Understand security modes
- Last Updated: Oct 25, 2024
There are three security modes that determine the basis for MES application user logins. The mode is set by the Security Mode system parameter in the Security group of the General Parameters module.
- Native: The user groups and users are created in MES Client. This is the default security mode.
- OS User: The user groups are created in MES Client, and existing Windows Active Directory (AD) user accounts are added to the native MES user groups.
- OS Group: Existing Windows AD user groups are added to the MES database. This allows any existing Windows AD user account within each user group to have access to MES, according to the privileges and entities assigned to the user group.
In OS Group security mode, a user logging into MES Client must be a member of a Windows user group that has been added to the MES database. Otherwise, the following error message appears: . For more information about logging in to MES Client, see Start MES Client.
For the most secure configuration, set the security mode to one of the Operating System (OS) options. One of the OS options is also required for using the MES Web Portal. When deciding between OS User and OS Group, consider whether individual users need different default language settings: in OS Group mode, all users get the default language set by the global system parameter.
Additional Information About OS Group Mode
In OS Group mode, the groups, not the individual users, are configured. The MES system does not load all current OS users from the group into the MES database, and it has no mechanism to periodically synchronize with Active Directory to update the list of users in MES against the membership of the OS group. This is by design: some customers have thousands of OS users, and only a small percentage of those are MES users.
Instead, the MES system adds a user to the user_name table in the database during that user's initial successful login. This initial login requires validation of the user's credentials with the OS. It can occur when logging in to MES Client, Enterprise Console (when used with MES model-driven application content), MES Operator, or MES .NET controls. Even when configured for automatic login (e.g., MES Client or .NET controls), the user must enter credentials once. Once the user_name record has been created, all future connections for that user log in to MES automatically.
Note that logins to MES Web Portal will not result in the user being added to the user_name table. MES Web Portal logins use AVEVA Identity Manager (AIM) tokens to access MES.
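Because MES never synchronizes the user_name table back against Active Directory, a periodic reconciliation is a useful operational check: it surfaces user_name records whose account has since left every AD group that was added to the MES database, and AD members who have not yet logged in (which is expected, since records are created only on first successful login). The script below is an added example, not part of the product or this page; the user_name column name, the group names and the account values are constructed assumptions, and the AD membership would in practice come from an export such as Get-ADGroupMember.

```python
"""Reconcile MES user_name records (OS Group mode) with current AD group membership."""

# Constructed sample rows as they might be exported from the MES user_name table.
# The column name "user_name" is an assumption; the real schema is not shown on this page.
MES_USER_ROWS = [
    {"user_name": "CORP\\alice"},
    {"user_name": "corp\\Bob"},      # case differs from the AD export; must still match
    {"user_name": "CORP\\carol"},
    {"user_name": "CORP\\dave"},     # constructed: removed from AD groups after first login
]

# Constructed sample: current members of the AD groups that were added to the MES database.
# Keys are AD group names; values are DOMAIN\sAMAccountName strings.
AD_GROUP_MEMBERS = {
    "MES_Operators": {"CORP\\alice", "CORP\\bob", "CORP\\erin"},
    "MES_Supervisors": {"CORP\\carol"},
}


def norm(account: str) -> str:
    """Windows account names are case-insensitive, so compare in lower case."""
    return account.strip().lower()


def reconcile(mes_rows, ad_groups):
    """Return (stale, pending).

    stale   : accounts present in user_name but no longer in any MES-mapped AD group.
              These deserve review, because MES will not remove them on its own.
    pending : AD group members with no user_name record yet. Expected: the record is
              created only on the account's first successful interactive login.
    """
    ad_members = {norm(m) for members in ad_groups.values() for m in members}
    mes_accounts = {norm(r["user_name"]) for r in mes_rows}
    stale = sorted(a for a in mes_accounts if a not in ad_members)
    pending = sorted(a for a in ad_members if a not in mes_accounts)
    return stale, pending


if __name__ == "__main__":
    stale, pending = reconcile(MES_USER_ROWS, AD_GROUP_MEMBERS)
    print("user_name records with no current AD group membership:", stale)
    print("AD members awaiting first MES login:", pending)
```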
Changing the Security Mode and MES Web Portal
If you change the security mode by changing the Security Mode system parameter, you must restart the MES middleware; the security mode change takes effect for MES Web Portal only after the restart.