Securely store credentials and secrets.
Reference → Modules → Security → UI → RuntimeUsers | Users | Permissions | Policies | Secrets | Monitor
Security Secrets (Reference): Securely store and manage sensitive credentials such as passwords, API keys, and connection strings without exposing plain-text values in your configuration.
Security Secrets provide:
- Centralized credential storage
- Encrypted value protection
- Integration with Datasets (DB connections)
- Integration with Devices/TagProviders (MQTT, OPC UA, etc.)
- Administrative control over sensitive values
Configuration Properties
Access at: Security → Secrets
| Property | Description | Required | Access Control |
|---|---|---|---|
| Name | Unique identifier for the secret | Yes | All users |
| SecretType | Type of credential (Password, APIKey, Token) | Yes | All users |
| SecretValue | Encrypted credential value | Yes | Administrators only |
| Description | Documentation of usage/purpose | No | All users |
Important: Only administrators can view or edit SecretValue. Standard users can reference secrets in configurations but cannot see the actual values.
Secret Types
| Type | Use Case | Example |
|---|---|---|
| Password | Database connections, user authentication | SQL Server password |
Usage in Configurations
Datasets Integration
When configuring database connections:
- Navigate to Datasets → DBs
- In connection settings, select Use Secret
- Choose from dropdown list of configured secrets
- Connection uses encrypted value at runtime
Example:
Database: RuntimeUsers
Authentication: SQL Server Auth
Username: dbuser
Password: [Secret: DBRuntimePass]Device/TagProvider Integration
For MQTT, OPC UA, and other protocols:
- Navigate to Devices → Channels or TagProviders
- In authentication fields, use secret reference syntax
- Format:
/secret-<SecretName>
Example:
MQTT Broker Authentication:
Username: mqttuser
Password: /secret-MQTTBrokerPassScript Access
For security reasons, there is no access to secrets via script, only through the configuration UI in each scenario where secrets can be applied.
Configuration Examples
Basic Secret Setup
| Name | SecretType | SecretValue | Description |
|---|---|---|---|
| DBProductionPass | Password | ******** | Production SQL Server |
| MQTTBrokerPass | Password | ******** | MQTT cloud broker |
Runtime Users Database Example
- Create secret:
- Name:
RuntimeUsersDBPass - Type:
Password - Value:
[encrypted] - Description:
RuntimeUsers SQL authentication
- Name:
- Use in Dataset:
- Go to Datasets → DBs → RuntimeUsers
- Set Password field to:
[Secret: RuntimeUsersDBPass]
Security Considerations
Access Control Matrix
| Action | Administrator | Engineer | Guest |
|---|---|---|---|
| Create Secret | Yes | Yes | Yes |
| Edit SecretValue | Yes | No | No |
| View SecretValue | No | No | No |
| Reference in Config | Yes | Yes | Yes |
| View Secret List | Yes | Yes | Yes |
Encryption Details
- Values encrypted using AES-256
- Stored encrypted in solution file
- Decrypted only at runtime when needed
- Never logged in plain text
- Not included in solution exports
Best Practices
Naming Conventions
| Pattern | Example | Use For |
|---|---|---|
DB<System>Pass | DBHistorianPass | Database passwords |
Implementation Guidelines
- Create secrets before configuration
- Define all secrets in Security module first
- Then reference in other modules
- Use descriptive names
- Good:
ProductionSQLPass - Bad:
Secret1
- Good:
- Document usage
- Always fill Description field
- Include where secret is used
- Note rotation schedule if applicable
- Regular rotation
- Change production secrets periodically
- Update all references after rotation
- Test thoroughly after changes
- Environment separation
- Use different secrets for Dev/Test/Production
- Name accordingly:
DevDBPass,ProdDBPass
Migration and Portability
Exporting Solutions
When exporting solutions:
- Secret names and types are exported
- Secret values are NOT exported
- Target system must recreate values
Import Process
- Import solution to new system
- Navigate to Security → Secrets
- For each secret, enter appropriate value
- Test all connections
Troubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| "Secret not found" | Typo in reference | Check exact secret name |
| "Access denied" | Insufficient permissions | Use administrator account |
| Connection fails | Wrong secret value | Verify and re-enter value |
| Secret list empty | Filter applied | Check module filter settings |
Validation
Test secret configuration:
- Create test secret
- Reference in test connection
- Verify connection succeeds
- Check runtime logs for errors
Audit Trail
Secret operations are logged:
- Creation/modification timestamp
- User who made changes
- NOT the actual values
See Also
- Security Module (Reference) - Complete security documentation
- Datasets Configuration (How-to) - Using secrets in databases
- Device Connections (How-to) - Using secrets in devices
- Security Best Practices (Guide) - Security guidelines
In this section...
Overview
Content Tools
Tasks