Security (Users and Roles)



Introduction to the Security Module

The Security Module ensures the safety and integrity of your projects.

Some of the key features include:

  • Managing user access, roles, and permissions.
  • Controlling who can access, view, and modify solution components.
  • Controlling who can manage runtime user interactions with displays and actions.

This module also supports integration with external user authentication systems, such as Active Directory (AD) and LDAP, to streamline user management across your organization, and implements the technical requirements for critical infrastructures and regulated process automation, including FDA 21 CFR Part 11.

In this chapter, we will explore the key concepts and terminologies related to the Security Module, its configuration process, and the application of security measures in your projects. By the end of this chapter, you will have a solid understanding of how to effectively manage users, roles, and permissions, and ensure a secure environment for your FactoryStudio projects.


Key Concepts and Terms

The Security Module defines the Users allowed to use or modify the solution, and their Roles, Permissions, and Security Policies. Users can be defined locally using the platform tools or through a connection to external definitions such as Active Directory, LDAP servers, or external SQL databases.

The Security module ensures robust protection and precise control over access to crucial system features and resources for proper management and operation. By implementing and managing security policies, permissions, and user information, organizations can safeguard their industrial automation environment, maintain confidentiality, and ensure compliance with security standards. Understanding the Security module is facilitated through key concepts such as Users, Permissions, Policies and Runtime Users.

Users

Anyone accessing the solution, either in engineering (Designer Tool) or in runtime mode (Displays), is a User.

Note: Guest access
If the User did not execute any Log On or Identification procedure, it is recognized as the pre-defined Guest User, which is equivalent to anonymous access.

Permissions

Permissions are set levels of access for each user that determine what they can or cannot do within the solution. They ensure that users access only the functionalities and data necessary for their job, reducing the risk of security breaches and unauthorized activities. The group-based Permissions allow configuring which functions users can access while editing or during runtime.

Policies

Policies manage requirements on User Identification and Session Control. For instance, you can set up a Policy requiring passwords of at least 8 letters (Identification Policy) and an automated LogOff after 8 hours of usage (Session Policy). Then, you set which Users are required to follow that Policy.

RuntimeUsers

It is a very common requirement to dynamically add and remove Users. Instead of modifying the Project every time, the platform provides Runtime Users, which are dynamically created and retrieved from an external encrypted SQL database or other identification servers.

The combination of the Runtime Users and the ones defined in the SecurityUsers table is called Project Users.

Note
The main difference between the two is that engineering users can access the software's engineering mode, allowing them to design and configure the project. In contrast, runtime users can only use the application; they cannot change the project configuration or design, since they do not have access to the engineering mode.

Understanding the Security Module

What the Security Module Enables

User roles management

Managing user roles involves assigning a role to each user that defines their level of access to various components of the solution. Each role has its permissions, which can be customized to meet the security requirements of your organization.

Managing External Users (Runtime Users)

External Users in this context refers to users who are not part of the organization but need access to specific components of the project. This can include contractors, clients, or third-party vendors. These users are typically managed via RuntimeUsers or integration with Active Directory and LDAP.

Securing Solution Configuration

The platform provides several tools to secure the solution configuration itself. By assigning Permissions and Policies, administrators can control which users have access to specific modules, editors and documents. This ensures that only authorized users can make changes to each part of the solution configuration.

Securing Runtime Execution

Securing runtime involves managing user sessions in client displays by setting password requirements, session restrictions, and e-signature settings. The platform allows administrators to monitor client connections and manage active sessions.

Users, Permissions and Policies Summary

For a summary of the Security Configuration, go to Security Overview, which presents the basic configuration steps and properties for Users, Permissions and Policies.

The next section presents the configuration of those elements in further detail.


Configuring the Security Module

Configuration Workflow

Each User is assigned a set of Permissions and a Session Policy.

Security Configuration Interfaces

| Action | Where |
|---|---|
| Edit Users | Security → Users |
| Define security Permissions | Security → Permissions |
| Define security Policies | Security → Policies |
| Manage RuntimeUsers | Security → RuntimeUsers |

RuntimeUsers

Runtime Users are either defined in an external database or created dynamically using the CreateUser method. They can log in and use remote operation displays similarly to users specified in the solution configuration.

Read more about RuntimeUsers.

Users, Permissions and Policies

Creating, editing and managing users

The Named Users with authorization to access the Project are defined in the SecurityUsers table on Security → Users.

Pre-defined users

The following user names are configured by default:

Pre-built Users

| User | Description |
|---|---|
| Administrator | Built-in user that controls the Security System. No password is configured by default. You should set a password for this user. |
| Guest | Used by default to access and when you log off as another user. No password is configured by default. |
| User | Used as a generic login user. No password is configured by default. |

The Guest user is the default user for anonymous logins and does not have a password assigned. It cannot be deleted or have a password added. When you log off as another user, the Guest user must be available. To restrict access to resources, you may modify the permissions for the Guest user.

Avoid creating other users with the same names or altering the row IDs of these built-in platform objects. The Administrator is the sole user capable of deleting or blocking users and defining passwords for database interfaces.

Removing Users

You have three ways to disable users:

Blocking: Use to block the user’s access. You may want to use this for users who are no longer in your company.

Flagging as deleted: Use to block the user’s access and flag the user as deleted, without deleting the user. You may want to use this for users who are no longer in your company.

Deleting: Removes the user completely from the system.

The method used varies according to the Security requirements on managing users for your application.
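
An added example (not platform or vendor code): a small Python audit over a constructed CSV export of the Security → Users table, flagging the conditions this section warns about: built-in accounts left without a password, user names that collide with the built-in ones, extra permission groups on the anonymous Guest, and blocked or deleted-flagged accounts that still list privileged groups. The CSV layout, the PasswordSet, Blocked and Deleted column names, and case-insensitive name matching are assumptions made for the example.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of the Security -> Users table.
# "Name", "Permissions" and "Policy" mirror columns named on this page;
# "PasswordSet", "Blocked" and "Deleted" are assumed columns for this example.
SAMPLE_EXPORT = """\
Name,Permissions,Policy,PasswordSet,Blocked,Deleted
Administrator,Administrator,Default,no,no,no
Guest,Guest;Operator,Default,no,no,no
User,User,Default,no,no,no
administrator,Engineering,Enhanced,yes,no,no
jsmith,Operator,Enhanced,yes,no,no
mlopez,Engineering;Supervisor,Critical,yes,yes,no
"""

BUILT_IN = ("Administrator", "Guest", "User")
# Groups treated as privileged in this example (full or high-level access).
PRIVILEGED_GROUPS = {"Administrator", "Engineering"}


def audit_users(export_text):
    """Return sorted (user, finding) tuples for a users-table export."""
    findings = []
    seen_built_in = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Name"].strip()
        groups = {g.strip() for g in row["Permissions"].split(";") if g.strip()}
        has_password = row["PasswordSet"].strip().lower() == "yes"
        disabled = "yes" in (row["Blocked"].strip().lower(),
                             row["Deleted"].strip().lower())

        # Assumption: names are compared case-insensitively against built-ins.
        built_in = next((b for b in BUILT_IN if b.lower() == name.lower()), None)
        if built_in and (name != built_in or built_in in seen_built_in):
            findings.append((name, f"name collides with built-in {built_in}"))
        elif built_in:
            seen_built_in.add(built_in)
            # Guest can never have a password; Administrator and User can.
            if built_in != "Guest" and not has_password:
                findings.append((name, "built-in account has no password"))
            if built_in == "Guest" and groups - {"Guest"}:
                extra = ", ".join(sorted(groups - {"Guest"}))
                findings.append((name, f"anonymous Guest also holds: {extra}"))

        if disabled and groups & PRIVILEGED_GROUPS:
            findings.append((name, "disabled account keeps privileged groups"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```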

Defining Permissions

The project Permissions are defined in the SecurityUsers table on Security → Permissions.

Pre-defined Security groups

The platform comes with a few predefined Permission groups that you can use, or you can create your own.

Security groups

| Group | Description |
|---|---|
| User | The User group has access to the system and can view specific information, such as displays or tags, without the ability to make changes. |
| Guest | The Guest group has limited access to the system and can only view specific information, such as displays or tags, without the ability to make changes. |
| Engineering | This Security Group has high-level access to system configuration settings, such as tag configuration and project settings. They may also have permission to perform system modifications and create new projects. |
| Administrator | The Administrator group has full access to all functionalities and settings within the system, including creating and modifying users, security policies, and other system settings. |
| Supervisor | The Supervisor group has access to a broader range of system functionalities, such as the ability to create and modify displays, tags, and alarms. They may also have access to reports and other system settings required for their job function. |
| Maintenance | The Maintenance group can access maintenance functionalities, such as creating, modifying, and deleting tags, alarms, and trends. They may also have access to specific displays or other system settings required for their job function. |
| Operator | The Operator group can access specific functionalities like opening displays, executing commands, and viewing data. They may also have limited access to modify detailed settings required for their job function. |

Using Policies and e-sign

Defining Policies

The project Permissions are defined in the SecurityUsers table on Security → Policies.

Pre-defined Policies

The platform comes with a few predefined policies that you can use, or you can create your own.

Policies

  • Default
  • Enhanced
  • Critical

Connecting Users with Permission Groups

In the Security → Users table, the Permissions column can be updated to include all Permission Groups authorized for each user. To apply the same settings to more than one user, select multiple rows and right-click to edit the combined rows.

AD/LDAP Integrations

Windows AD Integration

The platform can automatically execute user credentials validation and user connection identification using native Windows Active Directory integration. This functionality is only available for users connecting from Windows operating systems.

Read more about Windows AD / LDAP Server.

AD/LDAP Server Integration

When Windows AD integration is unavailable, automated identification can still be achieved using a business-defined LDAP server.

Read more about Windows AD / LDAP Server.


Working with the Security Module

Runtime Execution

For an in-depth understanding of security at runtime, see Security Runtime Execution.

Monitoring Client Connections

Monitoring Client Connections lets you track and manage active connections, which supports efficient troubleshooting and resource allocation for your project's needs. See Monitoring Client Connections for details.

Customizing Login Procedures

Custom Login Procedures let you modify the login page, fine-tune user validation, and incorporate custom logic into the client startup process. This allows for a tailored login experience that suits your project's specific requirements. For a deeper understanding of how to customize login procedures and to examine detailed examples, see Customizing Login Procedures.

Managing Users on Displays and Scripts

Further User management can also be executed in Scripts.

Read more on Scripts, Handling Security

Applying Security to Displays

Regulate user access and interactions within displays, either by protecting the entire display, or specific commands or elements within each display. For an in-depth understanding of user management on displays and scripts, see Managing Users on Displays and Scripts.

Display Edit or Run Security

The configuration table at Displays → List has the columns EditSecurity and RunSecurity, which define the PermissionGroups allowed to configure each display or open it in runtime.

Security within the Display

When drawing the solution User Interface, a dedicated Dynamic Property applies security to any input the operator may make on the display.

→ Read more on Drawing User Interfaces / Dynamics and UI Elements, the Security Dynamic configuration. 


Security Runtime Attributes

The Security namespace contains all the runtime information regarding the security system.

For general information on namespace and object concepts, go to the section Objects and Attributes.

The Client object has information about the current user logged in at that client station.

Examples

Client.Username
The name of the currently logged-in user.

Client.CurrentUser
References the data structure with all the information of the currently logged-in user.

See Namespaces Reference for the complete list of properties and available methods.

Troubleshooting and best practices

By exploring the following sections, you will gain a deeper understanding of the Security module's capabilities and learn how to leverage its full potential to improve your industrial processes, increase efficiency, and drive sustainable growth.

Common issues and solutions

You'll be able to familiarize yourself with common problems that may arise when using the Security module and learn effective troubleshooting techniques to resolve these problems quickly and efficiently.

Diagnostics information about the Security module execution is located in the Security troubleshooting page.

Best practices and recommendations

Benefit from the knowledge of experts and experienced users by following our curated list of best practices and recommendations. These guidelines will help you ensure the successful implementation of the Security module and maximize its impact on your industrial operations.

Please take a look at Security's best practices and recommendations.

CONTENT TO USE AS A BASIS FOR THE NEW ORGANIZATION

This page provides information about the Security module. Here you can learn about user authentication and access control features, including managing user accounts and assigning specific permissions to different users based on their responsibilities and job functions. Check how to ensure the protection and privacy of your system, prevent unauthorized access and data breaches, and maintain the highest security levels in your project. Consider this page an essential resource to help you extract the full potential of the Security module.


Best Practices and Troubleshooting

Best Practices and Recommendations:

  • Regularly update your user list and their associated permissions to maintain security.
  • Conduct periodic audits of user accounts and permissions, making necessary updates and removing inactive users.
  • Enforce strong password policies to enhance security.
  • Require complex passwords that include uppercase and lowercase letters, numbers, and special characters. Encourage regular password changes.
  • Keep your system up-to-date with patches and updates.
  • Regular updates often include security enhancements and fixes. Ensure your system is up-to-date to benefit from these improvements.

Troubleshooting and Common Issues:

  • User Cannot Log In: Ensure the user is entering correct login credentials. Check if the user's account is active and not blocked or flagged as deleted. If the problem persists, contact your system administrator.
  • Permission Denied Error: Check the user's assigned Permissions. Ensure they have the necessary access rights to perform the desired action. Update their Permissions or assign them to a different user group if necessary.

Permissions Settings

The project permissions are defined in the SecurityUsers table on Security → Permissions.

Disabling Windows Applications Switch

When Task Switch is disabled, the following actions/keys will be inhibited for that User:

  • Access to the Start button and the Task Toolbar
  • Windows Logo button
  • Ctrl + Alt + Del
  • Ctrl + ESC
  • Alt + Tab
  • Alt + F4
  • Windows Logo + L

This configuration applies to RichClients and SmartClients. The file DisableTaskSwitchProtection.bat must be run from the installation directory in order to install the keyboard driver necessary to implement this feature. 

Policies Settings

You can configure settings that you can apply to users.

The platform comes with a few predefined policies that you can use, or you can create your own.

Applying Policies to Users

The policies you create are available for use in the SecurityUsers table, in the Policy column.