Applying Role-based Security to the Application Folder

Applying role-based security to application folder ensures that only the authorized users can access the resources within the application folder and edit the application. The application with the role-based security is hereafter, referred to as the Secure Application. The application without the role-based security is referred to as the insecure application. You can secure the application folder even when you import or modify an existing application.

By default, the InTouch application inherits permissions from its parent folder from where it was created, and no additional permissions are applied. To restrict access to the applications folder for Standalone applications, enable Limit access to Standalone InTouch Application to users in InTouchDevelopers and InTouchOperators groups option inside the Application Manager under Tools > Node properties > Security. When the security feature is enabled on a node, strict read and write permissions are applied to the InTouch View Application.

Defining Security User Roles

With the installation of InTouch HMI, the following InTouch user groups are automatically added as local users groups:

• InTouch Developers - Users belonging to this group have full control on the InTouch application root folder. They can edit and manage the application, with Read/Write permissions to the entire application.

• InTouch Operators - Users belonging to this group have limited control on the InTouch application root folder. They can run the application. They have Read-Only access to most file and will need Read/Write permissions to a few files.

You can limit access to InTouch application to users in 'InTouchDevelopers' and 'InTouchOperators' groups only.

Assigning Domain Groups

You can assign a domain group to the 'InTouchDevelopers' or 'InTouchOperators' group. The users belonging to the domain group will have the Developer or Operator level access.

Assigning a local group to the 'InTouchDevelopers' or 'InTouchOperators' group is not supported. It is recommended to add the users to the "InTouchDevelopers" or "InTouchOperators" group.

To enable security for the InTouch application folder

1. Launch the Application Manager as an Administrator.

2. In the Tools menu, on the Tools tab, click Security.

   The Security screen appears.

3. Select Limit access to Standalone InTouch applications to users in InTouchDevelopers and InTouchOperators groups to enable security to all the application folders or select Limit access to specific standalone InTouch applications to users in InTouchDevelopers and InTouchOperators groups to enable security to only selected application folders.

   

4. Select Ok.

Additional information

• When you select Ok in this node properties dialog, Access Control Lists (ACL) to application folder are applied if they selected to secure per machine or per application.

  • For per machine, the ACLs of every application which has its folders will be updated.

  • For per application, it will only update the apps which the user selected.

• Any applications which are on Universal Naming Convention (UNC) path or mapped network drive are excluded.

• When you perform ‘find application’ or 'import application', and if you have enabled application folder security at machine level, then the security is applied to the newly added application folder.

• The setting for this configuration can be found in the file following path with the entry ‘SecureApplicationFolder’.

  C:\ProgramData\wonderware\InTouch\CONFIGURATION.ini