Associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group

The topics in this section only apply to systems on which the External Authentication feature is enabled. If this feature is not used on your system, you can ignore this section.

If the External Authentication feature is enabled at the Geo SCADA Expert server, each Geo SCADA Expert user account can be associated with a Windows or LDAP User Profile. Additionally, each Geo SCADA Expert User Group can be associated with a Windows domain group or LDAP user group. This allows network administrators to manage user accounts and the user groups with which they are associated without accessing Geo SCADA Expert (apart from the initial set up).

To facilitate this:

A user account in Active Directory is associated with 3 user groups in Windows.

The equivalent User account exists in Geo SCADA Expert and has the Use External Authentication feature enabled.

Three User Groups are configured in Geo SCADA Expert, each associated with one of the three domain user groups in Windows. In Geo SCADA Expert, the User Groups are configured with the security permissions that members of those User Groups need in order to access the relevant features in Geo SCADA Expert.

A user logs onto Geo SCADA Expert.

As the User account in Geo SCADA Expert is configured to use external authentication, the authentication process checks that the relevant User Profile exists in Windows and logs the user on to Geo SCADA Expert if so. (If the server is configured to Create users automatically from group membership, an equivalent User account would be created in Geo SCADA Expert automatically at this point, if it didn't exist already.)

Part of the external authentication process involves checking which domain user groups the user is associated with in Windows, and whether equivalent User Groups exist in Geo SCADA Expert. For each such User Group that does exist in the Geo SCADA Expert database, Geo SCADA Expert updates the User Groups field (on the General tab of the User Form) so that it includes the name of that User Group. This occurs at login: if any of those User Groups are missing from the User Groups field, Geo SCADA Expert adds them automatically. Likewise, if the User Groups field lists other User Groups that are associated with Windows or LDAP user groups, but the external authentication process determines that the User account is not a member of the equivalent Windows (or LDAP) user groups, the entries for those User Groups are removed from the User Groups field automatically at login. This automatic update of the User Groups field only applies to User Groups on which the Windows/LDAP Group Name field is populated.

With this setup, network administrators can move the user account in Windows (or LDAP) to additional or different user groups, or remove the user account from any of those user groups. Provided that:

  • the equivalent User Groups exist in Geo SCADA Expert and remain associated with the Windows domain (or LDAP) user groups
  • the User account in Geo SCADA Expert continues to use external authentication

the User account's association with the relevant User Groups will update automatically whenever that user logs in to Geo SCADA Expert. (Geo SCADA Expert will automatically populate the User Groups field on the User Form with the names of the relevant User Groups at login; adding the names of any missing User Groups, and removing the names of User Groups for which the User is no longer a member.)

If the Geo SCADA Expert database also contains User Groups that are not associated with Windows domain groups or LDAP user groups, entries for some of those User Groups might also appear in the User Groups field on the relevant User Forms. Geo SCADA Expert will not add or remove the entries for such User Groups automatically (you have to manage such User Groups manually, directly in Geo SCADA Expert).
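The login-time update of the User Groups field described above (linked User Groups the user now belongs to are added, linked ones they no longer belong to are removed, unlinked ones are left alone, and Windows groups that exist only on the local machine are never honoured), modelled as an added Python example. This is not Geo SCADA Expert code; the UserGroup class, the local_machine_group flag and the sample group names are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserGroup:
    """A Geo SCADA Expert User Group as configured on the User Group Form."""
    name: str                          # User Group name in Geo SCADA Expert
    link_enabled: bool = False         # 'Enabled' box in the Link to Windows/LDAP Group section
    external_name: str = ""            # Windows/LDAP Group Name field (domain group or LDAP DN)
    local_machine_group: bool = False  # assumed flag: the linked group exists only on the local machine


def reconcile_user_groups(current, user_groups, external_memberships):
    """Return the User Groups field as it stands after an externally authenticated logon.
    current: names already in the User's User Groups field; user_groups: every User Group
    in the database; external_memberships: domain/LDAP groups the user belongs to."""
    result = list(current)
    external = set(external_memberships)
    for ug in user_groups:
        # Only User Groups whose Windows/LDAP Group Name is populated are updated;
        # unlinked User Groups stay exactly as the administrator set them.
        if not (ug.link_enabled and ug.external_name):
            continue
        # Groups that exist only on the local machine are never considered, so a
        # User Group linked to one is removed from the user at logon.
        is_member = ug.external_name in external and not ug.local_machine_group
        if is_member and ug.name not in result:
            result.append(ug.name)   # add a linked group the user now belongs to
        elif not is_member and ug.name in result:
            result.remove(ug.name)   # drop a linked group the user no longer belongs to
    return result


# Constructed sample configuration and logon data for the example.
SAMPLE_GROUPS = [
    UserGroup("Engineers", True, "CN=Engineers,CN=Staff,OU=Company,DC=org"),
    UserGroup("Operators", True, "CORP\\SCADA Operators"),
    UserGroup("Managers", True, "CORP\\Managers"),
    UserGroup("LocalAdmins", True, "Administrators", local_machine_group=True),
    UserGroup("Reporting"),  # not linked: managed manually in Geo SCADA Expert
]


def demo_logon():
    """A user listed in four groups logs on; the directory now reports Engineers and Operators."""
    current = ["Engineers", "Managers", "LocalAdmins", "Reporting"]
    external = {"CN=Engineers,CN=Staff,OU=Company,DC=org", "CORP\\SCADA Operators"}
    return reconcile_user_groups(current, SAMPLE_GROUPS, external)
```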

To associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group:

  1. Display the User Group Form in ViewX.
  2. Select the User Group tab.
  3. In the Link to Windows/LDAP Group section of the tab:

    1. Select the Enabled check box if the User Group in Geo SCADA Expert is to be associated with a Windows Domain Group or LDAP User Group.

      (Clear the check box if the User Group is not to be associated with a Windows Domain Group or LDAP User Group. The rest of the fields in the Link to Windows/LDAP Group section are 'grayed out' and unavailable for use. You will have to manage the User Group manually, directly in Geo SCADA Expert.)

    2. In the Windows/LDAP Group Name field, enter the name of the Windows domain user group, or the full Distinguished Name (DN) of the LDAP user group, with which this Geo SCADA Expert User Group is associated.

      With LDAP, the full Distinguished Name takes the form of a series of CN (Common Name), OU (Organizational Unit), and DC (Domain Component) entries, separated by commas, in the form:

      CN=<Group Name>,CN=<Parent Group Name>,OU=<Organization Name>,DC=<Domain Name>,DC=<Domain Component>

      where the number of CN and DC entries varies, depending on the full path of the LDAP user group within the LDAP directory structure.

      For example: CN=Engineers,CN=Staff,OU=Company,DC=org


      Provided that the User Group is In Service and has valid configuration, and the Geo SCADA Expert User accounts with which it is associated are configured to Use External Authentication, network administrators will be able to manage the members of that User Group automatically, outside of Geo SCADA Expert. (Membership of the User Group will be checked against that of the corresponding Windows domain group or LDAP user group whenever a member of that User Group logs on to Geo SCADA Expert.)

    The Link to Windows/LDAP Group section of fields is only available on User Group Forms when the External Authentication feature is enabled on the server (see Using External Authentication with Geo SCADA Expert).

  4. If the Geo SCADA Expert server is configured to Create users automatically from group membership, use further fields in the Link to Windows/LDAP Group section to specify whether you want to Provide Settings for Automatic User Creation.
  5. Save the configuration.
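To check a value destined for the Windows/LDAP Group Name field against the DN form given in step 3.2 (CN, OU and DC entries separated by commas, starting with the group's own CN and ending in the domain's DC entries), here is an added Python example. It is not Geo SCADA Expert code and does not reproduce the server's own validation; it goes slightly beyond the step by also honouring backslash-escaped commas inside a name, as LDAP DNs allow.

```python
import re

ALLOWED_TYPES = {"CN", "OU", "DC"}  # the only entry types the field description allows


def split_rdns(dn):
    """Split a DN on commas, leaving commas escaped with a backslash (RFC 4514) intact."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_group_dn(dn):
    """Return [(TYPE, value), ...] for a well-formed group DN, else raise ValueError."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"entry without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if attr not in ALLOWED_TYPES:
            raise ValueError(f"unexpected entry type {attr!r}; expected CN, OU or DC")
        if not value:
            raise ValueError(f"empty value in {part!r}")
        rdns.append((attr, re.sub(r"\\(.)", r"\1", value)))  # drop escape backslashes
    # The first entry names the group itself; the DN must end in the domain's DC entries.
    if rdns[0][0] != "CN" or rdns[-1][0] != "DC":
        raise ValueError("DN must start with the group's CN and end with a DC entry")
    return rdns


def is_valid_group_dn(dn):
    """True if the value is acceptable for the Windows/LDAP Group Name field as an LDAP DN."""
    try:
        parse_group_dn(dn)
        return True
    except ValueError:
        return False
```

A plain Windows domain group name such as CORP\Engineers is not a DN and fails this check, which is expected: that form is entered as-is, and only LDAP groups use the DN form.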

NOTICE

SECURITY THREAT

On systems on which Geo SCADA Expert can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.

Do not confuse Windows domain groups with Windows groups that only exist on the machine on which the Geo SCADA Expert server is installed (the 'local machine').

If you wish, you can configure Geo SCADA Expert to authenticate an existing Geo SCADA Expert User against a Windows user that only exists on the local machine. However, Geo SCADA Expert will not create a User automatically from a Windows user that only exists on the local machine (it will only do so from a Windows domain user).

Likewise, when performing automatic User Group membership updates, Geo SCADA Expert will not consider Windows groups that only exist on the local machine. Any User Groups that are linked to local Windows user groups will be removed from externally authenticated Users during logon.


Geo SCADA Expert 2022