Windows and Security

Running iFIX

As a built-in Windows administrator, you have the rights you need to operate an iFIX SCADA node (start and stop iFIX).

To allow a non-administrator (standard user) to operate an iFIX SCADA node in non-secure mode, you need to add the "Create Global Objects" policy to the individual user or group to provide access.

If you are in secure mode, you need to make sure that the non-administrator user is part of the iFIX secure group (the secure group was specified during install or with the ConfigureWizard.exe).

Running iFIX as a Service

If iFIX was installed in secure mode, to run iFIX as a service, make sure the user is part of the secure group specified during install (by default, this is the IFIXUSERS group). If you are not sure what this group is, run the ConfigureWizard.exe tool which is found in the iFIX install folder (by default: C:\Program Files (x86)\GE\iFIX) to identify it.

In non-secure mode, to allow a user to run iFIX as a service, you need to run the GrantUserFixServiceRights utility from the command line to grant access to the service for this user. You also need to add the "Create Global Objects" policy to the individual user or group. These requirements do not apply to the built-in Administrator account.

NOTE: If a member of the Administrators group runs iFIX as a service from the desktop, and you are upgrading from iFIX 6.1 or earlier, a UAC prompt appears for that user when iFIX starts if the user doesn't have the privileges mentioned in the previous paragraph (this does not apply to the built-in Administrator account). This procedure differs from v6.1 and earlier, where Administrators could just run the service from the desktop with no prompt.

To add the Create Global Objects policy to a user:

  1. Log in as an Administrator.
  2. Click the Start button, and in the Search box, type secpol.msc and press Enter. The Local Security Policy window appears.
  3. In the tree, double-click Security Settings, and then Local Policies, to view the contents of the Local Policies folder.
  4. Click the User Rights Assignment item to view the policies.
  5. Double-click the Create Global Objects policy. The Create Global Object Properties dialog box appears.
  6. Click Add User or Group. The Select Users or Groups dialog box appears.
  7. Enter an individual user name, or group name, such as "iFIXUsers."
  8. Click OK to add the user.

To run the GrantUserFixServiceRights command for a user or group:

  1. Log in as an Administrator.
  2. Click the Start button, and in the Search box, type Command Prompt and press Enter. If the Command Prompt does not appear immediately, double-click the Command Prompt from the list of results.
  3. In the Command Prompt window, type:

    4. GrantUserFixServiceRights GRANT FIX USERNAME

    where FIX is the name of the service (iFIX) that you want to grant rights to, and USERNAME is the name of the user or group that you want to grant rights to.

To provide privileges to a Windows user with the ConfigureWizard.exe when secure mode is enabled:

  1. Log in as an iFIX Administrator.

  2. Locate and run configure wizard (ConfigureWizard.exe) in the iFIX install folder. By default this path is: C:\Program Files (x86)\GE\iFIX\ConfigureWizard.exe. The Install Mode wizard appears.

  1. Select the "Assign a Windows User Account to iFIX services" option.

  2. Enter a user name. If on a domain, enter the fully qualified domain name along with the user account. For example, the previous illustration specified W2019-KMM\USER1 as the user account.-

  3. Enter the password for this account.

  4. Click OK.

  5. Restart your computer.

  6. Start iFIX

  7. Configure the service option in the SCU, if you have not already done so. (From the SCU and select Configure > Local Startup and the select Set iFIX as a Service option, and (if applicable) the Set Service Type to Automatic option. See the topic for details.)

Running iFIX as a Service with Other Services

If you plan to run iFIX as a service along with other services such as the iFIX scheduler, the OPC A&E Server, and the OPC DA Server, make sure that your user has the rights to start/stop/pause all of those services. A user who is a member of the Administrators group usually has all these privileges. (This can be verified by opening the Windows service control panel and checking if the Start/Stop setting is enabled.) To grant a user who is a standard user rights to start/stop/pause these services, log in to Windows as an Administrator and run the following commands:

GrantUserFixServiceRights GRANT IFIXSCHEDULER username

GrantUserFixServiceRights GRANT IFIXOPCAESRV username

GrantUserFixServiceRights GRANT IFIXOPCDA username

Examples: Using GrantUserFixServiceRights

If you want to allow a user named QA1 to run iFIX as a service, type:

GrantUserFixServiceRights GRANT FIX QA1

If you want to allow all members of the group “iFIXUsers” to run iFIX as a service, type:

GrantUserFixServiceRights GRANT FIX "iFIXUsers"

If you later need to revoke the right to run iFIX as a service, use the following command:

GrantUserFixServiceRights REVOKE FIX USERNAME

where FIX is the name of the service that you want to revoke rights from, and USERNAME is the name of the user or group that you want to revoke rights from.