×

It's time to move from Web HMI to Proficy Operations Hub! Visit the Operations Hub web page, download a free trial or check out the datasheet.

Home
Set Up User Security
Configure Active Directory Authentication
Application Assembler (ThingWorx) provides the ActiveDirectory template for you to duplicate to create a directory service for each one of your AD domain servers.
Define the AD Schema Mappings
Use the Schema Mappings section in the DirectoryServices page to manage the mappings of the user and group objects used in the Active Directory authentication.

Web HMI Products Documentation

Set Up User Security
- User Account Overview
  Users consist of both operators and GE administrators. In Application Assembler (ThingWorx), a GE administrator creates and maintains user and group accounts for access to Web HMI environments.
- Access the Application Assembler
  Set up security for Web HMI users and groups in the Application Assembler.
- Create User Accounts
  You create user accounts by duplicating the default user templates, GEAdmin and GEUser. All settings are inherited from these default user templates except for the password and group membership.
- Assign Users to a Group
  As a GE administrator, you assign users duplicated from the GEUser or GEAdmin user template to the appropriate group.
- Change User Passwords
  GE administrators can change existing user passwords when needed.
- Define LDAP Settings
  Use the LDAP Directory Services in Application Assembler (ThingWorx) to manually edit Web HMI users to exactly match the user names in Active Directory, and then assign them to groups.
- Configure Active Directory Authentication
  Application Assembler (ThingWorx) provides the ActiveDirectory template for you to duplicate to create a directory service for each one of your AD domain servers.
  - Set Up the AD Server Connection
    Use the Connection Settings section in the DirectoryServices page to define how to communicate with the AD server.
  - Define the AD Schema Mappings
    Use the Schema Mappings section in the DirectoryServices page to manage the mappings of the user and group objects used in the Active Directory authentication.
  - Map AD Groups with ThingWorx Groups
    Use the Group Mappings section in the DirectoryServices page to associate Active Directory groups with ThingWorx groups. Permissions are set by the ThingWorx groups and are used at Web HMI runtime.
  - Enable User Provisioning
    Use the User Provisioning section in the DirectoryServices page to enable the AD domain server to dynamically create, modify, and delete users in Web HMI. For example, by enabling user creation, the Active Directory automatically creates new users on first login to Web HMI.
  - Set User Defaults
    Use the User Defaults section in the DirectoryServices page to define settings to help you manage and identify provisioned users.
  - Exclude Users from Provisioning
    Use the User Provisioning Exclusion List section in the DirectoryServices page to specify which Web HMI users to exclude from all the user provisioning features.

Define the AD Schema Mappings

Use the Schema Mappings section in the DirectoryServices page to manage the mappings of the user and group objects used in the Active Directory authentication.

Define the following schema mappings settings:

Option	Description
User ID Attribute Name	The attribute name containing the user name to match against the Web HMI login user name. The default is cn. Example: sAMAccountName
User Base Distinguished Name	The distinguished name of the top-level directory that is used to validate user credentials. The default is ou=people. Example: CN=Users,DC=ge,DC=local
Group Object Class Name	The value of the object class attribute indicating the object is a group. The group objects are queried and presented for the Active Directory and ThingWorx group mapping in the Group Mappings section in the DirectoryServices page. The default is group.
Group LDAP Filter to filter domain groups	Enables the filtering of a large number of domain groups. Note: Do not leave this field blank when there are a substantial number of domain groups because performance may be significantly impacted.
Group Membership Attribute Name	The attribute name that indicates a user or group is a member of another group. For each memberOf entry within a user in the Active Directory, that user is added as a member to the ThingWorx group mapped with the Active Directory group named in the memberOf entry. The default is memberOf.
Group Attribute Name	The attribute name that retrieves the group display name from the ThingWorx UI, specifically in the Group Mappings section in the DirectoryServices page. The default is cn.
User Flags Attribute Name	The default is userAccountControl. For information about this setting, see https://msdn.microsoft.com/en-us/library/cc223145.aspx.
User Control Attribute's Disabled Bit	The default is 2. For information about this setting, see https://msdn.microsoft.com/en-us/library/cc223145.aspx.
User Control Attribute's Lockout Bit	The default is 16. For information about this setting, see https://msdn.microsoft.com/en-us/library/cc223145.aspx.

Select Save.