Associate a ClearSCADA User Group with a Windows Domain Group or LDAP User Group

The topics in this section only apply to systems on which the External Authentication feature is enabled. If this feature is not used on your system, you can ignore this section.

If the External Authentication feature is enabled at the ClearSCADA server, each ClearSCADA user account can be associated with a Windows or LDAP User Profile. Additionally, each ClearSCADA User Group can be associated with a Windows domain group or LDAP user group. This allows network administrators to manage user accounts and the user groups with which they are associated without accessing ClearSCADA (apart from the initial set up).

To facilitate this:

  1. A user account in Active Directory is associated with 3 user groups in Windows.
  2. The equivalent User account exists in ClearSCADA and has the Use External Authentication feature enabled.
  3. 3 User Groups are configured in ClearSCADA to be associated with the 3 domain user groups in Windows. In ClearSCADA, the User Groups are configured with the relevant security permissions to enable users that are members of the User Groups to access the relevant features in ClearSCADA.
  4. A user logs onto ClearSCADA.
  5. As the User account in ClearSCADA is configured to use external authentication, the authentication process checks that the relevant User Profile exists in Windows and logs the user on to ClearSCADA if so. (If the server is configured to Create users automatically from group membership, an equivalent User account would be created in ClearSCADA automatically at this point, if it didn't exist already.)
  6. Part of the external authentication process involves checking which domain user groups the user is associated with in Windows and whether the equivalent User Groups exist in ClearSCADA. For those User Groups that do exist in the ClearSCADA database, ClearSCADA updates the User Groups field (on the General tab of the User Form in ClearSCADA) so that it includes the names of those User Groups. This occurs at login: if any of the User Groups are missing from the User Groups field, ClearSCADA adds them automatically at login. Likewise, if other User Groups (that are associated with other user groups in Windows or LDAP) are listed in the User Groups field, but the external authentication process determines that the User account is not a member of the equivalent user groups in Windows (or LDAP), the entries for those User Groups are automatically removed from the User Groups field at login. This automatic update of the entries in the User Groups field only applies to User Groups on which the Windows/LDAP Group Name field is populated.

With this setup, network administrators can move the user account in Windows (or LDAP) to additional or different user groups, or remove the user account from any of those user groups. Provided that:

  • the equivalent User Groups exist in ClearSCADA and remain associated with the Windows domain (or LDAP) user groups
  • the User account in ClearSCADA continues to use external authentication

the User account's association with the relevant User Groups will update automatically whenever that user logs in to ClearSCADA. (ClearSCADA will automatically populate the User Groups field on the User Form with the names of the relevant User Groups at login, adding the names of any missing User Groups and removing the names of User Groups of which the User is no longer a member.)

If the ClearSCADA database also contains User Groups that are not associated with Windows domain groups or LDAP user groups, entries for some of those User Groups might also appear in the User Groups field on the relevant User Forms. ClearSCADA will not add or remove the entries for such User Groups automatically (you have to manage such User Groups manually, directly in ClearSCADA).
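The login-time update of the User Groups field described above can be modelled as a small reconciliation routine. The Python below is an added illustration and is not ClearSCADA code. It assumes a map of each ClearSCADA User Group to the value of its Windows/LDAP Group Name field (None for an unlinked group), a list of the domain or LDAP groups the directory reports for the user, and case-insensitive comparison of group names ignoring whitespace around DN separators (the page does not state ClearSCADA's exact matching rules). Because local-machine groups are never consulted during membership updates, a User Group linked to one is never matched and is dropped at logon, which is the behaviour the note on local groups later on this page describes. All sample names are constructed.

```python
"""Login-time reconciliation of a ClearSCADA User's "User Groups" field.

Added illustration, not ClearSCADA code: linked User Groups are added or removed
at logon according to the user's domain/LDAP group membership; unlinked User
Groups are left exactly as the administrator set them.
"""
from typing import Dict, Iterable, List, Optional


def _norm(name: str) -> str:
    # Assumption: external group names compare case-insensitively, ignoring
    # whitespace around the commas of an LDAP DN.
    return ",".join(part.strip() for part in name.split(",")).casefold()


def reconcile_user_groups(
    current_field: Iterable[str],
    linked_groups: Dict[str, Optional[str]],
    directory_memberships: Iterable[str],
) -> List[str]:
    """Return the User Groups field as it would look after an external logon.

    current_field         -- names in the User Groups field before logon
    linked_groups         -- every ClearSCADA User Group mapped to its
                             Windows/LDAP Group Name field (None = not linked)
    directory_memberships -- domain/LDAP groups the user belongs to. Local-machine
                             groups are not consulted, so a User Group linked to
                             one is never matched and is removed at logon.
    """
    member_of = {_norm(g) for g in directory_memberships}

    def linked_and_member(user_group: str) -> Optional[bool]:
        external = linked_groups.get(user_group)
        if external is None:
            return None  # not linked: managed manually, leave it alone
        return _norm(external) in member_of

    result: List[str] = []
    # Pass 1: keep unlinked entries and linked entries whose membership still holds;
    # drop linked entries for which the directory no longer reports membership.
    for user_group in current_field:
        if linked_and_member(user_group) is not False:
            result.append(user_group)
    # Pass 2: add linked User Groups the user is a member of but which were missing.
    present = set(result)
    for user_group in sorted(linked_groups):
        if user_group not in present and linked_and_member(user_group):
            result.append(user_group)
    return result


# Constructed sample data (hypothetical names, not from a real system).
LINKED_GROUPS: Dict[str, Optional[str]] = {
    "Engineers": "CN=Engineers,CN=Staff,OU=Company,DC=org",  # LDAP link
    "Operators": "CORP\\Operators",                          # domain group link
    "LocalOps": "SCADASRV\\Operators",                       # link to a local-machine group
    "Auditors": None,                                        # not linked: manual
}
USER_FIELD_BEFORE = ["Operators", "LocalOps", "Auditors"]
# Only domain/LDAP groups are returned by the directory lookup; the local
# machine group SCADASRV\Operators never appears here.
DOMAIN_MEMBERSHIPS = ["cn=engineers, cn=staff, ou=company, dc=org", "CORP\\Operators"]


def demo() -> List[str]:
    return reconcile_user_groups(USER_FIELD_BEFORE, LINKED_GROUPS, DOMAIN_MEMBERSHIPS)


if __name__ == "__main__":
    print(demo())  # ['Operators', 'Auditors', 'Engineers']
```

In the sample, Engineers is added because the directory reports membership, LocalOps is removed because its linked group is never matched, and the unlinked Auditors entry survives untouched, which is why such groups have to be managed manually in ClearSCADA.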


To associate a ClearSCADA User Group with a Windows Domain Group or LDAP User Group:

  1. Display the User Group Form in ViewX.
  2. Select the User Group tab.
  3. In the Link to Windows/LDAP Group section of the tab:

    1. Select the Enabled check box if the User Group in ClearSCADA is to be associated with a Windows Domain Group or LDAP User Group.

      (Clear the check box if the User Group is not to be associated with a Windows Domain Group or LDAP User Group. The rest of the fields in the Link to Windows/LDAP Group section are 'grayed out' and unavailable for use. You will have to manage the User Group manually, directly in ClearSCADA.)

    2. In the Windows/LDAP Group Name field, enter the name of the Windows domain user group, or the full Distinguished Name (DN) of the LDAP user group, with which this ClearSCADA User Group is associated.

      With LDAP, the full Distinguished Name takes the form of a series of CN (Common Name), OU (Organizational Unit), and DC (Domain Component) entries, separated by commas, in the form:

      CN=<Group Name>,CN=<Parent Group Name>,OU=<Organization Name>,DC=<Domain Name>,DC=<Domain Component>

      where the number of CN and DC entries varies, depending on the full path of the LDAP user group within the LDAP directory structure.

      For example: CN=Engineers,CN=Staff,OU=Company,DC=org

      Provided that the User Group is In Service and has valid configuration, and the ClearSCADA User accounts with which it is associated are configured to Use External Authentication, network administrators will be able to manage the members of that User Group automatically, outside of ClearSCADA. (Membership of the User Group will be checked against that of the corresponding Windows domain group or LDAP user group whenever a member of that User Group logs on to ClearSCADA.)

    The Link to Windows/LDAP Group section of fields is only available on User Group Forms when the External Authentication feature is enabled on the server (see Using External Authentication with ClearSCADA).

  4. If the ClearSCADA server is configured to Create users automatically from group membership, use further fields in the Link to Windows/LDAP Group section to specify whether you want to Provide Settings for Automatic User Creation.
  5. Save the configuration.
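To check a Distinguished Name before entering it in the Windows/LDAP Group Name field in step 3, the following Python is an added example and not part of ClearSCADA. It splits the DN on unescaped commas, accepts only the CN, OU and DC component types the text describes, and requires the group's own CN first and at least one DC. The function names split_dn, parse_group_dn and is_valid_group_dn and the sample DNs are assumptions of this example; backslash-escaped characters are kept literally and hex escapes such as \2C are not decoded.

```python
"""Validate the LDAP Distinguished Name for the Windows/LDAP Group Name field.

Added illustration, not ClearSCADA code. Splits a DN into TYPE=value components,
honouring backslash-escaped commas (RFC 4514 style), and checks the shape the
page describes: only CN, OU and DC components, the group's own CN first, and at
least one DC component. Hex escapes (\\2C) are not decoded.
"""
from typing import List, Tuple

ALLOWED_TYPES = {"CN", "OU", "DC"}


def split_dn(dn: str) -> List[str]:
    """Split on unescaped commas; a backslash-escaped comma stays in its value."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf))
    return parts


def parse_group_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(TYPE, value), ...] or raise ValueError if the DN is not usable."""
    components: List[Tuple[str, str]] = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"component {rdn!r} is not of the form TYPE=value")
        attr_type, value = rdn.split("=", 1)
        attr_type = attr_type.strip().upper()   # attribute types are case-insensitive
        value = value.strip()
        if attr_type not in ALLOWED_TYPES:
            raise ValueError(f"unexpected component type {attr_type!r} in {rdn!r}")
        if not value:
            raise ValueError(f"empty value in component {rdn!r}")
        components.append((attr_type, value))
    if not components or components[0][0] != "CN":
        raise ValueError("DN must start with the group's own CN component")
    if not any(t == "DC" for t, _ in components):
        raise ValueError("DN must contain at least one DC component")
    return components


def is_valid_group_dn(dn: str) -> bool:
    """True if parse_group_dn accepts the DN, False otherwise."""
    try:
        parse_group_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample DN, matching the form given in the text.
    print(parse_group_dn("CN=Engineers,CN=Staff,OU=Company,DC=org"))
    # A group whose name contains an escaped comma (constructed).
    print(parse_group_dn("cn=Ops\\, Night, ou=Plant, dc=example, dc=com"))
```

The parser deliberately rejects component types other than CN, OU and DC, so a DN that points at something other than a group under the organisation (for example one using O=) fails before it is saved and silently linked to nothing.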

NOTICE

SECURITY THREAT

On systems on which ClearSCADA can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.

Do not confuse Windows domain groups with Windows groups that only exist on the machine on which the ClearSCADA server is installed (the 'local machine').

If you wish, you can configure ClearSCADA to authenticate an existing ClearSCADA User against a Windows user that only exists on the local machine. However, ClearSCADA will not create a User automatically from a Windows user that only exists on the local machine (it will only do so from a Windows domain user).

Likewise, when performing automatic User Group membership updates, ClearSCADA will not consider Windows groups that only exist on the local machine. Any User Groups that are linked to local Windows user groups will be removed from externally authenticated Users during logon.


ClearSCADA 2017 R2