OS group based security mode notes
- Last Updated: Aug 12, 2024
- 2 minute read
The OS Group Based security mode authorizes users based on OS groups; in other words, it leverages the operating system's user authentication system on a group basis. A user is a member of a particular group and holds the permissions granted within the context of that group.
Two settings are available in this mode: Login Time and Role Update. The default Login Time is 1,000 ms, so the user experiences a 1 second delay while the system validates the login permissions. The default Role Update is 0 ms, which means the system does not pause between validating user membership and groups. This setting is independent of the Login Time.
System Considerations
The first time a user logs on to a system, and the OS Group security mode is set, the login is validated at a domain controller. After the login is validated, a cache is created on the local machine and propagated to other nodes in the system. The user then has specific permissions to interact with the system (operator, administrator, etc.) on any node.
This scenario has several implications:
- The first time a user logs on to the system, they may experience delays while the system validates their permissions and creates the cache. This is especially relevant if the system includes a large number of OS groups and/or network nodes. The delay may be exacerbated by widely distributed networks (see the last bullet).
- Subsequent logins in the system use the (local) cache created at the previous login. This means that if login permissions are modified, the user can still log on, but uses the "old" cache until the update occurs. This update takes place "under the hood" and does not prevent the user from logging in with the old permissions.
- If the Login Time is set to 0, the system validates permissions and creates a new cache at each login. When the security mode has a large number of groups and the system is widely distributed (SCADA) with slow or intermittent network components, lengthy login delays may occur.
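A small Python model of the caching behaviour these bullets describe, added for this page and not taken from the product: it shows how a group membership revoked in the directory stays effective on a node until the cache refresh lands, and how a Login Time of 0 removes that window at the cost of validating at the domain controller on every login. The `DomainController` and `Node` classes, and the rule that a background refresh becomes effective by the next login, are constructed stand-ins, not the product's API.

```python
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """Constructed stand-in for the authoritative (slow, network-bound) lookup."""
    groups: dict  # user -> set of OS groups, as the directory reports them

    def lookup(self, user):
        return frozenset(self.groups.get(user, ()))


@dataclass
class Node:
    """One node's local validation cache, following the notes' description."""
    dc: DomainController
    login_time_ms: int = 1000                     # default per the notes
    cache: dict = field(default_factory=dict)     # user -> cached groups
    log: list = field(default_factory=list)       # what each login did

    def login(self, user):
        """Return the groups granted to this session.
        Login Time 0: validate at the DC on every login, no cache reuse.
        Otherwise: first login validates and fills the cache; later logins
        are granted the cached groups while a refresh runs "under the hood"
        (modelled here as taking effect by the next login)."""
        if self.login_time_ms == 0:
            self.cache[user] = self.dc.lookup(user)
            self.log.append((user, "validated-at-dc"))
            return self.cache[user]
        if user not in self.cache:
            self.cache[user] = self.dc.lookup(user)
            self.log.append((user, "first-login-cache-created"))
            return self.cache[user]
        granted = self.cache[user]                # possibly stale
        self.log.append((user, "cached"))
        self.cache[user] = self.dc.lookup(user)   # background refresh
        return granted


def revocation_lag_demo():
    """Revoke a group in the directory and compare a cached node with one set to Login Time 0."""
    dc = DomainController({"alice": {"Operators", "Administrators"}})  # constructed data
    cached_node = Node(dc)                 # default 1,000 ms, cache in use
    strict_node = Node(dc, login_time_ms=0)
    first = cached_node.login("alice")     # validated at the DC, cache created
    dc.groups["alice"].discard("Administrators")   # revoked in the directory
    stale = cached_node.login("alice")     # old cache: still an Administrator
    fresh = cached_node.login("alice")     # refresh has landed: revocation applied
    strict = strict_node.login("alice")    # Login Time 0: no stale window at all
    return first, stale, fresh, strict
```

The `stale` result is the window the second bullet warns about: the revocation is already in the directory, but the node grants the old role once more before the cache catches up.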
To mitigate login time delays
- Provide additional Domain Controllers on "this" side of potential network bottlenecks.
- Ensure the Login Time and Role Update settings are set correctly for the local environment. For example, setting the Login Time to 10,000 ms means that the user cannot interact with the system for 10 seconds, regardless of the use of the validation cache. In this case, 1,000 ms (default) is usually acceptable.