View Source

This guide walks you through configuring the Security module for user authentication, authorization, and access control. You'll create users, define permission groups, set security policies, and integrate with enterprise authentication systems.

Prerequisites:

Administrator access to the solution
Understanding of security requirements
Active Directory/LDAP details (if integrating)

Configuration Workflow

Define Permission Groups - Set access levels for different roles
Configure Policies - Establish password and session rules
Create Users - Add local user accounts
Setup External Auth (Optional) - Connect AD/LDAP
Configure RuntimeUsers (Optional) - Enable dynamic users
Security Monitor (Optional) - View active sessions and connections:

Step 1: Define Permission Groups

Permission groups control what users can access in both Designer and Runtime.

Using Pre-defined Groups

Group	Designer Access	Runtime Access	Typical Use
Administrator	Full	Full	System management
Engineering	Modules, no Security	Full	Solution development
Supervisor	View only	Full operations	Shift supervisors
Operator	None	Operations, no tools	Control room operators
Guest	None	View only	Anonymous access

Creating Custom Groups

Navigate to Security → Permissions
Click first row to add new group
Configure permissions:

Edit Permissions (Designer access):

Unrestricted: Full Designer access
Modules: Select specific modules (Tags, Alarms, Historian, etc.)
CreateTags: Allow tag creation
Publish: Allow solution deployment

Run Permissions (Runtime access):

Unrestricted: Full runtime control
Startup/Shutdown: Control solution execution
StartTools: Access diagnostic tools
CreateUsers: Manage runtime users
WebAccess: Allow web client access

Step 2: Configure Security Policies

Policies define password requirements and session behavior.

Policy Settings

Go to Security → Policies
Select or create policy
Configure three main areas:

Identification (Password rules):

Setting	Enhanced	Critical
Password Min Length	8	12
Invalid Attempts	5	3
Password History	3	5
Max Password Age (hours)	2160 (90 days)	720 (30 days)

E-Signature (Action confirmation):

Enabled: Require password for critical actions
TimeoutMinutes: How long e-signature remains valid

Session (Auto-logoff):

Inactivity: Logoff after idle time
Duration: Maximum session length
Both: Apply both restrictions

FDA 21 CFR Part 11 Settings

For compliance, use these minimum settings:

Identification:
  PasswordMinLength: 8
  BlockOnInvalidAttempts: 5
  PasswordHistory: 5
  MaxPasswordAge: 2160 (90 days)

ESign:
  Enabled: True
  TimeoutMinutes: 10

Session:
  AutoLogOff: Both
  InactivityMinutes: 20
  DurationHours: 12

Step 3: Create Users

Default Users

User	Purpose	Action Required
Administrator	System management	Set password immediately
Guest	Anonymous access	Configure permissions
User	Generic login	Set password if using

Adding New Users

Navigate to Security → Users
Click first row to add user
Configure:
- Name: Unique username
- Password: Meeting policy requirements
- Permissions: Select group
- Policy: Select security policy
- ContactInfo: Email, phone, full name

Bulk User Import

For multiple users, prepare CSV:

csv

Name,Permissions,Policy,ContactInfo
jsmith,Operator,Enhanced,"John Smith,jsmith@company.com"
mjones,Supervisor,Critical,"Mary Jones,mjones@company.com"

Import via Security → Users → Import

Step 4: External Authentication (Optional)

Windows Active Directory

Go to Security → RuntimeUsers
Enable Windows AD Integration
Configure:
- Domain: COMPANY
- Auto-create users: Yes
- Default group: Operator

LDAP Server

Navigate to Security → RuntimeUsers
Select LDAP Provider
Configure:
- Server: ldap.company.com
- Port: 389 (or 636 for SSL)
- Base DN: dc=company,dc=com
- User attribute: sAMAccountName

Step 5: RuntimeUsers Configuration

RuntimeUsers are created dynamically and stored in external databases.

Setup Database

Go to Security → RuntimeUsers
Configure storage:
- Database: RuntimeUsers (SQLite default)
- Encryption: Enabled
- Auto-create: Yes

Enable Dynamic Creation

In scripts, create users programmatically:

csharp

@Security.CreateUser(
    "newuser",
    "password123",
    "Operator",
    "Enhanced"
);

Step 6: Security Monitor

View active sessions and connections:

Go to Security → Monitor during runtime
Review connected users and session times
Use @Server.GetAllConnections() in scripts for custom monitoring

Applying Security

Display Security

Entire Display:

In Displays → List
Set EditSecurity and RunSecurity columns

Individual Elements:

Select display element
Add Security dynamic
Configure:
- Permission: Required group
- ESign: Require confirmation
- Disable: Block interaction

Tag Security

Protect tag writes:

In UNS → Tags
Set WritePermission property
Only authorized users can modify

Script Security

Control script execution:

csharp

if (@Client.UserName == "Administrator")
{
    // Admin-only operations
}

Runtime Operations

User Login

Manual Login:

csharp

@Client.LogOn("username", "password");

Check Current User:

csharp

string user = @Client.UserName;
string group = @Client.CurrentUser.Permissions;

Logout:

csharp

@Client.LogOff();  // Returns to Guest

Session Management

Monitor active sessions:

csharp

// Check session time
TimeSpan sessionTime = @Client.SessionTime;

// Force logout if needed
if (sessionTime.TotalHours > 8)
{
    @Client.LogOff();
}

Common Issues

User Cannot Login

Verify credentials correct
Check account not blocked
Confirm user not deleted
Review invalid attempt count

Permission Denied

Check user's permission group
Verify specific module access
Review display/element security
Confirm runtime permissions

Password Issues

Ensure meets policy requirements
Check password age
Verify password history
Review complexity rules

Session Timeout

Check inactivity settings
Review duration limits
Verify policy assignment
Monitor session properties

Best Practices

? Set Administrator password - Never leave default blank ? Use groups not individuals - Easier management ? Regular password changes - Enforce via policies ? Audit user accounts - Remove inactive users ? Test permissions - Verify access levels ? Document security model - Maintain access matrix ? Use external auth - Leverage enterprise systems

Compliance Features

FDA 21 CFR Part 11

Electronic signatures
Audit trail (via Alarms module)
User authentication
Password policies
Session controls

NERC CIP

Role-based access
Password complexity
Account monitoring
Session management
Audit logging

Security Monitoring

Track security events:

csharp

// Log security events to audit trail
@Alarm.AuditTrail.AddCustomMessage(
    "User Login: " + @Client.UserName
);

// Monitor failed attempts
if (@Client.LoginAttempts > 3)
{
    @Alarm.AuditTrail.AddCustomMessage(
        "Multiple failed login attempts"
    );
}

Next Steps

[Windows AD Integration →] Enterprise authentication
[Audit Trail Configuration →] Compliance logging
[Display Security →] Protecting UI element

Configuration Workflow

Step 1: Define Permission Groups

Using Pre-defined Groups

Creating Custom Groups

Step 2: Configure Security Policies

Policy Settings

FDA 21 CFR Part 11 Settings

Step 3: Create Users

Default Users

Adding New Users

Bulk User Import

Step 4: External Authentication (Optional)

Windows Active Directory

LDAP Server

Step 5: RuntimeUsers Configuration

Setup Database

Enable Dynamic Creation

Step 6: Security Monitor

Applying Security

Display Security

Tag Security

Script Security

Runtime Operations

User Login

Session Management

Common Issues

Best Practices

Compliance Features

FDA 21 CFR Part 11

NERC CIP

Security Monitoring

Next Steps

In this section...