Configure Roles and Groups
- Last Updated: Jan 16, 2025
Before you open the security editor for a Galaxy, make sure:
- No other user is connected to the Galaxy.
- All objects in the Galaxy are checked in.
- If security was previously configured, your user account belongs to a role that holds the Framework Configuration/Modify Security Model general permission.
If you try to open the security editor before these conditions are met, a warning message appears and you are denied access.
Caution: Do not configure security settings of the IDE while an IDE-managed InTouch application is opened for editing in WindowMaker.
Other users who try to open the Galaxy while you are configuring security are denied access to the Galaxy.
To configure Galaxy security
- From the ribbon, select Galaxy, then Configure, and then Security. The Security page appears.
- On the Authentication mode tab, select the security type you want: Galaxy, OS User Based, OS Group Based, or Authentication providers (AVEVA Identity Manager). To use the AVEVA Identity Manager, see Configure the AVEVA Identity Manager.
  If you select the OS Group Based authentication mode, you can also set the time-out period for login attempts and the interval for role verification. A longer interval helps if your network connection is slow or intermittent.
  - Login time: The time-out period, in milliseconds, within which the system must validate the user's membership against the OS groups selected as System Platform roles. The minimum is 0 (zero), the maximum is 9,999,999, and the default is 1,000. A value of 0 turns the time-out off, so the operation never times out. Choose the value based on the speed of your network and the number of groups configured in System Platform: the slower the network or the larger the number of groups, the higher the value.
  - Role update: The pause between validation attempts for successive OS groups when a log on is attempted. Membership is checked one role per Role update interval to minimize network usage. The minimum is 0 (zero) and the maximum is 9,999,999. The default is 0, which turns the feature off, so the operation does not pause between group checks. This option operates independently of Login time: even if Login time expires, the role update continues in the background and eventually refreshes the user-to-role relationships for this user in the local cache. Because the two settings are independent, a non-zero Role update multiplied by the number of configured groups can exceed the Login time; if it does, the login validation times out before every group has been checked, so raise Login time accordingly.
- Select the Security Groups tab to add and configure security groups. Security groups define which objects (templates and instances) the logged-in user can access. To assign objects to a new security group, select them under the Default group and drag them to the new group. Security groups appear on the Roles tab under "Operational Permissions." See Assign Users to Roles for more information.
  - Create a new security group by selecting the Add button, then type a unique name for it in the Security Groups Available pane. Security group names can be up to 32 alphanumeric characters, including a period. The name must include at least one letter and cannot start with $.
  Note: Security group names are not case sensitive: Admin is the same as admin.
  - An object can belong to only one security group. To move objects from the Default security group to the new security group, select the Default group, then drag the objects to the new group.
- Select the Roles tab to set the general and operational permissions for each security role, and to create new roles or delete existing ones.
  - Remove any general and operational permissions that the Default role does not need (you can also remove operational permissions from the Administrator role). Because the Default role applies to all users, leave only the permissions that every user needs. See About roles for more information.
  - If you selected Galaxy or OS User Based authentication mode, create a new role by selecting the Add button and typing a name for it in the Roles Available pane. Role names can be up to 512 alphanumeric characters, including a period.
  - If you selected OS Group Based authentication mode, the Select Groups dialog appears after you select the Add button. It lets you add roles based on existing OS groups, in either of two ways:
    - In Enter the OS Group name, type the group name (preceded by the domain name if the group is not in the local domain) and select the Add button, or
    - In Select in, select the domain that contains the OS group you want to add as a role, select the group from the Available OS Groups dropdown, and select the Add button.
  - Select the General and Operational Permissions for the new role. General permissions define the Galaxy configuration and management actions a user may perform in the IDE and the OCMC. Operational permissions define the actions a user may perform at run time, for example acknowledging alarms or modifying attribute values.
  Important: In the General permissions area, clearing the Can Start OCMC check box still allows a user assigned to this role to start the OCMC, but not to connect to Platform Manager.
  Important: In the General permissions area, clearing the Can Start/Stop the Engine/Platform check box still allows a user assigned to this role to set the engine or platform On Scan or Off Scan.
  Important: If a role is given the "Can Modify Deployed Instances" permission, also select the "Can Create/Modify/Delete..." permissions in the System Configuration, Device Integration Objects, and Application Configuration groups. Together these give the role check-in and undo-checkout abilities.
- Select the Users tab to associate authorized users with their roles, add new users, or delete existing users.
  Note: Bold red text indicates that the user or role is invalid in the selected authentication mode.
  If you selected Galaxy or OS User Based authentication, create a new user by selecting the Add button. User names can be up to 255 alphanumeric characters with no spaces. To configure user roles, see Assign Users to Roles.
  Note: You cannot add users if OS Group Based authentication mode is selected; users are recognized through their membership in the OS groups configured as roles.
  When Application Server events and alarms are viewed in InTouch, a "." appears as the user's domain if the user name is a local name. Otherwise the user appears as <domain name>\<username>.
- When you are done, select OK. You are prompted to log on to the currently open Galaxy.
  Important: To improve security, do not use the default accounts (Administrator or DefaultUser) to log on to the IDE or other System Platform components; these are reserved system names. In general, avoid generic or easily guessed user names such as "Admin," "Administrator," "DefaultUser," or "User." Change the passwords of the default accounts so that they cannot be used for malicious or accidental access to the Galaxy.
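The naming limits for security groups, roles and users, and the permission dependencies on the Roles tab, can be checked offline before anything is typed into the editor. The script below is an added example, not AVEVA code and not part of the original page. It assumes "alphanumeric" means ASCII letters and digits; the permission labels the page abbreviates as "Can Create/Modify/Delete..." are written as assumed keys of the form `<group>/Can Create/Modify/Delete` and must be matched to the real IDE labels; the operational permission names and the sample role model are constructed. Treating role and user names as case-insensitive (the page states this only for security groups) and flagging Framework Configuration/Modify Security Model on any role other than Administrator are hardening assumptions made here.

```python
"""Offline pre-flight checks for a proposed Galaxy security model (added example)."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Naming limits from the page: (max length, period allowed, must contain a letter).
# 'alphanumeric' is read as ASCII letters and digits (assumption).
NAME_RULES = {
    "security_group": (32, True, True),
    "role": (512, True, False),
    "user": (255, False, False),
}
RESERVED_ACCOUNTS = {"administrator", "defaultuser"}  # reserved system names
GENERIC_ACCOUNTS = {"admin", "user"}                  # easily guessed names

# General permissions as the page names them. The page abbreviates the
# create/modify/delete entries as 'Can Create/Modify/Delete...', so the
# keys built by cmd_permission() are assumed, not the real IDE labels.
MODIFY_SECURITY_MODEL = "Framework Configuration/Modify Security Model"
MODIFY_DEPLOYED = "Can Modify Deployed Instances"
START_OCMC = "Can Start OCMC"
START_STOP_ENGINE = "Can Start/Stop the Engine/Platform"
CMD_GROUPS = ("System Configuration", "Device Integration Objects", "Application Configuration")


def cmd_permission(group: str) -> str:
    return f"{group}/Can Create/Modify/Delete"


def validate_name(kind: str, name: str, existing: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for a proposed security group, role or user name."""
    max_len, allow_period, needs_letter = NAME_RULES[kind]
    if not name:
        return ["name is empty"]
    problems: List[str] = []
    if len(name) > max_len:
        problems.append(f"{len(name)} characters exceeds the {max_len}-character limit")
    bad = sorted(set(re.findall("[^A-Za-z0-9.]" if allow_period else "[^A-Za-z0-9]", name)))
    if any(ch.isspace() for ch in bad):
        problems.append("must not contain spaces")
        bad = [ch for ch in bad if not ch.isspace()]
    if bad:
        problems.append("contains characters outside letters, digits"
                        + (" and '.'" if allow_period else "") + ": " + "".join(bad))
    if name.startswith("$"):
        problems.append("must not start with '$'")
    if needs_letter and not re.search("[A-Za-z]", name):
        problems.append("must contain at least one letter")
    # Case-insensitive comparison is stated for security groups; applied to all kinds (assumption).
    if name.lower() in {e.lower() for e in existing}:
        problems.append("duplicates an existing name (compared case-insensitively)")
    if kind == "user" and name.lower() in RESERVED_ACCOUNTS:
        problems.append("reserved system account; do not use it for IDE logins")
    elif kind == "user" and name.lower() in GENERIC_ACCOUNTS:
        problems.append("generic, easily guessed account name; use named per-person accounts")
    return problems


Finding = Tuple[str, str, str]  # (severity, role, message)


def check_role_model(roles: Dict[str, Dict[str, Set[str]]],
                     default_baseline: Iterable[str] = ()) -> List[Finding]:
    """Flag the permission combinations the page warns about in a proposed role model."""
    baseline = set(default_baseline)
    findings: List[Finding] = []
    for role, perms in roles.items():
        general = set(perms.get("general", ()))
        operational = set(perms.get("operational", ()))
        # Dependency from the page: without create/modify/delete in all three
        # groups, the role lacks check-in and undo-checkout abilities.
        if MODIFY_DEPLOYED in general:
            missing = [g for g in CMD_GROUPS if cmd_permission(g) not in general]
            if missing:
                findings.append(("error", role,
                                 f"'{MODIFY_DEPLOYED}' without Create/Modify/Delete in: " + ", ".join(missing)))
        # The Default role applies to every user: keep it to the all-users baseline.
        if role.lower() == "default":
            extra = sorted((general | operational) - baseline)
            if extra:
                findings.append(("warn", role, "beyond the all-users baseline: " + ", ".join(extra)))
        # Whoever can modify the security model can grant any permission (hardening assumption).
        if MODIFY_SECURITY_MODEL in general and role.lower() != "administrator":
            findings.append(("warn", role, f"holds '{MODIFY_SECURITY_MODEL}'"))
        # Two check boxes that block less than their names suggest.
        if START_OCMC not in general:
            findings.append(("info", role, "can still launch the OCMC; only the Platform Manager connection is blocked"))
        if START_STOP_ENGINE not in general:
            findings.append(("info", role, "can still set engines and platforms On Scan or Off Scan"))
    return findings


# Constructed sample model; the operational permission labels are placeholders.
SAMPLE_MODEL = {
    "Administrator": {"general": {MODIFY_SECURITY_MODEL, MODIFY_DEPLOYED, START_OCMC, START_STOP_ENGINE,
                                  *(cmd_permission(g) for g in CMD_GROUPS)}, "operational": set()},
    "Default": {"general": set(), "operational": {"Acknowledge alarms", "Modify attribute values"}},
    "Engineers": {"general": {MODIFY_DEPLOYED, START_OCMC, START_STOP_ENGINE,
                              cmd_permission("System Configuration"), cmd_permission("Application Configuration")},
                  "operational": set()},
    "Maintenance": {"general": {MODIFY_SECURITY_MODEL, START_OCMC, START_STOP_ENGINE}, "operational": set()},
}

if __name__ == "__main__":
    for kind, name in [("security_group", "$Tanks"), ("security_group", "12345"),
                       ("user", "op 1"), ("user", "Administrator")]:
        print(kind, repr(name), validate_name(kind, name))
    for severity, role, msg in check_role_model(SAMPLE_MODEL, default_baseline={"Acknowledge alarms"}):
        print(f"[{severity}] {role}: {msg}")
```

Run it against the role model you intend to enter; an "error" finding means a role that will be unable to check in or undo checkout, and a "warn" on Default means a permission that every user, including the default accounts, would receive.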