Example 2: Create a New User Account Automatically at Logon

This example demonstrates how you might configure ClearSCADA to enable the server to create a new User account automatically in the database if a Windows domain user attempts to log on to ClearSCADA and no corresponding ClearSCADA User account exists.

Although the example demonstrates integration with Windows domain users and groups, the scenario could equally apply to integration with LDAP users.

The IT staff at a particular company use Active Directory to maintain user credentials and other security-related information centrally across the company intranet. They want to integrate ClearSCADA's User accounts with the Windows domain user accounts so that they can continue to maintain the user accounts centrally, without having to access ClearSCADA to maintain the user accounts once the initial setup is complete. Additionally, they would like users to be able to log on to ClearSCADA using their Windows domain user names with which they are already familiar, rather than the less familiar ClearSCADA user names. Finally, they would like ClearSCADA to create a new User account automatically if a valid Windows domain user attempts to log in to ClearSCADA, but no corresponding ClearSCADA User account exists in the database.

An administrator sets up the External Authentication requirements on the server, using the ClearSCADA Server Configuration tool. The settings specify that the company will be using the LogonUser method to authenticate logon credentials against user accounts in the Windows domain 'CompanyDomain', and that the user accounts only require Batch logon access to the ClearSCADA server (this is the more secure Logon Type option, as it requires users to have only minimal access rights on the server in order to use the External Authentication feature in ClearSCADA). The check box for 'Allow login to ClearSCADA with Windows/LDAP user names' is selected, so that users can use their more familiar Windows domain user names to log on to ClearSCADA. The Create users automatically from group membership check box is also selected, to enable ClearSCADA to create User accounts automatically at logon when required.

The administrator then logs on to ViewX to set up the required ClearSCADA User accounts.

The company wants to integrate operator- and engineer-level User accounts with Active Directory. They also want ClearSCADA to create operator- and engineer-level User accounts automatically at logon if required.

As this is a new ClearSCADA installation, rather than create operator- and engineer-level User accounts manually, they opt to allow ClearSCADA to create the User accounts automatically, the first time that each Windows domain user logs on to ClearSCADA.

To enable this, the administrator configures two User Patterns in the database: one to contain the initial user configuration for operator-level users, and another to contain the initial user configuration for engineer-level users. (You can create as many User Patterns as you require in the database, to accommodate the different settings for the various types of users on your system.)

The User Patterns are, in effect, 'template' User accounts on which the administrator specifies the ClearSCADA features to which new users are to be given access. The Use External Authentication property on the User Pattern Forms is enabled by default, but the Windows/LDAP User Name field is unavailable for use. ClearSCADA populates that field automatically on the configuration Form of each User account that it creates at logon from the User Pattern, so that the User Form displays the details of the Windows domain user with which the new User account is integrated. (Likewise, if ClearSCADA were configured to integrate the User accounts with LDAP users, ClearSCADA would populate the field with the details of the LDAP user with which the new User account was integrated.)

The administrator configures the required number of User Groups in the database and, where required, associates those User Groups with the relevant Windows domain user groups. (One User Group per Windows domain user group with which operator- and/or engineer-level users are to be associated in ClearSCADA.)

With those User Groups that are to control the settings that apply to new User accounts (ones that ClearSCADA might need to create at logon), the administrator configures the required Automatic User Creation settings. The settings include a reference to the User Pattern that ClearSCADA is to use for creating User accounts for the users that are members of that particular User Group, along with the database location where ClearSCADA is to store the User accounts. (If multiple User Groups are configured to Allow Automatic User Creation, the Priority field can be used to indicate which User Group ClearSCADA should use to create a new User account if it determines that a Windows domain/LDAP user is a member of more than one User Group. 255 is the highest priority, 0 is the lowest.)

The administrator uses the Database Bar to access the Security window of the relevant 'object' Groups and/or individual items in the database. They use the Security window to assign the required access and security permissions to those Groups or items from the User Groups. Users that are members of those User Groups automatically inherit the same access and security permissions for those Groups and items in the database.

The company has opted not to integrate their administrator-level ClearSCADA User accounts with Windows domain user accounts. To facilitate this, they have separate ClearSCADA User Groups to which they assign administrator-level security permissions, and do not link these User Groups to external Windows domain user groups. This decision was made to help prevent the automatic creation of new user accounts with high-level security permissions, such as those that allow the ClearSCADA server to be shut down. As such, the administrator has to manually create a User account in the database for each administrator-level user; in doing so, they leave the External Authentication properties blank on those User Forms (as they are not integrated with Windows domain user accounts).

The administrator manually populates the User Groups field on those User Forms to indicate the User Group membership of each administrator-level user. As these high-level User accounts are not integrated with external user accounts, the User Groups field will have to be maintained manually if User Group membership changes in future.

Once the configuration of the new system is complete, operator- and engineer-level users are invited to log on to ClearSCADA using their Windows domain user names. When they do so, ClearSCADA checks whether a corresponding User account exists in the database; if it does not, ClearSCADA creates a new User account from the User Pattern that is specified on the User Group Form of the User Group of which the Windows domain user is a member. (If the user is a member of more than one User Group that is configured to Allow Automatic User Creation, ClearSCADA uses the Priority setting to determine which one of those User Groups, and therefore User Patterns, it should use for creating the User account.)

The External Authentication fields on each new operator- or engineer-level User Form are populated automatically, to indicate the Windows domain user with which the individual User account is integrated.

Likewise, the User Groups field on each operator- or engineer-level User Form is populated automatically, to show the User Groups of which the user is a member. The field automatically includes those User Groups that are integrated with Windows domain user groups of which the user is a member (and for which corresponding integrated User Groups exist in the database). ClearSCADA checks the User Group membership each time the user logs on to ClearSCADA, and updates the entries automatically to align with the user's membership of the Windows domain user groups.

When an administrator-level user logs on to the system, they have to do so using their ClearSCADA user name and password, as their User accounts are maintained independently in ClearSCADA. Likewise, their User Group membership is also maintained independently in ClearSCADA.
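The logon decision described above (look up an existing integrated User account; if none exists, choose the User Group that allows automatic creation with the highest Priority, 255 being the highest, and create the User from its User Pattern; then re-align the User Groups field with the user's current Windows domain group membership) is modelled in the following added example. This is illustrative code written for this page, not ClearSCADA's own implementation or API: the class and field names, the 'CompanyDomain' group names, the sample user names, and the choice to reject a tie between equal highest priorities as a misconfiguration are all assumptions. The model also assumes that the Windows user name is used as the ClearSCADA user name of an automatically created account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UserGroup:
    """One ClearSCADA User Group, as configured on its User Group Form (modelled fields)."""
    name: str
    windows_group: Optional[str] = None   # linked Windows domain group; None = maintained manually
    allow_auto_create: bool = False       # 'Allow Automatic User Creation'
    user_pattern: Optional[str] = None    # User Pattern used as the template for new Users
    location: Optional[str] = None        # database Group in which new Users are stored
    priority: int = 0                     # 0 = lowest, 255 = highest


@dataclass
class User:
    """One ClearSCADA User account (the fields the example says the User Form shows)."""
    name: str
    windows_user: Optional[str]           # Windows/LDAP User Name; None for manually created accounts
    pattern: Optional[str]
    location: Optional[str]
    user_groups: List[str] = field(default_factory=list)


class NoAutoCreateGroup(Exception):
    """A valid domain user is in no User Group that allows automatic creation: no account is made."""


class AmbiguousPriority(Exception):
    """Two candidate User Groups share the highest Priority (treated here as a misconfiguration)."""


class Server:
    """Models the logon decision. 'directory' maps a Windows user to its Windows domain groups."""

    def __init__(self, groups: List[UserGroup], directory: Dict[str, Set[str]]):
        self.groups = groups
        self.directory = directory
        self.users: Dict[str, User] = {}

    def add_manual_user(self, name: str, user_groups: List[str]) -> User:
        """Administrator-level accounts: no External Authentication, groups maintained by hand."""
        user = User(name=name, windows_user=None, pattern=None, location=None,
                    user_groups=list(user_groups))
        self.users[name] = user
        return user

    def _integrated_groups(self, windows_user: str) -> List[UserGroup]:
        """User Groups linked to a Windows domain group of which this user is a member."""
        wgroups = self.directory.get(windows_user, set())
        return [g for g in self.groups
                if g.windows_group is not None and g.windows_group in wgroups]

    def external_logon(self, windows_user: str) -> User:
        """Called after the domain has accepted the credentials (LogonUser, Batch logon type)."""
        integrated = self._integrated_groups(windows_user)
        user = next((u for u in self.users.values() if u.windows_user == windows_user), None)
        if user is None:
            candidates = [g for g in integrated if g.allow_auto_create]
            if not candidates:
                raise NoAutoCreateGroup(windows_user)
            top = max(g.priority for g in candidates)
            winners = [g for g in candidates if g.priority == top]
            if len(winners) > 1:
                raise AmbiguousPriority([g.name for g in winners])
            chosen = winners[0]
            user = User(name=windows_user, windows_user=windows_user,
                        pattern=chosen.user_pattern, location=chosen.location)
            self.users[windows_user] = user
        # The User Groups field is re-aligned with domain membership at every logon.
        user.user_groups = sorted(g.name for g in integrated)
        return user


def build_demo() -> Server:
    """Constructed sample configuration mirroring the example: two linked groups, one unlinked."""
    groups = [
        UserGroup("Operators", windows_group="CompanyDomain\\SCADA Operators",
                  allow_auto_create=True, user_pattern="Operator Pattern",
                  location="Users.Operators", priority=100),
        UserGroup("Engineers", windows_group="CompanyDomain\\SCADA Engineers",
                  allow_auto_create=True, user_pattern="Engineer Pattern",
                  location="Users.Engineers", priority=200),
        UserGroup("Administrators"),   # deliberately not linked to any Windows domain group
    ]
    directory = {   # constructed sample domain membership
        "alice": {"CompanyDomain\\SCADA Operators"},
        "bob": {"CompanyDomain\\SCADA Operators", "CompanyDomain\\SCADA Engineers"},
        "carol": {"CompanyDomain\\Domain Admins"},
    }
    server = Server(groups, directory)
    server.add_manual_user("scada_admin", ["Administrators"])
    return server
```

Running external_logon for 'bob', who is in both linked domain groups, creates the account from the Engineer Pattern because that User Group has the higher Priority, while the User Groups field still lists both Operators and Engineers. 'carol' is a valid domain user but belongs to no linked User Group that allows automatic creation, so no account is created; the unlinked Administrators group is never a candidate, which is the property the company relies on to keep high-level permissions out of automatic creation.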

ClearSCADA 2017 R2