View Source

Security RuntimeUsers (Reference)

extend solution access dynamically during runtime, allowing user management without modifying the solution configuration. RuntimeUsers provide:

Dynamic user creation during runtime
External database integration
Active Directory/LDAP authentication
Temporary or permanent user accounts
Script-based user management

RuntimeUsers combined with SecurityUsers form the complete Solution Users.

In this page:

Security → Tutorial | Concept | How-to Guide | Standards Compliance | Reference

RuntimeUsers vs SecurityUsers

Aspect	SecurityUsers	RuntimeUsers
Creation	Design-time only	Runtime only
Storage	Solution file	External database
Engineering Access	Yes	No
Modify Solution	Yes	No
Runtime Access	Yes	Yes
Source	Internal	External/Scripts

<ac:structured-macro ac:name="note"> ac:rich-text-body RuntimeUsers cannot access Engineering mode or modify solution configuration. They are application users only. </ac:rich-text-body> </ac:structured-macro>

Configuration Sources

1. Script Creation

csharp

// Create user programmatically
@Security.CreateUser(
    "john.doe",
    "password123",
    "Operator,Maintenance",
    "Enhanced"
);

2. External SQL Database

Configure at Datasets → DBs → RuntimeUsers

Default: SQLite database
Supports: SQL Server, MySQL, PostgreSQL
Auto-created table structure

3. AD/LDAP Integration

Users validated against directory
Created in memory only
No database storage
See [Windows AD/LDAP Server]

RuntimeUsers Table Properties

Access read-only view at Security → RuntimeUsers:

Property	Description	Modifiable
Name	Unique username	Via script/DB
Password	Encrypted credential	Via script/DB
Permissions	Group assignments	Via script/DB
Policy	Security policy	Via script/DB
Blocked	Access denied flag	Via script/DB
Deleted	Soft delete marker	Via script/DB
InvalidAttempts	Failed login count	Auto-updated
ChangePasswordRequired	Force password change	Via script/DB
LastChangePasswordUTC_Ticks	Password change timestamp	Auto-updated
LastBlockedUserUTC_Ticks	Block timestamp	Auto-updated
Level	Hierarchical access	Via script/DB
Category	User classification	Via script/DB
ContactInfo	Email/phone	Via script/DB
Company	Organization	Via script/DB
UserGroup	Department	Via script/DB

Database Configuration

Default SQLite Structure

Location: <SolutionPath>.dbRuntimeUsers

Table automatically created with:

User authentication fields
Permission assignments
Policy enforcement
Audit tracking

Custom Database

Configure Datasets → DBs → RuntimeUsers
Set connection string
System creates table if missing
Maintain schema compatibility

Script Management

Creating Users

csharp

public void CreateOperator(string username, string password)
{
    bool success = @Security.CreateUser(
        username,
        password,
        "Operator",  // Permissions
        "Default"    // Policy
    );
    
    if (success)
    {
        @Info.Trace($"User {username} created");
    }
}

Modifying Users

csharp

// Change password
@Security.ChangePassword("john.doe", "newPassword");

// Update permissions
@Security.SetUserPermissions("john.doe", "Operator,Supervisor");

// Block user
@Security.BlockUser("john.doe");

Deleting Users

csharp

// Soft delete (mark as deleted)
@Security.DeleteUser("john.doe", softDelete: true);

// Hard delete (remove from database)
@Security.DeleteUser("john.doe", softDelete: false);

AD/LDAP Users

Characteristics

No database storage
Memory-only during runtime
Permissions from AD groups
Automatic authentication
Session-based existence

Configuration

csharp

// Enable AD authentication
@Security.AuthenticationMode = "WindowsAD";
@Security.ADDomain = "company.local";

// Map AD groups to permissions
@Security.ADGroupMapping["Domain Users"] = "Operator";
@Security.ADGroupMapping["Domain Admins"] = "Administrator";

Runtime Behavior

User Validation Order

Check SecurityUsers (internal)
Query RuntimeUsers database
Validate against AD/LDAP
Apply Guest if no match

Session Management

csharp

// Get all active users
var users = @Security.GetActiveUsers();

// Check if RuntimeUser
bool isRuntimeUser = @Security.IsRuntimeUser(username);

// Get user source
string source = @Security.GetUserSource(username); 
// Returns: "Internal", "Database", "AD"

Best Practices

Use appropriate source - AD for enterprise, DB for standalone
Set permissions carefully - RuntimeUsers can't be admins
Implement audit trail - Track user creation/modification
Regular cleanup - Remove inactive RuntimeUsers
Secure database - Protect RuntimeUsers table
Document user sources - Clear origin tracking
Test authentication - Verify all paths work

Troubleshooting

User not found:

Check database connection
Verify table exists
Review AD connectivity
Confirm username format

Cannot create user:

Verify CreateUsers permission
Check database write access
Review policy restrictions
Confirm unique username

AD users not working:

Test domain connectivity
Verify group mappings
Check authentication mode
Review domain credentials

Database errors:

Verify connection string
Check table schema
Review permissions
Test database access

In this page:

RuntimeUsers vs SecurityUsers

Configuration Sources

1. Script Creation

2. External SQL Database

3. AD/LDAP Integration

RuntimeUsers Table Properties

Database Configuration

Default SQLite Structure

Custom Database

Script Management

Creating Users

Modifying Users

Deleting Users

AD/LDAP Users

Characteristics

Configuration

Runtime Behavior

User Validation Order

Session Management

Best Practices

Troubleshooting

In this section...