Understand user authentication and privileges
- Last Updated: Nov 01, 2024
The following notes include conceptual and configuration information specific to user authentication and privileges for MES Web Portal functionality. See the related topics for more information about MES Web Portal user authentication and privileges settings.
User authentication
The default Security Mode for MES installations is Native mode. However, MES Web Portal requires the use of your system’s Windows Active Directory (AD) user groups or user accounts for logging in. Therefore, to support MES Web Portal users, the Security Mode must be changed to either OS Group or OS User. Also, AD user groups or users must be added to the MES database using MES Client, depending on the security mode.
OS group vs. OS user security mode
Refer to the following descriptions to help you determine which Security Mode—OS Group or OS User—to use for MES Web Portal user authentication in your system environment:
- In OS Group mode, both the AD groups to which a user belongs and the user's AD user account are checked to verify their authentication to log in to an MES Web Portal session. If the user belongs to an AD group that has also been configured as an OS group in the MES database, then the user is allowed to open a session. If an MES user account does not already exist for that user, then one is automatically created. For information about adding AD user groups as OS groups in the MES database, see the MES Client User Guide or online help.
- In OS User mode, the user's AD user account is checked to verify their authentication to log in to an MES Web Portal session. If the user's AD user account has also been configured as an OS user in the MES database, then the user is allowed to open a session. For information about adding AD user accounts as OS users in the MES database, see the MES Client User Guide or online help.
Note: If you change the security mode, you have to restart the MES Web Portal service in Internet Information Services (IIS).
OS group security and multiple Active Directory domains
If your network is configured with multiple Windows AD domains, and you intend to use OS Group security with MES Web Portal, you must select only Global and Universal domain groups when configuring MES groups. This is because MES Web Portal will not authenticate users in Domain Local groups when the system is part of multiple domains.
As an example, say your network has multiple domains and you pick a local domain group to be an MES group. You configure that group to have access to an entity, to run Operator, and to not allow editing of entity settings. A user who belongs to that local domain group (and does not belong to any other groups configured to be an MES group) would be able to log into the entity in MES Operator and perform operations on that entity. However, the same user would not see the entity in MES Web Portal because MES Web Portal will not authenticate the user from that domain local group.
You should only select local domain groups if you are sure that your network has only one domain. Consult your network administrator if you are unsure about whether your network has multiple domains or if you are unsure about whether a domain group is local, global, or universal.
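The following PowerShell script is an added example, not part of the MES documentation, that checks the scope of each AD group you intend to configure as an MES OS group and flags Domain Local groups when the forest contains more than one domain. It assumes the ActiveDirectory RSAT module is installed and that the group names in $MesGroups are hypothetical placeholders for your own.

```powershell
# Added example (not MES product code): verify that candidate MES OS groups
# have a scope MES Web Portal will authenticate in a multi-domain forest.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

# Hypothetical group names; replace with the groups you plan to add in MES Client.
$MesGroups = @('MES-Operators', 'MES-Supervisors')

# Count the domains in the forest; the Domain Local restriction only applies
# when there is more than one.
$forest      = Get-ADForest
$domainCount = @($forest.Domains).Count
$multiDomain = $domainCount -gt 1
Write-Host "Forest $($forest.Name) contains $domainCount domain(s)."

$problems = 0
foreach ($name in $MesGroups) {
    # GroupScope is DomainLocal, Global or Universal.
    $group = Get-ADGroup -Identity $name -ErrorAction Stop
    switch ($group.GroupScope) {
        'DomainLocal' {
            if ($multiDomain) {
                # Members of this group can use MES Operator but will not see
                # entities in MES Web Portal; recommend a Global/Universal group.
                Write-Warning "$name is Domain Local: MES Web Portal will not authenticate its members in a multi-domain forest. Use a Global or Universal group instead."
                $problems++
            } else {
                Write-Host "$name is Domain Local: acceptable only because the forest has a single domain."
            }
        }
        default {
            Write-Host "$name is $($group.GroupScope): supported by MES Web Portal."
        }
    }
}

if ($problems -gt 0) {
    Write-Warning "$problems group(s) need to be replaced before enabling OS Group security."
}
```

Run it before switching the Security Mode to OS Group so that the groups you add in MES Client are already of a supported scope.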