Integrate Geo SCADA Expert User Accounts with Active Directory or LDAP User Accounts
Geo SCADA Expert supports the ability to manage user accounts and user groups centrally outside of Geo SCADA Expert, by integrating its user accounts and user groups with corresponding Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) user accounts and groups.
Active Directory is included in the Windows® Server operating systems on which Geo SCADA Expert can run. If your company uses Active Directory Domain Services (AD DS) to authenticate and authorize users and computers in a Windows domain network, you can integrate Geo SCADA Expert's user authentication with that of the relevant Windows domain controller.
Likewise, if your company uses LDAP for authorizing users over the company network, you can integrate Geo SCADA Expert's user authentication process with the LDAP authentication method.
With either integration scenario, when a new user attempts to log on to Geo SCADA Expert via ViewX or Virtual ViewX, Geo SCADA Expert will attempt to locate an Active Directory or LDAP user with the user credentials that have been entered. If such a user exists in Active Directory/LDAP but not in Geo SCADA Expert, a new user account will be added to Geo SCADA Expert automatically, to correspond with the Active Directory/LDAP user account. To facilitate this, a suitable User Group has to exist in Geo SCADA Expert and be named to match an Active Directory/LDAP group of which the user is a member. The User Group also has to reference a suitable User Pattern, a special type of user account that determines the settings that the new user account will be assigned in Geo SCADA Expert. These settings determine the Geo SCADA Expert features to which the new user has access, the security permissions to which the user is assigned in Geo SCADA Expert, and so on.
By integrating Geo SCADA Expert user groups and user accounts with those in Active Directory/LDAP, system administrators can manage Geo SCADA Expert user accounts centrally in Active Directory/LDAP. In addition to adding new users via Active Directory/LDAP, you can:
- Remove credentials of users that have left the company—if the user attempts to log on to Geo SCADA Expert via ViewX or Virtual ViewX, the logon attempt will fail if that user account no longer exists in Active Directory/LDAP.
- Move users from one group to another—providing that a corresponding User Group exists in Geo SCADA Expert, the user will automatically move to the other User Group when they next log on to ViewX or Virtual ViewX. Additionally, the entries in the User Groups field on the User's configuration Form will update automatically at log on, to show those User Groups of which the User is currently a member. (This automatic population of the User Groups field only applies to User Groups that are associated with Windows domain groups or LDAP user groups; you have to update the User Groups field manually for any Geo SCADA Expert User Groups that are not associated with Windows domain groups or LDAP user groups.) For more information, see Associate a User with a User Group.
Do not confuse Windows domain groups with Windows groups that only exist on the machine on which the Geo SCADA Expert server is installed (the 'local machine').
If you wish, you can configure Geo SCADA Expert to authenticate an existing Geo SCADA Expert User against a Windows user that only exists on the local machine. However, Geo SCADA Expert will not create a User automatically from a Windows user that only exists on the local machine (it will only do so from a Windows domain user).
Likewise, when performing automatic User Group membership updates, Geo SCADA Expert will not consider Windows groups that only exist on the local machine. Any User Groups that are linked to local Windows user groups will be removed from externally authenticated Users during logon.
Geo SCADA Expert provides the means to cache user passwords. Once a user account exists both in Active Directory/LDAP and Geo SCADA Expert, if the user subsequently logs on to Geo SCADA Expert and the connection to the Active Directory/LDAP server is down, that user will still be able to log on to Geo SCADA Expert, provided that the user logs on before the configurable Cached password expiry period is exceeded.
In order for Geo SCADA Expert to integrate its user accounts and user groups with Active Directory/LDAP, you have to enable both the External Authentication feature and the Create users automatically from group membership option on each Geo SCADA Expert server.
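The logon rules described above, as an added Python model for reasoning about who gets an account and which User Groups they end up in. It is not Geo SCADA Expert code: the class and function names and the sample data are constructed, and three behaviours are assumptions (the cache window starts at the last directory-verified logon, a new user with no matching User Group and User Pattern is denied, and the first matching pattern wins).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class UserGroup:                      # model of a Geo SCADA Expert User Group
    name: str
    link: str = "none"                # "domain" (same-named AD/LDAP group), "local" or "none"
    user_pattern: str = ""            # empty string: no User Pattern referenced

@dataclass
class User:
    groups: set = field(default_factory=set)
    last_verified: datetime = datetime.min   # assumed start of the cache window

def logon(name, directory, user_groups, users, now, cache_expiry, directory_up=True):
    """directory: user name -> set of domain/LDAP groups. Credentials are assumed correct."""
    user = users.get(name)
    if not directory_up:              # cached password path: existing accounts only
        fresh = user is not None and now - user.last_verified <= cache_expiry
        return "allowed (cached)" if fresh else "denied"
    if name not in directory:
        return "denied"               # account no longer exists in AD/LDAP
    linked = [g for g in user_groups if g.link == "domain" and g.name in directory[name]]
    result = "allowed"
    if user is None:
        patterns = [g.user_pattern for g in linked if g.user_pattern]
        if not patterns:
            return "denied"           # assumption: no matching group with a pattern, no account
        user = users[name] = User()
        result = "created from " + patterns[0]   # assumption: first match wins
    unlinked = {g.name for g in user_groups if g.link == "none"}
    user.groups = (user.groups & unlinked) | {g.name for g in linked}  # local-linked drop out
    user.last_verified = now
    return result

def demo():
    """Constructed sample data, not taken from any real system."""
    groups = [UserGroup("SCADA-Operators", "domain", "OperatorPattern"),
              UserGroup("SCADA-Engineers", "domain", "EngineerPattern"),
              UserGroup("LocalAdmins", "local"), UserGroup("NightShift")]
    directory = {"alice": {"SCADA-Operators"}, "carol": {"Finance"}}
    users = {"bob": User({"SCADA-Operators"}), "dave": User({"LocalAdmins", "NightShift"})}
    def run(name, day, up=True):
        return logon(name, directory, groups, users,
                     datetime(2024, 1, 1) + timedelta(days=day), timedelta(days=7), up)
    out = [run("alice", 0), run("carol", 0), run("bob", 0)]   # created, no group, removed
    directory.update(alice={"SCADA-Engineers"}, dave={"SCADA-Operators"})
    out += [run("alice", 1), run("dave", 1), run("alice", 3, False), run("alice", 30, False)]
    return out, users
```

Two things to take from the model: every directory group whose name matches a pattern-backed User Group is effectively a provisioning path into the system, and a disabled or deleted directory account can still log on during a directory outage until the cached password expires.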
SECURITY THREAT