: The name of the currently logged-in user.
  • Client.CurrentUser: Reference to a data structure with all the information of the currently logged-in user.


Tip: Programming reference on runtime objects

See Namespaces Reference for the complete list of properties and available methods.




CONTENT TO USE AS A BASIS FOR THE NEW ORGANIZATION

NEW ORGANIZATION

About the Security Module

Key Concepts and Terminology

* Users

* Permissions

* Policies

* Runtime Users

How the Security Module Works

Features Highlights

Protecting Access to Project Configuration

Allowing Role Security for Operators Interfaces

Integrates with Active Directory, LDAP or other systems

FDA 21 CFR 11 Compliance

Configuring the Security Module

* Configuration Workflow

* Creating and Managing Users

** Pre-defined Users

** Runtime Users

* Defining Permissions and Policies

* Applying Security on Project Configuration

* Applying Security on Displays and User Interface

Working with the Report Module

* Runtime Execution

* Customizing Login Procedures

* Integration with Other Modules

Managing Users with Scripts

* Advanced Features and Options

Troubleshooting and Best Practices

* Common Issues and Solutions

* Best Practices and Recommendations

* Security Module Runtime Attributes

This page provides information about the Security module. Here you can learn about user authentication and access control features, including managing user accounts and assigning specific permissions to different users based on their responsibilities and job functions. Check how to ensure the protection and privacy of your system, prevent unauthorized access and data breaches, and maintain the highest security levels in your project. Consider this page an essential resource to help you extract the full potential of the Security module.

User Settings

The Named Users with authorization to access the Project are defined in the SecurityUsers table on Security → Users.

Tip: To add or edit users
  • Go to Security → Users.
  • Enter or select information, as needed.

Pre-defined Users

The following user names are configured by default:

Pre-built Users

  • Administrator: Built-in user that controls the Security System. No password is configured by default. You should set a password for this user.
  • Guest: Used by default for access and when you log off as another user. No password is configured by default.
  • User: Used as a generic login user. No password is configured by default.


Warning

You cannot delete the Guest user or add a password to it. The Guest user must be available as the default user when you log off as another user. You may want to change the Guest user permissions so that Guest users do not have access to any resource.


Warning
Do not create other Users with those names nor change the row ID of those users, as they are built-in platform objects.


Note
The Administrator is the only user who can delete or block users and the only user who can define passwords for Database DB interfaces.


Info

The Guest User is used for anonymous login and does not have a password assigned to it.



Permissions Settings

The project permissions are defined in the SecurityUsers table on Security → Permissions.

Tip: To configure Permissions
  • Go to Security → Permissions.
  • Edit the fields in the table

Pre-defined Security groups

The platform comes with a few predefined Permission groups that you can use, or you can create your own.

Security groups

  • User: The User group has access to the system and can view specific information, such as displays or tags, without the ability to make changes.
  • Guest: The Guest group has limited access to the system and can only view specific information, such as displays or tags, without the ability to make changes.
  • Engineering: This Security Group has high-level access to system configuration settings, such as tag configuration and project settings. They may also have permission to perform system modifications and create new projects.
  • Administrator: The Administrator group has full access to all functionalities and settings within the system, including creating and modifying users, security policies, and other system settings.
  • Supervisor: The Supervisor group has access to a broader range of system functionalities, such as the ability to create and modify displays, tags, and alarms. They may also have access to reports and other system settings required for their job function.
  • Maintenance: The Maintenance group can access maintenance functionalities, such as creating, modifying, and deleting tags, alarms, and trends. They may also have access to specific displays or other system settings required for their job function.
  • Operator: The Operator group can access specific functionalities like opening displays, executing commands, and viewing data. They may also have limited access to modify detailed settings required for their job function.


Connecting Users with Permission Groups

In the Security → Users table, the Permissions column can be updated to include all Permission Groups authorized for each user. To apply the same settings to more than one user, select multiple rows and right-click to edit the combined rows.

Disabling Windows Applications Switch

When Task Switch is disabled, the following actions/keys will be inhibited for that User:

  • Access to the Start button and the Task Toolbar
  • Windows Logo button
  • Ctrl + Alt + Del
  • Ctrl + ESC
  • Alt + Tab
  • Alt + F4
  • Windows Logo + L


Info: Setup to use the Application Switching disable feature

This configuration applies to RichClients and SmartClients. The file DisableTaskSwitchProtection.bat must be run from the installation directory in order to install the keyboard driver necessary to implement this feature. 



Policies Settings

You can configure settings that you can apply to users.

The platform comes with a few predefined policies that you can use, or you can create your own.

Tip: To configure Policies
  • Go to Security → Policies.
  • Edit the fields in the table.

Applying Policies to Users

The policies you create are available for use in the SecurityUsers table, in the Policy column.



...