WEBfactory 2010

Active Directory Integration
User management

A project engineer can define explicit WEBfactory users or activate Active Directory security for WEBfactory.

If Active Directory security is active, log-in with valid Active Directory credentials will also be accepted within WEBfactory.

Users who log in with valid Active Directory credentials will be granted the WEBfactory authorizations of those authorization groups that have the same name as the Active Directory roles/user groups assigned to the corresponding Active Directory user.

Example:

Active Directory user “Hans” belongs to the Active Directory user groups “Scada Admins” and “Scada Users”. He also belongs to the Active Directory user groups “Administrators” and “Users”. Within WEBfactory there are authorization groups called “Scada Admins” and “Scada Users”, but no authorization groups called “Administrators” and “Users”. Therefore, during log-on, Active Directory user “Hans” will be granted all WEBfactory authorizations that belong to the WEBfactory authorization groups “Scada Admins” and “Scada Users”.
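The same-name rule from the “Hans” example, modelled as an added Python example (not WEBfactory code) that an engineer can use to review which Active Directory groups confer WEBfactory authorizations. The authorization names, the user “Erika” and the function names are constructed for illustration, and exact string equality for “same name” is an assumption.

```python
# Added example: models the name-matching rule from the text; not WEBfactory code.
# Authorization names and group contents are constructed sample data.
WF_AUTH_GROUPS = {
    "Scada Admins": {"EditProject", "WriteSignals", "AcknowledgeAlarms"},
    "Scada Users": {"AcknowledgeAlarms", "ViewTrends"},
}


def _fold(name):
    """Normalise case and whitespace, used only to detect near-miss names."""
    return " ".join(name.split()).casefold()


def resolve_session(ad_groups, wf_groups=WF_AUTH_GROUPS):
    """Return what an AD user's session would receive under the same-name rule.

    Assumption: "same name" means exact string equality. Names that differ only
    in case or spacing are reported separately so an engineer can review them.
    """
    folded = {_fold(name): name for name in wf_groups}
    matched, near_misses, ignored = [], [], []
    for group in sorted(set(ad_groups)):
        if group in wf_groups:
            matched.append(group)
        elif _fold(group) in folded:
            near_misses.append((group, folded[_fold(group)]))
        else:
            ignored.append(group)
    authorizations = set()
    for group in matched:
        authorizations |= wf_groups[group]
    return {"matched": matched, "near_misses": near_misses,
            "ignored": ignored, "authorizations": authorizations}


def audit(memberships, wf_groups=WF_AUTH_GROUPS):
    """Map each AD user to the WEBfactory rights their group membership confers."""
    return {user: resolve_session(groups, wf_groups)
            for user, groups in memberships.items()}


# Constructed directory snapshot; "Hans" is the user from the example above.
SAMPLE_MEMBERSHIPS = {
    "Hans": ["Scada Admins", "Scada Users", "Administrators", "Users"],
    "Erika": ["scada  admins", "Users"],
}

if __name__ == "__main__":
    for user, result in audit(SAMPLE_MEMBERSHIPS).items():
        print(user, result)
```

Because membership in a matching Active Directory group is what grants the authorizations, the “matched” list shows which directory groups need the same change control as the WEBfactory authorization groups themselves.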

There will be a special dialog within the WEBfactory user manager where the project engineer can activate Active Directory security for WEBfactory and define the name of the corresponding domain or workgroup.

In this dialog he can also define the default user settings for Active Directory users, such as “Auto-log off interval”, “User level”, “Max. failed log-ons”, etc.

When a user logs in with valid Active Directory credentials, a corresponding user entry will be created inside the WEBfactory database if it doesn’t already exist, as this is required for the referential integrity of the database management system behind WEBfactory.

The initial user settings will be adopted from the Active Directory default user settings that were defined by the project engineer.

There will also be an additional user property that defines whether a user account belongs to a WEBfactory user or an Active Directory user.

The password verification for Active Directory users during log-on will always be done in real time against the Active Directory server. The WEBfactory system will not store any Active Directory user passwords.

Using Local Users instead of Active Directory Users

Using Local Users in WEBfactory login requires the following settings:

  • Set the Computer Name for the local machine the same as the Domain Name in WEBfactoryStudio Settings > server > General.

Domain Name in WEBfactoryStudio

NOTE

Usernames are case sensitive! The Username must be written using the same case as it is in the Local User list.

  • The Local Groups must have the same name as the Authorization Groups from the WEBfactory User Manager.

User login control

The WEBfactory user login control will support logging in with WEBfactory user credentials as well as with Active Directory credentials.

At login time the user can choose whether to log in to the WEBfactory system as a WEBfactory user or as an Active Directory user. For this purpose there will be an option group available within the login dialog of the control.

This option group can be disabled by the project engineer at design time. In this case the project engineer can also define at design time whether users will always be logged in as WEBfactory users or as Active Directory users.

The WEBfactory user login control will support auto-login operations:

  1. when the visualization was just started and

  2. when a user logged out manually or was logged out by the system.

For this purpose there will be 4 additional properties that can be set by the project engineer at design time.

  1. AutoLoginAtStartup

  2. AutoLoginAfterLogout

  3. InitialUserName

  4. InitialUserPassword

The first 2 additional properties can take the following values:

  1. No auto login

  2. Login current windows user

  3. Login initial user

With these properties the project engineer can define whether no user, the current Windows user or a default user should be logged in automatically, either at startup of the visualization or when a user was logged off and no user is currently logged in.

WEBfactory Server

The WEBfactory Server can validate WEBfactory user credentials as well as Active Directory user credentials.

In the case of Active Directory user credentials, the WEBfactory Server will forward the login request to the domain/workgroup controller.

After successful verification of either a WEBfactory user or an Active Directory user, the WEBfactory Server will grant the new user session the correct WEBfactory authorizations.

For WEBfactory users there will be no changes in calculating the appropriate list of authorizations.

For Active Directory users the server will grant the new user session those WEBfactory authorizations that belong to authorization groups which have the same name as the Active Directory roles/user groups to which the logged-in Active Directory user belongs.

After the login operation there will be no difference of any kind between user sessions that belong to a WEBfactory user and those that belong to an Active Directory user.