Tips on Administrating User Accounts

How Logins Work

To access applications on a Webspace Server, clients must sign in to the server machine. When a user starts a Webspace client, a prompt appears for a user name and password. This information is encrypted by default (encryption is optional) and passed to the Webspace Application Publishing Service running on the Webspace Server. The Proficy Webspace Application Publishing Service then performs the logon operation on the Webspace Server using standard multi-user features of Windows. Next, the iFIX Security Login dialog box appears for the iFIX login. The user names and passwords should be the same for Windows and iFIX Security. (Optionally, you can configure password caching on the client for subsequent logins. For more information, refer to the Client-Side Password Caching section.)

When a user signs in to a Webspace Server and a domain is not specified, the Webspace Server first attempts to authenticate the account on the local machine, followed by the machine's domain, and lastly the trusted domains. Users can override this default behavior and specify a domain by typing the domain name followed by a backslash (\) and their network user name in the User name box of the Sign In dialog box (for example, NORTH\johng).

When a local user name on the Webspace Server is the same user name as a domain account, each with a different password, Webspace treats them as two separate accounts. Consider, for example, the following scenario:

  • A local account on the Webspace Server, johng, with a password of local.
  • A domain account, johng, with a password of domain.

When you type the user name johng with the password local in the Sign In dialog box, the account authenticates on the local Webspace Server. When you type johng with the password domain, Webspace does not attempt to authenticate on the domain, but fails with an invalid user name or password error. To sign in with the domain account, you must specify the domain name in the User name field in the Sign In dialog box (for example, NORTH\johng).
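The name collision described above can be found before users run into it. The following PowerShell is an added example, not part of the original documentation or the product: it lists enabled local accounts on the server whose names also exist as accounts in the server's domain. It assumes a domain-joined Webspace Server, Windows PowerShell 5.1 or later, and a session running as a domain account that can query Active Directory; it checks only the server's own domain, not trusted domains, and the helper name ConvertTo-LdapFilterValue is made up for this example.

```powershell
# Added example: find local accounts that shadow a domain account of the same
# name (the johng / NORTH\johng situation). Run on the Webspace Server.

function ConvertTo-LdapFilterValue {
    # Hypothetical helper: escape characters that are special in an LDAP
    # search filter (RFC 4515). The backslash must be escaped first.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29'
}

$computerSystem = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $computerSystem.PartOfDomain) {
    Write-Warning 'This machine is not joined to a domain; nothing to compare.'
    return
}

# Disabled local accounts cannot sign in, so only enabled ones are checked.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }

$collisions = foreach ($local in $localUsers) {
    $name = ConvertTo-LdapFilterValue -Value $local.Name

    # [adsisearcher] builds a DirectorySearcher bound to the current domain.
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    $hit = $searcher.FindOne()

    if ($hit) {
        [pscustomobject]@{
            LocalAccount      = "$env:COMPUTERNAME\$($local.Name)"
            DomainAccountDN   = $hit.Properties['distinguishedname'][0]
            LocalPasswordSet  = $local.PasswordLastSet
        }
    }
}

if ($collisions) {
    # Each row is a name for which an unqualified sign-in is tried against the
    # local account; domain users with that name must type DOMAIN\user.
    $collisions | Format-Table -AutoSize
} else {
    Write-Output 'No enabled local account shares a name with a domain account.'
}
```

For each account reported, either remove or rename the local account, or instruct the affected users to sign in with the domain-qualified form.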

After a user is signed in, Webspace relies on the server's operating system to provide the security necessary to run applications safely in a multi-user environment. Applications run in the security context of the client user; this ensures private sessions. Access to all machines and network resources is governed by the operating system and the rights that have been granted to individual users' sessions.

Users must be able to log on interactively (locally) on the Webspace Server. Assign local logon rights to users in Local Security Policy, Domain Security Policy, and Domain Controller Security Policy.

User Account Guidelines

  • The same user name and password combination must be added to your user accounts in Windows and in iFIX to become a valid Webspace user.
  • When adding user accounts in Windows, you can add them to the Workgroup or a Domain. However, it is preferable to use a Domain. Otherwise, you will need to map network drives and use logon scripts.
  • iFIX Windows Security must be enabled for each user you add on your Webspace Server in the iFIX Security Configuration program.
  • When adding users through the Security Configuration application in iFIX, be sure to select the Windows Security option for the user.
  • If you want to use Webspace with FIX Desktop, be aware that because iFIX security is enabled, logged in users must be authorized with the "FIX32 - Run a Task From View" rights in the iFIX Security Configuration application.
  • When assigning security privileges in iFIX, use care when allowing application features that could allow write access, such as the "Database Save/Reload" and "Runtime Visual Basic Editor" features, as well as creating pictures with Datalinks, or any other means to write values into tags. Use Security Areas and Security Groups to further restrict access. Also, use care when creating and sharing schedules in iFIX, so that unintended VBA code is not activated inadvertently by web sessions. For more information on iFIX Security, refer to the Configuring Security Features e-book.
  • The Webspace Server and the SCADA Server should reside on the same network.
  • The Webspace Relay Server and dependent application servers with Webspace installed should all reside on the same network.