Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts

ClearSCADA supports the ability to manage user accounts and user groups centrally outside of ClearSCADA, by integrating its user accounts and user groups with corresponding Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) user accounts and groups.

Active Directory is included in the Windows® Server operating systems on which ClearSCADA can run. If your company uses Active Directory Domain Services (AD DS) to authenticate and authorize users and computers in a Windows domain network, you can integrate ClearSCADA's user authentication with that of the relevant Windows domain controller.

Likewise, if your company uses LDAP for authorizing users over the company network, you can integrate ClearSCADA's user authentication process with the LDAP authentication method.

With either integration scenario, when a new user attempts to log on to ClearSCADA via ViewX or WebX, ClearSCADA will attempt to locate an Active Directory or LDAP user with the user credentials that have been entered. If such a user exists in Active Directory/LDAP but not in ClearSCADA, a new user account will be added to ClearSCADA automatically, to correspond with the Active Directory/LDAP user account. To facilitate this, a suitable User Group has to exist in ClearSCADA and be named to match an Active Directory/LDAP group of which the user is a member. The User Group also has to reference a suitable User Pattern - a special type of user account that determines the settings that the new user account will be assigned in ClearSCADA. These settings determine the ClearSCADA features to which the new user has access, the security permissions to which the user is assigned in ClearSCADA, and so on.

By integrating ClearSCADA user groups and user accounts with those in Active Directory/LDAP, system administrators can manage ClearSCADA user accounts centrally in Active Directory/LDAP. In addition to adding new users via Active Directory/LDAP, you can:

ClearSCADA also provides the means to cache user passwords. Once a user account exists in both Active Directory/LDAP and ClearSCADA, that user can still log on to ClearSCADA if the connection to the Active Directory/LDAP server is down, provided that the user logs on before the configurable Cached password expiry period is exceeded.

In order for ClearSCADA to integrate its user accounts and user groups with Active Directory/LDAP, you have to enable both the External Authentication feature and the Create users automatically from group membership option on each ClearSCADA server.

NOTICE

SECURITY THREAT

On systems on which ClearSCADA can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.
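The logon flow described above (directory lookup, automatic account creation from a User Group that matches a directory group and references a User Pattern, and the cached-password fallback with its expiry period), as an added Python simulation that is not ClearSCADA code: the group, pattern and permission names, the 7-day expiry value and the hashing of the cached password are constructed assumptions. The `overprivileged` helper is an audit in the spirit of the NOTICE: it lists integrated groups whose User Pattern would hand a newly created account a high-level right.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class UserPattern:               # constructed stand-in for a ClearSCADA User Pattern
    name: str
    permissions: frozenset
@dataclass
class UserGroup:                 # ClearSCADA User Group, named after a directory group
    name: str
    pattern: Optional[UserPattern] = None
@dataclass
class ScadaUser:                 # account created from a pattern, with cached password
    name: str
    permissions: frozenset
    cached_hash: str             # hashed here only for illustration, not the real scheme
    cached_at: datetime

def _h(pw): return hashlib.sha256(pw.encode()).hexdigest()

def logon(username, password, now, directory, directory_up, groups, users,
          auto_create=True, cache_expiry=timedelta(days=7)):
    """Return (outcome, user). directory maps name -> {"password", "groups"}."""
    if not directory_up:                         # fall back to the cached password
        u = users.get(username)
        if u is None or _h(password) != u.cached_hash:
            return "rejected (directory down, no valid cached password)", None
        if now - u.cached_at > cache_expiry:
            return "rejected (cached password expired)", None
        return "logged on via cache", u
    entry = directory.get(username)
    if entry is None or entry["password"] != password:
        return "rejected by directory", None
    if username in users:                        # existing account: refresh the cache
        u = users[username]; u.cached_hash, u.cached_at = _h(password), now
        return "logged on", u
    if not auto_create:
        return "rejected (no ClearSCADA account, auto-create disabled)", None
    for g in entry["groups"]:                    # first directory group with a matching
        grp = groups.get(g)                      # User Group that references a User Pattern
        if grp is not None and grp.pattern is not None:
            u = ScadaUser(username, grp.pattern.permissions, _h(password), now)
            users[username] = u
            return f"created from pattern {grp.pattern.name}", u
    return "rejected (no matching User Group with a User Pattern)", None

def overprivileged(groups, high_level=frozenset({"ShutdownServer"})):  # NOTICE audit
    return sorted(g.name for g in groups.values() if g.pattern and g.pattern.permissions & high_level)
```

A directory user whose groups match no ClearSCADA User Group, or only one without a User Pattern, is authenticated by the directory but never gets an account, which is the safe default the NOTICE relies on.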

ClearSCADA 2017 R2