Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts

ClearSCADA supports the ability to manage user accounts and user groups centrally outside of ClearSCADA, by integrating its user accounts and user groups with corresponding Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) user accounts and groups.

Active Directory is included in the Windows® Server operating systems on which ClearSCADA can run. If your company uses Active Directory Domain Services (AD DS) to authenticate and authorize users and computers in a Windows domain network, you can integrate ClearSCADA's user authentication with that of the relevant Windows domain controller.

Likewise, if your company uses LDAP for authorizing users over the company network, you can integrate ClearSCADA's user authentication process with the LDAP authentication method.

With either integration scenario, when a new user attempts to log on to ClearSCADA via ViewX or WebX, ClearSCADA will attempt to locate an Active Directory or LDAP user with the user credentials that have been entered. If such a user exists in Active Directory/LDAP but not in ClearSCADA, a new user account will be added to ClearSCADA automatically, to correspond with the Active Directory/LDAP user account. To facilitate this, a suitable User Group has to exist in ClearSCADA and be named to match an Active Directory/LDAP group of which the user is a member. The User Group also has to reference a suitable User Pattern - a special type of user account that determines the settings that the new user account will be assigned in ClearSCADA. These settings determine the ClearSCADA features to which the new user has access, the security permissions to which the user is assigned in ClearSCADA, and so on.

By integrating ClearSCADA user groups and user accounts with those in Active Directory/LDAP, system administrators can manage ClearSCADA user accounts centrally in Active Directory/LDAP. In addition to adding new users via Active Directory/LDAP, you can:

ClearSCADA provides the means to cache user passwords. Once a user account exists both in Active Directory/LDAP and ClearSCADA, if the user subsequently logs onto ClearSCADA and the connection to the Active Directory/LDAP server is down, that user will still be able to log on to ClearSCADA. (Providing that the user logs on before the configurable Cached password expiry period is exceeded.)

In order for ClearSCADA to integrate its user accounts and user groups with Active Directory/LDAP, you have to enable both the External Authentication feature and the Create users automatically from group membership option on each ClearSCADA server.

NOTICE

SECURITY THREAT

On systems on which ClearSCADA can Create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.

Disclaimer

ClearSCADA 2017 R3