Security Runtime Users Reference

Control runtime user accounts.

Security RuntimeUsers (Reference): Dynamic user management during runtime, allowing user creation and authentication without modifying solution configuration.

RuntimeUsers provide:

Dynamic user creation during runtime
External database integration
Active Directory/LDAP authentication
Temporary or permanent user accounts
Script-based user management

RuntimeUsers combined with SecurityUsers form the complete Solution Users.

RuntimeUsers vs SecurityUsers

Aspect	SecurityUsers	RuntimeUsers
Creation	Design-time only	Runtime only
Storage	Solution file	External database
Engineering Access	Yes	No
Modify Solution	Yes	No
Runtime Access	Yes	Yes
Source	Internal	External/Scripts

Note: RuntimeUsers cannot access Engineering mode or modify solution configuration. They are application users only.

Configuration Sources

1. Script Creation

csharp

// Create user programmatically
@Security.CreateUser(
    "john.doe",
    "password123",
    "Operator,Maintenance",
    "Enhanced"
);

2. External SQL Database

Configuration: Datasets → DBs → RuntimeUsers

Default: SQLite database
Supports: SQL Server, MySQL, PostgreSQL
Auto-created table structure

3. AD/LDAP Integration

Users validated against directory
Created in memory only
No database storage

RuntimeUsers Table Properties

Access: Security → RuntimeUsers (read-only view)

Property	Description	Modifiable
Name	Unique username	Via script/DB
Password	Encrypted credential	Via script/DB
Permissions	Group assignments	Via script/DB
Policy	Security policy	Via script/DB
Blocked	Access denied flag	Via script/DB
Deleted	Soft delete marker	Via script/DB
InvalidAttempts	Failed login count	Auto-updated
ChangePasswordRequired	Force password change	Via script/DB
LastChangePasswordUTC_Ticks	Password change timestamp	Auto-updated
LastBlockedUserUTC_Ticks	Block timestamp	Auto-updated
Level	Hierarchical access	Via script/DB
Category	User classification	Via script/DB
ContactInfo	Email/phone	Via script/DB

Database Configuration

Default SQLite Structure

Location: <SolutionPath>.dbRuntimeUsers

Table automatically created with:

User authentication fields
Permission assignments
Policy enforcement
Audit tracking

Custom Database

Configure Datasets → DBs → RuntimeUsers
Set connection string
System creates table if missing
Maintain schema compatibility

Script Management

Creating Users

csharp

public void CreateOperator(string username, string password)
{
    bool success = @Security.CreateUser(
        username,
        password,
        "Operator",  // Permissions
        "Default"    // Policy
    );
    
    if (success)
    {
        @Info.Trace($"User {username} created");
    }
}

Modifying Users

csharp

// Change password
@Security.ChangePassword("john.doe", "newPassword");

// Update permissions
@Security.SetUserPermissions("john.doe", "Operator,Supervisor");

// Block user
@Security.BlockUser("john.doe");

Deleting Users

csharp

// Soft delete (mark as deleted)
@Security.DeleteUser("john.doe", softDelete: true);

// Hard delete (remove from database)
@Security.DeleteUser("john.doe", softDelete: false);

Windows AD / LDAP Integration

Windows AD Authentication

Automatic Availability when:

Solution runs on Windows
Domain connectivity exists
Port 3102 (default) accessible

Configuration:

Navigate to Runtime → Startup
Enable Use WA checkbox
Set PortWA: 3102 (or custom)
Configure redundancy ports if needed

Connection Methods:

Rich Client:

Server: ServerName
Port: 3102 (AD port)
Windows Authentication: Enabled

Web Client URL:

http://server/fs-2024/TSmartClient.application?port1=3102&wa=true

LDAP Server Configuration

Setup:

Navigate to Security → RuntimeUsers
Enter LDAP server in AD/LDAP Server field:

ldap://company.local:389
ldaps://secure.company.local:636

Connection String Examples:

Standard LDAP:

ldap://dc1.company.local:389

Secure LDAP:

ldaps://dc1.company.local:636

With Base DN:

ldap://dc1.company.local:389/DC=company,DC=local

Permission Mapping

User Resolution Order:

Check for exact username match in Security → Users
Map Windows groups to permission groups
Apply Guest permissions if no match

Group Mapping Example:

Windows Group: Domain\Engineers
Permission Group: Engineering
Result: User gets Engineering permissions

LDAP Attributes Mapping:

LDAP Attribute	Solution Property
sAMAccountName	UserName
memberOf	Permissions (via groups)
displayName	Display name
mail	ContactInfo
department	UserGroup

Runtime Behavior

User Validation Order

Check SecurityUsers (internal)
Query RuntimeUsers database
Validate against AD/LDAP
Apply Guest if no match

Authentication Flow

Client.LogOn(username, password)
    ↓
1. Check Engineering Users (SecurityUsers)
2. Check Runtime Users (Database)
3. Check LDAP Server (if configured)
4. First valid match logs in

Session Management

csharp

// Get all active users
var users = @Security.GetActiveUsers();

// Check if RuntimeUser
bool isRuntimeUser = @Security.IsRuntimeUser(username);

// Get user source
string source = @Security.GetUserSource(username); 
// Returns: "Internal", "Database", "AD"

Security Configuration

Forcing AD-Only Access

Enable Use WA in Runtime → Startup
Disable standard authentication port
Configure AD-only port

csharp

// Check if using Windows Authentication
if (@Client.IsWindowsAuthenticated)
{
    string domain = @Client.WindowsDomain;
    string user = @Client.WindowsUserName;
    @Info.Trace($"AD User: {domain}\\{user}");
}

Service Account Configuration

csharp

// Configure service account for LDAP queries
@Security.LDAPServiceAccount = "svc_scada";
@Security.LDAPServicePassword = GetSecurePassword();
@Security.LDAPSearchBase = "OU=Users,DC=company,DC=local";

Best Practices Checklist

Use appropriate source - AD for enterprise, DB for standalone
Set permissions carefully - RuntimeUsers can't be admins
Use secure LDAP - LDAPS on port 636 when possible
Implement audit trail - Track user creation/modification
Regular cleanup - Remove inactive RuntimeUsers
Secure database - Protect RuntimeUsers table
Document user sources - Clear origin tracking
Test authentication paths - Verify all methods work

Common Configurations

Manufacturing Domain

AD Server: mfg.company.local
Port: 3102
Groups:
  - MFG\Operators → Operator
  - MFG\Engineers → Engineering
  - MFG\Managers → Supervisor

Enterprise LDAP

LDAP: ldaps://enterprise.local:636
Base DN: DC=enterprise,DC=local
Groups:
  - CN=SCADA_Users → User
  - CN=SCADA_Admin → Administrator

Troubleshooting

User not found:

Check database connection
Verify table exists
Review AD connectivity
Confirm username format

Cannot create user:

Verify CreateUsers permission
Check database write access
Review policy restrictions
Confirm unique username

AD/LDAP users not working:

Test domain connectivity
Verify group mappings
Check authentication mode
Review domain credentials

Wrong permissions:

Check group name spelling (exact match required)
Review permission mapping
Test with known group

Slow authentication:

Check domain controller load
Review network latency
Optimize LDAP queries
Consider caching

Page tree

RuntimeUsers vs SecurityUsers

Configuration Sources

1. Script Creation

2. External SQL Database

3. AD/LDAP Integration

RuntimeUsers Table Properties

Database Configuration

Default SQLite Structure

Custom Database

Script Management

Creating Users

Modifying Users

Deleting Users

Windows AD / LDAP Integration

Windows AD Authentication

LDAP Server Configuration

Permission Mapping

Runtime Behavior

User Validation Order

Authentication Flow

Session Management

Security Configuration

Forcing AD-Only Access

Service Account Configuration

Best Practices Checklist

Common Configurations

Manufacturing Domain

Enterprise LDAP

Troubleshooting

See Also

In this section...