Introduction to Security module
The Security module ensures the safety and integrity of your projects by managing user access, roles, and permissions. It allows administrators to control who can access, view, and modify project components and manage runtime user interactions with displays and actions.
This module also supports integration with external user authentication systems, such as Active Directory (AD) and LDAP, to streamline user management across your organization, and implements the technical requirements for for critical infrastructures and regulated process automation, including FDA 21 CFR Part 11.
In this chapter, we will explore the key concepts and terminologies related to the Security module, its configuration process, and the application of security measures in your projects.
On this page:
Purpose and Key Concepts
The Security module's purpose is to ensure secure data exchange between the platform and external databases. The concepts of Users, Permissions, Policies, and Runtime Users ease the Security module's understanding.
Users
Anyone accessing the project, either on the engineering or runtime mode, is a User.
Permissions
The Permissions concept ensures that users access only the necessary functionalities and data for their job, reducing the risk of security breaches and unauthorized activities. The group-based Permissions allow configuring which functions users can access while editing or during the project runtime.
Policies
The Policies enable the management of the requirements on User Identification and Session control. For instance, you can setup a Policy for minimum of 8 letters passwords (Identification Policy) and an automated LogOff after 8 hours of usage (Session Policy). Then, you setup which Users will be required to follow that Policy.
RuntimeUsers
It is a very common Project requirement to dynamic add and remove Users. Instead of modifying the Project every time, the platform allows the concept of Runtime Users which are dynamically created and retried from an external encrypted SQL database, but other Identification server can be integrated.
Understanding the Security module
User roles management
Managing user roles in FactoryStudio involves assigning a role to each user that defines their level of access to various components of the project. Each role has its permissions, which can be customized to meet the security requirements of your organization.
External Users Definitions
External Users in FactoryStudio refers to users who are not part of the organization but need access to specific components of the project. This can include contractors, clients, or third-party vendors. These users are typically managed via RuntimeUsers or integration with Active Directory and LDAP.
Securing Project Settings
FactoryStudio provides several tools to secure project settings. By assigning Permissions and Policies, administrators can control which users have access to specific project settings and features. This ensures that only authorized users can make changes to critical project settings.
Securing Runtime
Securing runtime involves managing user sessions in client displays by setting password requirements, session restrictions, and e-signature settings. FactoryStudio also allows administrators to monitor client connections and manage active sessions.
Configuring the Security module
Configuration Workflow
Each user is assigned to a security group defined in Permissions and a session policy configured in the Policies.
Permissions define the level of access users have for project configuration and client displays.
Policies, on the other hand, focus on managing user sessions in client displays, either WPF or HTML5, by setting password requirements, session restrictions, and e-signature settings.
Security module configuration workflow | |
|---|---|
Action | Where |
Edit Users | Security → Users |
Define security Permissions | Security → Permissions |
Define security Policies | Security → Policies |
Manage RuntimeUsers | Security → RuntimeUsers |
RuntimeUsers
RuntimeUsers are a separate group of users who are either defined in an external database or created dynamically using the CreateUser method, and they can log in and similarly utilize remote operation displays to the users specified in the Project configuration. See RuntimeUsers properties to explore the properties in detail.
AD/LDAP Integrations
Windows AD Integration
Instead of validating the Users again, the credentials in the Project configuration and the identification of the User connection can be automatically executed using our native Windows Active Directory integration. This functionality in only available for the Users connecting from Windows operating systems. For more information, see Windows AD / LDAP Server.
AD/LDAP Server Integration
When the integration with Windows AD is not available, it is still possible for an automated identification using the business server to define an LDAP server to be used by the project. For more information, Windows AD / LDAP Server.
Working with the Security module
Runtime Execution
For in-depth security runtime understanding, please explore the Security Runtime Execution.
Monitoring Clients Connections
The Monitoring Client Connections empowers you to track and manage active connections. This functionality enables efficient troubleshooting and resource allocation for your project's needs. Please refer to the Monitoring Client Connections for a comprehensive client connections understanding.
Customizing Login Procedures
The Custom Login Procedures enables you to modify the login page, fine-tune user validation, and incorporate custom logic into the client startup process. This allows for a tailored login experience that suits your project's specific requirements. For a deeper understanding of how to customize login procedures and to examine detailed examples, please consult the Customizing Login Procedures.
Managing Users on Displays and Scripts
The User Management on Displays and Scripts enables you to regulate user access and interactions within displays and scripts, promoting a secure and efficient work environment. To acquire an in-depth understanding of user management on displays and scripts, please consult the Managing Users on Displays and Scripts.
Troubleshooting and Best Practices
Troubleshooting and Common #Issues
The Security module may encounter some issues in its operation. Here are some common issues and their solutions:
User cannot log in
- Solution: Ensure that the user is entering the correct login credentials. Check if the user's account is active and not blocked or flagged as deleted. If the problem persists, contact your system administrator.
Permission denied error
- Solution: Check the user's assigned Permissions. Ensure that they have the necessary access rights to perform the desired action. If necessary, update their Permissions or assign them to a different user group.
Best Practices and #Recommendations
To ensure the smooth operation of the Security module, follow these best practices:
Regularly update your user list and their associated permissions. This helps maintain security by ensuring that only authorized individuals have access to your system.
- Recommendation: Conduct a periodic audit of user accounts and permissions. Make necessary updates and remove inactive users.
Enforce strong password policies to enhance security.
- Recommendation: Require users to use complex passwords that include uppercase and lowercase letters, numbers, and special characters. Additionally, encourage them to change their passwords regularly.
Keep your system up-to-date with patches and updates.
- Recommendation: Regular updates and patches often include security enhancements and fixes. Ensure that your system is up-to-date to take advantage of these improvements.
Security Runtime Attributes
The Security namespace has all the runtime information regarding the security system.
For general information on namespace and object concepts, go to the section Objects and Namespaces.
The Client object has information about the current user logged at that client station:
| Examples | |
|---|---|
Client.Username | The property is the name of current logged user. |
Client.CurrentUser | Reference to a data structure with all the information of the currently logged-in user. |
See Namespaces Reference for the complete list of properties and available methods.
In this section: