Configure User Accounts Appropriately

ClearSCADA's security feature can act as an effective security tool, helping to protect your system from being accessed by unauthorized users. But its effectiveness is dependent on the appropriate configuration of user accounts.

To access your system via a user account, a user needs to know the user name and password allocated to that user account. But the protection offered by user accounts does not end there - a user account can be denied access to items and features by its own configuration and the security settings of each database item (in addition to the system-wide security settings made at the server).

For more effective security, you should configure the settings for each user account so that they only provide the required access. Ideally, you should configure a user account so that it only allows the user of that account to access the features and items they need to perform their expected duties. For security purposes, the settings you should pay particular attention to are:

Access Type

Allows you to define whether the user can access ClearSCADA via ViewX, WebX and Pager/SMS (Phone). For more information, see Define whether a User can Access the System via ViewX, WebX, Original WebX or Phone.

User Group

Allows you to associate a user account with one or more User Groups. The user account will have its own permissions plus those that are allocated to the User Group(s).

With user accounts that are integrated with Windows or LDAP user accounts, a user's User Group membership is updated automatically at log in (for those ClearSCADA User Groups that are integrated with Windows domain groups or LDAP user groups). For more information, see Associate a ClearSCADA User Group with a Windows Domain Group or LDAP User Group.

Operational

The Operational settings on the ViewX tab—You can use the check boxes to control which operator level features are available to the user.

Configuration

The Configuration settings on the ViewX tab—You can use the check boxes to control which configuration features are available to the user.

Alarm Banner/List

The Alarm Banner/List settings on the ViewX tab—You can use the check boxes to control which alarm features are available to the user.

Explorer Bars

The Explorer Bars settings on the ViewX tab—You can use the check boxes to control which Explorer Bars (navigation hierarchies, such as the Database Bar) are available to the user.

The user-specific security settings that are on the Security tab (only available if the Allow per User option is enabled at the server, and the user accounts are managed directly in ClearSCADA, rather than via the External Authentication feature). You can use the Security settings to define the password length, password strength, password expiry, and so on, for the user account.

External Authentication

On systems on which the External Authentication feature is used, each ClearSCADA user account that is to be managed remotely using Active Directory or LDAP requires a corresponding Windows domain or LDAP user account. When Active Directory is used to manage the user accounts remotely, we recommend that the Windows domain user accounts are given minimal access rights on the ClearSCADA server (see Using External Authentication with ClearSCADA).

By configuring each user account so that it only has access to the features and items that are relevant to the user of that account, you help to protect your system from:

Remember that on systems on which ClearSCADA is configured to Create users automatically from group membership, you configure the initial settings on the User Pattern Form, rather than the User Form.

Related Topics Link IconFurther Information


Disclaimer

ClearSCADA 2017 R3