
Security Module (Reference) provides comprehensive authentication, authorization, and access control for FrameworX solutions.

This reference covers the module's configuration interfaces, runtime behavior, and integration with enterprise security systems.

Security (Users and Roles)

Introduction to the Security Module


The Security Module ensures the safety and integrity of your projects.

Some of the key features include:

  • Managing user access, roles, and permissions.
  • Controlling who can access, view, and modify solution components.
  • Controlling who can interact with displays and actions at runtime.


Key Concepts and Terms

The Security Module defines the Users allowed to use or modify the solution, together with their Roles, Permissions, and Security Policies. Users can be defined locally with the platform tools, or resolved against external definitions such as Active Directory, LDAP servers, or external SQL databases.

Users

Anyone accessing the solution, either in engineering (Designer Tool) or in runtime mode (Displays).

Permissions

Permissions are set levels of access for each user that determine what they can or cannot do within the solution.

Policies

Policies manage requirements on User Identification and Session Control.

RuntimeUsers

These users are created and retrieved from an external encrypted SQL database or other identification servers.

Understanding the Security Module

What the Security Module Enables

User roles management

Managing user roles involves assigning a role to each user that defines their level of access to various components of the solution. Each role has its permissions, which can be customized to meet the security requirements of your organization.

Managing External Users (Runtime Users)

External Users in this context refers to users who are not part of the organization but need access to specific components of the project. This can include contractors, clients, or third-party vendors. These users are typically managed via RuntimeUsers or integration with Active Directory and LDAP.

Securing Solution Configuration

The platform provides several tools to secure the solution configuration itself. By assigning Permissions and Policies, administrators can control which users have access to specific modules, editors and documents. This ensures that only authorized users can make changes to each part of the solution configuration.

Securing Runtime Execution

Securing runtime involves managing user sessions in client displays by setting password requirements, session restrictions, and e-signature settings. The platform allows administrators to monitor client connections and manage active sessions.

Users, Permissions and Policies Summary

For a summary of the Security Configuration, go to Security Overview, which presents the basic configuration steps and properties for Users, Permissions and Policies.

The next section presents the configuration of those elements in further details.

Configuring the Security Module

Configuration Workflow

Each User is assigned to a set of Permissions and to a Session Policy.

Security Configuration Interfaces

| Action                      | Where                   |
|-----------------------------|-------------------------|
| Edit Users                  | Security / Users        |
| Define security Permissions | Security / Permissions  |
| Define security Policies    | Security / Policies     |
| Manage RuntimeUsers         | Security / RuntimeUsers |

RuntimeUsers

Runtime Users are either defined in an external database or created dynamically using the CreateUser method. They can log in and use remote operation displays similarly to users specified in the solution configuration.

→ Read more about RuntimeUsers.

AD/LDAP Integrations

Windows AD Integration

The platform can automatically execute user credentials validation and user connection identification using native Windows Active Directory integration, available for users connecting from Windows operating systems.

→ Read more about Windows AD / LDAP Server.

AD/LDAP Server Integration

When Windows AD integration is unavailable, automated identification can still be achieved using an LDAP server defined for the business.

→ Read more about Windows AD / LDAP Server.


Configuration Interfaces

| Component    | Location                | Purpose                              |
|--------------|-------------------------|--------------------------------------|
| Users        | Security → Users        | Define local user accounts           |
| Permissions  | Security → Permissions  | Configure role-based access groups   |
| Policies     | Security → Policies     | Set password and session requirements|
| RuntimeUsers | Security → RuntimeUsers | View external/dynamic users          |
| Monitor      | Security → Monitor      | Track active sessions (runtime only) |

Module Components

Users

Local users defined within the solution configuration. Includes three pre-defined accounts:

  • Administrator - Full system access (set password immediately)
  • Guest - Anonymous/default access
  • User - Generic login account

→ [Security Users (Reference)] for detailed configuration

Permissions

Role-based access control groups defining what users can access in Designer and Runtime.

Pre-defined groups: Administrator, Engineering, Supervisor, Operator, Maintenance, Guest

→ [Security Permissions (Reference)] for detailed configuration

Policies

Security requirements for passwords, sessions, and electronic signatures.

Pre-defined policies: Default, Enhanced, Critical

→ [Security Policies (Reference)] for detailed configuration

RuntimeUsers

Dynamic users from external sources:

  • External SQL databases
  • Active Directory integration
  • LDAP server authentication
  • Script-created users

→ [Security RuntimeUsers (Reference)] for detailed configuration

Monitor

Real-time view of connected users and active sessions during runtime.

→ [Security Monitor (Reference)] for detailed configuration

External Authentication

Integration with enterprise authentication systems:

  • Windows Active Directory
  • LDAP servers
  • Custom authentication providers

→ [Windows AD / LDAP Server (Reference)] for detailed configuration


Runtime Behavior

Authentication Flow

  1. Check for local Engineering User
  2. If not found, check RuntimeUsers database
  3. If not found, check AD/LDAP (if configured)
  4. If no valid user, default to Guest
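The fallback order above, modelled as an added example (not the platform's own code): each identity source is a constructed in-memory store with salted password hashes, blocked or deleted accounts never match, the AD/LDAP step is only consulted when configured, and the result records which source authenticated the user, which is what an audit trail needs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of one account record; the product's real stores differ.
@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    status: str = "active"       # "active", "blocked" or "deleted"
    permission_group: str = "Guest"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(name, password, group, status="active") -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt), status, group)

def check_store(store: dict, name: str, password: str) -> Optional[Account]:
    """Verify against one source; inactive accounts never match."""
    acct = store.get(name)
    if acct is None or acct.status != "active":
        return None
    # constant-time comparison of the stored and recomputed digests
    if not hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
        return None
    return acct

# Guest is the documented default when no source accepts the credentials.
GUEST = Account("Guest", b"", b"", "active", "Guest")

def authenticate(name, password, local, runtime_users, ad_ldap=None):
    """Walk the sources in the documented order; return (account, source)."""
    chain = [("local", local), ("runtime_users", runtime_users)]
    if ad_ldap is not None:                  # step 3 only if AD/LDAP is configured
        chain.append(("ad_ldap", ad_ldap))
    for source, store in chain:
        acct = check_store(store, name, password)
        if acct is not None:
            return acct, source
    return GUEST, "guest_fallback"           # step 4
```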

Permission Evaluation

Permissions are evaluated at multiple levels:

  • Solution Level - Overall access to the solution
  • Module Level - Access to specific modules (Tags, Alarms, etc.)
  • Display Level - Access to specific displays
  • Object Level - Access to individual controls/elements

Session Management

  • Automatic session timeout based on policy
  • Concurrent login restrictions
  • Session monitoring via Security → Monitor
  • Programmatic access via @Server.GetAllConnections()

Security Namespaces

Client Namespace

Runtime information about current user:

  • @Client.UserName - Current logged user
  • @Client.CurrentUser - User object with all properties
  • @Client.LogOn(username, password) - Login method
  • @Client.LogOff() - Logout method

Security Namespace

Security management methods:

  • @Security.CreateUser() - Create RuntimeUser dynamically
  • @Security.ValidateUser() - Verify credentials
  • @Security.ChangePassword() - Update user password

Configuration Storage

Solution Database

Local users, permissions, and policies are stored in the solution database (.dbsln file).

RuntimeUsers Database

External users stored in:

  • Default: SQLite database (Dataset.DB.RuntimeUsers)
  • Optional: SQL Server, PostgreSQL, or other databases
  • Encrypted storage for credentials

Security Features

Compliance Support

  • FDA 21 CFR Part 11 - Electronic signatures, audit trail, password policies
  • NERC CIP - Account monitoring, session management, audit logging
  • ISA-99/IEC 62443 - Zone security, role-based access

Advanced Features

  • Multi-factor authentication support
  • Certificate-based authentication
  • Single Sign-On (SSO) via AD
  • Encrypted credential storage
  • Session replay protection

Best Practices Checklist

Initial Setup

  • Change default passwords immediately
  • Configure policies before creating users
  • Define permission groups based on roles
  • Test authentication before deployment

Maintenance

  • Review user accounts quarterly
  • Monitor failed login attempts
  • Update passwords regularly
  • Audit permission changes
  • Document security model

Troubleshooting

| Issue                  | Check                                              |
|------------------------|----------------------------------------------------|
| Cannot login           | Credentials, account status, policy restrictions   |
| Permission denied      | Group membership, module access, display security  |
| Session timeout        | Policy settings, inactivity timer                  |
| AD authentication fails| Domain configuration, network connectivity         |




Working with the Security Module

Customizing Login Procedures

Modify the login page, fine-tune user validation, and incorporate custom logic into the client startup ScriptTask process for a tailored login experience.

Further user management can also be performed from Scripts.

→ Read more on Scripts, Handling Security

Applying Security to Displays

Regulate user access and interactions within displays, either by protecting the entire display, or specific commands or elements within each display.

Display Edit or Run Security

The configuration table Displays / List has the columns EditSecurity and RunSecurity, which define the Permission groups allowed to configure each display, or to open it in runtime.

Security within the Display

When drawing the solution User Interface, there is a Dynamic Property specifically to apply security to any Input the operator may do at the display.

→ Read more on Drawing User Interfaces / Dynamics and UI Elements, the Security Dynamic configuration. 

Security Runtime Attributes

The Security namespace contains all runtime information regarding the security system. The Client object holds information about the user currently logged in at that client station.

Examples

Client.Username

This property holds the name of the currently logged-in user.

Client.CurrentUser

References the data structure with all the information of the currently logged-in user.

Read more about Objects and Namespaces.

Best Practices and Troubleshooting

Best Practices and Recommendations:

  • Regularly update your user list and their associated permissions to maintain security.
  • Conduct periodic audits of user accounts and permissions, making necessary updates and removing inactive users.
  • Enforce strong password policies to enhance security.
  • Require complex passwords that include uppercase and lowercase letters, numbers, and special characters. Encourage regular password changes.
  • Keep your system up-to-date with patches and updates.
  • Regular updates often include security enhancements and fixes. Ensure your system is up-to-date to benefit from these improvements.

Troubleshooting and Common Issues:

  • User Cannot Log In: Ensure the user is entering correct login credentials. Check if the user's account is active and not blocked or flagged as deleted. If the problem persists, contact your system administrator.
  • Permission Denied Error: Check the user's assigned Permissions. Ensure they have the necessary access rights to perform the desired action. Update their Permissions or assign them to a different user group if necessary.
