Provide Settings for Automatic User Creation

If:

you can specify whether to enable automatic user creation on each ClearSCADA User Group that is associated with a Windows domain group or LDAP user group. With automatic user creation, when a new user attempts to log on to ClearSCADA via ViewX or WebX, ClearSCADA will attempt to locate a Windows domain (Active Directory) user or LDAP user with the user credentials that have been entered. If such a user exists in Windows/LDAP but not in ClearSCADA, a new user account will be added to ClearSCADA automatically, to correspond with the Windows/LDAP user account. As part of this process, ClearSCADA applies various settings that are provided by the relevant User Group and its associated User Pattern for creating the new User account. Should the user be a member of more than one User Group, ClearSCADA will use each User Group's Priority to determine which User Group settings it is to use for the new User account. Additionally, it will automatically populate the new User account's Windows/LDAP User Name field with the name of the Windows or LDAP user that was used to log on to ClearSCADA and so resulted in the creation of that new User account.

To facilitate this:

Do not confuse Windows domain groups with Windows groups that only exist on the machine on which the ClearSCADA server is installed (the 'local machine').

If you wish, you can configure ClearSCADA to authenticate an existing ClearSCADA User against a Windows user that only exists on the local machine. However, ClearSCADA will not create a User automatically from a Windows user that only exists on the local machine (it will only do so from a Windows domain user).

Likewise, when performing automatic User Group membership updates, ClearSCADA will not consider Windows groups that only exist on the local machine. Any User Groups that are linked to local Windows user groups will be removed from externally authenticated Users during logon.

 

This topic explains the properties on the User Group Form that you have to configure to enable automatic user creation. To configure these properties:

  1. Display the User Group Form in ViewX.
  2. Select the User Group tab.
  3. In the Link to Windows/LDAP Group section of the tab:

    1. Select the Allow Automatic User Creation check box if this User Group is to provide settings for automatic User creation. If, as part of the external authentication process, ClearSCADA determines that it needs to create a new User account automatically, it will identify the User Groups of which the new User is a member, including which of those User Groups are configured to provide settings for automatic User creation. If the user belongs to more than one such User Group, ClearSCADA will use the settings that apply to the User Group that has the highest Priority (see below). It will then use the settings that apply to that User Group and its specified User Pattern for creating the new User account.

      The check box is only available for use if:

      Clear the check box if this User Group is not to provide settings for automatic User creation. The rest of the fields associated with automatic User creation in the Link to Windows/LDAP Group section are then 'grayed out' and unavailable for use.

    2. Use the User Pattern field to specify the full name (including the path) of the User Pattern that determines the settings that the new user account will be assigned in ClearSCADA. Use the browse button next to the field to display a Reference browse window. The window displays a list of User Patterns that exist in the database. Use the window to locate and select the required User Pattern.
    3. Use the Create Users in Group field to specify the name of the Group or Group Instance within which ClearSCADA should create the new User account. Use the browse button next to the field to display a Reference browse window. Locate and select the required entry from the window.
    4. Users can belong to multiple User Groups. Use the Priority field to specify which set of User Group settings ClearSCADA should use to create a new User account if it determines that the new User belongs to more than one User Group. The priority determines which User Pattern ClearSCADA uses for defining the User account settings, and the security permissions it assigns to that new User.

      Enter the required value in the range 0 to 255 inclusive, with 255 being the highest priority.

      We recommend that you configure the priorities to avoid ambiguity, by assigning a different priority to every User Group that is associated with a Windows Domain Group or LDAP User Group. If ClearSCADA finds that the User belongs to more than one User Group with the same priority, it will determine which User Group settings it should use for creating that new User account.

    The Link to Windows/LDAP Group section of fields is only available on User Group Forms when the External Authentication feature is enabled on the server (see Using External Authentication with ClearSCADA).

  4. Save the configuration.
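
The selection rule described in the steps above, as an added example that is not part of the ClearSCADA documentation or product code: a Python model of linked User Groups that reports which User Group would supply the settings for a new externally authenticated user, and which priorities are shared between groups. The UserGroup class, its field names and the sample groups are constructed for illustration; nothing here calls a ClearSCADA API.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class UserGroup:                    # hypothetical model of one User Group Form
    name: str                       # ClearSCADA User Group name
    external_group: str             # linked Windows or LDAP group
    linked_to_domain_or_ldap: bool  # False = group exists only on the local machine
    allow_auto_create: bool         # "Allow Automatic User Creation" check box
    user_pattern: str               # "User Pattern" field
    priority: int                   # "Priority" field, 0..255, 255 is highest

# Constructed sample configuration, not exported from a real system.
GROUPS = [
    UserGroup("Operators", "PLANT\\scada-operators", True, True, "Patterns.Operator", 100),
    UserGroup("Engineers", "PLANT\\scada-engineers", True, True, "Patterns.Engineer", 200),
    UserGroup("Contractors", "PLANT\\scada-contractors", True, True, "Patterns.Contractor", 100),
    UserGroup("Viewers", "PLANT\\scada-viewers", True, False, "", 50),
    UserGroup("LocalAdmins", "SCADASRV1\\Administrators", False, True, "Patterns.Admin", 255),
]

def duplicate_priorities(groups):
    """Priorities shared by more than one domain/LDAP-linked User Group."""
    by_prio = defaultdict(list)
    for g in groups:
        if g.linked_to_domain_or_ldap:
            if not 0 <= g.priority <= 255:
                raise ValueError(f"{g.name}: priority {g.priority} outside 0..255")
            by_prio[g.priority].append(g.name)
    return {p: sorted(names) for p, names in by_prio.items() if len(names) > 1}

def creation_source(groups, member_of):
    """Return (User Groups at the top priority, ambiguous) for a new external user.
    Local-machine groups and groups without auto-creation enabled never qualify."""
    eligible = [g for g in groups if g.external_group in member_of
                and g.linked_to_domain_or_ldap and g.allow_auto_create]
    if not eligible:
        return [], False            # no account would be created from these groups
    top = max(g.priority for g in eligible)
    winners = sorted(g.name for g in eligible if g.priority == top)
    return winners, len(winners) > 1  # a tie is reported, not resolved
```

Any entry returned by duplicate_priorities, or any result flagged as ambiguous, marks a configuration where the User Pattern and permissions given to a new account are not fixed by the priorities alone.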

NOTICE

SECURITY THREAT

On systems on which ClearSCADA can create users automatically from group membership, the incorrect assignment of security permissions on User Patterns and User Groups can compromise the security of the system. Always restrict the security permissions that are allocated to User Patterns, and to User Groups that are integrated with Windows domain groups or LDAP user groups. Only assign those permissions that are actually required, to help prevent the automatic creation of new user accounts that allow Windows or LDAP users to perform high-level tasks, such as shutting down the server.
Failure to follow these instructions can result in equipment damage.


ClearSCADA 2017 R3