General User Management Settings

The User Management has a series of general settings that are displayed in the Properties Window after selecting the root User and Group resource in the Users Editor.

 

 

Using the Movicon.NExT User Management implies that the data exchanged between Client and Server is protected with the OPC UA "Sign" security policy, using certificates. The Sign policy signs each message (integrity and peer authentication) but does not encrypt it.

In this context, if the project has a distributed Client and Server architecture, the Server and Client must exchange security certificates as described in "OPC UA Certificates".

 

 

In order to activate the User Management at Runtime, you will need to enable the "Enable Password Management" property.

 

 

The default user active at Runtime startup is the Anonymous user, which has access level 0 and no read or write access to any area.


General User Management Properties

The general properties of the project's user management are described below.

 

Auto Logout Timeout

This field sets a time in seconds after which the active user is logged out automatically. The time refers to inactivity: a logged-in user who remains inactive for the time set here is logged out automatically for security reasons and must log in again when resuming activity.

 

Max. Invalid Password Attempts

This specifies the maximum number of failed login attempts after which the user is locked and can no longer access the system.

 

This threshold determines the number of failed login attempts that cause the system to lock the account of the user trying to log in.

When a user is locked, they can no longer access the system even with the correct credentials. The locked user is denied access until reinstated with the appropriate commands provided by Movicon.NExT.

This feature requires that you set a failed login attempt value as well as specify which users are to be locked using the "User Lock Mode" property.

 

User Lock Mode

This property gives you the possibility to specify which users are to be locked after attempting a certain number of failed login attempts.

 

This property comes with the following options:

 

 

When needing to reinstate a locked user, use the commands contained in the 'Users' tab of any one of the Movicon.NExT objects.

 

Domain users are excluded from the lock users management as they are not managed directly by the Movicon.NExT membership provider.

 

Enable Password Management

Enabling this property activates the user manager during project Runtime. The programmer can then decide when to activate or deactivate the project's entire user management.

 

Login Control Visible

When user management is enabled in the project, this property enables/disables display of the Login/Logout control at the top right of the startup page. This control appears only in the project's startup screen and in no other screen; which screen that is depends on the project's startup mode:

 

 

Max. Runtime Edit Access Level

This parameter specifies the maximum access level that may be assigned to a user created or modified at Runtime.

 

Min. Password Length

This property sets the minimum number of characters a password must contain.

The “MoviconNExT.exe.config” system file can also be modified to force the use of special (non-alphanumeric) characters in passwords by adding the “minRequiredNonalphanumericCharacters” attribute to the membership provider configuration. Note that digits count as alphanumeric and do not satisfy this requirement.

The value entered is the minimum number of non-alphanumeric characters required in a password.
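As an added example (not from the Movicon.NExT documentation), the following PowerShell script sets that attribute on the membership provider entry of MoviconNExT.exe.config. It assumes the standard ASP.NET membership layout (configuration/system.web/membership/providers/add) and an assumed installation path; verify both against your own file before running, and run it from an elevated shell since the file lives under Program Files.

```powershell
# Added example: set minRequiredNonalphanumericCharacters on the membership
# provider in MoviconNExT.exe.config. The element path assumes the standard
# ASP.NET membership layout; the default file path is an assumption.
param(
    [string]$ConfigPath = 'C:\Program Files\Progea\Movicon.NExT\MoviconNExT.exe.config',
    [int]$MinNonAlphanumeric = 1
)

# Keep a backup: a malformed config prevents Movicon.NExT from starting.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$providers = $cfg.SelectNodes('/configuration/system.web/membership/providers/add')
if ($providers.Count -eq 0) {
    throw "No membership provider element found in $ConfigPath; adjust the XPath for your installation."
}

foreach ($p in $providers) {
    # SetAttribute adds the attribute when absent and overwrites it when present.
    $p.SetAttribute('minRequiredNonalphanumericCharacters', [string]$MinNonAlphanumeric)
    Write-Host ("Provider '{0}': minRequiredNonalphanumericCharacters={1}" -f `
        $p.GetAttribute('name'), $MinNonAlphanumeric)
}

$cfg.Save($ConfigPath)
```

If users are shared between installations (see "Shared Connection Repository"), apply the same change to every exe.config that uses the shared membership, otherwise the password rules differ depending on which application the user is created from.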


Desktop/System Role

This property associates a "Group", and therefore its Users, with the rights to execute system operation commands. System commands are those not linked directly to the project but to operating-system functions, for example closing the application window, minimizing it, accessing the desktop and closing the application.

 

These commands are not managed by the application's objects but by the Windows OS. For correct user management, the programmer must decide which users have the right to use the operating-system commands that remain accessible.


Note: the “CTRL+ALT+DEL” key combination cannot be blocked with this Movicon feature. To restrict it, use the Windows Local Group Policy Editor so that the shortcut cannot be used to bypass the application. To start the editor, type “gpedit.msc” in the Windows search bar and press Enter.
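The policies in question sit under User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options, and each one is stored as a per-user policy registry value. As an added example (not from the Movicon.NExT documentation), the following PowerShell sets the same values directly and then verifies them; run it in the Windows account that operates the HMI, not as the service account. On a domain-joined machine a Group Policy Object may overwrite these values, so prefer a GPO there.

```powershell
# Added example: apply the Ctrl+Alt+Del Options policies from gpedit.msc by
# writing the registry values those policies use, for the current user.
$systemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$settings = @(
    @{ Path = $systemPolicy;   Name = 'DisableTaskMgr';         Policy = 'Remove Task Manager' },
    @{ Path = $systemPolicy;   Name = 'DisableLockWorkstation'; Policy = 'Remove Lock Computer' },
    @{ Path = $systemPolicy;   Name = 'DisableChangePassword';  Policy = 'Remove Change Password' },
    @{ Path = $explorerPolicy; Name = 'NoLogoff';               Policy = 'Remove Logoff' }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    # DWORD 1 = policy enabled (the option is removed from the Ctrl+Alt+Del screen).
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host ("{0,-25} -> {1} = 1" -f $s.Policy, $s.Name)
}

# Verify the effective values: anything not equal to 1 is still reachable by the operator.
foreach ($s in $settings) {
    $v = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($v -ne 1) { Write-Warning "$($s.Name) is not enforced" }
}
```

Together with the Desktop/System Role, this closes the paths an operator could use to leave the HMI without going through the user management.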


The safest configuration is to run the Movicon Server as a Windows service, combined with the Windows settings indicated above.

 

Enable Windows Authentication

When this functionality is enabled, the User Management system also accepts users registered on the local PC or in the Windows domain in which the project runs, in addition to the users declared in the project. If the user management cannot find a user in the project's user list, it asks the operating system to authenticate the user (via the LDAP protocol for domain accounts).

To authenticate a local PC user, enter the user name and password as they are (the name must not be preceded by local\ or Hostname\).

To authenticate a domain user, use the 'domain\user' format.

If the user is recognized, they are authenticated by the local system or domain and then validated for use of the project. Their access rights are determined by group membership: if the project contains a user group with the same name as an operating-system or domain group the user belongs to, the user is validated with the access level set for that project group.

If no project group with a matching name exists, the user is still authenticated by the operating system or domain but is treated as Anonymous at runtime, i.e. access level 0 and no “CurrentRole”.

Because the mapping is by group name alone, anyone able to add an account to a local group carrying the same name as a project group grants that account the corresponding access level; keep project group names aligned with the intended domain groups and restrict local administration on the HMI machine.


Shared Connection Repository

This is used to generate one table for all the projects containing all the various project users so that they can be shared.  

 

The Movicon.NExT installations used by each project need to share the same membership. It is therefore necessary to modify the "Moviconnext.exe.config" and "Platformnext.exe.config" files so that they use the same "membership" configuration.

 

To share users between the Desktop Runtime project and WebHMI, the account selected during installation of the "Movicon.NExT WebClient (SVG/HTML5)" service (in the Service Control Panel) must be given the "db_owner" role on the database chosen for sharing users. If no specific account is indicated during that installation, the service is installed with the "NT AUTHORITY\SYSTEM" credentials.

 

To grant that account access to the shared users database (for example on SQL Server), proceed as follows:

 

  1. Open SQL Server Management Studio.

  2. Expand the "Security" folder and edit the properties of the login (add the "NT AUTHORITY\SYSTEM" login first if it is not present).

  3. Select the "User Mapping" page and tick the database chosen for user sharing.

  4. Tick the "db_owner" role membership and confirm with "OK".
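The same four steps as T-SQL, run through Invoke-Sqlcmd from the SqlServer module, as an added example that is not part of the Movicon.NExT documentation. The instance name and database name are assumptions; the account defaults to the "NT AUTHORITY\SYSTEM" identity the service uses when no other account is chosen.

```powershell
# Added example: create the Windows login (step 2), map it into the shared
# database (step 3) and add it to db_owner (step 4), then list the result.
param(
    [string]$ServerInstance = 'HMI-SERVER\SQLEXPRESS',   # assumed instance
    [string]$Database       = 'MoviconSharedUsers',      # assumed name of the shared users DB
    [string]$Account        = 'NT AUTHORITY\SYSTEM'      # default WebClient service identity
)

$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
GO
USE [$Database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
GO
ALTER ROLE [db_owner] ADD MEMBER [$Account];
GO
-- Show the resulting role membership so the change can be checked.
SELECT dp.name AS principal, r.name AS role
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
WHERE dp.name = N'$Account';
"@

Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sql | Format-Table -AutoSize
```

db_owner is what the sharing feature requires, so keep the grant scoped to the shared users database only. Since every process running as NT AUTHORITY\SYSTEM inherits that grant, choosing a dedicated service account at WebClient installation time and mapping that account instead is the tighter configuration.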


Notify Password Expires In Days

This property sets how many days before password expiry the user starts being warned. At each login within that period a message warns that the password is about to expire and asks the user to change it. Setting this property to zero disables the feature and no warning is generated.

 

SMTP Property Settings

In addition to the general property settings, there is a "SMTPSettings" property group that allows you to set the report notification email functions.

Note: these settings do not apply to the Alarm Dispatcher notifications, which require their own Server configuration.

 

Server Address

Sets the address of the SMTP server.

 

Static from Address

If set, this is used as the sender (From) address of the notification emails generated by the system.

 

Port Number

This parameter allows you to specify the port to use (default value 25).

Depending on the port number used, the SMTP client selects the appropriate security type. The supported protocols are SSL, TLS and STARTTLS.
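Because the security type follows from the port, it is worth checking what the server actually offers on the port entered here before trusting that report emails travel encrypted. As an added example (not from the Movicon.NExT documentation), this PowerShell function opens a connection on the given port, treats 465 as implicit TLS and otherwise checks whether STARTTLS is advertised and negotiates it; the host name and the EHLO name are assumptions.

```powershell
# Added example: report which security type an SMTP server negotiates on a port.
# Host name and EHLO name are assumptions; certificate validation is left on.
function Test-SmtpSecurity {
    param([string]$Server = 'smtp.example.com', [int]$Port = 587)

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $stream = $client.GetStream()
    try {
        if ($Port -eq 465) {
            # Implicit TLS: the handshake happens before any SMTP dialogue.
            $tls = [System.Net.Security.SslStream]::new($stream, $false)
            $tls.AuthenticateAsClient($Server)
            return "port $Port implicit TLS, protocol $($tls.SslProtocol), cipher $($tls.CipherAlgorithm)"
        }

        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $null = $reader.ReadLine()                      # 220 banner
        $writer.WriteLine('EHLO hmi.example.local')
        $caps = @()
        do { $line = $reader.ReadLine(); $caps += $line } while ($line -match '^250-')

        if (($caps -join "`n") -notmatch 'STARTTLS') {
            return "port $Port plaintext only: server does not advertise STARTTLS"
        }
        $writer.WriteLine('STARTTLS')
        $reply = $reader.ReadLine()
        if ($reply -notmatch '^220') { return "port $Port STARTTLS refused: $reply" }

        # Upgrade the same TCP connection; AuthenticateAsClient validates the server certificate.
        $tls = [System.Net.Security.SslStream]::new($stream, $false)
        $tls.AuthenticateAsClient($Server)
        return "port $Port STARTTLS, protocol $($tls.SslProtocol), cipher $($tls.CipherAlgorithm)"
    }
    finally { $client.Close() }
}

Test-SmtpSecurity -Server 'smtp.example.com' -Port 25
Test-SmtpSecurity -Server 'smtp.example.com' -Port 587
```

A "plaintext only" result on the configured port means the SMTP user name and password entered below would be sent in clear; switch to a port on which the server offers STARTTLS or implicit TLS.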

 

Enable Authentication

Enabling this will activate the authentication on the SMTP server (when required).

 

User Name

This field is used to set the user name to be used when SMTP Server authentication is required.

 

Password

This is used to set the password to be used for the SMTP Server authentication when required.