User accounts overview
Before using PcVue, a user must log in using a user account. The configuration of the user account determines what product and project features are available, for example the mimics a user can open, the commands he can send, whether he can access configuration or not. The user account configuration comprises the definition of the initial mimic that will open upon log in, or the selection of a SCADA Basic script that will run.
Each user account consists of a user and a profile:
- The configuration of the user provides the name and password used for logging in.
- The configuration of the profile provides the permissions granted to the user (user rights).
In a networked application, different profiles can apply depending on the station where the user logs in.
A user account is required on several interfaces to authenticate a connecting third-party application or its user - Think OPC clients connecting to the OPC server when OPC security is activated, or a custom web app opening a session with the Web Services Toolkit. Not only it ensures authentication, but it also provides control over authorizations granted to the third-party application by applying the permissions as defined in the profile.
User accounts are managed using the Application Explorer or directly from the User accounts administration dialog, which can be displayed using function key F3.
This sub-book contain information about:
- Managing User accounts in the Application Explorer
- User accounts settings
- Configuring user accounts
- Understanding permissions
- Using the advanced security strategy
- Using Windows Domain user groups
- User account system variables
The User accounts administration dialog can be accessed using function key F3 even if no one is logged in or if the logged in user has no user management rights. To prevent this, you must disable this action using the Function Key configuration.
User log in and log out
In the PcVue desktop application, a user logs in and out using the function key F2 and entering a name and password. Depending on the project design, the login dialog may also be accessible via other means in the mimic user interface, a custom login button for example.
In WebVue and the WebScheduler, a user logs in from the Welcome page, and logs out by clicking the Logout button in the system toolbar. See Starting, logging in and logging out of WebVue and Login page for more information.
If activated in the profile, a user is automatically logged out after a period of inactivity.
Profile levels and the advanced security strategy
With the advanced security strategy, user management provides greater security and traceability. In particular, the advanced security strategy enforces a profile level hierarchy that protects against privilege escalation by preventing users from changing their own account and accounts associated to an upper level profile.
In particular, the profile level hierarchy makes it possible to control privileged accounts such as:
- Super administrator users granted permissions to manage administrator user accounts (and all other user accounts)
- Administrator user accounts granted permissions to manage other lower level user accounts, but not other administrator accounts
- Users granted permissions to change configuration, but not authorized to manage user accounts
Using profile levels and the advanced security strategy is highly recommended to protect the system from the risks of user privilege escalation or privilege abuse.
It also provides better control over user accounts and better traceability:
- Password lifespan
- Password robustness
- User account locking
- Failed login attempt management
- User activities logging and tracking
Default user account
When a project is first created, a default user account, known as DEFUSER, together with the profile DEFPROFILE, are created in the built-in directory to provide configuration for the residual permissions when no user is logged in the PcVue desktop application. These residual permissions apply at start-up until a user logs in, and as soon as a user is logged out. The user DEFUSER and the profile DEFPROFILE cannot be deleted.
The DEFPROFILE is automatically created with all access rights.
See Configuring user accounts for more information about the steps required to create your first administrator accounts and minimize the permissions granted to the DEFPROFILE.
Using Windows domain user groups
If the host computer on which your application is running is on a Windows domain with access to an Active Directory Federation Services server (AD-DS), you can use Windows users and Windows user groups as an alternative or in addition to the built-in user directory.