Create User Accounts from a User Pattern

ClearSCADA User accounts can be created automatically as part of an External Authentication process if:

In order to provide the settings for automatically created User accounts, you have to create and configure at least one User Pattern in the database.

If required, you can create and configure multiple User Patterns. For example, you might create one User Pattern for operator-level users, and another User Pattern for engineer-level users. You configure each User Pattern to provide access to the features that are relevant to the type of user to which the User Pattern relates. In order for ClearSCADA to make use of the User Pattern, you have to reference that User Pattern from a User Group (see Provide Settings for Automatic User Creation).

On ClearSCADA systems that use User Patterns, most of the User accounts are maintained outside of ClearSCADA (following the initial setup in ClearSCADA). You need only create and configure User accounts (as opposed to User Patterns) directly in ClearSCADA for those users whose accounts are not integrated with Windows or LDAP user profiles. For users whose accounts are maintained outside of ClearSCADA, the User accounts are added automatically when the user first attempts to log on to ClearSCADA, based on the settings of the relevant User Pattern.

To define the requirements of the new User accounts that ClearSCADA might be triggered to create automatically:

  1. You use User Patterns to define the ClearSCADA features to which the new User accounts have access (remember that a User Pattern might form the basis of multiple User accounts) (see Configuring User Pattern Settings).
  2. You associate each User Pattern with the relevant User Group (one that is configured to Allow Automatic User Creation and is associated with a Windows domain group or LDAP user group) (see Provide Settings for Automatic User Creation).
  3. You use settings on the User Group Form to specify the location at which ClearSCADA places the new User accounts that it creates automatically based on the User Pattern (see the link above).
  4. You assign the relevant security permissions to the User Group. (These security permissions will also apply to the new User accounts that ClearSCADA creates automatically based on the User Pattern with which the User Group is associated.) For more information, see Allocating Permissions to a User Group or User Account.
    NOTICE

    SECURITY THREAT

    On systems on which ClearSCADA can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
    Failure to follow these instructions can result in equipment damage.
  5. If the new User accounts are also to be associated with other User Groups, assign the relevant security permissions to those other User Groups. (These security permissions will also apply to the new User accounts that ClearSCADA creates automatically based on the User Pattern. The permissions apply in addition to those inherited from the User Group mentioned in step 4. For more information, see Understanding User Accounts.)

    If more than one User Group is configured to Provide Settings for Automatic User Creation, ClearSCADA uses the settings of the User Group that is assigned the highest Priority for creating the new User accounts. You specify the Priority on the User Group Form (see the previous link).

When a new user attempts to log on to ClearSCADA via ViewX or WebX using credentials for a user that exists in a Windows domain or LDAP, but not in ClearSCADA, a new User account is added to ClearSCADA automatically. In doing so, ClearSCADA applies settings from the relevant User Group and User Pattern when creating the new User account. These settings determine the ClearSCADA features to which the new user has access, the security permissions that the user is assigned in ClearSCADA, and so on.

Such a system setup enables network administrators to manage User accounts remotely, outside of ClearSCADA.

(You need only create User accounts manually, directly in ClearSCADA, for those users that are to log on using accounts that are not integrated with Windows or LDAP user profiles.)
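
The following is an added example, not part of the ClearSCADA documentation or product: a small Python model of the rules described above, used to review which User Pattern and which permissions an automatically created account would receive. The field names, permission names, group names and sample configuration are constructed, and it assumes that a larger number means a higher Priority and that an account is associated with every User Group whose Windows or LDAP group the user belongs to.

```python
# Simplified model of the rules on this page. Field names, permission names,
# group names and the sample configuration are constructed, not ClearSCADA's.
HIGH_LEVEL = {"Shutdown", "Configure"}  # assumption: what counts as high-level

GROUPS = [
    {"name": "Operators", "external": "PLANT\\ScadaOperators", "auto_create": True,
     "priority": 10, "pattern": "Operator Pattern", "permissions": {"Read", "Control"}},
    {"name": "Engineers", "external": "PLANT\\ScadaEngineers", "auto_create": True,
     "priority": 20, "pattern": "Engineer Pattern",
     "permissions": {"Read", "Control", "Configure"}},
    {"name": "All Staff", "external": "PLANT\\Domain Users", "auto_create": False,
     "priority": 0, "pattern": None, "permissions": {"Read", "Shutdown"}},
]

def matched_groups(member_of, groups):
    """User Groups whose linked Windows/LDAP group the user belongs to."""
    return [g for g in groups if g["external"] in member_of]

def resolve_new_account(member_of, groups=GROUPS):
    """Return (pattern, source group, effective permissions) or None."""
    matched = matched_groups(member_of, groups)
    creators = [g for g in matched if g["auto_create"] and g["pattern"]]
    if not creators:
        return None  # no group allows automatic creation: no account is made
    # Assumption: a larger number means a higher Priority.
    source = max(creators, key=lambda g: g["priority"])
    # Permissions from every associated group apply in addition to each other.
    effective = set().union(*(g["permissions"] for g in matched))
    return source["pattern"], source["name"], effective

def high_level_findings(member_of, groups=GROUPS):
    """(group, permission) pairs giving an auto-created account high-level rights."""
    if resolve_new_account(member_of, groups) is None:
        return []
    return sorted((g["name"], p)
                  for g in matched_groups(member_of, groups)
                  for p in g["permissions"] & HIGH_LEVEL)

if __name__ == "__main__":
    user = {"PLANT\\ScadaOperators", "PLANT\\Domain Users"}  # constructed user
    print(resolve_new_account(user))
    print(high_level_findings(user))
```

In the constructed configuration, an operator who is also a member of the broad "All Staff" group is created from the Operator Pattern but still inherits the shutdown permission from the second group, which is the situation the security notice in step 4 warns about.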


ClearSCADA 2017 R3