Example 2: Create a New User Account Automatically at Logon

This example demonstrates how you might configure Geo SCADA Expert to enable the server to create a new User account automatically in the database if a Windows domain user attempts to log on to Geo SCADA Expert and no corresponding Geo SCADA Expert User account exists.

Although the example demonstrates integration with Windows domain users and groups, the scenario could equally apply to integration with LDAP users.

 

The IT staff at a particular company use Active Directory to maintain user credentials and other security-related information centrally across the company intranet. They want to integrate Geo SCADA Expert's User accounts with the Windows domain user accounts so that they can continue to maintain the user accounts centrally, without having to access Geo SCADA Expert to maintain the user accounts once the initial setup is complete. Additionally, they would like users to be able to log on to Geo SCADA Expert using their Windows domain user names with which they are already familiar, rather than the less familiar Geo SCADA Expert user names. Finally, they would like Geo SCADA Expert to create a new User account automatically if a valid Windows domain user attempts to log in to Geo SCADA Expert, but no corresponding Geo SCADA Expert User account exists in the database.

An administrator sets up the External Authentication requirements on the server, using the Geo SCADA Expert Server Configuration tool. The settings specify that the company will be using the LogonUser method to authenticate logon credentials against user accounts in the Windows domain 'CompanyDomain', and that the user accounts only require Batch logon access to the Geo SCADA Expert server (this is the more secure Logon Type option, which only requires users to have minimal access rights on the server in order to use the External Authentication feature in Geo SCADA Expert). The 'Allow login to Geo SCADA Expert with Windows/LDAP user names' check box is selected, to enable users to use their more familiar Windows domain user names for logging in to Geo SCADA Expert. The 'Create users automatically from group membership' check box is also selected, to enable Geo SCADA Expert to create User accounts automatically at logon if required.

The administrator then logs on to ViewX to set up the required Geo SCADA Expert User accounts.

The company wants to integrate operator- and engineer-level User accounts with Active Directory. They also want Geo SCADA Expert to create operator- and engineer-level User accounts automatically at logon if required.

As this is a new Geo SCADA Expert installation, rather than create operator- and engineer-level User accounts manually, they opt to allow Geo SCADA Expert to create the User accounts automatically, the first time that each Windows domain user logs on to Geo SCADA Expert.

To enable this, the administrator configures two User Patterns in the database: one to contain the initial user configuration for operator-level users, and another to contain the initial user configuration for engineer-level users. (You can create as many User Patterns as you require in the database, to accommodate the different settings for the various types of users on your system.)

The User Patterns are, in effect, 'template' User accounts, on which the administrator specifies the Geo SCADA Expert features to which new users are to be given access. The Use External Authentication property on the User Pattern Forms is enabled by default, but the Windows/LDAP User Name field is unavailable for use. Geo SCADA Expert will populate the field automatically on the configuration Form of each User account that it creates automatically at logon from the User Pattern, so that the User Form displays the details of the Windows domain user with which the new User account is integrated. (Likewise, if Geo SCADA Expert was configured to integrate the User accounts with LDAP users, Geo SCADA Expert would populate the field with the details of the LDAP user with which the new User account was integrated.)

The administrator configures the required number of User Groups in the database and, where required, associates those User Groups with the relevant Windows domain user groups. (One User Group per Windows domain user group with which operator- and/or engineer-level users are to be associated in Geo SCADA Expert.)

With those User Groups that are to control the settings that apply to new User accounts (ones that Geo SCADA Expert might need to create at logon), the administrator configures the required Automatic User Creation settings. The settings include a reference to the User Pattern that Geo SCADA Expert is to use for creating User accounts for the users that are members of that particular User Group, along with the database location where Geo SCADA Expert is to store the User accounts. (If multiple User Groups are configured to Allow Automatic User Creation, the Priority field can be used to indicate which User Group Geo SCADA Expert should use to create a new User account if it determines that a Windows domain/LDAP user is a member of more than one User Group. 255 is the highest priority, 0 is the lowest.)

The administrator uses the Database Bar to access the Security window of the relevant 'object' Groups and/or individual items in the database. They use the Security window to assign the required access and security permissions to those Groups or items from the User Groups. Users that are members of those User Groups automatically inherit the same access and security permissions for those Groups and items in the database.

The company has opted not to integrate their administrator-level Geo SCADA Expert User accounts with Windows domain user accounts. To facilitate this, they have separate Geo SCADA Expert User Groups to which they assign administrator-level security permissions, and do not link these User Groups to external Windows domain user groups. This decision was made to help prevent the automatic creation of new user accounts with high-level security permissions, such as those that allow the Geo SCADA Expert server to be shut down. As such, the administrator has to manually create a User account in the database for each administrator-level user; in doing so, they leave the External Authentication properties blank on those User Forms (as they are not integrated with Windows domain user accounts).

The administrator manually populates the User Groups field on those User Forms to indicate the User Group membership of each administrator-level user. As these high-level User accounts are not integrated with external user accounts, the User Groups field will have to be maintained manually if User Group membership changes in future.

Once the configuration of the new system is complete, operator- and engineer-level users are invited to log on to Geo SCADA Expert using their Windows domain user names. When they do so, Geo SCADA Expert checks whether a corresponding User account exists in the database; if it does not, Geo SCADA Expert creates a new User account from the User Pattern that is specified on the User Group Form of the User Group of which the Windows domain user is a member. (If the user is a member of more than one User Group that is configured to Allow Automatic User Creation, Geo SCADA Expert uses the Priority setting to determine which one of those User Groups, and therefore User Patterns, it should use for creating the User account.)
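The Priority rule described above, together with a check that administrator-level User Groups stay unlinked from external groups, modelled in Python as an added example (it is not Geo SCADA Expert code and not part of the original documentation). The class, field and function names and the sample groups are hypothetical; the behaviour when two User Groups share a Priority is not stated on this page, so the check flags it for review.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UserGroup:                     # hypothetical model of a User Group Form
    name: str
    external_group: Optional[str]    # linked Windows domain/LDAP group, None if unlinked
    auto_create: bool                # "Allow Automatic User Creation"
    priority: int = 0                # 0 (lowest) .. 255 (highest)
    user_pattern: Optional[str] = None
    high_privilege: bool = False     # constructed flag: administrator-level permissions

def creation_group(groups, domain_groups):
    """Return the User Group whose User Pattern seeds a new account, or None."""
    candidates = [g for g in groups
                  if g.auto_create and g.external_group in domain_groups]
    # Highest Priority wins; tie handling here is this model's choice only.
    return max(candidates, key=lambda g: g.priority, default=None)

def audit(groups):
    """List settings that undermine the separation this example relies on."""
    findings = []
    for g in groups:
        if not 0 <= g.priority <= 255:
            findings.append(f"{g.name}: priority {g.priority} outside 0-255")
        if g.high_privilege and g.external_group:
            findings.append(f"{g.name}: administrator-level group linked to {g.external_group}")
        if g.auto_create and not g.user_pattern:
            findings.append(f"{g.name}: automatic creation enabled without a User Pattern")
    auto = [g for g in groups if g.auto_create]
    for i, a in enumerate(auto):
        for b in auto[i + 1:]:
            if a.priority == b.priority:
                findings.append(f"{a.name}/{b.name}: equal priority {a.priority}")
    return findings

# Constructed sample configuration mirroring the scenario on this page.
GROUPS = [
    UserGroup("Operators", "CompanyDomain\\ScadaOperators", True, 100, "Operator Pattern"),
    UserGroup("Engineers", "CompanyDomain\\ScadaEngineers", True, 200, "Engineer Pattern"),
    UserGroup("Administrators", None, False, high_privilege=True),
]

if __name__ == "__main__":
    both = {"CompanyDomain\\ScadaOperators", "CompanyDomain\\ScadaEngineers"}
    print(creation_group(GROUPS, both).user_pattern)
    print(audit(GROUPS))
```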

The External Authentication fields on each new operator- or engineer-level User Form are populated automatically, to indicate the Windows domain user with which the individual User account is integrated.

Likewise, the User Groups field on each operator- or engineer-level User Form is populated automatically, to show the User Groups of which the user is a member. The field automatically includes those User Groups that are integrated with Windows domain user groups of which the user is a member (and for which corresponding integrated User Groups exist in the database). Geo SCADA Expert checks the User Group membership each time the user logs on to Geo SCADA Expert, and updates the entries automatically to align with the user's membership of the Windows domain user groups.

When an administrator-level user logs on to the system, they have to do so using their Geo SCADA Expert user name and password, as their User accounts are maintained independently in Geo SCADA Expert. Likewise, their User Group membership is also maintained independently in Geo SCADA Expert.


Geo SCADA Expert 2022