×

Have You Seen Workflow Lately? Click here to check out all the new features in the latest version.

Supercharge your GE solution! Download a free trial of Proficy Operations Hub, CSense analytics, and more. Learn more about the Proficy 2024 releases, by signing up for one of our upcoming events.

Home
Security
Domain-Based Security
Windows Domain-Based Security
You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
Windows Domain Users Logging into Workflow
If you are using Windows user names and passwords within Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under the local security policy. By default, this policy is assigned to the groups Users and Everyone on the local machine.

Workflow Products Documentation

Security
- Security Overview
- Users and Groups
- Domain-Based Security
  - Windows Domain-Based Security
    You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
    - Windows Domain Users Logging into Workflow
      If you are using Windows user names and passwords within Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under the local security policy. By default, this policy is assigned to the groups Users and Everyone on the local machine.
    - Authenticate Windows Domain Users for Vision Calls
      Vision uses a token to make a secure call. For Windows authentication, the Proficy STS service needs to query the domain controller to retrieve groups that the user belongs to. This group information is used to validate the Windows user.
    - Password Expiration Considerations
      When Workflow security is synchronized with Windows security, passwords can expire.
    - Configuring Domain-Based Access Control to Workflow Functionality
      You can use active directory universal or global groups to control access to Workflow functionality.
    - Key Sets
      Key sets are groups of permissions, based on areas of operation within your facility, that define the operations a group of users can perform.
    - Login and Logout Capabilities
      Workflow access can be configured in multiple ways. You can configure automatic login and logout on individual computers, on all computers in your system, or on a subset of computers in your system. You can also retain manual login and logout on a global basis or on specific computers.
    - Workflow User Password Security
      Administrator users have the ability to make changes to the security settings in Workflow, including configuring lockout thresholds, re-enabling locked out user accounts, configuring password complexity, and determining whether or not users can change their passwords.

Windows Domain Users Logging into Workflow

If you are using Windows user names and passwords within Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under the local security policy. By default, this policy is assigned to the groups Users and Everyone on the local machine.

If the domain policy overrides the local policy settings by removing these groups, then the Windows user names and passwords will fail with insufficient rights when trying to log in to Workflow. If domain administrators want to restrict this right, then they must do one of the following tasks in order to continue to use Windows user names and passwords within Workflow:

Create a Domain Group that contains all the Domain Users that will be used within Workflow security, add this group to the domain policy Access this computer from the network, and deploy this policy to all machines running Workflow.
Add the Domain Users group to the domain policy Access this computer from the network, and then deploy this policy to all machines running Workflow.
Add Authenticated Users to the domain policy Access this computer from the network, and then deploy this policy to all machines running Workflow. Be aware that this group requires each user to log on to the domain at least once to be considered an authenticated user.
Leave at least the Users group in the domain policy Access this computer from the network. If you choose this option, be aware that the Anonymous user and the Guest user are not part of the Users group.

Updating Existing Windows Domain Users in Workflow

If you have existing Windows domain users that were created in a previous version of Workflow, and those user accounts are now associated with one or more active directory universal or global groups, the first time those users log in, whether manually or automatically, the system will update the domain information for each user and automatically remove those users from the pre-existing Windows Users group in Workflow.