Security Guide - Understanding User Groups (Welcome to the Security Guide)

Understanding User Groups

User Groups are database items that represent a collection of user accounts. They are designed to make it easier to allocate security permissions to multiple user accounts.

Typically, you create a User Group to represent a group of users. By granting security permissions to the User Group, you can reduce the need to configure security permissions for individual user accounts.

You can manage User Groups directly in Geo SCADA Expert, or you can manage them remotely by associating them with Microsoft Windows or LDAP (Lightweight Directory Access Protocol) user groups. Either way, you need to create the User Groups you require directly in Geo SCADA Expert.

When you first install Geo SCADA Expert, the only User Group that exists is the built-in ‘Everyone’ User Group, which by default is inactive and does not have any permissions.

When you associate a User account with a User Group, that user becomes a 'member' of the User Group. A user can be a member of more than one User Group. This can aid management of security permissions as you can configure different User Groups to provide access to different collections of security permissions. By adding or removing a user's membership of different User Groups, you can allocate or remove that user's access to the collections of security permissions to which those particular User Groups provide access.

When a user logs on via a user account that is a 'member' of a User Group, that user is granted:

The permissions of the ‘Everyone’ User Group
The permissions of the user account
The permissions of the User Group(s) of which the user account is a member
'Responsibility' for any geographical regions that are assigned to the user account
'Responsibility' for any geographical regions that are assigned to the User Group(s) of which the user account is a member
Access to any Operator Document Stores that are associated with the user account
Access to any Operator Document Stores that are associated with the User Group(s) of which the user account is a member.

NOTICE

Security threat

On systems on which the 'Everyone' User Group is enabled, all User Accounts on the system automatically inherit the security permissions that are assigned to the 'Everyone' User Group, including the Guest user (which does not require a logon). Each user's security permissions comprise: Everyone permissions + User Group permissions + User Account permissions. To help avoid providing all users with unintended access to features and functionality that should be restricted, use configured User Groups rather than the 'Everyone' User Group. If the 'Everyone' User Group has to be used, it MUST be assigned the minimum permissions required, with access restricted where possible to just the relevant parts of the database. (On new installations, the built-in 'Everyone' User Group is inactive and is not assigned any security permissions by default.)

Failure to follow these instructions can result in equipment damage and a breach in system security.

User Groups are automatically listed in the Add Permission window in addition to Built-In User Accounts and Built-In User Groups. (The Add Permission window is available from the Security window when you provide user access to a Group of database items in Geo SCADA Expert.)

Example:

You have a team of users that includes 4 engineers, 4 general operators, 4 operators for zone A, 4 operators for zone B and 4 System Administrators. Each group of users all need the same permissions for different parts of the database. Rather than configure the permissions for each of the 20 user accounts individually, you could create User Groups for each user type.

You could then associate each group of users with their User Group, and apply the permissions to the User Group rather than the individual user accounts.

Working this way, you could allocate the permissions in a single action - by allocating the permissions to the User Group. This is achieved without having to allocate the permissions to each individual user account (the 20 user accounts have their own permissions plus the permissions of their User Groups).

So, by creating a User Group and allocating permissions to it, you can make the permissions available to every user account that is associated with that User Group.

(You can enable the External Authentication feature in Geo SCADA Expert. With this feature enabled, you can configure User Groups in Geo SCADA Expert so that they are associated with Windows domain groups or LDAP user groups. As part of the external authentication process, the User Groups of which a user account is a member are updated whenever that user logs on to Geo SCADA Expert, to align the user group membership with that of the corresponding Windows or LDAP user account. This enables membership of User Groups to be managed externally, outside of Geo SCADA Expert.)

Further Information

Organize your Users and User Groups.

Allocating Permissions to a User Group or User Account.

Using External Authentication with Geo SCADA Expert.

Integrate Geo SCADA Expert User Accounts with Active Directory or LDAP User Accounts.

Associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group.