Associate a User with a User Group

The properties described in this topic apply both to User Forms and User Pattern Forms. (User Patterns only apply to systems on which Geo SCADA Expert can create new User accounts automatically as part of an External Authentication process. For more information, see Create User Accounts from a User Pattern.)

You can use User Groups to allocate security permissions to multiple users—rather than allocate the same permissions to each of those users individually, you can allocate the permissions to a User Group and then associate the relevant Users with that User Group. This results in the same security permissions being applied to every member of that User Group.

When a user logs on via a user account that is a 'member' of a User Group, that user is granted:

NOTICE

Security threat

On systems on which the 'Everyone' User Group is enabled, all User Accounts on the system automatically inherit the security permissions that are assigned to the 'Everyone' User Group, including the Guest user (which does not require a logon). Each user's security permissions comprise: Everyone permissions + User Group permissions + User Account permissions. To help avoid providing all users with unintended access to features and functionality that should be restricted, use configured User Groups rather than the 'Everyone' User Group. If the 'Everyone' User Group has to be used, it MUST be assigned the minimum permissions required, with access restricted where possible to just the relevant parts of the database. (On new installations, the built-in 'Everyone' User Group is inactive and is not assigned any security permissions by default.)
Failure to follow these instructions can result in equipment damage and a breach in system security.

The User Groups have to exist in Geo SCADA Expert before you can associate them with User accounts or User Patterns (see User Groups).

If the User accounts on your system are managed directly in Geo SCADA Expert (rather than remotely using External Authentication), you can choose whether to use User Groups—if you prefer, you can configure each User's security permissions individually. However, we recommend that you use User Groups to reduce the time taken to manage security permissions (for example, due to staff turnover or a change in security requirements).

 

Your system's configuration affects whether the User Groups field on a User Form is populated automatically each time the user logs on, or whether you need to enter the required User Groups manually.

The User Groups field on a User Form is populated automatically when the following criteria apply:

When the above criteria apply, Geo SCADA Expert will populate the User Groups field automatically each time the user logs on, so that the field lists those User Groups that correspond to the Windows or LDAP user groups of which the User is a member.

If your database contains a mixture of User Groups that are, and are not, associated with Windows domain groups or LDAP user groups, you have to manage the latter manually in Geo SCADA Expert. This means that you have to add or remove the latter User Groups from the relevant Users' configuration Forms whenever membership of those User Groups changes. Geo SCADA Expert only populates the User Groups field on User Forms automatically with those User Groups that are associated with Windows domain groups or LDAP user groups.

On systems on which Geo SCADA Expert can create new User accounts automatically (when triggered to do so at logon), you use the User Groups field on the User Pattern Form to define the User Groups of which the new User accounts will initially be members. You only need to define membership of User Groups that are not associated with a Windows/LDAP group. If you add membership of a User Group that is associated with a Windows/LDAP group (see Associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group), then the membership will be removed during logon if the user is not actually a member of that Windows/LDAP group.

Once the User accounts exist in Geo SCADA Expert, whenever the users log back on, Geo SCADA Expert will automatically update the entries in the User Groups field on the relevant User Forms to align with any change in User Group membership. (This automatic update of the entries in the User Groups field only applies to User Groups on which the Windows/LDAP Group Name field is populated (see Associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group).) As such, the users' security permissions update automatically in relation to the User Groups of which those users are a member when they log on to Geo SCADA Expert.

You have to populate the User Groups field on User Forms manually:

To manually associate or disassociate a user account with a User Group:

  1. Either:

  2. Select the General tab.
  3. Use the User Groups field to associate or disassociate the user account with one or more User Groups as required.

    • Select the Add button to add a User Group.
      A Reference browse window is displayed. Use the window to locate and select the required User Group.

      When you add a User Group, it is shown in the User Groups field. You can add further User Groups by using the Add button again.

    • If required, use the Move Up or Move Down buttons to adjust the order of the entries in the User Groups field. To do this, select the required entry in the field and then select the relevant button. Repeat for any other entries that you want to reorder.

      (The order in which the entries appear in the User Groups field is irrelevant to Geo SCADA Expert; the buttons are provided in case you wish to rearrange the entries to suit your own preferences.)

      On User Forms, the entries for those Geo SCADA Expert User Groups that are associated with Windows domain groups or LDAP user groups will appear at the end of the list in the User Groups field. This is regardless of any manual rearrangement of the entries in the field, and will occur whenever the user logs on to Geo SCADA Expert. (This automatic reordering occurs as part of the Windows/LDAP integration process, although the actual order of the entries in the field is irrelevant to Geo SCADA Expert.)

    • If you want to end the User’s membership of a User Group, select the User Group in the User Groups field, and then select the Remove button. The User Group is removed from the User Groups list and is no longer associated with the User.

    The User Groups field is an array field, so you can also use other techniques to add and remove User Groups (see Array Field in the Geo SCADA Expert Guide to Core Configuration).

    Do not confuse Windows domain groups with Windows groups that only exist on the machine on which the Geo SCADA Expert server is installed (the 'local machine').

    If you wish, you can configure Geo SCADA Expert to authenticate an existing Geo SCADA Expert User against a Windows user that only exists on the local machine. However, Geo SCADA Expert will not create a User automatically from a Windows user that only exists on the local machine (it will only do so from a Windows domain user).

    Likewise, when performing automatic User Group membership updates Geo SCADA Expert will not consider Windows groups that only exist on the local machine. Any User Groups that are linked to local Windows user groups will be removed from externally authenticated Users during logon.

    Although we do not recommend it, you can configure a User so that it is a ‘stand-alone’ User without membership of any User Group (providing that the User account is maintained directly in Geo SCADA Expert, rather than remotely via External Authentication). To do this, you should make sure that the User Groups field on the User Form is empty. (You can disassociate a User from a User Group by using the Remove button.) For information on allocating security permissions to a ‘stand-alone’ User, see Allocating Permissions to a User Group or User Account.
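
The logon-time membership update and the 'Everyone + User Group + User Account' permission sum described in this topic, as an added Python model for reviewing a configuration on paper (it is not Geo SCADA Expert code and does not use its API). It assumes an externally authenticated user for whom automatic population applies; all group names, directory group names and permission labels are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UserGroup:
    permissions: frozenset
    external_group: Optional[str] = None  # models the Windows/LDAP Group Name field
    local_only: bool = False              # linked group exists only on the local machine

# Constructed sample configuration (names and permission labels are illustrative).
GROUPS = {
    "NightShift": UserGroup(frozenset({"Acknowledge"})),
    "Operators": UserGroup(frozenset({"Read", "Control"}), "DOMAIN\\ScadaOperators"),
    "Engineers": UserGroup(frozenset({"Read", "Configure"}), "DOMAIN\\ScadaEngineers"),
    "LocalOps": UserGroup(frozenset({"Control"}), "SERVER01\\LocalOps", local_only=True),
}

def reconcile_at_logon(current, directory_groups, groups=GROUPS):
    """User Groups field after logon of an externally authenticated user."""
    # Unlinked groups are managed manually, so they are kept in their existing order.
    manual = [n for n in current if groups[n].external_group is None]
    # Linked groups follow actual directory membership; local-machine groups never count.
    linked = [n for n, g in groups.items()
              if g.external_group and not g.local_only
              and g.external_group in directory_groups]
    return manual + linked  # linked entries end up at the end of the list

def effective_permissions(account_perms, member_of, everyone=None, groups=GROUPS):
    """Everyone permissions + User Group permissions + User Account permissions."""
    perms = set(account_perms)
    for name in member_of:
        perms |= groups[name].permissions
    if everyone is not None:  # None models an inactive 'Everyone' group
        perms |= set(everyone)
    return perms

def everyone_only(account_perms, member_of, everyone, groups=GROUPS):
    """Permissions the user holds solely because 'Everyone' grants them."""
    base = effective_permissions(account_perms, member_of, None, groups)
    return effective_permissions(account_perms, member_of, everyone, groups) - base

if __name__ == "__main__":
    before = ["Engineers", "NightShift", "LocalOps"]
    after = reconcile_at_logon(before, {"DOMAIN\\ScadaOperators"})
    print(after)
    print(sorted(everyone_only({"Browse"}, after, {"Read", "Configure"})))
```

A non-empty result from `everyone_only` marks permissions that would reach every account, including Guest, if the 'Everyone' User Group were enabled with those permissions.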


Geo SCADA Expert 2019