Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


HTML
<style>
.text-span-6 {
    background-image: linear-gradient(99deg, rgba(170, 163, 239, .5), rgba(125, 203, 207, .5));
    border-radius: 50px;
    padding-left: 15px;
    padding-right: 15px;
}

#title-text {
display: none;
}

.panelgradient {
    background-image: linear-gradient(180deg, #d5def0, whitesmoke);
    border-radius: 8px;
    flex-direction: column;
    justify-content: center;
    align-items: center;
    padding: 4rem;
    display: flex;
    position: relative;
}

</style>


<div class ="panelgradient">

<h1 style="text-align: center;">Security <br> (Users and Roles)</h1>

</div>



Introduction to the Security Module

Image Added

The Security Module ensures the safety and integrity of your projects.

Some of the key features include:

  • Managing user access, roles, and permissions. 
  • Controls who can access, view, and modify solution components. 
  • Controls who can manage runtime user interactions with displays and actions.

Image Added

About the Security module

The Security module is crucial for any control system or industrial application. It provides robust security measures to prevent unauthorized access, data breaches, system downtime, and other security-related issues. The module offers tools such as user authentication and access control features that allow system administrators to manage user accounts, assign specific rules and permissions based on their responsibilities and job functions, and restrict access to sensitive data and critical actions on the system.

The Security module provides high granularity access control during the product configuration phase, allowing multiple users to work on the same project safely and coordinate teamwork. It also manages user authorization and access control when the project runs, ensuring only authorized accesses can modify the configuration.

Additionally, the Security module ensures that only identified logger client users can open Displays, execute allowed commands, read or write specific Tags, and perform predefined behaviors. This creates a secure and controlled environment, giving users peace of mind knowing their system is protected from security threats.

The Security module was created to implement technical requirements for critical infrastructures and regulated process automation, including FDA 21 CFR Part 11.

InfoFor more information, refer to FDA 21 CFR 11 Compliance.

On this page:

Table of Contents
maxLevel3
minLevel2
styleNone


Key Concepts

and Terminology

and Terms

The Security Module defines the Users allowed to use or modify solution, and their Roles, Permission, and Security Policies. The definition of users can be created locally using the platform tools or executed in connection with external definitions such as Active Directory, LDAP servers, or external SQL databases.

Users

Anyone accessing the projectsolution, either on the engineering or runtime mode, is a User.

Note
titleGuess access
If the User did not execute any Log On or Identification procedure, it will be recognized as the pre-defined Guest User, which is equivalent to an anonymous access.

Permissions

The Permissions concept ensures that users access only the necessary functionalities and data for their job, reducing the risk of security breaches and unauthorized activities. The group-based Permissions allow configuring which functions users can access while editing or during the project runtime.

Policies

The Policies enable the management of the requirements on User Identification and Session control. For instance, you can setup a Policy for minimum of 8 letters passwords (Identification Policy) and an automated LogOff after 8 hours of usage (Session Policy). Then, you setup which Users will be required to follow that Policy.

Runtime Users

in engineering (Designer Tool) or in runtime mode (Displays).

Permissions

Permissions are set levels of access for each user that determine what they can or cannot do within the solution.

Policies

Policies manage requirements on User Identification and Session Control.

RuntimeUsers

These users are created and retrieved It is a very common Project requirement to dynamic add and remove Users. Instead of modifying the Project every time, the platform allows the concept of Runtime Users which are dynamically created and retried from an external encrypted SQL database , but other Identification server can be integrated. 

The combination of the Runtime Users and the ones defined at the SecurityUsers table are called Project Users.

Note

The main difference between the two is that engineering users can access the software's engineering mode, allowing them to design and configure the project. In contrast, runtime users only can use the application, they cannot change the project configuration or design since they don't have access to the engineering mode.

How the Security module works

Security features highlights

Protecting access to Project Configuration

Allowing role security for Operators Interfaces

Security integrations

Windows AD Integration

Instead of validating the Users again, the credentials in the Project configuration and the identification of the User connection can be automatically executed using our native Windows Active Directory integration. This functionality in only available for the Users connecting from Windows operating systems.

Info
For more information, see Windows AD / LDAP Server.

AD/LDAP Server Integration

When the integration with Windows AD is not available, it is still possible for an automated identification using the business server to define an LDAP server to be used by the project.

Info
For more information, Windows AD / LDAP Server.

Configuring the Security module

Configuration Workflow

Creating and managing users

Pre-defined users

Runtime users

Defining Permissions and Policies

Applying Security on Project Configuration

Applying Security on Displays and User Interface

Working with the Security module

Runtime Execution

Customizing Login Procedures

Security module integrations

Security in-depth

Managing users with scripts

Advanced features and options

Troubleshooting and best practices

Common issues and solutions

Best practices and recommendations

Security module runtime attributes

NEW ORGANIZATION

About the Security Module

Key Concepts and Terminology

* Users* Permissions
* Policies* Runtime Users

How the Security Module Works

Features Highlights Protecting Access to Project Configuraion  Allowing Role Security for Operators Interfaces Integrateswith Active Directly, LDAP or other systems FDA 21 CFR 11 Compliance

 Configuring the Security Module

        * Configuration Workflow

        * Creating and Managing Users

** Pre-defined Users** Runtime Users * Defining Permissions and Policies* Applying Security on Project Configuration* Applying Security on Displays and User Interface

Working with the Report Module

* Runtime Execution* Customizing Login Procedures

        * Integration with Other Modules

Managing Users with Scripts       * Advanced Features and Options

Troubleshooting and Best Practices

* Common Issues and Solutions* Best Practices and Recommendations* Security Module Runtime Attributes

This page provides information about the Security module. Here you can learn about user authentication and access control features, including managing user accounts and assigning specific permissions to different users based on their responsibilities and job functions. Check how to ensure the protection and privacy of your system, prevent unauthorized access and data breaches, and maintain the highest security levels in your project. Consider this page an essential resource to help you extract the full potential of the Security module.

or other identification servers.


Understanding the Security Module

What the Security Module Enables

User roles management

Managing user roles involves assigning a role to each user that defines their level of access to various components of the solution. Each role has its permissions, which can be customized to meet the security requirements of your organization.

Managing External Users (Runtime Users)

External Users in this context refers to users who are not part of the organization but need access to specific components of the project. This can include contractors, clients, or third-party vendors. These users are typically managed via RuntimeUsers or integration with Active Directory and LDAP.

Securing Solution Configuration

The platform provides several tools to secure the solution configuration itself.  By assigning Permissions and Policies, administrators can control which users have access to specific modules, editors and documents. This ensures that only authorized users can make changes on each part the solution configuration.

Securing Runtime Execution

Securing runtime involves managing user sessions in client displays by setting password requirements, session restrictions, and e-signature settings. The platform allows administrators to monitor client connections and manage active sessions.

Users, Permissions and Policies Summary

For a summary of the Security Configuration, go to Security Overview, which presents the basic configuration steps and properties for Users, Permission and Policies. 

The next section presents the configuration of those elements in further details.


Configuring the Security Module

Configuration Workflow

Each User is assigned to a set of Permissions and a to a Session Policy.

Security Configuration Interfaces

Action

Where 

Edit Users

Security / Users

Define security Permissions

Security / Permissions

Define security Policies 

Security / Policies

Manage RuntimeUsers

Security / RuntimeUsers

RuntimeUsers

Runtime Users are either defined in an external database or created dynamically using the CreateUser method. They can log in and use remote operation displays similarly to users specified in the solution configuration.

→ Read more about RuntimeUsers.

AD/LDAP Integrations

Windows AD Integration

The platform can automatically execute user credentials validation and user connection identification using native Windows Active Directory integration, available for users connecting from Windows operating systems.

→ Read more about Windows AD / LDAP Server.

AD/LDAP Server Integration

When Windows AD integration is unavailable, automated identification can still be achieved using a business server-defined LDAP server.

→ Read more about Windows AD / LDAP Server.


Working with the Security Module

Customizing Login Procedures

Modify the login page, fine-tune user validation, and incorporate custom logic into the client startup ScriptTask process for a tailored login experience.

Further User management can also be execute on Scripts.

→ Read more on Scripts, Handling Security

Applying Security to Displays

Regulate user access and interactions within displays, either by protecting the entire display, or specific commands or elements within each display.

Display Edit or Run Security

The configuration table Displays / List, has the columns EditSecurity and RunSecurity that allow to define the PermissionGroups allowed to configure, or open in runtime, each displays. 

Security within the Display

When drawing the solution User Interface, there is a Dynamic Property specifically to apply security to any Input the operator may do at the display.

→ Read more on Drawing User Interfaces / Dynamics and UI Elements, the Security Dynamic configuration. 


Security Runtime Attributes

The Securitynamespace contains all runtime information regarding the security system.

User Settings

The Named Users with authorization to access the Project are defined in the SecurityUsers table on Security → Users.

Tip
titleTo add or edit users
  • Go to Security → Users.
  • Enter or select information, as needed.

Pre-defined Users

The following user names are configured by default:

Pre-built Users

Administrator

Built-in user that controls the Security System. No password is configured by default. You should set a password for this user.GuestUsed by default to access and when you log off as another user. No password is configured by default.UserUsed as a generic login user. No password is configured by default.
Warning

You can not delete the Guest user, neither add a password to it. The Guest user must be available as the default user when you log off as another user. You may want to change the Guest user permissions, so that Guest users do not have access to any resource. 

Warning
Do not create other Users with those names nor change the row ID of those users, as they are built-in platform objects.
Note
The Administrator is the only user who can delete or block users and the only user who can define passwords for Database DB interfaces.
Info

Guest User is used for anonymous login and does not have password assigned to it.

Users Properties

Security Users properties

Field/Column

Description

Name

Enter a user name. The system allows you to know if the name is not valid.

Permissions

Select the permission group to be used by this user. See Configuring Permissions.

Password

Enter a password for the user. The system allows you to know if the password is not valid. You can configure password requirements. See Configuring Policies.

PasswordHint

Enter information that can help you remember the user’s password.

Policy

Select the policy settings to use for this user. See Configuring Policies.

Blocked

Select to block the user’s access. You may want to use this for users who are no longer in your company.

Deleted

Select to block the user’s access and flag the user as deleted, without deleting the user. You may want to use this for users who are no longer in your company.

Profile

Enter the user’s email address, phone number, and full name.

RemovingUsers

You have three ways to disable users:

  • Blocking: Use to block the user’s access. You may want to use this for users who are no longer in your company.
  • Flagging as deleted: Use to block the user’s access and flag the user as deleted, without deleting the user. You may want to use this for users who are no longer in your company.
  • Deleting: Removes the user completely from the system.

The method used varies according to the Security requirements on managing users for your application.

Permissions Settings

The project permissions are defined in the SecurityUsers table on Security → Permissions.

Tip
titleTo configure Permissions
  • Go to Security → Permission
  • Edit the fields in the table

Security Permissions properties

Column

Description

Name

Enter a name for the group. 

Edit

Select the modules users in the group can access when editing a project.

Image Removed

Run

Select the modules users in the group can access when using the runtime.

Image Removed

Description

Enter a description for the Permission group.

Edit permissions

Image Removed

Edit Permissions properties

Property

Description

Unrestricted

Select to allow all Edit Permissions

EditTags

Select to allow tag editing.

Historian

Allow edition in Historian module.

Security

Select to allow for the Security module access.

Alarms

Select to allow for the Alarms module access.

Scripts

Select to allow for the Script module access.

Datasets

Select to allow for the Datasets module access.

Displays

Select to allow for the Displays module access.

Reports

Select to allow for the Reports module access.

Startup

Select to allow Startup.

Publish

Select to allow Publish.

Settings

Select to allow for the Settings access.

Notes

Select to allow for the Notes access.

CreateTags

Select to allow tag creating.

Run permissions

Image Removed

Run Permissions properties

Property

Description

Unrestricted

The user gets permission to do everything.

Test

Once selected, the user can run a Test.

Startup

Once selected, the user can run a Startup with all the modules. If not, the modules script, datasets, devices, and reports will not start.

Shutdown

Once selected, the user is able to shutdown the application

ClientStart

Once selected, the user is able to run all the modules in a startup. If not, the modules displays and devices will not start.

ClientShutdown

Once selected, the user is able to shutdown the application as a client.

StartTools

Once selected, the user can run the diagnostics tool, such as: property watch, trace window and module information. If it is not selected, the user is unable to start these tools.

ToolsSetValues

Once selected, the user gets the read-only permission in the diagnostics tool, such as: property watch, trace window and module information.

CreateUsers

Once selected, the user is able to create new user for the project.

SwitchApplication

If it is not selected, the user can not switch application, the taskbar disappears.

WebAccess

When the user has this permission, he can access the Web Client through the URL found in the Info → Redundancy → Web Client URL. If this option is not selected, the user cannot use the Web Client.

Pre-defined Security groups

The platform comes with a few predefined Permission groups that you can use, or you can create your own.

Security groups

UserThe User group has access to the system and can view specific information, such as displays or tags, without the ability to make changes.GuestThe Guest group has limited access to the system and can only view specific information, such as displays or tags, without the ability to make changes.EngineeringThis Security Group has high-level access to system configuration settings, such as tag configuration and project settings. They may also have permission to perform system modifications and create new projects.AdministratorThe Administrator group has full access to all functionalities and settings within the system, including creating and modifying users, security policies, and other system settings.SupervisorThe Supervisor group has access to a broader range of system functionalities, such as the ability to create and modify displays, tags, and alarms. They may also have access to reports and other system settings required for their job function.MaintenanceThe Maintenance group can access maintenance functionalities, such as creating, modifying, and deleting tags, alarms, and trends. They may also have access to specific displays or other system settings required for their job function.OperatorThe Operator group can access specific functionalities like opening displays, executing commands, and viewing data. They may also have limited access to modify detailed settings required for their job function.

Connecting Users with Permission Groups

At the Security → Users table, the column Permissions can be updated to include all Permission Groups authorized to each user. Select multiple rows, right-click to edit the combined rows, when applying same settings to more than one user.

Disabling Windows Applications Switch

When Task Switch is disabled, the following actions/keys will be inhibited for that User:

  • Access to the Start button and the Task Toolbar
  • Windows Logo button
  • Ctrl + Alt + Del
  • Ctrl + ESC
  • Alt + Tab
  • Alt + F4
  • Windows Logo + L
Info
titleSetup to use Application Switching disable feature

This configuration applies to RichClients and SmartClients. The file DisableTaskSwitchProtection.bat must be run from the installation directory in order to install the keyboard driver necessary to implement this feature. 

Policies Settings

You can configure settings that you can apply to users.

The platform comes with a few predefined policies that you can use, or you can create your own.

Tip
titleTo configure Policies
  • Go to Security → Policies.
  • Edit the fields in the table.

Security Policies properties

Column

Description

Name

Enter a name for the policy. The system allows you to know if the name is not valid.

Identification

Select the password rules for both editing a project and accessing the runtime.

Image Removed

Esign

For runtime only. Select to enable a timeout for the runtime login. Enter the timeout period in minutes.

Image Removed

Session

For runtime only. Use to enable a timeout for the runtime session. Select what will cause an automatic logoff, then enter the appropriate values for InactivityMinutes and DurationHours. This setting only logs the user off. The application continues to run.

Image Removed

Description

Enter a description for the policy.

Identification properties

Image Removed

Security Identification properties

Property

Description

AllowPasswordChange

Allows password changes.

PasswordMinLength

Sets the minimum password length.

BlockOnInvalidAttempts

Defines the maximum number of invalid attempts before blocking.

AllowShareUser

UserNameMinLength

Sets the minimum length of the user name.

PasswordHistory

MinPasswordAge

MaxPasswordAge

BlockAging

Esign properties

Image Removed

Security Esign properties

Property

Description

Enableed

TimeoutMinutes

Session properties

Image Removed

Security Session properties

Property

Description

AutoLogOff

InactivityMinutes

DurationHours

Applying Policies to Users

The policies you create are available to be used on SecurityUsers tables, at the column Policy

Runtime Users Security Management

When running the application, the Login procedure will accept all users defined in the Project Configuration, but additional users defined dynamicaly during the runtime execution can be included.

The Runtime Users are stored in the default database, defined on Datasets → Dos → RuntimeUsers. You can customize the databased used to that storage at the Module Datasets. You can populate that database directly before starting the runtime, or after the project is running, you can create or modify the users with the methods in the Security Namespace

To create a Runtime Display to mange the Users, there is platform Plugin with a template application.

Go to Project → Plugins and import the Plugin named UserManagement.It will create the names SecurityAccounts and ChangePass to assist in the User management.

Adding Runtime Users 

Below you can find more details regarding the available RuntimeUser methods in the Security namespace.

Code Block
languagec#
titleAdding Runtime Users
@Security.NewRuntimeUser(string name, out int errorCode)
// Creates a new RuntimeUser
//  name:  User  Name
// errorCode: Error code (output)
// Returns: String containing the error message (if error) or empty (if not error)

@Security.AddRuntimeUser(string name, string permissionsStr, string password, string passwordHint, string policyStr, string profilePhone, string profileCompleteName, bool oneTimePassword)
// Add Runtime User
// name:  User  Name
// permissions Str: Permissions
// password: Password
// passwordHint: Password hint
// policyStr: Policy
// profileEmail: Profile email
// profilePhone: Profile phone
// profileCompleteName: Profile complete name
// oneTimePassword: flag (true or false) to set a One Time Password setting. If true, a password change is required after first login
// Returns: String containing error message (if error) or empty (if not error)

Customizing Login Procedures

The Login page is editable. You just need to select the display with name LogOn to edit its layout. As you can see in the code behind of that display, it calls the method Security.Logon()to do the validation of the user. If you want to perform any other user validation, you just need to modify that logic calling your own validation system, and then calling the LogOn method, according to the results of your validation.Another way to customize the logon is to put your own custom logic on the ClientStartup script task. The script is executed on any computer that is connected to the server application. You can perform verifications based on computer IP, computer name, Windows Active-Directory Logged user, or any other criteria to specify if the user is allowed to start the application and which should be their credentials. After that, you can either call client.Shutdown to terminate the application if it was an unauthorized access or Security.Logon()with a user that matches the selected security profile.

By default, when starting the application on a client computer, instead of requesting a login, we start the system with the user GUEST. The user Guest is equivalent to an anonymous login. If you do not want that on your application, just replace the startup page with a page requesting the Logon information.

The Security Namespace

The namespace Security has all the runtime information regarding the security system.

Info
For general information on namespace and object concepts, go to the section Objects and Attributes.

The Clientobject has information about the current user logged at that client station

:

.

Examples

Client.Username

The property is the name of current logged user.

Client.CurrentUser
Reference to a

References the data structure with all the information of the currently logged-in user.

Tip
titleProgramming reference on runtime objects

See Namespaces Reference for the complete list of properties and available methods.

In this section...


Read more about Objects and Namespaces.


Anchor
BestPractices
BestPractices
Best Practices and Troubleshooting

Best Practices and Recommendations:

  • Regularly update your user list and their associated permissions to maintain security.
  • Conduct periodic audits of user accounts and permissions, making necessary updates and removing inactive users.
  • Enforce strong password policies to enhance security.
  • Require complex passwords that include uppercase and lowercase letters, numbers, and special characters. Encourage regular password changes.
  • Keep your system up-to-date with patches and updates.
  • Regular updates often include security enhancements and fixes. Ensure your system is up-to-date to benefit from these improvements.

Troubleshooting and Common Issues:

  • User Cannot Log In: Ensure the user is entering correct login credentials. Check if the user's account is active and not blocked or flagged as deleted. If the problem persists, contact your system administrator.
  • Permission Denied Error: Check the user's assigned Permissions. Ensure they have the necessary access rights to perform the desired action. Update their Permissions or assign them to a different user group if necessary.

In this section:

Page Tree
root@self
spacesV10

...