FT Security Sys Config
Chapter 8: Add and remove action groups
Add an action group (page 63)
Delete an action group (page 64)
Add an action to an action group (page 65)
Remove an action from an action group (page 66)
Chapter 9: Set system policies
Authorize an application to access the FactoryTalk Directory (page 68)
FactoryTalk Service Application Authorization (page 69)
FactoryTalk Service Application Authorization settings (page 69)
Publisher Certificate Information (page 71)
Digitally signed FactoryTalk products (page 72)
Assign user rights to make system policy changes (page 72)
User rights assignment policies (page 73)
User Rights Assignment Policy Properties (page 74)
Configure Securable Action (page 75)
Select a user or group (page 76)
Change the default communications protocol (page 77)
About this publication
This Quick Start Guide provides you with information on using FactoryTalk
Services Platform with FactoryTalk Security.
Before using this guide, review the FactoryTalk Services Platform Release Notes
for information about required software, hardware, and anomalies.
After using this guide, you will be more familiar with how FactoryTalk Services
Platform uses:
Additional resources
For more information on the products and components discussed in this guide,
the following manuals and Help files are available with the software:
• FactoryTalk Help – From the Windows Start menu, select All Programs >
Rockwell Software > FactoryTalk Tools > FactoryTalk Help
• FactoryTalk View Installation Guide or FactoryTalk View Help – From the
Windows Start menu, select All Programs > Rockwell Software >
FactoryTalk View > User Documentation and then select the appropriate
Help or User Guide.
• FactoryTalk® Linx™ Help – From the Windows Start menu, select Start >
All Programs > Rockwell Software > FactoryTalk Linx > FactoryTalk
Linx Online Reference.
• RSLinx Classic Help – From the Windows Start menu, select Start > All
Programs > Rockwell Software > RSLinx > RSLinx Classic Online
Reference.
• Logix Designer application Help – In Logix Designer, select Help >
Contents
• FactoryTalk Batch Administrator’s Guide – From the Windows Start
menu, select Start > All Programs > Rockwell Software > FactoryTalk
Batch Suite > FactoryTalk Batch > Online Books > FactoryTalk Batch >
Batch Administrator's Guide
The Rockwell Automation Literature Library also has related Getting Results
Guides that can be viewed online or downloaded:
A FactoryTalk system may be much more complex, with software products and
hardware devices participating in multiple network applications distributed across
a network, all sharing the same network directory.
A single computer can host both a local directory and a network directory. The
two directories are completely separate and do not share any information. If you
use both directories, then that single computer participates in two separate
FactoryTalk systems.
In the network directory example above, the directory hosts two network
applications: one named Waste Water and the other named Water Distribution.
All of the areas, data servers, HMI servers, device servers, and alarm and event
servers organized within each application are specific to that application. None of
the application-specific information is shared with any other application in the
directory. However, all of the information and settings organized within the
System folder, such as security settings, system policies, product policies, user
accounts, and so on, apply to all applications held in the directory.
FactoryTalk Directory types
The FactoryTalk Directory is the centerpiece of the FactoryTalk Services
Platform. FactoryTalk Directory provides a central lookup service for all products
participating in an application. Rather than a traditional system design with
multiple, duplicated databases or a central, replicated database, FactoryTalk
Directory references tags and other system elements from multiple data
sources—and makes the information available to clients through a lookup service.
Tags are stored in their original environments, such as logic controllers, and
graphic displays are stored in the HMI servers where they are created. Yet all of
this information is available, without duplication, to any FactoryTalk product
participating in an application.
With Logix 5000 controllers (programmed with RSLogix 5000®), tags reside within the hardware itself. With
Allen-Bradley® PLC-5® and SLC™ 500 devices, and with third-party controllers,
tags reside within data servers, such as RSLinx Classic and FactoryTalk® Linx™.
Tags are not held within a common database, nor are they duplicated in multiple
databases. Instead, the FactoryTalk Directory references tags from their source
locations and passes the information on to the software products that need it, such
as FactoryTalk View SE and FactoryTalk Transaction Manager.
The FactoryTalk Services Platform installs and configures two completely separate
and independent directories: a local directory and a network directory. Each
directory can hold multiple applications.
• In a local directory, all project information and security settings are located
on a single computer, and the FactoryTalk system cannot be shared across a
network or from the network directory on the same computer. Products
such as FactoryTalk View SE (Local) and FactoryTalk View Machine
Edition use the local directory.
• A network directory organizes project information and security settings
from multiple FactoryTalk products across multiple computers on a
network. Products such as FactoryTalk View SE and FactoryTalk
Transaction Manager use the network directory.
Which directory you need depends upon which software products you plan to use
and whether you plan to work in a stand-alone or a networked environment.
Accounts and groups
Creating accounts for users, computers, and groups of users and computers allows
you to define who can perform actions, and from where. When viewing lists of
users, computers, and groups, an icon indicates the status of each account.
Security settings for accounts are stored in FactoryTalk Directory, and are separate
for FactoryTalk network and local directories. As much as possible, create group
accounts rather than individual accounts. This simplifies administration, and
allows you to secure resources in your system by defining security permissions for
the group accounts before all the individual user and computer accounts have been
created. You can then add user and computer accounts to the groups at any time,
and all of the individual accounts in the groups will have the security settings of
those groups.
You can set up accounts for users and user groups that are linked to accounts in a
Windows domain or workgroup, or you can set up accounts that are separate from
those in Windows.
If the security needs of your FactoryTalk system are the same as your Windows
security needs, Windows-linked user or group accounts provide a convenient
way to add large numbers of existing Windows user or group accounts to your
FactoryTalk system. You can then administer those users or groups in Windows.
Account properties — for example, whether users can change passwords — are
inherited directly from the Windows accounts, and are updated automatically if
they are changed in Windows.
FactoryTalk user accounts or user group accounts provide secure access to your
FactoryTalk system independently of the level of access users have in Windows. If
the security needs of your FactoryTalk system are different from those of your
Windows network, FactoryTalk Directory user accounts provide the benefits and
convenience of centralized administration, without the need for a Windows
domain. FactoryTalk user group accounts also retain their security settings when
you move your FactoryTalk Directory to a new domain.
Computer accounts and computer group accounts are not linked to Windows.
However, the name of a computer account must match the Windows computer
name for the security settings associated with the computer to take effect. You can
create accounts for computers that do not yet exist in Windows. Because a
FactoryTalk local directory runs on a single computer, you can add computer
accounts only to a FactoryTalk local directory.
Account status
By default, user accounts and group accounts are active, which means that the user
or members of a group can access the account. The status of accounts can also be:
• When the security needs of your Windows network are the same as the
security needs of your control system. For example:
• Create Windows-linked user groups that determine access for all of the
Windows accounts in the group. If you want to specify different
permissions for some users in the Windows-linked group, add
Windows-linked user accounts for those users.
You can also use both Windows-linked accounts and FactoryTalk accounts in a
FactoryTalk Directory. For example, you might have a FactoryTalk administrator
account that is not linked to an account in Windows, even if you normally use
Windows-linked accounts.
If you expect the need to move Windows accounts from one domain to another,
use Windows-linked user group accounts. Windows-linked user group accounts,
and the user accounts they contain, can be moved from one domain to another
while keeping security permissions for the group accounts intact. Individual
Windows-linked user accounts must be deleted and then re-created in the new
domain, causing all security permissions for the user accounts to be lost.
You should always have at least one Windows-linked user account that is a
member of the FactoryTalk Administrators group. This prevents you from being
inadvertently locked out of the FactoryTalk system. If the Windows-linked
administrator account is locked out, for example because the user exceeds the
maximum number of logon tries, the Windows domain administrator can reset
the account. Alternatively, the user can wait until Windows automatically resets
and frees the locked-out account. When this happens depends on the account
lockout duration policy in Windows. For details, see Windows Help.
Applications and areas
In a FactoryTalk Directory, elements such as data servers, alarm and event servers,
HMI servers, and project information are organized into applications. A
FactoryTalk Directory holds any number of applications, stores information about
each application, and makes that information available to FactoryTalk products
and services.
Security in a FactoryTalk system
FactoryTalk Security is intended to improve the security of an automation system
by limiting access to those with a legitimate need. Security in FactoryTalk is
accomplished through authentication and authorization. Security services are
managed separately in the FactoryTalk local directory and the FactoryTalk
network directory.
Authentication
Authorization
Securing resources
"Who can carry out what actions upon which secured resources from which
locations?"
The principle of inheritance determines how access permissions are set. For
example, if you assign security to an area in an application, all of the items in the
area inherit the security settings of the area. You can override this behavior by
setting up security for one or more of the individual objects inside the area as well.
System-wide policies dictate some security settings. For example, you can set up a
policy that requires users to change their passwords once every 90 days.
Example: Two directories on one computer
Different software products have different requirements for the FactoryTalk
Directory. Both directories are installed and configured as part of installing the
FactoryTalk Services Platform. Which directory you need depends upon which
software products you plan to use and whether you plan to work in a stand-alone
or a networked environment.
Even though a local directory and a network directory reside on the same
computer, all of their project information and security settings remain completely
separate and cannot be shared, including:
The graphic below shows three computers. Each computer has both a local
directory and a network directory configured. Each directory holds objects, which
represent project information, such as applications, references to data servers, and
security settings, including user accounts. In each local directory, these project
objects can be accessed only by software products installed on that same local
computer. The network directory, however, can share references to its objects
across a network.
For example, suppose each colored icon above represents the project information
and security settings that are part of a FactoryTalk system. The local directories on
each computer hold completely separate sets of information (represented by the
green, blue, and yellow icons). In the case of the network directory, all client
computers that point to the same network directory server computer share the
same set of information across the network (represented by the orange icons).
computer. "Terry" can now log on to the network directory from any of the three
computers.
Now suppose we create a user account named "Terry" with the password
"OpenSesame" in each Local Directory on every computer. Even though the user
name and password are the same, each user account is a separate object in each
local directory.
If we change the password in the local directory on Computer 1, the change does
not affect the user account held in the network directory server on the same
computer, nor does it affect the user accounts held in the local directories on
computers 2 and 3.
In the same way, you might have multiple user accounts, all with the same user
name and password, on your computer at home. For example, you might log on to
your Windows system with the user name "HomeAccount" and password
"NorthAndSouth." You might create accounts and use the same user name and
password to log on to your local bank, a bill-paying service, several online shopping
accounts, and your online broker. Suppose you log on to your bank and change
your password to "EastAndWest." This change will not affect the password for
your Windows system, bill-paying service, online shopping accounts, or online
broker, because each of these accounts is separate, even though each has the same
user name and password.
Install FactoryTalk Services Platform
FactoryTalk Services Platform and FactoryTalk Security software are not installed
separately; FactoryTalk Security is an integrated part of the FactoryTalk
Services Platform.
To install FactoryTalk Services Platform, you must log on to Windows with a user
account that is a member of the Windows Administrators group on the local
computer.
FactoryTalk Services Platform consists of the following components and services:
• FactoryTalk Directory
• FactoryTalk Security
• FactoryTalk Diagnostics
• FactoryTalk Live Data
• FactoryTalk Administration Console – a stand-alone tool for configuring,
managing, and securing applications.
All of these components and services install together as a platform, integrated into
the software install process for each FactoryTalk-enabled product.
Tip: FactoryTalk Services Platform configures a Network Directory on every computer where it is installed, but
only one computer acts as the Network Directory server; the other computers on which FactoryTalk Services
Platform is installed are client computers. Determine which computer in the system is going to be used as the
directory server and note this computer name. After FactoryTalk Services Platform is installed on the client
computers, run the FactoryTalk Directory Server Location Utility and identify the computer name of the
Network Directory server.
About FactoryTalk Security
FactoryTalk Security improves the security of your automation system by limiting
access to those with a legitimate need. FactoryTalk Security authenticates the
identities of users, and authorizes user requests to access a FactoryTalk system
against a set of defined user accounts and access permissions held in the
FactoryTalk network directory or FactoryTalk local directory.
"Who can carry out what actions upon which secured resources from where?"
The principle of inheritance determines how access permissions are set. For
example, if you assign security to an area in an application, all of the items in the
area inherit the security settings of the area. You can override this behavior by
setting up security for one or more of the individual objects inside the area.
System-wide policies dictate some security settings. For example, you can set up a
policy that requires users to change their passwords once every 90 days.
Security on a local directory
By default, security is open in the FactoryTalk local directory. All users who have
successfully logged on to Windows have full access to the local directory.
Because the network directory and local directory are separate, you must secure
them separately. Some Rockwell Automation software products require the
FactoryTalk network directory, others require the FactoryTalk local directory, and
some require both directories to be configured, depending on what you want to do
with the product.
Security on a network directory
By default, security is open in the FactoryTalk network directory. This means that
all users who are logged on to Windows with a user account that is a member of
the local Windows Administrators group on any computer connected to the
network directory have full access to the directory, until you restrict it.
Because the network directory and local directory are separate, you must secure
them separately. Some Rockwell Automation software products require the
FactoryTalk network directory, others require the FactoryTalk local directory, and
some require both directories to be configured, depending on what you want to do
with the product.
How security authenticates user accounts
When a user attempts an action that is secured, security authenticates user names
and passwords in the following order:
1. Against the list of FactoryTalk user accounts. If a match is found, the user is
allowed to proceed.
Things you can secure
You can use Allow or Deny permissions to secure access to resources in your
system. Resources include:
Security for resources is always tied to users or groups of users, the actions they are
performing, for example, read, write, and so on, and the computers, or groups of
computers where they are working.
This helps you ensure that only authorized personnel can perform actions on the
equipment and resources in your system from appropriate locations, for example,
computers located within line of sight of equipment.
In a local FactoryTalk directory, actions can be performed only from the local
computer.
For each resource, for example, an application, or an area within it, you can restrict
actions such as writing values, to particular users or groups of users. In a network
directory, you can also restrict actions to particular computers, or groups of
computers.
You can group actions together and then assign security permissions to all of the
actions in the group. For example, you want to assign permissions to an area so
that only operators working on computers located within the line of sight of heavy
machinery can write values to the programmable controllers in that area.
Suppose that:
First, you would clear the Allow check box for All Users and All Computers in the
Punch Presses area. Next, you would select the Allow check box for the user group
called Operators and the computer group called Heavy Machinery.
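The Punch Presses procedure above, together with the inheritance rule and the "explicit Deny on a user account overrides the group's Allow" rule described elsewhere on this page, as an added worked model. This is example code written for this page, not FactoryTalk's own code and not a FactoryTalk API: a small Python directory in which permission entries set on an area are inherited by everything under it, entries set on a child replace what the child would inherit for that action, and any applicable Deny beats any Allow. The application, area, user, group and computer names, and the two evaluation rules as coded, are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Built-in groups that every user / every computer belongs to.
ALL_USERS = "All Users"
ALL_COMPUTERS = "All Computers"


@dataclass
class Entry:
    """One row of a resource's Security dialog (constructed model)."""
    principal: str   # user name or user-group name
    computer: str    # computer name or computer-group name
    action: str      # secured action, e.g. "Read" or "Write"
    allow: bool      # True = Allow check box selected, False = Deny


@dataclass
class Resource:
    """A node in the application > area > object tree."""
    name: str
    parent: Optional["Resource"] = None
    entries: list = field(default_factory=list)

    def entries_for(self, action):
        """Walk from this resource toward the root and return the nearest set of
        entries for `action`. Assumption: entries set on a child replace, for
        that action, what the child would otherwise inherit from its area."""
        node = self
        while node is not None:
            matching = [e for e in node.entries if e.action == action]
            if matching:
                return matching
            node = node.parent
        return []


class Directory:
    """User/computer accounts and their group memberships (constructed model)."""

    def __init__(self):
        self.user_groups = {}       # user name -> set of user-group names
        self.computer_groups = {}   # computer name -> set of computer-group names

    def add_user(self, user, *groups):
        self.user_groups[user] = {ALL_USERS, *groups}

    def add_computer(self, computer, *groups):
        # The computer account name must match the Windows computer name.
        self.computer_groups[computer] = {ALL_COMPUTERS, *groups}

    def is_allowed(self, user, computer, action, resource):
        if user not in self.user_groups:
            return False   # unknown account: authentication fails before authorization
        principals = {user} | self.user_groups[user]
        # A computer with no account still matches "All Computers".
        machines = {computer} | self.computer_groups.get(computer, {ALL_COMPUTERS})
        applicable = [e for e in resource.entries_for(action)
                      if e.principal in principals and e.computer in machines]
        if any(not e.allow for e in applicable):
            return False   # an explicit Deny overrides every Allow
        return any(e.allow for e in applicable)


def build_example():
    """Constructed directory: the Punch Presses scenario from the guide."""
    d = Directory()
    d.add_user("Terry", "Operators")
    d.add_user("Chris", "Operators")
    d.add_user("Pat", "Engineers")
    d.add_computer("HMI-LINE1", "Heavy Machinery")
    d.add_computer("OFFICE-PC")

    app = Resource("Water Distribution")
    # Open security at the application level: All Users on All Computers may Write.
    app.entries.append(Entry(ALL_USERS, ALL_COMPUTERS, "Write", True))
    conveyors = Resource("Conveyors", parent=app)           # inherits from the application
    presses = Resource("Punch Presses", parent=app)
    # Step 1: clear Allow for All Users / All Computers on Punch Presses
    # (modelled by giving the area its own entry list without that row).
    # Step 2: select Allow for the Operators group on the Heavy Machinery group.
    presses.entries.append(Entry("Operators", "Heavy Machinery", "Write", True))
    # An explicit Deny on one operator's account beats the Allow from the group.
    presses.entries.append(Entry("Chris", ALL_COMPUTERS, "Write", False))
    return d, conveyors, presses


def decisions():
    """Access decisions for the scenario, keyed by 'user@computer action resource'."""
    d, conveyors, presses = build_example()
    checks = [
        ("Terry", "HMI-LINE1", "Write", presses),
        ("Terry", "OFFICE-PC", "Write", presses),
        ("Pat", "HMI-LINE1", "Write", presses),
        ("Chris", "HMI-LINE1", "Write", presses),
        ("Terry", "OFFICE-PC", "Write", conveyors),
        ("Nobody", "HMI-LINE1", "Write", presses),
    ]
    return {f"{u}@{c} {a} {r.name}": d.is_allowed(u, c, a, r) for u, c, a, r in checks}


if __name__ == "__main__":
    for check, allowed in decisions().items():
        print(f"{check}: {'Allow' if allowed else 'Deny'}")
```

Two points the model makes visible: Terry's Write on Conveyors still succeeds because that area never received entries of its own and so inherits the application's open setting, which is why the guide tells you to secure the resource itself rather than the System or Users folder; and Chris is an Operator on a Heavy Machinery computer yet is refused, because a Deny placed on the user account wins over the group's Allow.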
When you right-click an item in the Explorer window and then click Security,
you are setting up which users or user groups on which computers may access the
resource you selected.
Important: Right-clicking the System folder, Users and Computers folder, Users
folder, or the Computers folder, and then specifying security permissions
sets security on that actual folder. It does not limit users’ access to the
system.
To limit access to resources in the FactoryTalk system, you must right-click
the resource you want to secure, click Security, and then specify security
permissions for the user and computer accounts you want to access the
resource.
Security settings are completely separate in the network directory and local
directory. Changes you make to the security settings in the network directory do
not affect the local directory and vice versa. If you are using both a network
directory and a local directory, you must set up security in each directory
separately.
Security settings that you configure for resources apply to all FactoryTalk products
in your system. For example, if you deny a user Read access to an area from a
particular computer, that user will not be able to see that area in any FactoryTalk
product while working from that computer.
Best practices
Use the following tips when setting up your FactoryTalk system to achieve
efficient management of user authentication and authorization.
Administrator accounts
• Always have more than one user account that is a member of the
FactoryTalk Administrators group. If the password to one administrator
account is lost, you can use a second administrator account to reset the
password to the first one. Without a second administrator account, you can
be locked out of the FactoryTalk system because a lost password to a user
account is not recoverable.
• Always have at least one Windows-linked user account that is a member
of the FactoryTalk Administrators group. If the Windows-linked
administrator account is locked out, for example because the user exceeds
the maximum number of logon tries, the Windows domain administrator
can reset the account. Alternatively, the user can wait until Windows
automatically resets and frees the locked-out account. When this happens
depends on the Account lockout duration policy in Windows.
Windows-linked accounts
If you expect the need to move Windows accounts from one domain to another,
avoid using individual, Windows-linked user accounts as much as possible. Use
Windows-linked user group accounts instead. Windows-linked user group
accounts can be moved from one domain to another, while keeping security
permissions for the group accounts intact. Windows-linked user accounts must be
deleted and then re-created in the new domain, causing all security permissions for
the user accounts to be lost. You must then recreate all of the permissions for any
individual Windows-linked user accounts.
Permissions
Audit trails and regulatory compliance
To achieve compliance in regulated industries, your plant might be required to
keep records that answer questions such as the following:
• Who performed a particular operation on a specific resource?
• Where did the operation occur?
• When did the operation occur?
• Who approved the operation?
When choosing user names, ensure that they are unique in the following ways:
• A user should have the same user name on every computer. This is mostly
for convenience, both for the user and for the administrator.
• A particular user name should always refer to the same person. A system in
which the same user name refers to more than one person is never really
secure.
To ensure that all user accounts remain unique, keep track of deleted accounts.
This might also be required to satisfy audit requirements such as tracking a user's
actions throughout the system, even after the user's account has been deleted.
To ensure that only unique user accounts can be created, enable the security policy
called Keep record of deleted accounts. To make it easier to avoid a
trial-and-error process of creating unique user accounts, make deleted accounts
visible in lists of users by enabling the security policy called Show deleted
accounts in user list.
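The two policies just described, as an added worked model rather than anything from the guide or from FactoryTalk itself: a small Python user directory in which a deleted account either keeps a record (so its name stays reserved and its audited actions stay attributable) or is dropped (so a different person can take the same name and earlier audit rows lose their actor). The account identifiers, the audit row layout, and the sample user, computer and timestamp are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Account:
    account_id: int   # stable identity that survives deletion of the name
    name: str
    deleted: bool = False


class UserDirectory:
    """Constructed model of two directory policies named in the guide:
    'Keep record of deleted accounts' and 'Show deleted accounts in user list'."""

    def __init__(self, keep_record_of_deleted=True, show_deleted_accounts=False):
        self.keep_record_of_deleted = keep_record_of_deleted
        self.show_deleted_accounts = show_deleted_accounts
        self._accounts = {}          # account_id -> Account
        self._next_id = count(1)
        self.audit_log = []          # (account_id, where, when, what)

    def create_user(self, name):
        # With the policy on, a deleted account still reserves its name, so the
        # same user name can never end up referring to two different people.
        for a in self._accounts.values():
            if a.name == name and (not a.deleted or self.keep_record_of_deleted):
                raise ValueError(f"user name {name!r} already in use (deleted={a.deleted})")
        acct = Account(next(self._next_id), name)
        self._accounts[acct.account_id] = acct
        return acct

    def delete_user(self, name):
        acct = next(a for a in self._accounts.values() if a.name == name and not a.deleted)
        if self.keep_record_of_deleted:
            self._accounts[acct.account_id] = Account(acct.account_id, name, deleted=True)
        else:
            del self._accounts[acct.account_id]   # identity is gone; its audit rows are orphaned

    def list_users(self):
        return [a.name + (" (deleted)" if a.deleted else "")
                for a in self._accounts.values()
                if not a.deleted or self.show_deleted_accounts]

    def record(self, actor, where, when, what):
        """Audit row answering who / where / when / what for one operation."""
        self.audit_log.append((actor.account_id, where, when, what))

    def trail(self, name):
        """All audited actions by anyone who ever held `name`, even after deletion."""
        ids = {a.account_id for a in self._accounts.values() if a.name == name}
        return [row for row in self.audit_log if row[0] in ids]

    def unattributed(self):
        """Audit rows whose actor can no longer be resolved to an account."""
        return [row for row in self.audit_log if row[0] not in self._accounts]


def demo(keep_record):
    """Same sequence of events under each policy setting (constructed data)."""
    d = UserDirectory(keep_record_of_deleted=keep_record, show_deleted_accounts=True)
    terry = d.create_user("Terry")
    d.record(terry, "HMI-LINE1", "2024-03-01T08:15:00", "Write setpoint in Punch Presses")
    d.delete_user("Terry")
    try:
        d.create_user("Terry")          # a second, different person asks for the same name
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {
        "users": d.list_users(),
        "reuse_rejected": reuse_rejected,
        "trail": d.trail("Terry"),
        "unattributed": d.unattributed(),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"Keep record of deleted accounts = {setting}: {demo(setting)}")
```

With the policy on, the second "Terry" is refused and the earlier Write is still returned by `trail("Terry")`; with it off, the name is reused and the earlier Write becomes a row that no account explains, which is exactly the "same user name refers to more than one person" situation the guide warns against.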
Log information about user and system activity to diagnostic log files
1. Choose what information needs to be logged and then send the information
to FactoryTalk Diagnostics. For example, enable audit logging to record
what changes were made to security policies or other objects, who made the
changes, and when they were made. If you do not enable the audit policy
called Audit configuration and control system changes, FactoryTalk
Diagnostics will not receive any audit messages, and will not be able to store
them in log files.
The most common type of auditing activity is keeping records of failures. This
helps you trace failures, and isolate and correct their causes.
Configure a computer to be the FactoryTalk Directory network server
FactoryTalk Services Platform quietly configures both a network directory and a
local directory on every computer where it is installed. Which directory you need
depends upon which software products you plan to use and whether you plan to
work in a stand-alone or a networked environment.
After installing and activating FactoryTalk software, specify one of the computers
on the network as the network directory server. In this example, Computer 1
serves as the network directory server.
Next, point the client computers on the network to the network directory server.
This step allows all of the computers on the network to share FactoryTalk
network directory services and resources.
Configure a computer to be the network directory server
After installing and activating FactoryTalk software, specify one of the computers
on the network as the network directory server. This step allows all of the
computers on the network to share FactoryTalk network directory services and
resources. In the image below, Computer 1 is the network directory server
computer.
1. On the computer that you want to use as the Network Directory Server,
choose Start > All Programs > Rockwell Software > FactoryTalk Tools >
Specify FactoryTalk Directory Location.
Configure a network directory client computer
After specifying one of the computers on the network as the network directory
server, use the Specify FactoryTalk Directory Location utility to point each
computer in the network to the FactoryTalk Directory network directory server.
If single sign-on is enabled on the computer when you change the location
of the network directory server, the single sign-on session terminates, and
you must log on to the new network directory server. The user name and
password you enter becomes the new single sign-on credentials for all
participating FactoryTalk products on the computer.
Check network directory server connection status
When a connection to the FactoryTalk network directory server is lost, the system
sends an error message to FactoryTalk Diagnostics. Likewise, when the
Rockwell Automation Publication FTSEC-QS001M-EN-E, page 36 (Chapter 3, Getting started with FactoryTalk Security)
If a connection to the network directory server is not available, you can still open a
network application, but the information is based on the data held in a local cache.
While disconnected, FactoryTalk Administration Console operates in read-only
mode and does not allow most commands and operations.
FactoryTalk Directory Server Location Utility
How do I open the FactoryTalk Directory Server Location Utility?
Perform one of the following actions:
• From the Start menu, select All Programs > Rockwell Software >
FactoryTalk Tools > Specify FactoryTalk Directory Location.
• From the FactoryTalk Administration Console, select Tools >
FactoryTalk Directory Server Options.
Manage users
If you have the proper security permissions, you may modify all properties for
FactoryTalk user accounts. For example, you may:
Add a FactoryTalk user account
To create a user account that is separate from a user's Windows account, add a
FactoryTalk Directory account. This allows you to specify the account's identity,
to set up how the account operates, and to specify the groups the account belongs
to.
Prerequisites
Obtain the following permissions in the Users folder in the Explorer window:
2. Right-click the Users folder, point to New, and then click User.
3. In New FactoryTalk User, type a short name for the user in User Name,
and the full name of the user in Full name.
6. (optional) Click the check box to set one or more of these settings for
password access:
Add a Windows-linked user account
Add a Windows-linked user account when the security needs of your Windows
network are the same as the security needs of your FactoryTalk system. When
accessing FactoryTalk resources using a Windows-linked account, the
FactoryTalk Directory relies on Windows to determine whether the user's name
and password are valid, and whether the account is enabled or locked out.
However, you can add Windows-linked user accounts to FactoryTalk Security
user groups. This allows the FactoryTalk Directory to determine a
Windows-linked user's level of access to the FactoryTalk system independently of
the user's level of access to a Windows domain.
Add user accounts to the FactoryTalk network directory or local directory from
the list of users or groups in a Windows domain or workgroup. If your computer is
disconnected from the Windows domain, you cannot add Windows-linked user
accounts until your computer reconnects to the domain. However, any users who
have previously logged on to the Windows domain from that computer can log on
to FactoryTalk using their Windows-linked user account while the computer is
disconnected from the Windows domain.
Prerequisites
4. In Select Users, select the Windows user accounts you want to link to
the FactoryTalk system.
• If you know the names of the user accounts you want to add, type them
in the text box. For domain accounts, use the format
DOMAIN\username, for workgroup accounts use the format
COMPUTERNAME\username. To check that the user names you
typed are valid, click Check Names. Correct any errors, and then click
OK.
• To search for user names, or to select multiple users, click Advanced. In
Select Users, click Locations, select the domain or workgroup from
which you want to select users, and then click OK. Optionally, use the
Common Queries settings to search by name. Click Find Now. In the
list of users, select the user accounts you want to add, then click OK.
5. When you finish selecting Windows user accounts, in Select Users, click
OK.
• To remove any users you might have added unintentionally, select the
users, and then click Remove.
• To add more users, repeat steps 3, 4, and 5.
7. Click OK.
Add group memberships to a user account
To quickly change the permissions for a user account to those of an existing
FactoryTalk user group, assign the user account to the user group. New group
memberships take effect only when the user logs off FactoryTalk and then logs on
again.
Prerequisites
To change the group memberships of a user account, you need the following
permissions in the Users folder in the Explorer window:
1. In the Explorer window, expand System > Users, right-click the user
account that you want to add to user groups, and then click Properties.
3. In Select User Group, select the groups to which you want the user account
to belong, and then click OK.
Remove group memberships from a user account
When a user account belongs to a user group, the user account automatically
inherits all of the permissions assigned to the group, unless you have specifically
denied permissions for the user account.
Delete a group from Group Membership User Properties to remove the link
between the permissions of the user account and the permissions assigned to that
user group.
Changes to group memberships take effect only when the user logs off
FactoryTalk and then logs on again.
1. In the Explorer window, expand System > Users, right-click the user
account containing the group memberships you would like to change, then
click Properties.
3. In the list of groups, select the groups you want to remove the user account
from, and click Remove.
Delete a user account
Delete a user account to permanently remove the account from your FactoryTalk
Directory. To help prevent you from inadvertently locking yourself out of the
FactoryTalk Directory, you cannot delete the last user account that is a member of
the Administrators group.
To delete a user account from both a network directory and a local directory, you
must delete the account from one directory, log off that directory, log on to the
second directory, and then delete the account in the second directory.
Prerequisites
To delete a user account that is a member of a user group, obtain the following
permissions in the Users folder in the Explorer window:
To delete a user account that is not a member of a user group, obtain the following
permissions in the Users folder in the Explorer window:
• In the Explorer window, expand System > Users, right-click the user
account you want to delete, and then click Delete.
Tip: You can only create an account using the name of a deleted account if the security
policy called Keep record of deleted accounts is disabled. You must still
recreate the security settings of the user accounts.
• User group accounts exist only in the FactoryTalk Directory in which you
created them.
• FactoryTalk user accounts cannot be members of Windows-linked user
groups.
• A Windows-linked user group cannot be a member of a FactoryTalk user
group. However, individual Windows-linked user accounts can be members
of FactoryTalk user groups. This allows you to use FactoryTalk user groups
when setting permissions.
• A FactoryTalk user account or Windows-linked user account can be a
member of more than one FactoryTalk user group.
Add a FactoryTalk user group
Create a new FactoryTalk user group so that you can administer security
permissions for specified users as a group. By changing the memberships of a user
account, you can quickly change the resources a user can access.
Use New User Group to add a FactoryTalk user group account to your
FactoryTalk Directory that is separate from a Windows user group account. This
allows you to specify the group account's identity (for example, the name of the
group), and specify the user accounts that are members of the group.
Prerequisites
Obtain the following permissions in the User Groups folder in the Explorer
window:
2. Right-click the User Groups folder, point to New, and then click User
Group.
4. (optional) Enter any notes about the group in the Description box.
5. (optional) In the E-mail box, type only one e-mail address or group address
you want to associate with this group account.
6. Click Add to add user accounts to your group. In Select User or Group,
click to select the users or groups to add to the new user group account.
Under Filter Users, choose from the following:
7. Click OK to add the selected user or group to the Members List in New
User Group.
8. When you are finished creating the user group, click OK.
Add a Windows-linked user group
If you expect the need to move Windows accounts from one domain to another,
create Windows-linked user group accounts instead of individual
Windows-linked user accounts. Windows-linked user group accounts, and the
user accounts they contain, can be moved from one domain to another while
keeping security permissions for the group accounts intact.
When you add a Windows-linked user group account, all user accounts in the
Windows user group will have access to the FactoryTalk system. To prevent some
users in a Windows-linked group from having access to the FactoryTalk system,
create Windows-linked user accounts for those users, and then set permissions to
deny access to those user accounts.
Prerequisites
2. Right-click the User Groups folder, point to New, and then click
Windows-linked User Group.
4. In Select Groups, select the Windows groups you want to add, and then
click OK.
• If you know the names of the user group accounts you want to add, type
them in the text box. For domain accounts, use the format
DOMAIN\groupname, for workgroup accounts use the format
COMPUTERNAME\groupname. To check that the names you typed
are valid, click Check Names. Correct any errors, and then click OK.
• To search for group names, or to select multiple groups, click
Advanced. In the Select Groups dialog box that appears, click
Locations and then select the domain or workgroup from which you
want to select groups. Click Find Now. In the list of groups, select the
group accounts you want to add, and then click OK.
• To remove any groups you might have added unintentionally, select the
groups, and then click Remove.
• To add more groups, repeat steps 3 and 4, above.
6. Click OK.
Tip: You should use a password for all Windows accounts in a Windows-linked group,
otherwise you might experience intermittent security failures or an inability to log
on. As a matter of good security practice, do not use blank passwords with
accounts. If you do not want to use a password for Windows-linked accounts, on
your local computer disable the Windows local security policy called Accounts:
Limit local account use of blank passwords to console logon only.
Edit or view user group properties
You can modify the properties of a FactoryTalk user group account that is not
linked to a Windows user group account. You can only view the properties of a
Windows-linked user group account. You may not change the name of a user
group.
Group memberships added to a user group account take effect only when the user
logs off FactoryTalk and then logs on again.
Prerequisites
Obtain the following permissions in the User Groups folder in the Explorer
window:
1. In the Explorer window, expand System > User Groups, right-click the
user group account you want to modify, and then click Properties.
2. (optional) In the Description box, type a description of the user group. For
example, use this box to record information about where the group is
located, what part of the system is relevant to the group, or contact
information for the leader of the group.
3. (optional) In the E-mail box, type only one e-mail address or group address,
if any (for example [email protected], or
[email protected]), you want to associate with this
account. Ensure that the address you typed is a valid address, and that you
typed the address correctly. Some FactoryTalk-enabled products can send
messages or notifications to an e-mail address. For details, see the
documentation supplied with your FactoryTalk-enabled product.
5. (optional) To remove user accounts, click to select the users or user groups
you would like to remove from your group, and click Remove.
6. Click OK.
Delete a user group
Delete a user group when you no longer need a particular group account to
manage a group of users. You may wish to view the properties of a user group
account before you delete it.
To help prevent you from inadvertently locking yourself out of the FactoryTalk
Directory, you cannot delete the Administrators group.
Prerequisites
To delete a user group account that has no members, obtain the following
permissions in the User Groups folder:
To delete a user group account that has members, obtain the following
permissions in the User Groups folder:
• In the Explorer window, expand System > User Groups, right-click the
user group account you want to delete, and then click Delete.
Add accounts to a FactoryTalk user group
Any time after you create a FactoryTalk user group, you may add or remove the
user accounts that belong to it. You may not add or remove the members of a
Windows-linked user group. However, you may add individual Windows-linked
user accounts to FactoryTalk user groups.
Tip: Alternatively, you may change the groups a user belongs to. Use Group
Membership User Properties to add or remove user groups from a FactoryTalk
or Windows-linked user account.
1. In the Explorer window, expand System > User Groups, right-click the
user group account you want to modify, and then click Properties.
2. Click Add.
3. In Select User or Group, click on each user or user group to add to the user
group account. Use the options under Filters to show only users, only user
groups, or all accounts you may add to the group. Click OK when you are
finished.
Remove accounts from a FactoryTalk user group
Any time after you create a FactoryTalk user group, you may remove the user
accounts that belong to it. You may not add or remove the members of a
Windows-linked user group after it has been added to the FactoryTalk Directory.
Tip: Alternatively, you may change the groups a user belongs to. Use Group
Membership User Properties to add or remove groups from either a FactoryTalk
or Windows-linked user account.
1. In the Explorer window, expand System > User Groups, right-click the
user group account you want to remove, and then click Remove.
2. In Select User or Group, click on each user or user group to remove from
the user group account. Use the options under Filters to show only users,
only user groups, or all accounts you may remove. Click OK when you are
finished.
Manage computers
• Add a computer
• Delete a computer
• Add group memberships
• Remove group memberships
• Change the name of a client computer
• Change the name of a server computer
• Set the override directory cache policies
Add a computer
To allow a computer to access the FactoryTalk system, add a computer to a
FactoryTalk network directory. Once you have added the computer account, you
can specify security settings for the computer, for example to allow or deny access
to parts of the FactoryTalk system from the computer. You can also add the
computer to a group account that includes multiple computers, and then specify
security settings for the group.
Important: Even if the security policy called Require computer accounts for all
client machines is disabled, you must still create computer accounts for
any computers hosting servers — for example, Terminal Servers,
Rockwell Automation Device Servers (FactoryTalk Linx), OPC data servers,
Tag Alarm and Event Servers, or HMI servers.
Prerequisites
4. Click OK.
Delete a computer
Delete a computer from the FactoryTalk network directory to remove its access to
the FactoryTalk system.
Prerequisites
To delete a computer
• In the Explorer window, expand System > Computers and Groups >
Computers, right-click the computer account you want to delete, and then
click Delete.
Edit or view computer properties
Modify the name of a computer, its description, and the computer groups to
which it belongs in General Computer Properties.
Prerequisites
1. In the Explorer window, expand System > Computers and Groups >
Computers, right-click the computer account you want to edit, and click
Properties.
Add and remove user-computer pairs
Security for FactoryTalk resources is always tied to users or groups of users, the
actions they are performing, for example, read, write, and so on, and the
computers, or groups of computers where they are working.
This helps you ensure that only authorized personnel can perform actions on the
equipment and resources in your system from appropriate locations, for example,
computers located within line of sight of equipment.
You may:
Add a user-computer pair
Use Select User and Computer to pair a group of users, or an individual user,
with a group of computers, or an individual computer. You can then specify
security settings for the pair. For example, you may set permissions for a resource
that allow or deny access to the pair.
Prerequisites
1. Navigate to Select User and Computer, select the filter criteria that show
the users and user groups, and computers or computer groups that you want
to select.
To create a new user account, click Create New and then click the type of
account you want to create. Use the following window—New FactoryTalk
To create a new computer account, click Create New and then either
Computer or Computer Group. Use New Computer or New Computer
Group to specify the account settings.
4. Click OK.
Remove a user-computer pair
Remove a user-computer pair when you no longer need to specify permissions on a
resource for the pair.
Prerequisites
1. Navigate to Select User and Computer, select the filter criteria that show
the users and user groups, and computers or computer groups that you want
to delete.
2. In the Users list, click the user account or user group account that belongs
to the pair you wish to delete.
4. Click Remove.
5. Click OK.
Edit or view user account properties
Follow the steps below to view and edit the general properties of a FactoryTalk
user account, such as the user name and password, a description of the user, an
e-mail address for the user, and options for password access by the user. For a
Windows-linked user account, you may view, but not edit, these properties. Use
Windows to edit the general properties of a Windows-linked user account.
Prerequisites
Obtain the following permissions in the Users folder in the Explorer window:
2. Right-click the user account, and then click Properties on the context
menu. Edit the General User Properties settings as needed.
You must fill out the User name, Full name, Password, and Confirm
fields. Description, E-mail, and the settings for password access are
optional fields.
3. Click OK.
Tip: Changing the properties of a FactoryTalk user account in one FactoryTalk directory
does not modify it in the other, even if the account has the same name in both
directories. Before you edit the properties of a user account, log on the FactoryTalk
directory that contains the user account you wish to edit.
Add and remove action groups
To avoid having to set permissions for individual actions, group actions together
to grant or deny permissions for a set of actions in one step.
When adding an action group, you decide:
Use action groups to assign permissions based on any convenient grouping. For
example:
Add an action group
You can group actions together to grant or deny permissions for a set of actions in
one step rather than having to set permissions for each action separately.
Prerequisites
Obtain the following security permissions for the Action Groups folder in the
Explorer window:
• In the Explorer window, right-click the Action Groups folder and then
click New Action Group.
Delete an action group
When you delete an action group, any explicit permissions assigned to that group
are no longer in effect. For example, suppose that we delete an action group called
Operators. This action group explicitly granted Write access to an area called
Mixing, for a user called Chris, from all computers. If we delete the Operators
action group, Chris can no longer write to the Mixing area.
Recreating an action group using the same name as one that was deleted does not
restore the security permissions of the deleted action group. If you cannot restore
the FactoryTalk Directory from a backup, you must recreate all security
permissions assigned to all resources that were using the action group.
Prerequisites
• Obtain the following security permissions for the Action Groups folder:
2. Right-click the action group you want to delete and click Delete.
Add an action to an action group
To manage security settings for an action as part of an existing action group, add
the action to the action group.
Prerequisites
• Obtain the following security permissions for the Action Groups folder in
the Explorer window:
• Common > Read
• Common > List Children
• Common > Create Children
• Common > Write
3. In the Available Actions and Action Groups list, click to select the action
you wish to add to the action group, and click the >> button.
4. Click OK.
Remove an action from an action group
If you no longer wish to manage security settings for a particular action as part of
an action group, remove the action from the action group.
Prerequisites
• Obtain the following security permissions for the Action Groups folder in
the Explorer window:
• Common > Read
• Common > List Children
• Common > Create Children
• Common > Write
3. In the Selected Actions and Action Groups list, click to select the action
you wish to remove from the action group, and click the << button to
remove it from the group.
4. Click OK.
Set system policies to manage settings that apply across the entire FactoryTalk
manufacturing system. Policy settings are separate in the network directory and
the local directory.
Navigate to System > Policies > System Policies to view and edit the following:
Tip: To configure the Application Authorization policy, you must log into FactoryTalk with
an account that is a member of the FactoryTalk Administrators group.
2. In the Explorer window, expand the System > Policies > System Policies
folders.
6. Click a process, and scroll to the right to view its access status. Check
Access Allowed to provide access to the FactoryTalk Directory, or clear the
check box to deny access to the FactoryTalk Directory.
2. In the Explorer window, expand the System > Policies > System Policies
folders.
Tip: To configure the Application Authorization policy, you must log into FactoryTalk
with an account that is a member of the FactoryTalk Administrators group.
FactoryTalk Service Application Authorization settings
Use FactoryTalk Service Application Authorization settings to authorize the
applications that have access to FactoryTalk Directory.
If you enable the option to verify the publisher certificate information,
applications that are not signed by Rockwell Automation or Microsoft are not
allowed access to FactoryTalk Directory. To configure the Application
Authorization policy, you must log into FactoryTalk with an account that is a
member of the FactoryTalk Administrators group.
Process
    Shows the process name of the application that is requesting a service token.
    Some applications are required by FactoryTalk and cannot be removed or denied. These entries are displayed with gray text in the list.
    To sort the application list by process name, computer name, or access allowed status, click the corresponding column header.
Version
    Shows the version number of the application that is requesting a service token.
Computer
    Shows the computer name where the application runs.
    To sort the application list by process name, computer name, or access allowed status, click the corresponding column header.
Publisher Info
    Shows the publisher name of the application. If no certificate exists, the cell is displayed with None.
    To view the detailed publisher certification information, click the desired cell in this column.
Access Allowed
    Shows whether the current process is allowed to access FactoryTalk Directory.
Use the following settings to specify how FactoryTalk allows access to the
FactoryTalk Directory.
Enable default access
    Determines whether new applications are automatically allowed access to FactoryTalk Directory.
    Default: Enabled
    To disable the default access, clear the check box. All new applications will be automatically denied access.
    If the default access of a FactoryTalk Directory server is disabled, you can still configure your local computer to join the directory server.
Verify publisher information
    Determines whether to verify the publisher certificate information of FactoryTalk applications.
    If enabled, FactoryTalk Services Platform verifies whether the application requesting a service token is signed by Rockwell Automation or Microsoft. Any application not signed by them will fail to receive a service token.
    Default: Disabled
    To disable the publisher information verification, clear the check box. FactoryTalk Services Platform will not verify the publisher information. Applications are verified by the corresponding Access Allowed settings.
    Some applications of Microsoft (for example, msiexec.exe) are not signed. Some earlier versions of FactoryTalk products were not signed when they were released. You may fail to verify the publisher information on these applications.
Allow or deny an application
    Determines whether an application is authorized to access the FactoryTalk Directory.
    Default: Allowed
    To deny an application, clear the check box of the entry. If an application is denied access and thus fails the request for a service token, a message is sent to FactoryTalk Diagnostics, for example, Login failure for application [RNASecurityTestClient.exe] on directory [Network]. The application was denied access. You can view the messages using the FactoryTalk Diagnostics Viewer.
    Some applications are required by FactoryTalk and cannot be removed or denied. These entries are displayed with gray text in the list. See the Process name table below for details.
Remove an application
    To remove one or more applications from the list, select the entries and click Remove.
    Some applications are required by FactoryTalk and cannot be removed or denied. These entries are displayed with gray text in the list. When you try to remove one or more of these required entries, a warning message is displayed indicating that the required entries are not removed.
Refresh application authorization information
    Manually refresh the list to show the latest application list. To do this, click Refresh.
    When refreshing the list, if a newer version of an existing application from the same computer is found, the entry will be updated to reflect the new version or certificate information.
    Save the changes before refreshing. Any changes that are not saved will be lost when refreshing.
Process name
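The settings above interact: Enable default access decides what a new entry starts with, the per-entry Access Allowed check box can then be changed, and Verify publisher information is checked on top of both. The following model is an added example, not FactoryTalk's own code; it mirrors those rules so an administrator can reason about which combination lets an application receive a service token. Process and computer names are constructed except RNASecurityTestClient.exe, which the table's diagnostics message uses, and the assumption that a publisher-verification denial produces the same Diagnostics message is marked in the code.

```python
"""Model of the FactoryTalk Service Application Authorization decision.

Added example, not FactoryTalk's own code. Names other than
RNASecurityTestClient.exe (taken from the guide) are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Publishers the guide names as trusted when publisher verification is on.
TRUSTED_PUBLISHERS = {"Rockwell Automation", "Microsoft"}


@dataclass
class AppEntry:
    process: str
    computer: str
    publisher: Optional[str]      # None models the "None" cell (no certificate)
    access_allowed: bool = True   # Access Allowed check box, default: Allowed
    required: bool = False        # gray entry: cannot be removed or denied


@dataclass
class AuthorizationPolicy:
    enable_default_access: bool = True           # default: Enabled
    verify_publisher_information: bool = False   # default: Disabled
    entries: dict = field(default_factory=dict)  # (process, computer) -> AppEntry
    diagnostics: list = field(default_factory=list)  # messages sent to Diagnostics

    def register(self, entry: AppEntry) -> AppEntry:
        # Refresh behaviour: a newer entry for the same process on the same
        # computer replaces the existing one.
        self.entries[(entry.process, entry.computer)] = entry
        return entry

    def set_access(self, process: str, computer: str, allowed: bool) -> bool:
        """Tick or clear Access Allowed. Required entries refuse a deny."""
        entry = self.entries[(process, computer)]
        if entry.required and not allowed:
            return False
        entry.access_allowed = allowed
        return True

    def remove(self, process: str, computer: str) -> bool:
        """Remove an entry; required entries are not removed (warning)."""
        entry = self.entries[(process, computer)]
        if entry.required:
            return False
        del self.entries[(process, computer)]
        return True

    def request_token(self, process: str, computer: str,
                      publisher: Optional[str], directory: str = "Network") -> bool:
        """Decide whether a service token is issued and log a denial."""
        entry = self.entries.get((process, computer))
        if entry is None:
            # First request from a new application: the entry is created with
            # Access Allowed taken from the default-access setting.
            entry = self.register(AppEntry(process, computer, publisher,
                                           access_allowed=self.enable_default_access))
        if self.verify_publisher_information and publisher not in TRUSTED_PUBLISHERS:
            allowed = False          # unsigned or third-party signed: no token
        else:
            allowed = entry.access_allowed
        if not allowed:
            # Assumption: the same Diagnostics message is sent for both kinds
            # of denial; the guide shows it for the Access Allowed case.
            self.diagnostics.append(
                f"Login failure for application [{process}] on directory "
                f"[{directory}]. The application was denied access.")
        return allowed
```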
Publisher Certificate Information
Use Publisher Certificate Information to view digital signature details and
verify the identity and authenticity of software.
Issued to
    Shows the publisher name (or a portion of the name) of the entity to which the certificate is issued.
Issued by
    Shows the name (or a portion of the name) of the issuer.
Status
    Shows the status of the certificate, for example, valid, revoked, or expired.
Serial #
    Shows the unique serial number (or a portion of the serial number) of the certificate.
Date signed
    Shows the date when the binary was signed.
Valid from
    Shows the beginning date of the period for which the certificate is valid.
Valid to
    Shows the ending date of the period for which the certificate is valid.
Digitally signed FactoryTalk products
FactoryTalk Services Platform 2.51 or later provides the ability to verify whether
an application requesting a service token is signed by Rockwell Automation.
Access to FactoryTalk Directory is denied if the application is not signed by
Rockwell Automation.
Some earlier versions of FactoryTalk products were not signed when they were
released. You may fail to verify the publisher information on these products.
The table below shows which versions of FactoryTalk products are signed.
Assign user rights to make system policy changes
In User Rights Assignment Policy Properties, specify which users are permitted
to:
• Back up or restore FactoryTalk Directory, the System folder, or
applications
• Change the FactoryTalk Directory server computer
Policy settings are completely separate in the network directory and local
directory. The network directory and local directory also have different default
policy settings.
1. Log into the FactoryTalk directory whose user rights assignment policies
you want to modify.
2. In the Explorer window, expand System > Policies > System Policies.
4. In User Rights Assignment Policies, next to the policy you want to secure
and to the right of Configure Security, click Browse (...).
5. In the Configure Securable Actions, on the Policy Setting tab, click Add.
6. In Select User or Group, select the user or group of users, and in the
network directory, the computer or group of computers for which you want
to specify security settings, and then click OK.
• To allow the user permission to perform the action from the specified
computer or group, select the Allow check box.
• To deny the user permissions to perform the action from the specified
computer or group, select the Deny check box.
• If you want to remove explicit Allow permissions, select the user and
computer and then click Remove. If no permissions are specified, Deny
is implied.
User rights assignment policies
In FactoryTalk, administrators control the rights that users have to access the
system. Settings that apply to the entire FactoryTalk directory are especially
important to secure. User rights assignment policies specify which users are
permitted to do the following:
Policy settings are completely separate in the network directory and local
directory. The network directory and local directory also have different default
policy settings.
User Rights Assignment Policy Properties
How do I open User Rights Assignment Policy Properties?
1. Start FactoryTalk Administration Console or FactoryTalk View Studio
and then log on to the FactoryTalk Network Directory or FactoryTalk
Local Directory where you want to edit policies.
In User Rights Assignment Policy Properties, specify which users are permitted
to:
Policy settings are completely separate in the network directory and local
directory. The network directory and local directory also have different default
policy settings.
2. In the Explorer window, expand the System folder > Policies > Product
Policies, expand the folder for the product whose policies you want to
secure, and then double-click Feature Security.
3. In the Feature Security Properties dialog box, click the row containing the
feature you want to secure. A description of the feature appears at the
bottom of the dialog box.
4. Click the Browse button beside the feature you want to secure. This opens
the Configure Securable Action dialog box.
Use Configure Securable Action to view or set the permissions that determine
access to a single feature for a user or group of users working from a computer or
group of computers connected to the FactoryTalk network directory. The product
policy features you can secure depend on what FactoryTalk products you have
installed.
You may also use this window to configure permissions for the actions in User
Rights and Assignment Properties.
In a FactoryTalk local directory, all security settings apply to only the local
computer.
Permissions list
    This list shows the users and computers that have Allow or Deny permissions set for this feature.
    To allow access to the feature, select the Allow check box.
    To deny access to the feature, select the Deny check box.
    If you clear both the Allow and Deny check boxes, the user is denied access to the feature.
Add
    Click this button to select the user and computer for which you want to specify permissions. Once you are finished selecting a user and computer, click OK.
Remove
    In the permissions list, click the combination of users and computers for which you want to remove security settings, and then click the Remove button.
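The rules stated across this chapter (Allow and Deny set per user-computer pair, group permissions inherited unless explicitly denied, Deny implied when nothing is specified, and explicit permissions vanishing when an action group is deleted) combine in a way that is easier to see in code. The model below is an added example, not FactoryTalk's own code; it covers both the Delete an action group scenario with Chris, Operators and Mixing from earlier in this chapter and the Configure Securable Action check boxes above. The precedence "an explicit Deny on any matching pair beats every Allow" is an assumption consistent with the guide's wording rather than a statement it makes, and names other than Chris, Operators, Mixing and Write are constructed.

```python
"""Model of FactoryTalk-style permission resolution.

Added example, not FactoryTalk's own code. Assumption: an explicit Deny on
any matching user/group and computer/group pair overrides every Allow.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"
ALL_COMPUTERS = "All Computers"   # pair target meaning "from all computers"


@dataclass
class Directory:
    user_groups: dict = field(default_factory=dict)      # user -> {FT user groups}
    computer_groups: dict = field(default_factory=dict)  # computer -> {computer groups}
    action_groups: dict = field(default_factory=dict)    # action group -> {actions}
    # (resource, action or action group, user or group, computer or group) -> ALLOW/DENY
    permissions: dict = field(default_factory=dict)

    def set_permission(self, resource, action, principal, computer, value):
        """Select the Allow or Deny check box for a user-computer pair."""
        self.permissions[(resource, action, principal, computer)] = value

    def clear_permission(self, resource, action, principal, computer):
        """Clear both check boxes or click Remove: nothing is specified."""
        self.permissions.pop((resource, action, principal, computer), None)

    def delete_action_group(self, name):
        """Deleting an action group ends every explicit permission set on it;
        recreating a group with the same name does not bring them back."""
        self.action_groups.pop(name)
        for key in [k for k in self.permissions if k[1] == name]:
            del self.permissions[key]

    def _principals(self, user):
        # the user plus every user group it belongs to
        return {user} | self.user_groups.get(user, set())

    def _computers(self, computer):
        # the computer, "All Computers", and every computer group it is in
        return {computer, ALL_COMPUTERS} | self.computer_groups.get(computer, set())

    def _actions(self, action):
        # the action itself plus every action group that bundles it
        return {action} | {g for g, acts in self.action_groups.items() if action in acts}

    def is_allowed(self, resource, action, user, computer) -> bool:
        """Resolve the effective permission for one user on one computer."""
        found = {self.permissions.get((resource, a, p, c))
                 for a in self._actions(action)
                 for p in self._principals(user)
                 for c in self._computers(computer)}
        found.discard(None)
        if DENY in found:
            return False          # explicit deny wins (assumption, see above)
        return ALLOW in found     # no permission specified: Deny is implied
```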
Select a user or group Use Select User or Group to select a user account or FactoryTalk user group
account. You can then specify security settings for the user or group.
Use the options under Filters to show only users, only user groups, or all accounts
you may add to the group.
1. Right-click the FactoryTalk user group account you wish to modify and
click Properties.
3. At the bottom of Select User or Group, select the filter criteria that show
the users or groups you want to select.
• In the list of users and groups, select a user account or user group
account.
• To create a new user account, click Create New and then click the type
of account you want to create.
5. When you are finished selecting a user or group account, click OK.
Change the default communications protocol
To change the default communications protocol for a distributed FactoryTalk
system, use Live Data Policy Properties.
Change this setting only if necessary, for example, if your system is experiencing
communications problems and you want to switch to DCOM for troubleshooting
purposes. Thoroughly test communications before deploying this change to a
running production system. Keep in mind that many factors affect
communications, including firewalls, closed ports, and differences in network
architectures and configurations.
1. In the Explorer window, expand System > Policies > System Policies.
4. Click OK.
Use the Policy Settings tab of Live Data Policy Properties to set the default
protocol from TCP/IP to DCOM or vice versa.
The FactoryTalk Services Platform installation process evaluates the services and
components on your network and sets the communication protocol appropriately.
For example, if you upgrade from an earlier version of the FactoryTalk platform to
FactoryTalk Services Platform 2.10 (CPR 9) or later, the communications default
is automatically set to DCOM. If you install FactoryTalk Services Platform 2.10
or later for the first time on a computer, the communications default is
automatically set to TCP/IP. Typically, it is not necessary or advisable to change
the default setting.
Live Data Policy Properties
How do I open Live Data Policy Properties?
In the Explorer window, expand System > Policies > System Policies.
Double-click Live Data Policy.
Use the Policy Settings tab of Live Data Policy Properties to select a default
communications protocol for a distributed FactoryTalk system.
This setting affects communications between client and server services and
between the FactoryTalk Directory and servers on the network. This setting is
considered a "default" because if the FactoryTalk Live Data service detects that
some components on the network are not compatible with the selected policy
setting, it overrides the policy and uses whichever setting is most likely to ensure
uninterrupted communications. For example, for third-party servers and RSLinx
Classic, FactoryTalk Live Data will not attempt a TCP/IP connection and will
always use DCOM.
Change this setting only if necessary, for example, if your system is experiencing
communications problems and you want to switch to DCOM for troubleshooting
purposes. Thoroughly test communications before deploying this change to a
running production system. Keep in mind that many factors affect
communications, including firewalls, closed ports, and differences in network
architectures and configurations.
Important: Changing this policy setting can have unexpected results. Do not change
this setting in a running production system. For changes to take effect, all
computers on the network must be shut down and restarted.
Set network health monitoring policies
Use Health Monitoring Policy Properties to fine tune the parameters that the
system uses when determining whether a network failure is occurring and how
long to wait before switching to a Standby server.
Tip: Changing health monitoring policy settings can have unexpected results. The
preset default settings typically provide optimal efficiency for most networks.
1. In the Explorer window, expand System > Policies > System Policies.
3. Under Rates, click to select the policy setting you wish to edit. A
description of the policy appears in the bottom pane of the window.
4. To the right of the current rate, click the down arrow button to enter a new
number, or use the small up and down arrows to choose a higher or lower
number.
5. Click OK.
2. In the Explorer window, expand the folders System > Policies > System
Policies.
When these policy settings are applied, the changes affect all computers that are
clients of the FactoryTalk network directory server. The changes take effect
immediately, as soon as the network directory server notifies the client computers
of the changes.
Tip: To monitor system health messages, use the FactoryTalk Diagnostics Viewer.
Important: Changing health monitoring policy settings can have unexpected results.
The preset default settings typically provide optimal efficiency for most
networks.
Health Monitoring Policy Properties settings

Use the Policy Settings tab in Health Monitoring Policy Properties to fine
tune the parameters that the health monitoring service uses when determining
whether a network failure is occurring and how long to wait before switching to a
standby server. The health monitoring service policies are described below.
Set audit policies

Use Audit Policy Properties to specify what security-related information is
recorded while the system is being used. Audit policies include whether access
checks are audited, whether access grants, denies, or both are audited, and so on.
Audit messages are sent to FactoryTalk Diagnostics, where you can view them
using the FactoryTalk Diagnostics Viewer.
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Audit Policy.
3. In Audit security access failures, select one of the following from the
drop-down button next to the current setting:
4. In Audit security access successes, select one of the following from the
drop-down button next to the current setting:
5. Click OK.
Audit policies

Auditing user actions in a control system helps answer "who changed this process
variable, when, and why?"
If you are in an industry that must comply with governmental regulations, such as
U.S. Government 21 CFR Part 11, your plant must be able to answer this
question. The answer is also important if your plant manufactures products with
critical tolerances, or if unmanaged changes could negatively affect product quality
or risk consumer safety.
Like other FactoryTalk policy settings, audit policies are managed separately in the
network directory and the local directory.
Each FactoryTalk product defines its own rules for auditing changes. This means
that the messages that appear in the FactoryTalk Diagnostics Viewer vary,
depending on what products are installed. If the setting Audit changes to
configuration and control system is enabled, audit messages are generated when
any configuration and control system changes occur across the FactoryTalk
system.
For example, suppose an area called Ingredients is secured so that only members of
the OperatorsLine5 group can write to it. If the Audit object access success
policy is enabled, every time an operator is granted write access to this area, a
message is logged to FactoryTalk Diagnostics. If the Audit object access failure
policy is enabled, every time an operator is refused Write access to this area, a
message is logged to FactoryTalk Diagnostics.
Auditing security access success can consume large amounts of system resources.
This policy should only be enabled when necessary, for example, while testing the
system, or if required in industries that must comply with governmental
regulations.
2. In the Explorer window, expand the System folder > Policies > System
Policies.
Setting: Audit changes to configuration and control system
Determines whether to generate audit messages when configuration and control
system changes occur across the FactoryTalk system.
Default: Enabled
To disable audit logging, set this policy to Disabled.
If this policy is disabled, audit messages are not routed to FactoryTalk
Diagnostics log files, even if logging destinations are configured for audit
messages on the Message Routing tab in Diagnostics Setup.
Any changes made to the value of the Audit changes to configuration and control
system policy itself are always recorded, regardless of whether audit logging is
enabled or disabled. If enabled, audit information is sent to FactoryTalk
Diagnostics.

Setting: Audit security access failures
Determines whether to generate an audit message when a user attempts an action
and is denied access to the secured object or feature because of insufficient
security permissions.
Default: Disabled
To record audit messages when users fail to access objects because of
insufficient security permissions, set this policy to Enabled. If enabled, audit
information is sent to FactoryTalk Diagnostics.

Setting: Audit security access successes
Determines whether to generate an audit message when a user attempts an action
and is granted access to the secured object or feature because the user has the
required security permissions.
Default: Disabled
To record audit messages when users succeed in accessing objects because of
sufficient security permissions, set this policy to Enabled. When enabled, this
policy might generate a large number of audit messages. Enable this policy only
if you have a specific reason for doing so, for example, testing or
troubleshooting whether users are able to access particular features or objects
in the system.
If enabled, audit information is sent to FactoryTalk Diagnostics.
Monitor security-related events

Monitor security-related events to find out if changes are made to security policies
or other objects, who made the changes, and when they were made. You can
monitor security-related events by setting up audit policies.
Example: Audit messages

If the setting Audit changes to configuration and control system is enabled in
Audit Policy, audit messages are generated when any configuration and control
system changes occur across the FactoryTalk system.
Set system security policies

Use Security Policy Properties to define general rules for implementing security
across all FactoryTalk products in your system.
Modify account policy settings

Use Security Policy Properties to change the following user account policy
settings:
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Security Policy.
3. To set the maximum number of hours that a user can remain logged on
before the system checks whether the user’s account is still valid,
double-click Logon session lease, and type a value from 0-999. Setting this
value to 0 allows the logon session to be used indefinitely, allowing users to
have continuous access, even if their accounts are disabled or deleted.
A locked account cannot be used until the Account lockout auto reset
period expires, or until the account is reset by a FactoryTalk administrator.
This helps prevent an unauthorized user from gaining access to the system
by guessing a password through a process of elimination.
5. To specify the amount of time that must expire before a locked account is
reset and the user can attempt access again, click Account lockout auto
reset and type a value between 0 and 999 minutes.
7. If deleted account records are kept, you may choose whether or not to list
deleted account records in the Users folder in the System tree. Double-click
Show deleted accounts in user list, and select one of the following:
8. When you have finished modifying account policy settings, click OK.
Modify computer policy settings

Use Security Policy Properties to change the following policy settings for
computer accounts:
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Security Policy.
5. When you have finished modifying account policy settings, click OK.
Important: If you set Identify terminal server clients using the name of to
Server Computer, disable single sign-on because the computer name is
saved as part of the single sign-on user's credentials, and might affect the
level of access a Remote Desktop Services user has to the FactoryTalk
system.
Modify directory protection policy settings

Use Security Policy Properties to change the policy settings that determine:
• If computers with FactoryTalk versions less than 2.50, which are considered
non-secure, can access a directory server with FactoryTalk CPR 9 SR5 or
later, and if so, whether or not an audit message is generated
• How long cache files remain available after a client computer disconnects
from the server, and if a warning message displays
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Security Policy.
5. By default, cache files never expire. Instead, the cache files remain available
after the client computer is disconnected from the server. To set a time limit
for when cache files expire, double-click Directory cache expiration and
type or select a number from 1-9999. When the time limit is reached, you
must reconnect to the server to access the files.
6. By default, you will not get warnings prior to cache expiration, but you can
still see notifications upon disconnection and cache expiration. Click in
Directory cache expiration warning and type a number from 1-24 to set
the number of hours before cache expiration when a warning notification is
displayed.
Modify password policy settings

Use Security Policy Properties to set the conditions for a valid FactoryTalk
password, such as minimum and maximum password length, password complexity
requirements, and when a password expiration warning is given.
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Security Policy.
6. To require users to wait at least one day before changing their password,
double-click Minimum password age and enter a number between 1 and
999.
Enable single sign-on

Use Security Policy Properties to enable single sign-on capability. When
single sign-on is enabled, you log on just once, per directory, on a given
computer. Once you log on, all participating FactoryTalk products that run in
that directory on that computer automatically use those same security credentials.
1. Open the System folder, and then open Policies > System Policies and
double-click Security Policy.
2. In the Single Sign-On Policy Settings list, to the right of Use single
sign-on, click in the Disabled field.
If single sign-on still does not seem to be working properly, it is likely that the
FactoryTalk product you are using does not support the single sign-on capability.
Some FactoryTalk products always require users to log on, even if single sign-on is
enabled.
Disable single sign-on

To require users to log into each FactoryTalk product separately, use Security
Policy Properties to disable single sign-on capability.
1. Open the System folder, and then open Policies > System Policies and
double-click Security Policy.
2. In the Single Sign-On Policy Settings list, to the right of Use single
sign-on, click in the Enabled field.
Account policy settings

Use the following Account Policy Settings to specify how FactoryTalk manages
policies for user, computer, and group accounts. A few additional policy settings
for computer accounts are managed in Computer Policy Settings.
Setting: Logon session lease
Sets the maximum number of hours that a user can remain logged on before the
system checks whether the user's account is still valid.
Use this setting to prevent logged on users from having access indefinitely,
even after their accounts are disabled or deleted.
If a user's account has, for example, been disabled or its password changed, and
the account name and password cannot be reauthenticated, the logon session
becomes invalid. The user can no longer access secure system resources until the
user logs on successfully again.
Setting this value to 0 allows the logon session to be used indefinitely,
allowing users to have continuous access, and preventing the system from
automatically reauthenticating users. This means that the system does not check
whether the user's account is still valid.
Minimum: 0 hours
Maximum: 999 hours
Default: 1 hour

Setting: Account lockout threshold
Sets the number of consecutive times a user can unsuccessfully attempt to log on
before the account is locked. If set to 0, accounts are never locked.
An invalid logon attempt occurs if the user attempts to log on and specifies a
correct user name but an incorrect password.
A locked account cannot be used until the Account lockout auto reset period
expires, or until the account is reset by a FactoryTalk administrator. This
helps prevent an unauthorized user from gaining access to the system by guessing
a password by a process of elimination.
Minimum: 0 invalid logon attempts
Maximum: 999 invalid logon attempts
Defaults:
• For the Network Directory, 3 invalid logon attempts.
• For the Local Directory, 0 invalid logon attempts.

Setting: Account lockout auto reset
Specifies the amount of time that must expire before a locked account is reset,
allowing the user to attempt access again. Type a value between 0 and 999
minutes to specify the amount of time a user must wait before using the account
again to gain access to the system.
If set to 0, locked accounts are not reset automatically, and must be unlocked
manually by a FactoryTalk administrator.
Minimum: 0 minutes
Maximum: 999 minutes
Default: 15 minutes

Setting: Keep record of deleted accounts
Determines whether user accounts can be permanently deleted with no record
retained in the system, or flagged as deleted and permanently disabled, with a
record of the deleted account retained in the system.
To keep a record of accounts that have been deleted, and force all new accounts
to be unique, select Enabled. You can also change a policy setting to show
deleted accounts in the list of users.
To discard accounts when they are deleted, select Disabled. This means that if a
user account is deleted, a user account can be recreated later with the same
user name. If the policy is enabled and a user account is deleted, a user
account cannot be recreated later with the same user name, because its record
still exists in the system.
If the policy is disabled and you recreate a user account with the same name,
the new user account does not inherit the security settings of the old account.
This is because all user accounts are identified by means of a unique identifier
that is separate from the user name. When you delete a user account, the user's
access rights are deleted, but the user account's unique identifier is not
deleted.
When you create another user account with the same name, you must recreate the
security settings of the account. You can do this either by adding the user
account to a group that already has security settings defined for it, or by
creating permissions for the user account when securing a resource.
For security and audit tracking reasons, and to satisfy compliance requirements
in regulated manufacturing industries, it might be necessary to:
• Keep a record of previously deleted accounts
• Ensure that all user accounts can be uniquely identified in the system
Default: Disabled

Setting: Show deleted accounts in user list
Sets whether deleted account records are listed in the Users folder in the
System tree. This policy works together with the Keep record of deleted accounts
policy. If Keep record of deleted accounts is enabled, enabling Show deleted
accounts in user list allows a FactoryTalk administrator to view details about
accounts that have been deleted.
To hide deleted accounts in the list of users, select Disabled. This means that
accounts that you delete are not shown in the list of user accounts, even if you
keep a record of deleted accounts. Enable the Show deleted accounts in user list
policy if you keep a record of deleted accounts (for example, for regulatory
compliance), and want to view details about accounts that have been deleted.
Default: Disabled
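The following Python simulation is an added illustration of how the Account lockout threshold, Account lockout auto reset and Logon session lease rules in the table above interact, including the three 0 cases (never lock, manual unlock only, indefinite session). It is not FactoryTalk's own code, which is not public; the account names, passwords and the minute-based simulation clock are constructed for the example.

```python
"""Simulation of the FactoryTalk account policy rules described above (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccountPolicy:
    lockout_threshold: int = 3        # invalid attempts before lock; 0 = never lock
    lockout_auto_reset_min: int = 15  # minutes until a locked account resets; 0 = manual only
    session_lease_hours: int = 1      # hours before a session is revalidated; 0 = indefinite


@dataclass
class Account:
    name: str
    password: str                     # plaintext only because this is a simulation
    enabled: bool = True
    failed_attempts: int = 0
    locked_at: Optional[int] = None   # simulation clock (minutes) when the lock started


@dataclass
class Session:
    account: Account
    password_at_logon: str            # used to detect a password change at lease expiry
    expires_at: Optional[int]         # None = lease of 0, the session is never rechecked


def is_locked(account, now, policy):
    """Apply the auto reset period; return True if the account is still locked."""
    if account.locked_at is None:
        return False
    if policy.lockout_auto_reset_min and now - account.locked_at >= policy.lockout_auto_reset_min:
        account.locked_at = None      # reset period has expired: the account is usable again
        account.failed_attempts = 0
        return False
    return True                       # reset 0: stays locked until an administrator unlocks it


def unlock(account):
    """Manual reset of a locked account by a FactoryTalk administrator."""
    account.locked_at = None
    account.failed_attempts = 0


def attempt_logon(accounts, name, password, now, policy):
    """Return (Session, None) on success or (None, reason) on failure."""
    account = accounts.get(name)
    if account is None:
        return None, "unknown user"   # wrong user name: does not count as an invalid attempt
    if is_locked(account, now, policy):
        return None, "account locked"
    if not account.enabled:
        return None, "account disabled"
    if password != account.password:
        # Correct user name with a wrong password is what counts toward the threshold.
        account.failed_attempts += 1
        if policy.lockout_threshold and account.failed_attempts >= policy.lockout_threshold:
            account.locked_at = now
            return None, "account locked"
        return None, "invalid password"
    account.failed_attempts = 0       # a successful logon clears the consecutive-failure count
    expires = None if policy.session_lease_hours == 0 else now + policy.session_lease_hours * 60
    return Session(account, password, expires), None


def session_is_valid(session, now, policy):
    """Revalidate a session once its lease has run out (a lease of 0 is never rechecked)."""
    if session.expires_at is None or now < session.expires_at:
        return True
    acct = session.account
    # Lease expired: the account must still be enabled and the password unchanged,
    # otherwise the session becomes invalid and the user must log on again.
    if not acct.enabled or acct.password != session.password_at_logon:
        return False
    session.expires_at = now + policy.session_lease_hours * 60
    return True
```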
Computer policy settings

The policies in this table apply only to computer accounts in the FactoryTalk
network directory because the FactoryTalk local directory does not permit remote
access.
Setting: Require computer accounts for all client machines
Determines whether client computers can access the FactoryTalk network directory
without having a computer account in the network directory. Disable this policy
if you want users to be able to connect remotely from any computer, even if the
computer does not have a computer account in the FactoryTalk Directory.
Even when this setting is disabled, you must still create computer accounts for
any computers hosting servers, for example Rockwell Automation Device Servers
(FactoryTalk Linx), OPC data servers, Tag Alarm and Event Servers, or HMI
servers. Without the server computer accounts, you will not be able to configure
the servers from client computers on the network, because the FactoryTalk
network directory server cannot locate these servers on the network without
their computer accounts.
Enabled allows users to log on to FactoryTalk only if they are logging on from a
client computer that has an account in the FactoryTalk Directory. Even if set to
Enabled, Remote Desktop Services clients can still log on to FactoryTalk
Directory without computer accounts if the Identify terminal server clients
using the name of policy is set to Server Computer. See below.
Disabled allows users to log on to FactoryTalk from any client computer, even if
that computer has no computer account in the FactoryTalk network directory.
Default: Enabled

Setting: Identify terminal server clients using the name of
Determines what computer name identifies clients connecting to the FactoryTalk
Directory through Remote Desktop Services. This policy also affects whether
client computers connecting through Remote Desktop Services require computer
accounts in the FactoryTalk Directory.
Server Computer allows client computers to connect through Remote Desktop
Services without requiring accounts in the FactoryTalk Directory, even if the
Require computer accounts for all client machines policy is Enabled. This is
possible because the FactoryTalk Directory behaves as if the client computer
were accessing the FactoryTalk Directory from the Remote Desktop Connection
computer.
If set to Terminal Client and the Require computer accounts for all client
machines policy is Enabled, client computers must have computer accounts in the
FactoryTalk Directory to access FactoryTalk applications.
If set to Terminal Client and the Require computer accounts for all client
machines policy is Disabled, client computers do not require computer accounts
in the FactoryTalk Directory to access FactoryTalk applications. This
combination of settings is useful for diagnostic logging because the name of the
client computer where actions originate can be logged.
The Identify terminal server clients using the name of policy also determines
which computer name appears in the FactoryTalk Diagnostics log of actions
performed on the system over a Remote Desktop Services connection:
• Terminal Client logs actions using the name of the client computer from which
the user is connecting to the Terminal Server. The computer name logged in
FactoryTalk Diagnostics will be different for each client connecting via
Remote Desktop Services.
• Server Computer logs actions using the name of the Terminal Server computer
for all users. The computer name logged in FactoryTalk Diagnostics will be the
same for all users connecting via Remote Desktop Services.
Default: Terminal Client
Important: If you set Identify terminal server clients using the name of to
Server Computer, disable single sign-on because the computer name is
saved as part of the single sign-on user's credentials, and might affect the
level of access a Remote Desktop Services user has to the FactoryTalk
system.
Directory protection policy settings

The Directory protection policy settings below apply only to computers in the
FactoryTalk network directory.
Setting: Support non-secure clients
Determines whether client computers with FactoryTalk versions earlier than 2.50
can access a directory server computer with FactoryTalk CPR 9 SR5 or later. The
policy is ignored if client computers are installed with FactoryTalk 2.50 or
later.
Allow means client computers with FactoryTalk versions earlier than 2.50 can
connect to and retrieve information from a directory server computer with
FactoryTalk 2.50 or later.
Deny means only client computers with FactoryTalk 2.50 or later can connect to
and retrieve information from a directory server computer with FactoryTalk 2.50
or later. Clients with FactoryTalk versions earlier than 2.50 are denied access
and a Protocol version mismatch error occurs.
Default: Allow
The directory server must be disconnected from the network before you change
this policy. Reconnect to the network after applying the change. Otherwise, this
policy will not be properly enforced.

Setting: Audit non-secure client connections
Determines whether an audit message is created when client computers with
FactoryTalk versions earlier than 2.50 connect to a directory server computer
with FactoryTalk 2.50 or later.
Enabled means an audit message is created when a client computer with a
FactoryTalk version earlier than 2.50 connects to a directory server computer
with FactoryTalk 2.50 or later.
Disabled means an audit message is not created when a client computer with a
FactoryTalk version earlier than 2.50 connects to a directory server computer
with FactoryTalk 2.50 or later.
Default: Enabled

Setting: Directory cache expiration
Determines how long the cache files remain available after the client computer
is disconnected from the server. Once this time elapses, reconnect to the
directory server to access the latest data files.
If this is set to 0, cache files never expire.
Minimum: 0 hours
Maximum: 9999 hours
Default: 0 hours

Setting: Directory cache expiration warning
Determines when a warning notification is displayed in the notification area
prior to the directory cache expiring. You can click the FactoryTalk Directory
icon in the notification area to quickly view the time expiration information.
If this is set to 0, you will not get warnings prior to cache expiration.
However, you can still see notifications upon disconnection and cache
expiration.
Minimum: 0 hours
Maximum: 24 hours
Default: 0 hours before expiration
Cache expiration policies

In FactoryTalk, rules for directory cache expiration are managed system-wide in
Security Policy Properties. These policies determine:
• how long cache files remain available after the client computer is
disconnected from the server
• if a warning is displayed before the directory cache expires
You cannot modify the directory cache timeout policies in a FactoryTalk local
directory.
Tip: The directory cache timeout policies are not supported if the client computer is
installed with FactoryTalk Services Platform version 2.40 or earlier.
The cache expiration policies in FactoryTalk are applied in the following order of
precedence:
The example below shows how the cache expiration policies work.
Suppose that:
Although the current setting covers the majority of your computers, you have the
option to customize specific settings for some cases. Suppose you want to allow
the computers in the Laptops group to operate in a disconnected state for a
longer period (for example, 7 days, that is, 168 hours). You also want to turn
off the cache expiration functionality for the computer MYSERVER.
Password policy settings

Passwords for FactoryTalk user accounts can be up to 16 characters long. A set of
password policies determines how long or how complex passwords must be. As a
matter of good security practice, do not use blank passwords with accounts.
To help avoid intermittent security failures or an inability to log on, always use a
password for all Windows-linked accounts. If you do not want to use a password
for Windows-linked accounts, on your local computer disable the Windows local
security policy called Accounts: Limit local account use of blank passwords to
console logon only. Define password policies for Windows-linked accounts in
Windows.
For FactoryTalk user accounts, use Security Policy Properties to adjust these
password policy settings:
• Password complexity
• Minimum password length
• Number of previous passwords remembered
• Minimum password age
• Maximum password age
• Password expiration warning
Setting: Passwords must meet complexity requirements
Determines how simple or complex passwords must be.
Disabled means that passwords to user accounts can include any characters or
combinations of characters.
Enabled requires users to create passwords that are more secure, because
passwords used for user accounts:
• Cannot contain all of the user account name. For example, a user account
called John12 cannot have the password John1234. However, the password 12John
is permitted. This check is also case sensitive, so John12 could have the
password jOHN12.
• Must contain at least six characters (you can change the minimum value using
the Minimum password length policy)
• Must contain characters from three of the following four categories:
  • Unaccented uppercase characters (A to Z)
  • Unaccented lowercase characters (a to z)
  • Numerals (0 to 9)
  • Non-alphanumeric characters (!, @, #, %)
If enabled, any passwords that do not meet these minimum requirements will be
rejected, and the user will be prompted to create a password that satisfies the
criteria. These complexity requirements are defined by the system and you cannot
change them.
The Passwords must meet complexity requirements policy overrides the Minimum
password length policy if the minimum password length is less than 6 characters.
If the minimum password length is greater than 6 characters, Minimum password
length takes precedence.
Default: Disabled

Setting: Minimum password length
Sets the minimum number of characters a password to a user account must contain.
A value of 0 allows you to create user accounts without passwords.
If enabled, the Passwords must meet complexity requirements policy requires a
minimum password length of 6 characters. However, if the Minimum password length
policy is set to more than 6 characters, this overrides the Passwords must meet
complexity requirements policy.
Minimum: 0 characters. A value of 0 means that you can create user accounts
without passwords.
Maximum: 16 characters
Defaults:
• For the network directory, 6 characters.
• For the local directory, 0 characters. This means that users can set the
passwords to their accounts to be blank.

Setting: Previous passwords remembered
Sets the number of unique new passwords that must be created before an old
password can be reused. If set to 0, old passwords can be reused immediately.
This policy allows you to ensure that old passwords are not continually reused.
To maintain the effectiveness of the Previous passwords remembered policy, set
the Minimum password age policy to a non-zero value to prevent passwords from
being changed immediately. This policy is also necessary to make the Maximum
password age policy meaningful. If this policy is set to zero, users can
immediately re-use their existing passwords when their passwords expire.
Minimum: 0 passwords
Maximum: 24 passwords
Default: 3 passwords

Setting: Minimum password age
Sets the minimum number of days passwords must be in effect before they can be
changed. If set to 0, users can change their passwords immediately following a
prior change.
This policy works together with the Previous passwords remembered policy to
prevent a user from changing a password repeatedly until one of the user's old
password favorites can be used again.
If the value of the Minimum password age is greater than the value of the
Maximum password age, the minimum password age is ignored.
Minimum: 0 days
Maximum: 999 days
Default: 0 days. This means that users can change their passwords at any time.

Setting: Maximum password age
Sets the maximum number of days passwords can be used before they must be
changed. If set to 0, passwords never expire. When setting this value, be sure
also to specify a smaller value for the Password expiration warning.
If the Maximum password age expires, the user is prompted to change the password
when next logging on with the account.
If the value of the Maximum password age policy is less than the value of the
Minimum password age policy, the minimum password age is ignored.
Minimum: 0 days
Maximum: 999 days
Default: 0 days. This means that users are never prompted to change their
passwords.

Setting: Password expiration warning
Sets the number of days before passwords are due to expire that the system
begins prompting users to change their passwords.
If Maximum password age is set to 0, the password expiration warning never
appears.
If the value of the Password expiration warning is greater than the value of the
Maximum password age, a password expiration warning appears the next time the
user attempts to log on.
Minimum: 0 days before expiration
Maximum: 999 days before expiration
Default: 14 days before expiration
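As an added illustration (not FactoryTalk's own code, which is not public), the following Python model applies the password policy rules in the table above to a proposed password: the case-sensitive account-name check, the three-of-four character categories, the way complexity and Minimum password length override each other, Previous passwords remembered, the minimum-age rule that is ignored when it exceeds the maximum age, and the expiration-warning window. Account names, passwords and day counts used in the comments and tests are constructed; treating a Maximum password age of 0 as "no upper bound" for the min/max comparison is an interpretation noted in the code.

```python
"""Model of the FactoryTalk password policy settings described above (added example)."""
from dataclasses import dataclass
import string

MAX_PASSWORD_LENGTH = 16   # FactoryTalk passwords can be up to 16 characters long


@dataclass
class PasswordPolicy:
    complexity_required: bool = False  # Passwords must meet complexity requirements
    minimum_length: int = 6            # Minimum password length (network directory default)
    previous_remembered: int = 3       # Previous passwords remembered
    minimum_age_days: int = 0          # Minimum password age
    maximum_age_days: int = 0          # Maximum password age (0 = never expires)
    expiration_warning_days: int = 14  # Password expiration warning


def effective_minimum_length(policy):
    """Complexity forces at least 6 characters; a larger Minimum password length wins."""
    if policy.complexity_required:
        return max(6, policy.minimum_length)
    return policy.minimum_length


def complexity_failures(password, account_name):
    """Return the complexity rules the password violates (empty list = compliant)."""
    failures = []
    # Case-sensitive whole-name check: John12 may not use John1234, but 12John and jOHN12 pass.
    if account_name and account_name in password:
        failures.append("contains the user account name")
    alnum = string.ascii_letters + string.digits
    categories = [
        any(c in string.ascii_uppercase for c in password),   # unaccented A to Z
        any(c in string.ascii_lowercase for c in password),   # unaccented a to z
        any(c in string.digits for c in password),            # numerals 0 to 9
        any(c not in alnum for c in password),                # non-alphanumeric (!, @, #, %)
    ]
    if sum(categories) < 3:
        failures.append("fewer than three of the four character categories")
    return failures


def effective_minimum_age(policy):
    """Minimum password age is ignored when it exceeds a non-zero Maximum password age.
    A maximum of 0 means passwords never expire; this model treats that as no upper
    bound (an interpretation: the guide does not spell out this combination)."""
    if policy.maximum_age_days and policy.minimum_age_days > policy.maximum_age_days:
        return 0
    return policy.minimum_age_days


def check_new_password(password, account_name, history, days_since_change, policy):
    """Return the reasons a proposed new password would be rejected (empty = accepted).
    history holds the account's earlier passwords, oldest first."""
    reasons = []
    if len(password) > MAX_PASSWORD_LENGTH:
        reasons.append("longer than %d characters" % MAX_PASSWORD_LENGTH)
    minimum = effective_minimum_length(policy)
    if len(password) < minimum:
        reasons.append("shorter than %d characters" % minimum)
    if policy.complexity_required:
        reasons.extend(complexity_failures(password, account_name))
    # Previous passwords remembered: only the last N are blocked; 0 allows immediate reuse.
    if policy.previous_remembered and password in history[-policy.previous_remembered:]:
        reasons.append("matches one of the last %d passwords" % policy.previous_remembered)
    min_age = effective_minimum_age(policy)
    if min_age and days_since_change < min_age:
        reasons.append("changed fewer than %d day(s) ago" % min_age)
    return reasons


def expiration_status(days_since_change, policy):
    """Return (expired, warning_shown) for the user's next logon."""
    if policy.maximum_age_days == 0:
        return False, False      # never expires, so the warning never appears either
    days_left = policy.maximum_age_days - days_since_change
    if days_left <= 0:
        return True, False       # user is prompted to change the password at next logon
    # A warning larger than the maximum age is always >= days_left, so the warning
    # appears at the very next logon, matching the table's last rule.
    return False, policy.expiration_warning_days >= days_left
```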
Single sign-on policy settings

Use the Single sign-on policy settings in Security Policy Properties to set
whether users can log on once to the FactoryTalk system, or must log on to each
FactoryTalk product separately.
Setting: Enabled
Requires users to log on to the FactoryTalk system only once. The system checks
the user's access rights as the user performs actions after logging on. If the
user has the required access rights, the action is allowed to proceed. If the
user does not have the necessary access rights, the action is prevented from
taking place. The user is not prompted repeatedly to log on with a user name and
password.

Setting: Disabled
Requires users to log on to each FactoryTalk product separately.
When to disable single sign-on

If multiple users are sharing the same Windows user account, but have different
FactoryTalk user accounts, it might be necessary to disable single sign-on. This is
because with single sign-on enabled, the last user that logged on to FactoryTalk is
automatically logged on to all subsequent FactoryTalk products. If you need to be
able to distinguish the actions of individual users, disable single sign-on to force all
users to identify themselves to each FactoryTalk product they use.
There is no way to log all users off all FactoryTalk products simultaneously. This is
because some products might need to run without interruption in the
background. To log all users off all FactoryTalk products simultaneously, log off
Windows. Logging off Windows also shuts down all FactoryTalk products that
were started in the Windows session, regardless of how many users were logged on.
If single sign-on still does not seem to be working properly, it is likely that the
FactoryTalk product you are using does not support the single sign-on capability.
Some FactoryTalk products always require users to log on, even if single sign-on is
enabled.
2. In the Explorer window, expand the System > Policies > System Policies
folders.
Use Security Policy Properties to define general rules for implementing security
across all FactoryTalk products in your system. To modify security policies, you
will need to obtain the appropriate permissions for the System Policies folder in
the Explorer window.
Navigate the Policy Properties windows
All of the Product Policies and System Policies windows contain the same
features to help you navigate to the property setting you want to edit.
To navigate the Policy Properties windows
Export policies to XML
Export policies to save current FactoryTalk Directory policy settings to an XML
file. Use an XML or text comparison tool to determine policy changes between
exported policy files.
The exported policies are limited to the policies accessible by the logged-on user. If
the logged-on user does not have Read, Execute, or List Children permissions for a
policy or its parent folders, that policy is not exported.
Prerequisites
3. Click Export.
Use Export Policies to create an XML file containing the current FactoryTalk
Directory policy settings.
The exported policies are limited to the policies accessible by the logged-on user. If
the logged-on user does not have Read, Execute, or List Children permissions for a
policy or its parent folders, that policy is not exported.
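Both the Export policies to XML procedure and the Export Policies dialog description above leave the comparison of two exports to an external XML or text tool. The script below is an added example of such a comparison, not a Rockwell tool and not the format of a real export: the element and attribute names in the constructed sample (policyExport, policy, setting, name) are an assumption for illustration only. The comparison itself is schema-agnostic, so it reports added, removed and changed elements for whatever structure the actual export file contains.

```python
"""Compare two exported policy XML files and report what changed.

Added example, not a Rockwell tool. The sample documents below are constructed
and their element names are assumed; the diff logic does not depend on them.
"""
import xml.etree.ElementTree as ET

# Constructed sample exports (hypothetical structure, not the real export format).
BEFORE_XML = """<policyExport>
  <policy name="System Policies/Security Policy">
    <setting name="Single sign-on">Enabled</setting>
    <setting name="Minimum password length">8</setting>
  </policy>
  <policy name="Product Policies/RSLinx Classic/Feature Security">
    <setting name="Shutdown RSLinx Classic">Operators: Deny</setting>
  </policy>
</policyExport>"""

AFTER_XML = """<policyExport>
  <policy name="System Policies/Security Policy">
    <setting name="Single sign-on">Disabled</setting>
    <setting name="Minimum password length">8</setting>
    <setting name="Lockout threshold">5</setting>
  </policy>
</policyExport>"""


def flatten(xml_text):
    """Map every element to a stable path -> (attributes, text) entry.

    Siblings are distinguished by their 'name' attribute when they have one,
    otherwise by position, so reordered policies still line up between files.
    """
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(elem, prefix):
        counters = {}
        for child in elem:
            key = child.get("name")
            if key is None:
                counters[child.tag] = counters.get(child.tag, 0) + 1
                key = str(counters[child.tag])
            path = f"{prefix}/{child.tag}[{key}]"
            attrs = {k: v for k, v in child.attrib.items() if k != "name"}
            flat[path] = (attrs, (child.text or "").strip())
            walk(child, path)

    walk(root, root.tag)
    return flat


def diff_policies(before_xml, after_xml):
    """Return {'added': [paths], 'removed': [paths], 'changed': [(path, old, new)]}."""
    before, after = flatten(before_xml), flatten(after_xml)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        (p, before[p], after[p])
        for p in set(before) & set(after)
        if before[p] != after[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_policies(BEFORE_XML, AFTER_XML)
    for path in result["added"]:
        print("ADDED  ", path)
    for path in result["removed"]:
        # A policy missing from the newer export may simply be one the exporting
        # user lacked Read/Execute/List Children on, not one that was deleted.
        print("REMOVED", path)
    for path, old, new in result["changed"]:
        print("CHANGED", path, old[1], "->", new[1])
```

When reading the output, treat a whole policy that disappears between exports with suspicion: because the export only contains the policies the logged-on user can read, a "removed" policy may mean the two exports were taken by accounts with different permissions rather than a real change.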
For example, when you set up product policies for RSLinx Classic, you might
restrict the ability to shut down the RSLinx Classic service to a small group of
users, to prevent parts of your automation system from going down at runtime.
Typically, you will want to restrict access to features of multiple products at once.
For FactoryTalk Linx Gateway, however, you have to configure security on a
feature-by-feature basis.
Secure features of a single product
To restrict access to one or more features of a single FactoryTalk product, use
Feature Security Properties.
To secure features of a single product
2. In the Explorer window, expand System > Policies > Product Policies.
3. In the Product Policies folder, expand the folder for the product whose
features you want to secure and then double-click Feature Security.
4. In Feature Security Properties, click the row containing the feature you
want to secure. A description of the feature appears at the bottom of the
window.
• If the product policy contains settings that you can configure using
drop-down lists, configure the settings, click OK, and then skip the rest
of the steps.
• If the product policy is not configured using drop-down lists, in the
column on the right, click Browse (...) beside Configure Security.
6. Use Configure Securable Action to select the users or user groups that can
access the feature, and click OK.
7. Repeat steps 4-6 as needed to configure the features that make up your
product policy.
8. Click OK.
Secure multiple product features
Use Feature Security for Product Policies to secure features of multiple
FactoryTalk products at once. The term action in Feature Security for Product
Policies refers to a product feature. Each FactoryTalk product you install provides
different securable features (actions).
Click the plus (+) icon next to each FactoryTalk product to view the features you
may secure.
4. (optional) To add a user and computer to the Users list, click Add. In
Select User and Computer, select a user or group of users, and a computer
or group of computers, and click OK.
• In the Users list, click to select the user or user group whose access you
need to secure.
• In the Actions list, expand the list of products and categories as needed
to locate the feature you wish to secure, and click to select the feature.
• Skip to step 8.
• In the Actions list, expand the list of products and categories as needed
to locate the feature you wish to secure, and click to select the feature.
• In the Users list, click to select the user or group whose access to the
feature you need to secure.
• To allow a user to perform the action, select the Allow check box.
• To deny a user access to the action, select the Deny check box.
• If you clear both the Allow and Deny check boxes, the user is denied
access to the feature.
Feature Security for Product Policies
Use the Permissions tab in Feature Security for Product Policies to secure
features in multiple FactoryTalk products at the same time. If you are using both a
local and a network FactoryTalk Directory, you must configure product policies in
each directory separately.
Tip: Security for FactoryTalk Linx Gateway must be configured one feature at a time.
Setting              Description
View permissions by  View the same set of permissions from two different points of view:
                     • by user: click User, select a user, and then specify what product features that user can access
                     • by action: click Action, select a product feature, and then specify which users can perform the feature
Add                  Click Add to add a user and computer to the list.
Remove               Click Remove to remove a user and computer from the list.
Action list          The term action in Feature Security for Product Policies refers to a product feature. Each FactoryTalk product you install provides different securable features (actions). Click the plus (+) icon next to each FactoryTalk product to view the features you may secure. For more information about each product, refer to the product's documentation.
Allow                Click to allow access to a product feature.
Deny                 Click to deny access to a product feature.
Allow and Deny       Clear both check boxes to deny access to the feature.
2. In the Explorer window, expand the System folder > Policies > Product
Policies, expand the folder for the product whose policies you want to
secure, and then double-click the type of product policies you want to secure
for the product.
Use the Policy Settings tab in Feature Security Properties to secure a single
feature of a FactoryTalk product. You may secure other features of the same
product in Feature Security Properties, but this is not the most efficient way to
do so.
Policy settings are completely separate in the network directory and local
directory. Changes you make to the policy settings in one directory do not apply to
the other directory.
In some cases, there are securable actions and product policies for the same
capability. For example, Logix Designer application has both a securable action
and a product policy called Firmware: Update.
• The securable action applies to all products—if you are denied permission
to the Firmware: Update action in an application or area, you cannot
update firmware in the controller from that application or area using any
product.
• The product policy applies to only Logix Designer application—if you are
denied permission to Firmware: Update, you cannot update firmware
when using Logix Designer application to configure any controller.
Unlike securable actions for resources, product policies do not inherit security
settings. When specifying permissions for product policies, clearing both the
Allow and Deny check boxes does not allow the policy setting to inherit security.
Instead, clearing both check boxes denies access to the product feature.
For details about securable actions and product policies in a particular FactoryTalk
product, see the documentation for your product.
A logical name is an alias that identifies a control network or device. Use a logical
name to provide a shorter or more intuitive name to identify a device, instead of
using its network relative path. Logical names also change the way devices inherit
security permissions. Control devices with identical logical names share security
permissions across different control networks and across different computers,
without requiring identical driver names or relying on identical network paths.
You can:
Logical names
A logical name is an alias that identifies a control network or device. You can use
the logical name to provide a shorter or more intuitive name to identify a device
instead of using its network relative path. Logical names also change the way
devices inherit security permissions.
Control devices with identical logical names share security permissions across
different control networks and across different computers, without requiring
identical RSLinx Classic driver names or relying on identical network paths.
If you add a logical name for a control device, the security system automatically
uses the security permissions associated with that name, rather than with the
device's network relative path, to determine access permissions. After defining a
new logical name, you must also establish security permissions for the control
device. Be sure to add an identical logical name for the control device on each
computer on the network that has access to the device, if the different computers
have different relative paths to the device.
If you later change a control device's logical name, the original security permissions
remain associated with the first logical name. You must re-add security
permissions for the device, to associate them with the new logical name.
When you delete a logical name, the security system automatically uses the security
permissions associated with the device's network relative path.
The logical name and its associated security permissions still exist in the security
system after a name is deleted. For example, suppose the name "MyPLC1" is
assigned to Device1 on Computer A and Computer B, and each computer has a
different relative path to Device1. When a user attempts to perform an action on
Device1 from either computer, the security system checks the permissions
associated with "MyPLC1."
114 Rockwell Automation Publication FTSEC-QS001M-EN-E
Manage logical names Chapter 11
Now suppose we delete the name "MyPLC1" on Computer A, but leave it assigned
on Computer B. If a user attempts to perform an action on Device1 from
Computer A, security uses the permissions associated with the Device1's network
relative path. If a user attempts to perform an action on Device1 from Computer
B, however, security uses the permissions associated with the logical name
"MyPLC1."
Do not delete logical names for RSLogix 5000 controllers. Because RSLogix 5000
controllers do not have network relative paths, deleting a logical name can cause
unexpected results.
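The MyPLC1 scenario above is easiest to reason about as a small state model. The script below is an added example, not Rockwell code: it models the rules stated in this topic (permissions keyed by logical name when one is assigned on the computer, otherwise by the device's network relative path; permissions defined before a name was added stay with the path; renaming leaves the old name's permissions behind; deleting the name falls back to the path). The computer names, the driver paths, the user name and the actions are constructed for illustration.

```python
"""Model of which permission set the security system consults for a control
device. Added example, not Rockwell code; all names and paths are constructed."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    # security key (logical name or network relative path) -> {action: {users}}
    permissions: dict = field(default_factory=dict)
    # (computer, device) -> logical name assigned to the device on that computer
    logical_names: dict = field(default_factory=dict)
    # (computer, device) -> network relative path as seen from that computer
    paths: dict = field(default_factory=dict)

    def security_key(self, computer, device):
        """The logical name wins when one is assigned on this computer."""
        return self.logical_names.get((computer, device)) or self.paths[(computer, device)]

    def allow(self, key, action, user):
        """Grant an action on a key (a logical name or a path)."""
        self.permissions.setdefault(key, {}).setdefault(action, set()).add(user)

    def is_allowed(self, computer, device, action, user):
        key = self.security_key(computer, device)
        return user in self.permissions.get(key, {}).get(action, set())

    def assign_logical_name(self, computer, device, name):
        # Existing path permissions are NOT copied to the name; they stay with the path.
        self.logical_names[(computer, device)] = name

    def rename_logical_name(self, computer, device, new_name):
        # The original permissions remain associated with the first name.
        self.logical_names[(computer, device)] = new_name

    def delete_logical_name(self, computer, device):
        # The name and its permissions still exist; the device just falls back to its path.
        self.logical_names.pop((computer, device), None)


def myplc1_scenario():
    """Replays the Computer A / Computer B example from the text."""
    d = Directory()
    # Constructed: each computer reaches Device1 through a different path.
    path_a = "AB_ETH-1\\192.0.2.10\\Backplane\\0"
    path_b = "AB_ETHIP-1\\192.0.2.10\\Backplane\\0"
    d.paths[("ComputerA", "Device1")] = path_a
    d.paths[("ComputerB", "Device1")] = path_b

    d.allow(path_a, "Read", "jane")              # defined before any logical name
    d.assign_logical_name("ComputerA", "Device1", "MyPLC1")
    d.assign_logical_name("ComputerB", "Device1", "MyPLC1")
    read_kept_on_path = d.is_allowed("ComputerA", "Device1", "Read", "jane")

    d.allow("MyPLC1", "Write", "jane")           # defined after the name exists
    write_shared = (d.is_allowed("ComputerA", "Device1", "Write", "jane"),
                    d.is_allowed("ComputerB", "Device1", "Write", "jane"))

    d.delete_logical_name("ComputerA", "Device1")   # leave it assigned on B
    after_delete = (d.is_allowed("ComputerA", "Device1", "Write", "jane"),
                    d.is_allowed("ComputerB", "Device1", "Write", "jane"))
    read_after_delete = d.is_allowed("ComputerA", "Device1", "Read", "jane")

    d.rename_logical_name("ComputerB", "Device1", "MyPLC2")  # permissions stay with MyPLC1
    after_rename = d.is_allowed("ComputerB", "Device1", "Write", "jane")

    return {
        "read_kept_on_path": read_kept_on_path,  # False: path permissions not copied
        "write_shared": write_shared,            # (True, True): both computers use MyPLC1
        "after_delete": after_delete,            # (False, True): A falls back to its path
        "read_after_delete": read_after_delete,  # True: the old path permission reappears
        "after_rename": after_rename,            # False: must re-add permissions for MyPLC2
    }


if __name__ == "__main__":
    for step, outcome in myplc1_scenario().items():
        print(f"{step:20} {outcome}")
```

The practical check this model suggests: after any rename or deletion of a logical name, verify effective permissions on the device from every computer that reaches it, because the same device can be governed by the logical name on one computer and by the network relative path on another.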
Add a logical name
Add a logical name to Networks and Devices to create an alias that identifies a
control network or a device. Use a logical name to provide a shorter or more
intuitive name to identify a device, instead of using its network relative path.
Logical names also change the way devices inherit security permissions. Control
devices with identical logical names share security permissions across different
control networks and across different computers, without requiring identical
driver names or relying on identical network paths.
Follow the steps below to add a logical name without associating it with an area or
application. Use Resources Editor to associate the logical name with an area or
application.
Alternatively, you can select an area or application and add a logical name to it.
This assigns the logical name to the area or application so that it immediately
inherits the security permissions of that area or application.
1. In Explorer, expand the Networks and Devices tree until Logical Names
is visible.
3. In New Logical Name, enter the name for your new logical name. For an
RSLogix 5000 controller, type a name that is identical to the device name
stored in the controller.
4. Click OK.
Delete a logical name
Delete a logical name from Networks and Devices when you no longer need the
logical name as an alias for a control device or network. When you delete a logical
name, the security permissions for the devices associated with it revert to the
permissions of the device or network.
Important: Because RSLogix 5000 controllers do not use network relative paths,
deleting a logical name associated with an RSLogix 5000 controller can
cause unexpected results.
1. In the Explorer window, expand the Networks and Devices tree until
Logical Names is visible.
2. Right-click on the logical name you wish to delete, and click Delete.
Add a device to a logical name
Use Logical Name Properties to add control devices or networks to a logical
name. When you add a device or network to a logical name, its associated devices
inherit the security permissions of the logical name.
1. In the Explorer window, expand the Networks and Devices tree until the
logical name you wish to edit is visible.
5. Click OK.
Remove a device from a logical name
Use Logical Name Properties to remove a device from a logical name when you no
longer wish to associate the device with the logical name.
Important: Do not remove an RSLogix 5000 controller from a logical name. Because
RSLogix 5000 controllers do not use network relative paths, removing the
device from a logical name can cause unexpected results.
1. In the Explorer window, expand the Networks and Devices tree until the
logical name you wish to edit is visible.
Assign a control device to a logical name
A logical name is an alias that identifies a control network or device. You must add
logical names in FactoryTalk Administration Console before configuring security
for RSLogix 5000 controllers. If assigned to an area or application, a logical name
inherits the security permissions of that area or application.
Use Device Properties to assign a control device to a logical name. You may add a
device to an existing logical name, or add the device to a new logical name.
1. Expand the Networks and Devices tree until the network or device you
want to create an alias for is visible.
3. In Device Properties, the Logical name list displays the logical name that
the device or network is currently assigned to.
5. Click OK.
Tip: If you change the logical name of a control device, the security permissions remain
associated with the first logical name. You must re-add security permissions for the
device to associate them with the new logical name.
Add a logical name to an area or application
Devices with identical logical names share security permissions across different
control networks and across different computers, even if those devices are
configured with different driver names or network paths. You must add logical
names before configuring security for RSLogix 5000 controllers. For all other
types of control hardware, you can choose whether to associate security settings
with logical names or with network relative paths.
Add a logical name to an area or application when you want the permissions
associated with the logical name to be inherited from that area or application.
Prerequisites
Obtain the following permissions in the area or application where you want to add
a logical name:
1. In the Explorer window, right-click the application or area you want to add
the logical name to, and click Resource Editor.
4. In New Logical Name, type a name for the logical name, and click OK.
Delete a logical name from an area or application
Delete a logical name from an area or an application to break the link between the
logical name and the permissions associated with the area or application.
Prerequisites
Obtain the following permissions for the application or area in the Explorer
window:
1. In the Explorer window, expand the local or network directory tree until
the application or area that contains the logical name is visible.
4. In the Associated Resources list, click to select the logical name you wish
to delete, and click Cut.
5. Click Close.
2. Expand the Explorer tree until the application or area containing the
resource grouping you want to edit is visible.
3. Right-click the application or area, and then click Resource Editor on the
context menu.
4. In the Resources Editor dialog box, click Manage Resources. In the Select
resources for dialog box, do one of the following:
Use New Logical Name to create an alias for the path to a device. A logical name
associates security permissions directly with the name, rather than with the path.
This allows you to associate a network or device with a single set of security
permissions. Devices with identical logical names share security permissions across
different control networks and across different computers.
Important: When using RSLogix 5000® controllers, you must use logical names to add
a mapping between FactoryTalk Administration Console and the devices.
After you create a new logical name, type a descriptive name to identify it.
2. Expand the Explorer tree until the application or area containing the
resource grouping you want to edit is visible.
3. Right-click the application or area, and then click Resource Editor on the
context menu.
4. In the Resources Editor dialog box, click Manage Resources. In the Select
resources for dialog box, do one of the following:
Setting Description
Logical name Select a logical name to edit the control devices associated with it. To create a new logical name, select New and then, in New
Logical Name, type a logical name. For an RSLogix 5000 controller, type a name that is identical to the device name stored in the
controller. Devices with identical logical names share security permissions across different control networks and across different
computers, even if those devices are configured with different driver names or network paths.
After defining a logical name, create security permissions for the control device. The new security permissions that you define are
now associated with the logical name. Any security permissions defined earlier, before a logical name was added, remain associated
with the device's network relative path, and are not copied to the logical name.
Because RSLogix 5000 devices do not use network relative paths, define logical names for RSLogix 5000 devices before configuring
security.
Device members This list shows the network relative paths of the devices that are referenced by the selected logical name.
To add devices to the selected logical name, click Add. You can add multiple devices to a single logical name, but you cannot add a
single device to multiple logical names. To save changes, click Apply.
To remove a device from the selected logical name, click the device and then click Remove.
Area associated with If the selected logical name is a member of a hardware resource grouping, this field shows the area from which the logical name
inherits its security permissions. The information in this field appears only as a reference. You cannot edit this field.
To remove the logical name from the area, click Remove.
Device Properties For control hardware displayed in the Networks and Devices tree, use Device
Properties to:
Setting Description
Device path This field displays the network relative path of the device whose properties you are viewing. The information in this field appears only as
a reference. You cannot edit this field.
Logical name Select a logical name to view the area associated with the logical name. The area indicates the resource grouping to which the logical
name belongs. Do one of the following:
• To create a new logical name, select <New...>. In New Logical Name, enter a descriptive name and click OK.
• To select from an existing logical name, or to change the logical name associated with the device, click the Logical name drop-down
and select the logical name you want to assign the device to.
• To remove the logical name the device is associated with, select None. The security system automatically uses the security
permissions associated with the device's network relative path.
Area associated with If the selected logical name is a member of a hardware resource grouping, this field shows the area from which the logical name inherits
its security permissions. The information in this field appears only as a reference. You cannot edit this field.
To remove the logical name from the area, click Remove. This removes the logical name from the resource grouping.
Resource grouping
Resource groupings
A resource grouping is a collection of hardware resources from the Networks and
Devices tree that is associated with an application or area. It is not a separate
account type.
You can create a resource grouping in any application or area in the FactoryTalk
Directory by selecting resources to be associated with the area in the Resources
Editor. You may add or delete resources at any time. A resource grouping
automatically inherits the security settings of the application or area where the
resource group is located.
Group hardware resources
Group hardware resources in an application or area if you prefer to manage their
security settings through the application or area. Devices in a resource grouping
in an application or area inherit security permissions from their associated
application or area.
Prerequisites
To group hardware resources together in an application or area, you must have the
following security permissions for the application or area:
1. In the Explorer window, right-click any application or area and then click
Resource Editor.
If you would like to add a logical name, click one of the following to filter
the list of logical names:
5. Click on the resource you would like to add, and click the > button to move
it into the Selected resources list.
6. Click OK.
Move a resource between areas
Use the Resources Editor to move a hardware resource from one application or
area to another. The device or control network that is moved inherits the security
permissions of its new area or application.
Prerequisites
To move a hardware resource between applications or areas, you must have the
following security permissions for the application or area:
1. In the Explorer window, right-click any application or area and then click
Resource Editor.
2. In the Areas list, click the area containing the resource you want to move.
3. In the Associated resources list, right-click the resource, and then click
Cut.
4. In the Areas list, click the area you want to move the resource to, right-click
the Associated resources list again, and then click Paste.
5. Click Close.
Remove a device from a resource grouping
Remove a device from a resource grouping to break the link between its security
permissions and those of the application or area to which it belongs.
When you remove a device from a resource grouping, the security permissions for
the device revert to what they were for either the logical name of the device — if
the device is associated with a logical name — or for the network relative path of
the device. The changes take effect immediately when you click OK.
Prerequisites
Obtain the following security permissions for the application or area where the
resource grouping is located:
2. In the Areas list of the Resources Editor, click the area or application
containing the resource you want to remove.
3. In the Associated resources list, right-click the resource, and then click
Cut.
4. Click Close.
2. In the Explorer window, right-click any application or area and then click
Resource Editor on the context menu.
Setting Description
Areas This list displays the applications and areas in the FactoryTalk network directory, or the applications in the FactoryTalk local
directory. Click an area or application to view the list of resources associated with it.
Associated resources This list shows the hardware devices located in the application or area. Devices that are represented by logical names are
displayed using their logical names. Devices that are represented by network relative paths are shown by their network
relative paths.
• To remove a resource, right-click the resource and then click Cut. When you remove a device from a resource
grouping, the security permissions for the device revert to what they were for either the logical name of the device, if the
device is associated with a logical name, or for the network relative path of the device. The changes take effect
immediately when you click OK.
• To move a resource from one area to another, in the Areas list, click the area containing the resource you want to
move. In the Associated resources list, right-click the resource, and then click Cut on the context menu. In the Areas
list, click the area you want to move the resource to, right-click the Associated resources list again, and then click
Paste.
Manage Resources Click Manage Resources to add or remove resources in the selected application or area, or to map resources to logical
names.
Select Resources Use Select Resources to associate resources with an application or area. The
hardware devices can be referenced either by logical name or by network relative
path. Use the following settings to specify how resources are added to the
grouping.
Setting Description
Select resources to be associated with an area • To view the logical names for only those devices that are not already associated with an application or
area, click Show only logical names not associated with areas. Ignore this setting if you are not
using logical names with networks and devices.
• To view all logical names, even if they are already associated with an application or area, click Show
all logical names. Ignore this setting if you are not using logical names with networks and devices.
• To add a logical name to the list of resources in the grouping, click the logical name and then click the
> button. You cannot add the same network or device (represented by a logical name) to multiple
resource groupings.
• To add a device using its network relative path, expand the Networks and Devices tree until the
device you want to add is visible. Click the device and then click the > button. You cannot add the
same network or device to multiple resource groupings.
Add New Logical Name Click this button to create a new logical name for a device so that you can add the logical name to an
application or area.
Delete Logical Name Use this button to delete logical names that are no longer in use in the system, but remain visible in this
dialog box. This can happen if you added a logical name, but later removed the device associated with
that logical name. The Delete Logical Name button is disabled if the selected logical name is in use.
Selected resources This list shows the resources that are associated with the application or area. To remove a resource from
the list, click the resource and then click the < button.
Secure resources
To secure the resources in your FactoryTalk system, you select the resource, and
then use Allow or Deny permissions to specify which users can perform what
actions on that resource from what computers. This helps ensure that only
authorized personnel can perform approved actions from appropriate locations.
Common actions include the ability to see the resource, to edit or delete it, and to
add additional items to the resource. Additional securable actions might appear,
depending on which FactoryTalk products you have installed.
Security for networks and devices follows some special rules for inheriting security
permissions, and includes the use of logical names, permission sets, and resource
groupings. For this reason, it is covered in its own section: Secure networks and
devices.
Permissions
Permissions determine which users can perform which actions on specific
resources in the system from which computers.
There are two kinds of permissions that you can set on resources: Allow, which
lets the user, computer, or group perform the action, and Deny, which refuses it.
You can also remove all permissions from an object by clearing both the Allow and
Deny check boxes. This allows the object to inherit permissions assigned at a
higher level. For example, if you remove all permissions from an area located in an
application, the area inherits permissions from the application.
Product policies do not inherit security settings. When specifying permissions for
product policies, clearing both the Allow and Deny check boxes does not allow
the policy setting to inherit security. Instead, clearing both check boxes denies
access to the product feature.
Networks and devices that are referenced by logical names, rather than by network
relative paths, inherit permissions differently than other resources.
The actions that users can perform on resources are grouped into categories. The
Common category is common to all FactoryTalk products. You can create your
own action groups, so that you can assign security permissions to all of the actions
in the group in one step rather than assigning permissions to each action
separately.
Effective permissions
If you want to find out what actions a user or group can perform on a resource,
you can view the permissions in effect (called effective permissions) for the
resource. The effective permissions are shown in the Effective Permissions tab of
the Security Settings for the resource.
Effective Permissions shows the permissions that are granted to the selected user,
computer, or group. When calculating effective permissions, the system takes into
account the permissions in effect from group membership, as well as any
permissions inherited from the parent object.
If a check mark appears for an action, it means that permission is allowed, whether
explicitly or by inheritance. If a check mark does not appear, it means that
Breaking the chain of inheritance
By default, resources inherit permissions automatically from their parent
resources. For example, if you assign security to an area in an application, all of the
items in the area inherit the security settings of the area, and the area inherits
security settings from the application. The top of the hierarchy is the network
directory or local directory.
Permissions can be inherited only as far up the network directory or local directory
tree as the chain of inheritance remains intact. For example, if you select the Do
not inherit permissions check box for an area, items that inherit permissions
inside the area can inherit permissions only as far as the area. They cannot inherit
permissions from the application in which the area is located. Because breaking the
chain of inheritance complicates administration, you should only do so when
absolutely necessary.
Order of precedence
When the system evaluates the level of access a user, computer, or group has, the
following rules apply:
• If conflicting explicit permissions are set at the same level, Deny takes
precedence over Allow. For example, if you explicitly deny the Operators
group access to a data server, but you explicitly allow an individual user
account (Jane) access to the data server, Deny takes precedence over Allow,
and Jane cannot access the data server if she is a member of the Operators
group. This happens because conflicting explicit permissions are set on the
same resource. To Allow Jane access to the data server, you must Deny the
Operators group access to the resource at a higher level in the hierarchy (for
example, the area in which the data server is located), and then explicitly
allow exceptions for the data server.
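The rules stated under Permissions, Breaking the chain of inheritance and Order of precedence combine in ways that are easy to get wrong when you are staring at check boxes, so the following is an added example that models them in code. It is not Rockwell code and not how the FactoryTalk Services Platform is implemented internally; the resource tree, group membership and account names (Operators, jane, bob, DataServer1) are constructed to replay the Jane example above. It implements exactly the documented behaviour: explicit entries at one level are evaluated together and Deny beats Allow; a resource with neither box set inherits from its parent until a resource with "Do not inherit permissions" stops the walk; a product policy never inherits, so nothing set means denied.

```python
"""Effective-permission evaluation following the documented precedence rules.
Added example, not Rockwell code; every name below is constructed."""
ALLOW, DENY = "Allow", "Deny"


class Resource:
    def __init__(self, name, parent=None, inherit=True):
        self.name, self.parent, self.inherit = name, parent, inherit
        self.entries = {}   # (principal, action) -> ALLOW or DENY, explicit only

    def set_entry(self, principal, action, decision):
        self.entries[(principal, action)] = decision

    def clear_entry(self, principal, action):
        # Clearing both Allow and Deny: this resource inherits for that principal again.
        self.entries.pop((principal, action), None)


def principals_of(user, groups):
    """The user plus every group the user belongs to; all count at each level."""
    return {user} | {g for g, members in groups.items() if user in members}


def explicit_decision(resource, principals, action):
    found = {resource.entries.get((p, action)) for p in principals} - {None}
    if DENY in found:
        return DENY          # conflicting explicit entries at one level: Deny wins
    if ALLOW in found:
        return ALLOW
    return None              # nothing explicit here: defer to the parent


def effective_permission(resource, user, groups, action):
    principals = principals_of(user, groups)
    node = resource
    while node is not None:
        decision = explicit_decision(node, principals, action)
        if decision is not None:
            return decision
        if not node.inherit:   # "Do not inherit permissions" breaks the chain
            break
        node = node.parent
    return DENY                # nothing allowed anywhere: not allowed


def product_policy_permission(entries, user, groups, action):
    """Product policies do not inherit: clearing both boxes denies the feature."""
    found = {entries.get((p, action)) for p in principals_of(user, groups)} - {None}
    return DENY if DENY in found or not found else ALLOW


def jane_scenario():
    """Replays the Operators / Jane example from the text."""
    groups = {"Operators": {"jane", "bob"}}
    directory = Resource("Network Directory")
    app = Resource("Plant", parent=directory)
    area = Resource("Line1", parent=app)
    server = Resource("DataServer1", parent=area)

    # Wrong: conflicting explicit entries on the same resource, Deny wins for Jane.
    server.set_entry("Operators", "Read", DENY)
    server.set_entry("jane", "Read", ALLOW)
    wrong = effective_permission(server, "jane", groups, "Read")

    # Right: deny the group one level up, keep the explicit exception on the server.
    server.clear_entry("Operators", "Read")
    area.set_entry("Operators", "Read", DENY)
    right = effective_permission(server, "jane", groups, "Read")
    bob = effective_permission(server, "bob", groups, "Read")   # inherits the area's Deny
    return wrong, right, bob


def broken_chain_demo():
    """An Allow on the directory stops reaching the server once the area breaks inheritance."""
    groups = {"Operators": {"bob"}}
    directory = Resource("Network Directory")
    directory.set_entry("Operators", "Read", ALLOW)
    area = Resource("Line1", parent=directory)
    server = Resource("DataServer1", parent=area)
    with_chain = effective_permission(server, "bob", groups, "Read")
    area.inherit = False
    without_chain = effective_permission(server, "bob", groups, "Read")
    return with_chain, without_chain


if __name__ == "__main__":
    print("Jane (wrong, right), Bob:", jane_scenario())
    print("chain intact, chain broken:", broken_chain_demo())
```

The model also makes the audit question concrete: when a user unexpectedly cannot perform an action, walk up from the resource and look for the first level at which any of the user's groups carries an explicit Deny, because that entry overrides every Allow at the same or lower level.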
Actions
When setting up security you specify which actions a user or group can perform
on a selected resource. In a FactoryTalk network directory, you can also specify
which computer or group of computers a user can perform the action from.
A group of common actions are installed by default with the FactoryTalk Services
Platform. However, different sets of actions apply to different resources in the
directory. Additional securable actions might appear, depending on which
FactoryTalk products you have installed. For details about using those actions, see
the documentation for your FactoryTalk products.
Read
Controls whether a user or group can see the resource in the Explorer window
from a computer or group of computers.
• Application: Prevents users from seeing the application or its contents. Denying Read does not prevent users from reading tag values from data servers in the application.
• Area: Prevents users from seeing the area or its contents. Denying Read does not prevent users from reading tag values from data servers in the area.
• System folder: Prevents users from seeing the System folder or its contents. Denying Read does not prevent users from reading tag values for devices in the Networks and Devices tree.
• Networks and Devices tree: Prevents users from seeing the Networks and Devices tree and its contents. Denying Read does not prevent users from reading tag values for a particular device.
• Individual network or device in the Networks and Devices tree: Prevents users from seeing the network or device and its contents. Denying Read does not prevent users from reading tag values for a particular device.
Write
Controls whether a user or group can write to the resource from a computer or
group of computers.
• System folder: Prevents users from modifying the properties of any item in the System folder. For example, denying Write prevents users from modifying policy settings, and the properties of user accounts, such as an account's description or group memberships. Denying Write also prevents deleting user and group accounts, if the accounts have group memberships associated with them. This is because the group memberships are updated automatically when an account is deleted, and updating group memberships is controlled by the Write action.
• Networks and Devices tree: Prevents users from defining or undefining logical names for networks or devices. Denying Write does not prevent users from writing tag values to devices.
• Individual network or device in the Networks and Devices tree: Prevents users from defining or undefining logical names for the network or device. Denying Write does not prevent users from writing tag values to devices.
Configure Security
Controls whether a user or group can change the security permissions for the
resource, while working from a computer or group of computers, by clicking
Security on the context menu.
Denying Configure Security has the same effect on all types of securable
resources. For example, if a user is denied Configure Security for an area, the user
cannot change the security settings of the area, such as allowing or denying users
permission to perform actions in the area, while working from the specified
computer or group of computers.
Similarly, denying Configure Security on the Users and Groups folder prevents
users from setting security permissions for the Users and Groups folder. Denying
Configure Security on the Users and Groups folder does not limit the access users
have to resources in the system.
Create Children
Controls whether a user or group can create a new, related resource beneath an
existing resource in the directory tree while working from a computer or group of
computers.
• Application: Prevents users from creating areas or data servers in the application.
• System folder: Prevents users from creating user, computer, or group accounts. Denying Create Children has no effect on policies.
• Networks and Devices tree: Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer.
• Individual network or device in the Networks and Devices tree: Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer.
List Children
Controls whether a user or group can list the children of the resource from a
computer or group of computers.
Denying List Children has the same effect on all types of securable resources. For
example, if List Children access is denied to an application, the user or group can
see the application, but not its contents while working from the specified
computer or group of computers.
Unlike the Read action, List Children does allow the user to see the resource that
contains other resources, for example, the application that contains areas or data
servers.
Execute
Instead of using the Execute action, each FactoryTalk product can use its own
actions to secure its executable features. For details about what, if anything, the
Execute action does in a particular FactoryTalk product, see the documentation
for that product.
Delete
Write Value
Controls whether a user or group can write to tags in data servers from a computer
or group of computers. This action can be configured on the network directory or
local directory, an application, or an area.
The Write Value action does not prevent users from writing values to tags in
specific hardware devices. Write Value prevents writing values to all of the tags
managed by a data server.
This category contains the action groups you have added. If you have not added
any action groups, this category does not appear.
Set FactoryTalk Directory permissions
Set permissions on your FactoryTalk Directory folder in order to control whether
a user or group can:
• See the directory or its contents (Read)
• Modify the properties of any item in the directory (Write)
• Add applications, areas, and data servers to the directory (Create Children)
• Change the security settings of the directory (Configure Security)
• View child folders within the directory (List Children)
• Write tags in data servers (Write Value)
• Perform other product-specific actions
• Perform actions defined in user action groups
Tip:
• Denying Write prevents users from modifying the properties of any item in the
directory. However, if Create Children is allowed, the user or group can add
items to the directory.
• The Write Value action does not prevent users from writing values to tags in
specific hardware devices.
Prerequisites
5. When you have finished configuring security for the FactoryTalk Directory,
click OK.
Set application permissions
Set permissions on your application in order to control whether a user-computer
pair can:
If you have associated a resource grouping with the application, the networks or
devices in the resource grouping inherit the security permissions of the
application.
Tip:
• Denying Read does not prevent users from reading tag values from data
servers in the application.
• Denying Write prevents users from modifying the properties of any item in the
application. However, if Create Children is allowed, users can add areas or
data servers to an application.
• The Write Value action does not prevent users from writing values to tags in
specific hardware devices.
Prerequisites
3. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make the application inherit its security settings from the FactoryTalk
Directory folder.
5. When you have finished configuring security for the application, click OK.
Set area permissions
Set permissions on an area in order to control whether a user-computer pair can:
For example, you could set Read and Write permissions to the Ingredients area
within an application to allow the operators of the Ingredients machinery to read
and write values to and from controllers in their own area, but only when using
computers located within sight of the equipment.
If you have associated a resource grouping with the area, the networks or devices in
the resource grouping inherit the security permissions of the area.
Tip:
• Denying Read does not prevent users from reading tag values from data
servers in the area.
• Denying Write prevents users from modifying the properties of any item in the
area. However, if Create Children is allowed, users can add areas or data
servers within the area.
• The Write Value action does not prevent users from writing values to tags in
specific hardware devices.
Prerequisites
1. In the Explorer window, expand the application, right-click on the area you
wish to secure, and click Security.
3. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make the area inherit its security settings from a resource higher in the
FactoryTalk Directory tree.
5. When you have finished configuring security for the area, click OK.
Set System folder permissions
Set permissions on your System folder in order to control whether a
user-computer pair can:
Tip:
• Denying Read does not prevent users from reading tag values for devices in the
Networks and Devices tree.
• Denying Write prevents users from modifying the properties of any item in the
System folder. Denying Write also prevents deleting user and group accounts,
if the accounts have group memberships associated with them.
• Denying Create Children has no effect on policies.
• If a user, computer, or group account has group memberships associated with
it, deleting the account also requires Write permission, because updating the
group memberships of accounts is controlled by the Write action.
• The Write Value action does not prevent users from writing values to tags in
specific hardware devices.
Prerequisites
1. In the Explorer window, right-click the System folder or the subfolder you
would like to secure, and then click Security.
3. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make the System folder inherit its security settings from the FactoryTalk
Directory folder.
5. When you have finished configuring security for the System folder, click
OK.
Set action group permissions
Set permissions on your action group in order to control whether a user-computer
pair can:
Prerequisites
Obtain the following security permissions for the action group you want to secure:
1. In the Explorer window, expand the network directory tree, the System
folder, and the Action Groups folder, right-click on the action group you
want to secure, and then click Security.
3. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make Action Groups or the individual action group inherit its security
settings from a resource higher in the directory tree.
5. When you have finished configuring security for the action group, click
OK.
Set database permissions
Set permissions on a database to specify which user-computer pairs can:
Prerequisites
Obtain the following security permissions for the database you want to secure:
1. In the Explorer window, expand System > Connections > Databases, right-click
on the database you want to secure, and then click Security.
2. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make the folder inherit its security settings from a resource higher in the
directory tree.
4. When you have finished configuring security for the database, click OK.
Set logical name permissions
Set permissions on your logical name in order to control whether a user-computer
pair can:
Prerequisites
1. In the Explorer window, expand the System > Logical Names, right-click
on the logical name you want to secure, and then click Security.
3. Click Allow or Deny, or clear both boxes. Clear both Allow and Deny to
make Action Groups or the individual action group inherit its security
settings from a resource higher in the directory tree.
5. When you have finished configuring security for the logical name, click OK.
Allow a resource to inherit permissions
Permissions determine which users can perform which actions on specific
resources in the system from which computers. Allow and Deny are the two kinds
of permissions you can set on resources.
Allow a resource to inherit permissions when you would like the selected resource
to have the same permissions as its parent resource. For example, if you assign
security to an area in an application, all of the items in the area inherit the security
settings of the area, and by default the area inherits security settings from the
application. The top of the hierarchy is the network directory or local directory.
3. To remove explicit permissions, clear the black check mark in the Allow or
Deny check box. Inherited permissions appear as gray check marks. You
cannot remove inherited permissions, but you can override them with
explicit permissions.
4. Click OK.
Tip: Security settings that you configure for resources apply to all FactoryTalk products
in your system in the current FactoryTalk directory. For example, if you deny a user
and computer Read access to an area, that user and computer will not be able to
see the area in any of the FactoryTalk products in your system.
Prevent a resource from inheriting permissions
When you break the chain of inheritance, the resource no longer inherits
permissions from its parent resources. For example, you can stop an area from
inheriting permissions from the application in which it is located by selecting the
Do not inherit permissions check box when setting up security for the area.
Tip: Security settings that you configure for resources apply to all FactoryTalk products
in your system in the current FactoryTalk directory. For example, if you deny a user
and computer Read access to an area, that user and computer will not be able to
see the area in any of the FactoryTalk products in your system.
View effective permissions
To determine what permissions are currently in effect for a resource, use the
Effective Permissions tab in Security Settings. In this tab, you can view the
permissions in effect for:
For example, in Security Settings for an area, the Effective Permissions tab can
show whether the selected users and computers can read the contents of the area.
To view the permissions in effect for a computer or group of computers, you must
be using a FactoryTalk network directory, because a FactoryTalk local directory is
restricted to a single computer.
Prerequisites
Obtain the following security permissions for the resource (for example, an
application) or the container (for example, an area) the resource is located in:
4. To test the permissions for a user or user group, under User or group, click
Browse (...) and browse for the user or user group whose permissions you
would like to see.
The Effective permissions list does not show separate columns for Allow
and Deny permissions, and does not distinguish between explicit and
inherited permissions. Instead, the presence or absence of a check mark in
the Allowed column indicates the permissions in effect on the resource for
the selected user and computer, or group:
are allowed. Expand the category to see which actions are allowed or
denied.
Effective permission icons
In Security Settings, check boxes indicate which permissions are in effect for an
action.
• Blank check box: No permissions are assigned. If both the Allow and Deny check boxes are cleared beside an action, Deny is implied for the action. However, a blank check box shown beside the name of a group of actions, for example, All Actions or Common, means that some of the actions within that group do not have permissions assigned. If collapsed, you must expand the group to see which actions do not have permissions assigned.
• Black check mark: Allow or Deny permissions have been assigned explicitly.
• Gray check mark: Allow or Deny permissions have been inherited.
The following examples show how the Allow and Deny columns indicate what
permissions have been set for the resource.
Inherited permissions
The gray check marks show that Allow permissions are inherited for all actions.
Explicit permissions
If you click Allow beside All Actions, the check boxes have black check marks.
This means that you have overridden the inherited values and explicitly granted
Allow on All Actions. If the inherited permissions change later, the change will
not affect this security setting.
In this example, the resource does not inherit permissions from its parent (in this
illustration, we are configuring security for the FactoryTalk network directory,
which has no parent). If you have set all actions to Allow, and then you click Deny
beside Read, the following happens:
• The All Actions and Common check boxes are cleared. Because they
represent groups of actions, the blank check boxes beside All Actions and
Common mean that not all of the actions within those groups have check
marks in the Allow column. You must expand the group to see which
actions do not have Allow permissions.
• For the Read action, the Allow check box is cleared.
In this example, the resource inherits permissions from its parent (for example, an
area might inherit permissions from an application). If you have set all actions to
Allow, and then you click Deny beside Read, the following happens:
• The All Actions and Common check boxes are cleared, but because they
previously inherited permissions, they now contain gray check marks. You
must expand the group to see which actions do not have Allow permissions.
• For the Read action, the Allow check box is cleared, but because it
previously inherited permissions, the Read check box now contains a gray
check mark. Because explicit permissions take precedence over inherited
permissions, these check boxes indicate that Read access is denied.
Select the Do not inherit permissions check box to remove all inheritance from
the resource. You can then set permissions for the resource as shown in the
example above.
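The precedence rules described under Order of precedence and the check box states described under Effective permission icons can be modelled in a few lines; the following is an added Python example, not part of this manual or of FactoryTalk itself. The resource names (Bakery, Mixing, MixingData), the Operators group and the Jane and Bob accounts are constructed, and the model evaluates user and group principals only, leaving out the computer half of a user-computer pair.

```python
"""Model of how FactoryTalk Security evaluates Allow/Deny (constructed example,
not Rockwell code).  Resources form a tree (directory > application > area >
data server); each holds explicit entries keyed by (principal, action) and an
'inherit' flag that mirrors the 'Do not inherit permissions' check box."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
ALLOW, DENY = "Allow", "Deny"


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    inherit: bool = True       # False == 'Do not inherit permissions' selected
    explicit: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set_explicit(self, principal: str, action: str, value: str) -> None:
        """Black check mark: an explicit Allow or Deny set on this resource."""
        self.explicit[(principal, action)] = value

    def chain(self) -> List["Resource"]:
        """This resource followed by the ancestors it still inherits from."""
        levels, node = [self], self
        while node.inherit and node.parent is not None:
            node = node.parent
            levels.append(node)
        return levels


def principals_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user account plus every group it is a member of."""
    return {user} | {g for g, members in groups.items() if user in members}


def evaluate(resource: Resource, user: str, action: str,
             groups: Dict[str, Set[str]]) -> Tuple[str, str]:
    """(decision, source): the nearest level with an entry for the user or one of
    its groups decides; within a level Deny beats Allow; no entry means Deny."""
    who = principals_for(user, groups)
    for depth, level in enumerate(resource.chain()):
        values = [v for (p, a), v in level.explicit.items() if p in who and a == action]
        if values:
            decision = DENY if DENY in values else ALLOW
            return decision, "explicit" if depth == 0 else f"inherited from {level.name}"
    return DENY, "implied"


def check_boxes(resource: Resource, principal: str, action: str) -> Dict[str, str]:
    """Allow/Deny columns: 'black' = explicit here, 'gray' = inherited, 'blank' = unset."""
    boxes = {ALLOW: "blank", DENY: "blank"}
    for depth, level in enumerate(resource.chain()):
        value = level.explicit.get((principal, action))
        if value is not None and boxes[value] == "blank":
            boxes[value] = "black" if depth == 0 else "gray"
    return boxes


def build_example():
    """Constructed tree: Directory > Bakery (application) > Mixing (area) > MixingData."""
    bakery = Resource("Bakery", Resource("FactoryTalk Directory"))
    mixing = Resource("Mixing", bakery)
    data = Resource("MixingData", mixing)
    groups = {"Operators": {"Jane", "Bob"}}       # Jane is a member of Operators
    return bakery, mixing, data, groups


def jane_same_level() -> Tuple[str, str]:
    """Deny Operators and Allow Jane on the same data server: Deny wins."""
    _, _, data, groups = build_example()
    data.set_explicit("Operators", "Read", DENY)
    data.set_explicit("Jane", "Read", ALLOW)
    return evaluate(data, "Jane", "Read", groups)


def jane_higher_level():
    """Deny Operators on the area, Allow Jane on the data server: the nearer
    explicit Allow wins for Jane, while Bob still inherits the Deny."""
    _, mixing, data, groups = build_example()
    mixing.set_explicit("Operators", "Read", DENY)
    data.set_explicit("Jane", "Read", ALLOW)
    return evaluate(data, "Jane", "Read", groups), evaluate(data, "Bob", "Read", groups)


def deny_read_on_inheriting_area():
    """Area inherits Allow Read from the application, then Deny Read is set on
    the area: Allow renders gray, Deny renders black, and Deny is in effect."""
    bakery, mixing, _, groups = build_example()
    bakery.set_explicit("Operators", "Read", ALLOW)
    mixing.set_explicit("Operators", "Read", DENY)
    return check_boxes(mixing, "Operators", "Read"), evaluate(mixing, "Jane", "Read", groups)


def break_inheritance():
    """'Do not inherit permissions' on the area: the application's Allow no
    longer reaches it, so both boxes are blank and Deny is implied."""
    bakery, mixing, _, groups = build_example()
    bakery.set_explicit("Operators", "Read", ALLOW)
    mixing.inherit = False
    return check_boxes(mixing, "Operators", "Read"), evaluate(mixing, "Jane", "Read", groups)
```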
Disaster Recovery
Back up a FactoryTalk system
For safekeeping and disaster recovery, or to move a FactoryTalk system from one
set of computers to another, backup and restore an archive containing one of the
following:
• An entire FactoryTalk Directory with all of its applications and its System
folder.
• Only an individual application, with or without the System folder. An
application archive file typically contains areas (in a network directory),
resource grouping information, and references to data servers, device servers,
alarm servers, and HMI servers.
• Only a System folder. The System folder includes a list of user, computer,
and group accounts, passwords, system policy settings, product policy
settings, system security settings, action groups, and alarm and event
database definitions.
The backup process creates an archive file that contains only objects and references
to objects held within the FactoryTalk Directory. The archive file does not
contain project files that are specific to individual products.
Important: Take care to choose the correct backup options when creating a backup
archive. Restoring from the wrong type of backup archive can overwrite
existing data that affects all applications.
Back up a FactoryTalk Directory
Back up a FactoryTalk Directory to move a development FactoryTalk system to a
When you back up an entire FactoryTalk Directory, the archive file includes:
• All objects, references to objects held within the FactoryTalk Directory, and
the security authority identifier. The archive file does not contain project
files that are specific to individual products.
• All applications associated with that directory. Typically an application
contains areas (in a network directory), resource grouping information, and
references to data servers, device servers, alarm servers, and HMI servers.
• The System folder, which includes a list of user, computer, and group
accounts, passwords, system policy settings, product policy settings, system
security settings, action groups, and alarm and event database definitions.
Tip: To back up a FactoryTalk Directory without its security authority identifier, or to
back up only the security authority identifier, click Tools > Security Authority
Identifier. In Modify Security Authority Identifier, click Backup and follow
the on-screen instructions.
Prerequisites
3. Use the default name or type another name for the backup file.
Tip: It is recommended that you do not change the default archive name. The default
name contains the leading digits of the security authority identifier which allows
you to easily identify the archive file associated with a specific directory.
5. To encrypt your archive file, select the Encrypt file contents check box,
and then enter the same passphrase in the Passphrase and Confirm
passphrase fields. If you clear this check box, your backup archive file will
not be encrypted or protected.
Encrypt file contents will not be available if your operating system does not
support the proper level of encryption.
Important: Remember the passphrase if you choose to encrypt your file contents. The
archive file cannot be restored without the correct passphrase.
7. After backing up a directory, back up and restore project files and databases
separately from individual software products that are participating in the
FactoryTalk system.
Back up a System folder
Back up a System folder to create a backup archive that contains:
Prerequisites
2. Use the default name or type another name for the backup file.
• To encrypt your archive, select Encrypt file contents and then enter
the same passphrase in the Passphrase and Confirm passphrase fields.
• To create an archive without encryption, clear Encrypt file contents.
This creates a plain text file with no password protection.
Encrypt file contents will not be available if your operating system
does not support the proper level of encryption.
Important: Remember the passphrase if you choose to encrypt your file contents. The
archive file cannot be restored without the correct passphrase.
Back up an application
Back up an application and create an archive file so that later you can:
Prerequisites
1. In Explorer, right-click the application you want to back up, and click
Backup.
2. Use the default name or type another name for the backup file.
4. To back up the application without including the System folder, clear the
Backup System in archive check box. To include the System folder in the
backup, select the Backup System in archive check box.
Tip: You can still choose to restore only the application from the backup archive file
later even if you include the System folder in the backup.
5. To encrypt your archive file, select the Encrypt file contents check box,
and then enter the same passphrase in the Passphrase and Confirm
passphrase fields. If you clear this check box, your backup archive file will
not be encrypted or protected.
The Encrypt file contents check box will not be available if your operating
system does not support the proper level of encryption.
Important: Remember the passphrase if you choose to encrypt your file contents. The
archive file cannot be restored without the correct passphrase.
Back up a Security Authority identifier
Each FactoryTalk Directory has a unique Security Authority identifier generated
during installation. Back up a Security Authority identifier to save the identifier in
case of disaster.
Secure controller projects and controllers running secure projects can only be
accessed when the FactoryTalk Directory Security Authority identifier matches
the identifier saved in the project. This prevents unauthorized access to a
controller or controller project if moved or copied to a different FactoryTalk
Directory.
Prerequisites
• Obtain the following permissions from System > System Policies > User
Rights Assignment:
• Specify archive name: Type the name for the backup archive.
• Specify archive location: Type or browse to a path for the backup
archive.
• Encrypt file contents: Select to protect the backup archive with a
passphrase, then enter the passphrase into the passphrase fields. Clear to
save the backup archive as plain text.
4. Click OK.
Passphrase: Type a passphrase for the archive file you want to encrypt.
The passphrase must meet the following requirements:
• Characters: any alphanumeric or other characters
• Minimum length: 0
• Maximum length: 64
Confirm passphrase: Type the same passphrase you typed in the Passphrase field.
Important: Remember the passphrase if you choose to encrypt your file contents. The
archive file cannot be restored without the correct passphrase.
Backup and restore options
Use backup and restore options to select which data in the FactoryTalk Directory
should be backed up or restored.
Important: Restoring from the wrong type of backup archive can overwrite existing
data that affects all applications.
Restore a FactoryTalk system
After backing up an entire FactoryTalk Directory, individual application, System
folder, or security authority identifier in an archive file, restore these resources to:
• Recover from a data loss
• Move a development FactoryTalk system to a run-time system
• Copy FactoryTalk Directory components to another computer
Restore a FactoryTalk Directory
To move an entire FactoryTalk system from one computer to another, restore a
FactoryTalk Directory backup archive. As a safeguard, create a backup archive of
the directory first, before performing a restore operation.
Prerequisites
3. Log on to the directory you want to restore into, and create a backup
archive of the existing directory.
3. In Restore, click Browse, select the backup file (*.bak) you want to restore,
and click Open.
4. Click Next.
5. If the backup file is encrypted, Restore Backup File opens. Type the
passphrase that was used during the backup operation.
An error message opens if the passphrase you entered is not correct. Enter
the passphrase again. If the wrong passphrase is entered three times, Restore
Backup File closes. Select the archive file and try again.
After you enter the correct passphrase, Restore shows the type of archive
you are restoring and what applications are contained in the archive. You
cannot select individual applications. The entire FactoryTalk Directory will
be restored, including all applications, all user and computer accounts and
groups, passwords, policy settings, security settings, and the security
authority identifier.
8. If you are hosting servers on different computers than those that were
configured in the restored directory, the following additional steps are
required:
Restore a System folder
To overwrite the contents of the existing System folder with the contents in the
backup archive, you can restore an archive that contains only a System folder. A
System folder archive includes the following:
Prerequisites
4. Log on to the directory you want to restore into, and create a backup
archive of the existing directory.
2. Click Browse, and then select the backup archive file you want to restore.
(The default name is System.bak.) Click OK to close the browse window,
and then click Next.
3. If the backup file is encrypted, Restore Backup File opens. Type the
passphrase that was used during the backup operation.
An error message opens if the passphrase you entered is not correct. Enter
the passphrase again. If the wrong passphrase is entered three times, Restore
Backup File closes. Select the archive file and try again.
4. After entering the correct passphrase, click Finish to restore the System
folder.
5. After restoring the System folder, back up and restore project files and
databases from your individual software products.
Restore an application
• Any references will be broken from the application to objects that do not
exist in the installed System tree, for example, network or device addresses.
• Security does not work for user accounts, user groups, and computers that
do not exist in the installed System folder.
Tip: Do not restore an archive file, created under FactoryTalk Services Platform 2.10
(CPR 9) or later, into a FactoryTalk Directory that is currently running FactoryTalk
Automation Platform 2.00 (CPR 7). This restore scenario is not supported and may
have unexpected results.
Prerequisites
4. Log on to the directory you want to restore into, and create a backup
archive of the existing directory.
To restore an application
2. In Restore, click Browse, and then select the backup archive file
(ApplicationName.bak) that you want to restore. Click OK, then click
Next.
3. If the backup file is encrypted, Restore Backup File opens. Type the
passphrase that was used during the backup operation.
An error message opens if the passphrase you entered is not correct. Enter
the passphrase again. If the wrong passphrase is entered three times, Restore
Backup File closes. Select the archive file and try again.
4. Restore shows information about the application you are restoring. Choose
one of the following restore options:
5. To restore the application with its original name, click Finish. To restore an
application with a different name, select the Restore into a new
application named check box, type the name, and then click Finish.
If you type an optional name, the system leaves the original application
intact and restores the backup as a new application, in effect copying the
application.
7. If you restored an application with its System folder, verify that the security
settings managed through the System folder are correct, and make edits as
needed.
Restore a Security Authority identifier
Each FactoryTalk Directory has a unique Security Authority identifier generated
during installation. Restore a Security Authority identifier to replace the current
identifier with an identifier from a backup file.
Secure controller projects and controllers running secure projects can only be
accessed when the FactoryTalk Directory Security Authority identifier matches
the identifier saved in the project. This prevents unauthorized access to a
controller or controller project if moved or copied to a different FactoryTalk
Directory.
Prerequisites
1. Obtain the following permissions from System > System Policies > User
Rights Assignment:
3. Use Logix Designer to remove security from any controllers and controller
projects in the FactoryTalk Directory.
3. In Restore, click Browse (...) to specify the archive to restore, then click
Next.
4. (optional) If the backup file was encrypted, in Restore Backup File, type
the passphrase to unlock the backup file, then click OK.
Verify security settings after restoring a FactoryTalk system
After you restore a FactoryTalk Directory backup archive, check to see that the
FactoryTalk Directory security settings on the new FactoryTalk system meet your
requirements, and make adjustments as needed.
Update computer accounts in the network directory
After you restore any backup archive that includes a System folder, you may need
to update computer accounts to allow them access to the network directory.
If the system policy Require computer accounts for all client machines is
enabled, then only client computers that have been added to the list of computers
in the network directory can access that directory. When a backup archive is
restored, the directory automatically adds the computer on which the network
directory server resides, and the client computer from which the restore operation
was performed, to the System folder in the network directory.
2. Rename existing computer accounts from the old domain to easily map
them to computers on the new domain. This retains any security settings
that were applied to the computer accounts in the old domain.
3. Delete computer accounts that no longer exist in the new domain, and that
do not map to computers in the new domain.
Tip: If you delete a computer account and then recreate it, its security settings are lost.
To map computers from one domain to another, rename the computer accounts
rather than deleting and recreating them.
Recreate a Windows-linked user account
You cannot move individual Windows-linked user accounts from one domain to
another. You can move only Windows-linked user group accounts to a new
domain. This allows you to retain all of the security permissions for the group.
If you are using individual Windows-linked user accounts, you will need to
recreate these accounts when restoring your FactoryTalk Directory to a new
FactoryTalk system.
Prerequisites
1. In the Explorer window, expand System > Policies > System Policies, and
double-click Security Policy.
5. Recreate all the security permissions for the new account. Choose one of the
following:
• Add the user account to a group that already has security settings
defined for it
• Create permissions for a user account when securing a resource
See also
Update Windows-linked user groups
When the System folder is restored to a new Windows domain, Windows-linked
user groups that existed in the original domain may no longer exist in the new
domain.
You may need to change the original Windows-linked groups to groups that exist
in the new domain. Security settings that refer to the Windows-linked groups in
the new domain are then updated automatically. This allows you to move your
applications to a different domain without having to change or recreate each user
account separately.
See also
Update security settings for networks and devices
After you restore an entire FactoryTalk Directory you may need to update
security settings for networks and devices in order to secure them in the new
domain.
The Networks and Devices tree shows information about the networks and
devices that are connected to the local computer. The contents of the Networks
and Devices tree are not included in the backup archive, but any security settings
that are defined for networks and devices are included in the backup archive.
2. To check the security settings for a network or device, right-click on its icon,
then click Security. Use Security Settings to view permissions by user or by
action, and to see if permissions are inherited from higher levels in the
FactoryTalk directory tree.
See also
Restore alarm log database
If your FactoryTalk system includes Microsoft SQL Server databases for logging
historical data, including FactoryTalk Alarms and Events logs, restore any data
from the development FactoryTalk system that you want to deploy to the new
system. Next, re-establish a connection between a database definition, held in the
directory, and its associated Microsoft SQL Server database.
2. From the Explorer window, open System > Connections > Databases.
3. Double-click the database definition to open its properties, update the SQL
Server host computer name if it has changed, and then click OK.
The system checks for database tables and creates them, if they do not exist.
See also
Restore an earlier system after upgrading FactoryTalk platform software
Before restoring to an earlier system, keep the following in mind:
• Following the instructions in this topic overwrites all data in the
FactoryTalk Directory and returns it to the state it was in before it was
upgraded. For example, any applications, security settings, or system policies
will be lost. If you want to keep any of this data, back up the network
directory and local directory now.
• When reverting from FactoryTalk Services Platform 2.10 (CPR 9) or later
to an earlier version of the platform, you must restore backup archives for
both the network directory and the local directory, even if you plan to use
only one of the directories.
• If you upgraded to FactoryTalk Services Platform version 2.10 (CPR 9) or
later, backups of the earlier version of the local directory and network
directory were automatically created. You can use those backups to revert to
an earlier version.
• Do not restore an archive file created with FactoryTalk Services Platform
2.10 (CPR 9) or later into a FactoryTalk Directory that is running
FactoryTalk Services Platform 2.00 (CPR 7). This is not supported and may
have unexpected results.
• As part of re-installing an earlier version of FactoryTalk Services Platform
or FactoryTalk Automation Platform, you will need to enter the
FactoryTalk administrator user name and passwords that were saved in the
backup archive of the FactoryTalk Directory.
1. Uninstall all FactoryTalk software products that are incompatible with the
version of the FactoryTalk platform you plan to use.
b. Click Start > Settings > Control Panel > Uninstall a program or
Programs and Features.
4. Install the version of the FactoryTalk platform software you plan to use. If
the version is 2.10 (CPR 9) or later, skip to the next step after installation. If
the version is 2.00 (CPR 7), do the following:
5. Install earlier versions of all software products that are compatible with the
version of the FactoryTalk platform software you plan to use. To verify the
version of the FactoryTalk platform software that a product requires, see the
product's installation documentation.
7. Click File > Log Off to log off the local directory, and then log on to the
network directory. Right-click the Network icon and then restore a
network backup archive created with the earlier version of the FactoryTalk
platform software.
See also
Generate a Security Authority identifier
Each FactoryTalk Directory has a unique Security Authority identifier generated
during installation. Generate a Security Authority identifier to change the
Security Authority identifier assigned to the FactoryTalk Directory.
Secure controller projects and controllers running secure projects can only be
accessed when the FactoryTalk Directory Security Authority identifier matches
the identifier saved in the project. This prevents unauthorized access to a
controller or controller project if moved or copied to a different FactoryTalk
Directory.
Prerequisites
1. Obtain the following permissions from System > System Policies> User
Rights Assignment:
3. Use Logix Designer to remove security from any controllers and controller
projects in the FactoryTalk Directory.
4. (optional) Click Backup to back up the current directory with the new
identifier.
5. Click Close.
See also
Use Restore to specify the name of the backup file you wish to use to restore all or
part of a FactoryTalk Directory.
• A full FactoryTalk Directory backup archive. This will be named with its
security authority identifier (for example, Network -
72CE2C2E-5175-4C26-98AE-3ABE5AC7F8EC.bak or Local -
C565C77A-4664-4E6C-9779-1EC729B3A8A0.bak). It contains all
applications, and all user and computer accounts and groups, passwords,
policy settings, and security settings.
• A System folder archive. A system folder archive contains a backup of a
System folder, including user and computer accounts and
groups, passwords, policy settings, and security settings. It is named
System.bak by default.
• An application archive. This archive contains a backup of the application,
and may contain a backup of the System folder. By default, an application
archive file has the same name as the application.
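The three archive types above can be told apart from their file names alone, so a pre-restore inventory of a backup folder is easy to script. The following is an added example, not code from the Rockwell guide: it applies only the naming rules stated above (`Network - <GUID>.bak` / `Local - <GUID>.bak`, `System.bak`, `<ApplicationName>.bak`) and the caveats this section gives about overwriting the System folder and about a changed security authority identifier. Whether an application archive also carries a System folder is not visible in the name, so that is reported as something to check in the wizard. The file names and the "current" identifier passed in are constructed sample data (the GUID values are the ones printed in this section).

```python
"""Classify FactoryTalk Directory backup archives from their file names and
list the pre-restore cautions this guide attaches to each type.
Added example (not Rockwell code); relies only on the naming rules in the guide."""
import re
import uuid
from dataclasses import dataclass
from typing import List, Optional

# 'Network - <GUID>.bak' or 'Local - <GUID>.bak' marks a full-directory archive.
FULL_DIRECTORY_RE = re.compile(
    r"^(?P<scope>Network|Local) - (?P<said>[0-9A-Fa-f-]{36})\.bak$"
)


@dataclass
class Archive:
    filename: str
    kind: str                              # "directory", "system" or "application"
    scope: Optional[str] = None            # "Network" / "Local" for directory archives
    security_authority: Optional[str] = None


def classify_archive(filename: str) -> Archive:
    """Map a .bak file name to the archive type described in the guide."""
    if not filename.lower().endswith(".bak"):
        raise ValueError(f"not a FactoryTalk backup archive: {filename}")
    m = FULL_DIRECTORY_RE.match(filename)
    if m:
        # uuid.UUID() rejects anything that is merely GUID-shaped; normalise case.
        said = str(uuid.UUID(m.group("said"))).upper()
        return Archive(filename, "directory", m.group("scope"), said)
    if filename == "System.bak":
        return Archive(filename, "system")
    return Archive(filename, "application")


def restore_warnings(archive: Archive, current_said: str) -> List[str]:
    """Cautions to read before clicking Finish, per the restore notes in the guide.
    current_said is the identifier of the directory being restored into (assumed
    to be known to the caller; it is not readable from the archive)."""
    warnings = []
    if archive.kind in ("directory", "system"):
        warnings.append("restoring the System folder overwrites all accounts, "
                        "groups, passwords, policies and security settings")
    if archive.kind == "directory" and archive.security_authority != current_said.upper():
        warnings.append("security authority identifier differs from the current "
                        "directory: back up the directory and remove the old bindings "
                        "from all secured controllers and projects first")
    if archive.kind == "application":
        warnings.append("may or may not contain a System folder: check the "
                        "Restore System option in the wizard")
    return warnings


if __name__ == "__main__":
    # Constructed sample backup folder listing.
    for name in ["Network - 72CE2C2E-5175-4C26-98AE-3ABE5AC7F8EC.bak",
                 "Local - C565C77A-4664-4E6C-9779-1EC729B3A8A0.bak",
                 "System.bak", "Line1.bak"]:
        a = classify_archive(name)
        print(a, restore_warnings(a, "00000000-0000-0000-0000-000000000000"))
```

Run it against a real backup folder with `os.listdir()` in place of the constructed list; the identifier of the target directory comes from the Security Authority identifier page in the Administration Console, not from the archive.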
Before restoring an archive file, shut down all FactoryTalk software products,
components, and services, except FactoryTalk Administration Console and
FactoryTalk Help, then create a backup archive of the directory you are restoring
into before continuing with the restore process.
An archive file created under FactoryTalk Automation Platform 2.00 (CPR 7) can
be restored into a FactoryTalk Directory that has been upgraded to FactoryTalk
Services Platform 2.10 (CPR 9) or later. The restore operation automatically
updates the data in the System folder to be compatible with FactoryTalk Services
Platform 2.10 or later, while leaving the original data unchanged.
Important: Do not restore an archive file created under FactoryTalk Services Platform
2.10 (CPR 9) or later into a FactoryTalk Directory that is running
FactoryTalk Automation Platform 2.00 (CPR 7). This restore scenario is not
supported and may have unexpected results.
See also
Important: Do not restore an archive file created under FactoryTalk Services Platform
2.10 (CPR 9) or later into a FactoryTalk Directory that is running
FactoryTalk Automation Platform 2.00 (CPR 7). This restore scenario is not
supported and may have unexpected results.
Archive name: The name of the backup archive file to be restored.
Archive type: Identifies the type of information held within the backup archive file.
    FactoryTalk Directory - Identifies an archive file that contains the contents of an entire directory, including all
    applications and the System folder.
    Important: Restoring the System folder overwrites all user and computer accounts and groups, passwords, policy
    settings, and security settings for all applications in the FactoryTalk Directory.
Application(s): Lists the names of the applications held in the backup archive file. You cannot select individual applications. When you
    restore an entire directory, all of the applications included in that directory are also restored.
Restore: Only appears when an application is open in the FactoryTalk Directory, which prevents a full restore. If hidden, the entire
    FactoryTalk Directory will be restored.
    Select which portions of the FactoryTalk Directory to restore:
    • Restore directory contents only
      Restores applications, users, computers, groups, passwords, policies, and security settings. The security authority
      identifier is not restored.
    • Restore security authority identifier only
      Only restores the security authority identifier. Applications, users, computers, groups, passwords, policies, and
      security settings are not restored.
      Back up your directory and remove the old bindings from all controllers and controller projects before continuing.
      Back up the directory with the new identifier after the restore process is complete.
Tip: After restoring from a backup archive, manually back up and restore project files
and databases from other software products participating in the FactoryTalk
system, and check security settings and computer accounts.
See also
After selecting a system-only archive file, Restore displays the archive name and
the archive type.
Restoring a System folder moves the following system-wide settings from one
FactoryTalk Directory to another:
Review the following settings before clicking Finish to restore a System folder.
Archive name: The name of the backup archive file to be restored.
Archive type: Identifies the type of information held within the backup archive file.
    System Only - Restoring the System folder overwrites all user and computer accounts and groups, passwords, policy settings, and
    security settings for all applications in the FactoryTalk Directory.
Application(s): (none) - Confirms that no applications are included in the backup archive to be restored.
See also
If the System folder was backed up with the application, you can choose whether
to restore it along with the application.
Important: Do not restore an archive file created under FactoryTalk Services Platform
2.10 (CPR 9) or later into a FactoryTalk Directory that is running
FactoryTalk Automation Platform 2.00 (CPR 7). This restore scenario is not
supported and may have unexpected results.
Archive name: The name of the backup archive file to be restored. By default, the archive name is
    ApplicationName.bak.
Archive type: Identifies the type of information held within the backup archive file.
    • Application and System - Identifies an archive file that contains both an application and a
      System folder.
    • Application - Identifies an archive file that contains only an application.
Application(s): The name of the application or applications held in the backup archive file.
Restore System: If the backup archive file includes a System folder, this option is available.
    • To restore the application and the System folder, select Restore System. Restoring the System
      folder overwrites all user and computer accounts and groups, passwords, policy settings, and
      security settings for all applications in the FactoryTalk Directory.
    • To restore the application without restoring the System folder, clear Restore System.
    Important: Restoring the System folder overwrites all user and computer accounts and groups, passwords, policy
    settings, and security settings for all applications in the FactoryTalk Directory.
    If you restore an application without its associated System folder to a different directory or to a
    different computer, security permissions for FactoryTalk users and groups need to be manually
    recreated in the restored application.
Restore into a new application named: Choose whether to overwrite an existing application or create a new application.
    • To restore the contents of the backup archive file into an application with a new name, select
      Restore into a New Application Named, then type a unique name. When you click Finish, the
      system leaves the original application intact and restores the backup archive as a new application
      in the directory. If the directory already contains an application with the archived application's
      original name, this effectively copies the archived application into the directory under the new name.
    • To restore an existing application with its original name, clear Restore into a New Application
      Named. When you click Finish, the system confirms that you want to overwrite the existing
      application of the same name. Click Yes to restore the application.
See also
Restore Backup File
Use Restore Backup File to enter the passphrase which was used during the
archive file backup operation. The archive file cannot be restored without the
correct passphrase.
An error message opens if the passphrase you entered is not correct. Enter the
passphrase again. If the wrong passphrase is entered three times, Restore Backup
File closes. Select the archive file and try again.
See also
Reconfigure a FactoryTalk Directory
The FactoryTalk Directory allows products to share a common address book,
which finds and provides access to plant floor resources, such as data tags and
graphic displays.
If your administrator account was disabled, have another user enable your account
for you in FactoryTalk Administration Console. You cannot disable the last
FactoryTalk administrator account in a directory. If no other user is available, or
you do not know the password to another administrator account (for example,
because that user left the organization), contact Rockwell Automation Technical
Support.
See also
Select a FactoryTalk Directory to configure
The first step in configuring a FactoryTalk Directory is to select which
FactoryTalk directory you wish to configure from the first page in the
FactoryTalk Directory Configuration Wizard.
1. From the Start menu, choose All Programs > Rockwell Software >
FactoryTalk Tools > FactoryTalk Directory Configuration Wizard.
3. Click Next.
See also
Configure or reconfigure a network directory
To configure a new FactoryTalk network directory or to upgrade an existing
FactoryTalk network directory, you must log on. This allows the wizard to access
the directory and configure it. To configure the FactoryTalk network directory,
run the FactoryTalk Directory Configuration Wizard at the computer that is the
FactoryTalk network directory server. You cannot configure the FactoryTalk
network directory from a remote computer, for example over Remote Desktop
Services.
Depending on what accounts are available in the network directory, you might be
prompted to log on using:
You can also log on using an existing FactoryTalk administrator account to enable
the account if it has become locked, or if the password to the account has expired.
Important: Keep your administrator user name and password in a safe place. To
enable the administrator account, you must have both the original user
name and password to the account. If either is lost, the account cannot be
enabled.
If your administrator account was disabled, you cannot use the FactoryTalk
Directory Configuration Wizard to enable the account. Instead, have another user
enable your account for you in FactoryTalk Administration Console. The last
FactoryTalk administrator account in a directory cannot be disabled.
See also
What reconfiguring a network directory does
Reconfiguring the FactoryTalk network directory does different things,
depending on the state of the directory when you run the wizard. The wizard can
do any of the following:
See also
Configure or reconfigure a local directory
To configure a new FactoryTalk local directory, or to upgrade an existing
FactoryTalk local directory, you must log on. This allows the wizard to access the
directory and configure it. Reconfiguring the FactoryTalk local directory allows
Depending on what accounts are available in the local directory, you might be
prompted to log on using:
You can also log on using an existing FactoryTalk administrator account to enable
the account if it has become locked, or if the password to the account has expired.
Important: Keep your administrator user name and password in a safe place. To
enable the administrator account, you must have both the original user
name and password to the account. If either is lost, the account cannot be
enabled.
If your administrator account was disabled, you cannot use the FactoryTalk
Directory Configuration Wizard to enable the account. Instead, have another user
enable your account for you in FactoryTalk Administration Console. The last
FactoryTalk administrator account in a directory cannot be disabled.
See also
What reconfiguring a local directory does
Reconfiguring a local directory does different things, depending on the state of the
directory when you run the wizard. The wizard can do any of the following:
See also
Product support for network and local directories
FactoryTalk Directory allows products to share a common address book, which
finds and provides access to plant-floor resources, such as data tags and graphic
displays.
Which directory you need depends upon which software products are part of your
FactoryTalk system. The table below shows which products require a network
directory, which require a local directory, and which can use either directory.
*The FactoryTalk local directory is not supported in RSLogix 5000 v20 software.
See also
Enter an administrator user name and password
Enter a Windows Administrator account user name and password. If the user
name and password are accepted, the directory is configured and the FactoryTalk
Directory Configuration Wizard closes.
Prerequisites
1. If you are not already on the second page of the wizard, choose All
Programs > Rockwell Software > FactoryTalk Tools > FactoryTalk
Directory Configuration Wizard.
3. Click in Password, and type the password that corresponds to the user
name you entered.
4. Click Next.
See also
Reset an expired password If the password to your administrator account has expired, Change Password
opens automatically. It cannot be opened manually.
1. In the New password field, type the new password to the account.
2. In the Confirm new password field, type the same password you typed in
the New password box, and click OK.
See also
Change Password (local)
The Change Password window appears automatically if the FactoryTalk local
directory contains an administrator account with an expired password. There is
no way to make this window appear manually if there is no administrator account
with an expired password in the directory.
If no other user is available and you cannot remember the password to your
FactoryTalk administrator account, contact Rockwell Automation Technical
Support.
Administrator user name: This box displays the user name you typed for the expired administrator account in the previous step of the
    wizard.
Old password: This box displays asterisks (*) as a placeholder for the old password you typed for the expired account in the
    previous step of the wizard.
New password: Type the new password to the account.
Confirm new password: Type the same password you typed in the New password box.
Depending on how the FactoryTalk security policies are configured, a minimum password length and
password complexity requirements might apply. Check with your FactoryTalk administrator if the suggestions
below do not work.
If the wizard will not accept your new password, make sure that your new password:
• Is not the same as any of the last 3 passwords you used for the account
• Does not contain the whole user account name. For example, a user account called John12 cannot have the
  password John1234. However, the password 12John is permitted. This check is also case sensitive, so
  John12 could have the password jOHN12.
• Is at least six characters long
• Contains characters from three of the following four categories:
  • Unaccented uppercase characters (A to Z)
  • Unaccented lowercase characters (a to z)
  • Numerals (0 to 9)
  • Non-alphanumeric characters (!, @, #, %)
Important: Keep your administrator user name and password in a safe place. To
enable the administrator account, you must have both the original user
name and password to the account. If either is lost, the account cannot be
enabled.
See also
Change Password (network)
When running the Configuration Wizard, if your administrator account has an
expired password, Change Password appears automatically. There is no way to
make this window appear manually if there is no administrator account with an
expired password in the directory.
If no other user is available and you cannot remember the password to your
FactoryTalk administrator account, contact Rockwell Automation Technical
Support.
Use the following settings to reset the password in your FactoryTalk network
directory.
Administrator user name: This box displays the user name you typed for the expired administrator account in the previous step of the wizard.
Old password: This box displays asterisks (*) as a placeholder for the old password you typed for the expired account in the previous step
    of the wizard.
New password: Type the new password to the account.
Confirm new password: Type the same password you typed in the New password box.
Depending on how the FactoryTalk security policies are configured, a minimum password length and password
complexity requirements might apply. Check with your FactoryTalk administrator if the suggestions below do not work.
If the wizard will not accept your new password, make sure that your new password:
• Is not the same as any of the last 3 passwords you used for the account
• Does not contain the whole user account name. For example, a user account called John12 cannot have the password
  John1234. However, the password 12John is permitted. This check is also case sensitive, so John12 could have the
  password jOHN12.
• Is at least six characters long
• Contains characters from three of the following four categories:
  • Unaccented uppercase characters (A to Z)
  • Unaccented lowercase characters (a to z)
  • Numerals (0 to 9)
  • Non-alphanumeric characters (!, @, #, %)
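The password rules listed for both the local and the network directory above are the same, and they are easy to check before you type a candidate into the wizard (the wizard only reports that a password was rejected, not which rule it failed). The following is an added example, not Rockwell code, and it implements exactly the rules printed in this guide: not one of the last three passwords, does not contain the whole account name (case-sensitive), at least six characters, and characters from three of the four categories. Two assumptions are labelled in the code: the "last 3 passwords" history is supplied by the caller, and "non-alphanumeric" is taken to mean ASCII punctuation. A site security policy may impose a longer minimum length, which is why `min_length` is a parameter.

```python
"""Check a candidate FactoryTalk administrator password against the rules the
Directory Configuration Wizard applies, as listed in this guide.
Added example, not Rockwell code."""
import string

# The four categories from the guide. Assumption: "non-alphanumeric" means
# ASCII punctuation; the guide only gives ! @ # % as examples.
CATEGORIES = (
    ("uppercase", set(string.ascii_uppercase)),
    ("lowercase", set(string.ascii_lowercase)),
    ("numeral", set(string.digits)),
    ("non-alphanumeric", set(string.punctuation)),
)


def check_password(user_name, candidate, previous=(), min_length=6):
    """Return the list of rule violations; an empty list means the password
    satisfies every rule in the guide.
    previous: assumed caller-supplied history, oldest first; only the last
    three entries count, as the guide states."""
    problems = []
    if candidate in tuple(previous)[-3:]:
        problems.append("matches one of the last 3 passwords")
    # Case-sensitive substring check: John12 rejects John1234 but allows jOHN12.
    if user_name and user_name in candidate:
        problems.append("contains the whole user account name")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = [name for name, chars in CATEGORIES if any(c in chars for c in candidate)]
    if len(used) < 3:
        problems.append(f"uses only {len(used)} of the 4 character categories "
                        f"({', '.join(used) or 'none'})")
    return problems


if __name__ == "__main__":
    # Constructed examples taken from the guide's John12 illustration.
    for pw in ("John1234", "12John", "jOHN12", "password"):
        print(pw, check_password("John12", pw) or "accepted")
```

Nothing here talks to the directory; it is a local pre-check so that a rejected password can be explained. Keep the history list out of any log or script you commit.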
See also
• Insufficient disk space. Clear some disk space and then run the wizard
again.
• You are not logged on as an administrator. You must be logged on as an
administrator to run the FactoryTalk Directory Configuration Wizard. If you
are running the wizard because an error occurred during the first installation
on a computer, you must be logged on as a Windows local administrator.
• The FactoryTalk Directory is in read-only mode. This error applies to
only the FactoryTalk network directory. This error appears as a warning
when your computer cannot communicate with the FactoryTalk network
directory server, or if the network connection is lost while configuring the
directory. Make sure both your computer and the FactoryTalk network
directory are connected to the network. You do not need to run the wizard
again after reconnecting to the FactoryTalk network directory server.
• You are attempting to configure the FactoryTalk Directory from a
remote computer. You cannot use Remote Desktop Services to configure a
FactoryTalk Directory. You must configure a FactoryTalk local directory at
the local computer. You must configure a FactoryTalk network directory at
the computer that is the FactoryTalk network directory server.
See also
2. Click Start > All Programs > Rockwell Software > FactoryTalk Tools >
FactoryTalk Directory Configuration Wizard.
See also
Default passwords If you are trying to configure a directory but you are being prompted for a
password you don't have, this might be because you are upgrading from
FactoryTalk Automation Platform version 2.00.
• For the FactoryTalk local directory, the original default user name was
Administrator, and the password field was left blank.
• For the FactoryTalk network directory, the original default user name was
Administrator, but you were prompted to provide a password.
If you cannot remember the password to an existing directory, you cannot access
that directory. Contact Rockwell Automation Technical Support.
See also
Prerequisites
c. Insert the product disc and select FactoryTalk Services Platform, or run
the standalone FactoryTalk Services Platform installation file.
e. Insert the product disc and select FactoryTalk Services Platform, or run
the standalone FactoryTalk Services Platform installation file.
See also
Identify the installed FactoryTalk Services Platform version
Identify the installed FactoryTalk Services Platform version to determine if an
upgrade of FactoryTalk Services Platform is necessary.
To identify the installed FactoryTalk Services Platform version
The FactoryTalk Security Web Service allows clients to interact with the
FactoryTalk Directory for authentication and authorization. The web service also
provides support for products running in environments such as Linux and Java.
For details about using FactoryTalk Web Services with your FactoryTalk-enabled
product, see your product documentation.
See also
Add an HTTPS site binding for FactoryTalk Web Services on page 202
Install FactoryTalk Web Services
FactoryTalk Web Services is installed from any FactoryTalk-enabled product CD
that includes FactoryTalk Services Platform, version 2.10.02 (CPR 9 Service
Release 2) or later. It is an optional component and is not installed automatically
with FactoryTalk Services Platform.
For most applications, install FactoryTalk Web Services on the computer that is
the FactoryTalk Network Directory server. Specific FactoryTalk-enabled products
using FactoryTalk Web Services might also have additional installation
requirements. For details, see the documentation supplied with your
FactoryTalk-enabled product.
5. In the list of program features, click FactoryTalk Web Services, then click
This feature, and all subfeatures, will be installed on local hard drive.
See also
Add an HTTPS site binding for FactoryTalk Web Services on page 202
Add an HTTPS site binding for FactoryTalk Web Services
If deploying FactoryTalk Web Services in an environment where privacy of the
network communications might be at risk, add an HTTPS site binding to encrypt
all client connections to FactoryTalk Web Services. Over the plain HTTP
binding, the credentials that clients send to the web service for authentication
travel in clear text on the network.
Prerequisites
See also
• The firewall on the FactoryTalk Web Services host computer does not
allow incoming traffic on the ports configured in IIS Manager.
On the client computer, open a browser and connect to the login URL.
Replace server_path with the fully qualified domain name of the
FactoryTalk Web Services host computer and replace the port number with
the port number configured in IIS Manager:
HTTP:
http://server_path:80/FactoryTalk/Security/WebService/200810.asmx
HTTPS:
https://server_path:443/FactoryTalk/Security/WebService/200810.asmx
If the FactoryTalk Web Services page does not appear, verify that the
firewall on the FactoryTalk Web Services host computer allows incoming
traffic to the ports configured in IIS Manager.
See also
FactoryTalk Web Services
• User account does not have permission to log into FactoryTalk Web
Services
HTTP:
http://localhost:80/FactoryTalk/Security/WebService/200810.asmx
HTTPS:
https://localhost:443/FactoryTalk/Security/WebService/200810.asmx
2. Select Login.
If the page returns an XML string, the user account is valid for use with
FactoryTalk Web Services.
See also
You can view the Rockwell Automation End-User License Agreement ("EULA")
by opening the License.rtf file located in your product's install folder on your hard
drive.
Other Licenses
Trademark Notices
Other Trademarks
Microsoft, Access, ActiveX, SQL Server, Surface, Visual Basic, Windows, and
Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trademarks are the property of their respective holders and are hereby
acknowledged.
Warranty
This product is warranted in accordance with the product license. The product’s
performance may be affected by system configuration, the application being
performed, operator control, maintenance, and other related factors. Rockwell
Automation is not responsible for these intervening factors. The instructions in
this document do not cover all the details or variations in the equipment,
procedure, or process described, nor do they provide directions for meeting every
possible contingency during installation, operation, or maintenance. This
product’s implementation may vary among users.
This document is current as of the time of release of the product; however, the
accompanying software may have changed since the release. Rockwell Automation,
Inc. reserves the right to change any information contained in this document or
the software at any time without prior notice. It is your responsibility to obtain the
most current information available from Rockwell when installing or using this
product.
Environmental compliance
In addition, we offer multiple support programs for installation, configuration, and troubleshooting. For more information, contact your local
distributor or Rockwell Automation representative, or visit http://www.rockwellautomation.com/services/online-phone .
Installation assistance
If you experience a problem within the first 24 hours of installation, review the information that is contained in this manual. You can contact
Customer Support for initial help in getting your product up and running.
United States Contact your distributor. You must provide a Customer Support case number (call the phone number above to obtain one) to
your distributor to complete the return process.
Outside United States Please contact your local Rockwell Automation representative for the return procedure.
Documentation feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the
feedback form, publication RA-DU002.
Supersedes Publication FTSEC-QS001L-EN-E Copyright © 2018 Rockwell Automation Technologies, Inc. All Rights Reserved. Printed in the U.S.A.