Proficy* Historian - GE Intelligent Platforms: Support Home

Proficy* Historian - GE Intelligent Platforms: Support Home

Proficy Historian Getting Started Guide

Does Historian 5.5 support 64-bit

Microsoft Excel Add-In?

Can I create 64-bit SDK applications?

Yes. Historian 5.5 supports Microsoft 2010 64-bit Excel Addin.

No.

Can I use User API applications (such as,

CollectorLike, PlotLike, ReportLike, and

MigrationLike) to read and write data to a 64-bit Historian server?

Yes. Historian allows you to use the User API applications

(such as, CollectorLike, PlotLike, ReportLike, and

MigrationLike) to read and write data to a 64-bit Historian server.

Can I write 64-bit Visual Basic ado applications to OLEDB?

No.

Implementing Historian Security

Historian is a high performance data archiving system designed to collect, store, and retrieve time-based information efficiently. By default, access to these Historian archives, tags, and data files is available to any valid operating system user account. In this default environment, all users are allowed to read, write, change, and delete archives, tags, or data files in the Historian Administrator, SDK, Migration Tools, and Excel Add-In.

However, you may find that you want to make these functions and data available only to authorized personnel.

You can do this by creating and defining Historian Security Groups in your Windows Security.

Historian includes an Electronic Signature and Electronic Records security feature. This option provides installations concerned with the FDA's 21 CFR Part 11 regulation – or any site interested in added security or tracking – the ability to require a signature and password every time a change in data or configuration is requested. For more information on the Electronic Signature and Electronic Records feature, refer to the Using

Historian in a Regulated Environment section of the Using the Historian Administrator manual.

Whether or not you use Historian security, make sure that you disable Guest accounts on your computer to limit access to valid Windows user accounts.

48

Getting Started with Historian

Protecting Your Process

If you want to restrict access to Historian archives, files, and tags, or protect your data files from unauthorized changes, you can enable Historian security. Using security is optional and is disabled by default. By enabling security, you can restrict access to the following:

Modifying data using the Excel Add-In

Updating security for individual tags or groups of tags

Creating, modifying, and removing tags

Tag protection (adding, modifying, removing, an so on) can be applied at a global level to all tags or at the individual tag level. Refer to Implementing Tag Level Security for more information.

Reading data in the iFIX Chart object, Excel Add-In, and Migration Utilities

Writing data

Starting and stopping collectors

Creating and deleting collectors

Creating, modifying, and deleting archives

Historian uses the operating system security groups to create a security structure. You enable security for a particular set of functions by adding specific Historian Security Groups to your groups. You can also add security groups to your domain controller. Refer to Security Tab section in the Historian Administrator Manual for information on selecting local or domain security groups.

By defining one or all of the groups, you begin to set up a security structure. Refer to the Historian Security

Groups section for more information on the Historian Security Groups available.

Implementing Strict Authentication

With Proficy Historian's strict user account authentication features, Enforce Strict Client Authentication and

Enforce Strict Collector Authentication, you can control access to the Historian server and safeguard user account credentials.

With strict authentication enabled, only known user accounts configured on the Data Archiver server computer will be able to access a Historian server. Similarly, enabling strict collector authentication enforces the same requirement for incoming collector connections.

For an account to be known at the Data Archiver, it has to exist on that archiver as a local account or exist on a

Domain Controller available to the data archiver. Historian will access the local accounts or Domain Controller

49

Proficy Historian Getting Started Guide

via Microsoft’s Security Support Provider Interface (SSPI) and this involves having a Kerberos server setup optionally to assist in account validation.

By default, strict client and collector authentication is enabled on new installations to maximize security. When upgrading from a previous version of Historian, strict client and collector authentication is disabled to allow compatibility with older clients or collectors that cannot be upgraded concurrently.

It is recommended that all clients and collectors receive timely upgrade to the latest version, which permits enabling both strict client and collector authentication on the server for the highest security configuration.

By treating clients and collectors separately, it is possible to accommodate new and legacy authentication during the upgrade process. However, upgrading all clients and collectors to the latest version immediately will achieve a high level of security. The two options, Enforce Strict Client Authentication and Enforce Strict

Collector Authentication, permit flexibility during the upgrade process by selectively accommodating legacy clients and/or collectors.

The following table enumerates a guideline about the different combinations of strict client and collector authentication options and their use:

Strict Client

Enabled

Strict Authentication Options

Authentication

Strict Collector

Enabled

Comment

Use this for highest available security. You will need to install

SIMs, if available on all pre-5.5 collectors and clients.

Clients can refer to any program that connects to the Data Archiver.

This includes Historian

Administrator, Microsoft Excel, any

OLEDB program, user written programs, or any other Proficy software.

50

Getting Started with Historian

Enabled

Disabled

Disabled

Disabled

Enabled

Disabled

Use this if you are unable to upgrade collectors to the latest version if there is no SIM update for your collector.

Use this if you have to support legacy clients and you are unable to install SIM update on all clients.

Use this for maximum compatibility with existing systems.

For more information, refer to the product IPI (Important Product Information) e-book or SIM release notes.

Disabling Strict Client or Collector Authentication

To permit older versions of clients and collectors to access a Historian 5.5 server, disable strict client and collector authentication.

To disable strict client and collector authentication:

1. Open the DataStore Maintenance screen, click the Security tab.

2. In the Global Security section:

Select the Disabled option button for Enforce Strict Client Authentication option.

Select the Disabled option button for Enforce Strict Collector Authentication option.

Troubleshooting Strict Authentication Issues

If the Proficy Historian Server rejects valid collector or client user credentials while connecting, consider the following conditions:

Windows XP computer rejects valid credentials when accessing the Historian server with strict authentication enabled

If a Windows XP (SP3) computer that is a member of a work group is rejecting valid credentials while trying to access a server with strict authentication enabled, it means that the ForceGuest registry value is set to 1 by

51

Proficy Historian Getting Started Guide

default, in the registry key. Use the following steps to choose the correct option:

1. Open the Control Panel, and then from the Administrative Tools, select Local Security Policy, Local

Policies, and then Security Options.

2. Go to Network access, and then Sharing and security model for local accounts.

3. Set the Classic - local users authenticate as themselves option.

Time Sync between the Server Time and Domain Controller Time

If a client or collector is attempting to connect to the Historian server with Strict Authentication enabled on a

Kerberos configuration, ensure that the Server’s and Domain Controller’s time match with each other.

Otherwise, the server rejects valid credentials and does not allow the connection.

Creating and Implementing a Security Strategy

When you begin to implement security, you should first define a clear strategy. Consider the following when beginning to set up your security strategy:

If you disabled the Guest account, a user must provide a valid username and password even if no groups are created.

Protection is only provided for the functional areas for which you have built the associated Historian

Security Groups.

If you only choose to define some of the security groups, all users still have all access to any uncreated groups. All users are still assumed to be a member of a group unless that group has been created, with the exception of iH Audited Writers group. You must add the iH Audited Writers group to the

Windows security groups so that a user can become a member of this group.

For example, if you elect to define the iH Security Admins group and iH Archive Admins group, both the members associated with those defined groups and all other valid users still have access to such functions as creating and modifying tags until you create the iH Tag Admins security group.

If you decide to implement any of the Historian Security groups, you should first add and define the iH

Security Admins group.

WARNING: If you do not create and define the iH Security Admins group, all valid users are assumed to be members of this group. This membership overrides any other security group that you set.

For more information on the Historian Security Groups available and their security functions, refer to the

Historian Security Groups section and the Historian Security Groups table.

52

Getting Started with Historian

Historian Login Security

Use Historian Login Security settings if you want to validate users at the Data Archiver, instead of at the client.

By applying these settings, users and applications will be forced to provide a user name and password at connect time so that archiver can validates them. For example, users in the security group such as "ih Security

Admins” will be checked by the Archiver.

For Historian Login Security settings, you can view and set the property from the HistorianSDKsample server properties. The current setting is shown in the data archiver SHW file.

Historian Login Security property is available only in Historian SDK.

To set login security using the Historian SDK:

1. Run the SDK sample.

2. Connect to a server.

3. Double-click on the server from the list box, The Server Properties dialog box appears.

4. On the right side of the dialog box, locate the AllowClientValidation setting. By default, this value is set to

TRUE. Click to set to FALSE, and then, click OK.

Historian Security Groups

The following are the available Historian Security groups:

iH Security Admins – Historian power security users. Security Administrators have rights to all Historian functions. This group also has the ability to change tag level security, archive security, and modify the Electronic Records and Signatures option. This is the only Historian security group that overrides tag level security.

iH Collector Admins – Allowed to start and stop collectors, browse collectors, configure collectors, and add new collectors.

iH Tag Admins – Allowed to create, modify, and remove tags. Tag level security can override rights given to other Historian security groups. Tag Admins can also browse collectors. iH Tag Admins are not responsible for setting Tag Level Security. This task can only be performed by an iH Security Admins. For more information on setting Tag Level Security, refer to the Implementing

Tag Level Security section.

iH Archive Admins – Allowed to create, modify, remove, backup, and restore archives.

53

Proficy Historian Getting Started Guide

iH UnAudited Writers – Allowed to write data without creating any messages.

iH UnAudited Logins – Allowed to connect the DataArchiver without creating login successful audit messages.

iH Audited Writers – Allowed to write data and to produce a message each time a data value is added or changed.

Tag, archive, and collector changes log messages regardless of whether the user is a member of the iH

Audited Writers Group.

iH Readers – Allowed to read data and system statistics. Also allowed access to Historian Administrator.

Historian Group Rights

Use the security table that follows to identify which types of user groups you need to create and define in your security system.

Historian Security Groups

54

Getting Started with Historian

Function

Create Tags:

• Excel

Add-

In

• SDK

• Histo rian

Admi nistra tors

• File

Colle ctor

Remove Tags:

• Histo rian

Admi nistra tors

• SDK

• File

Colle ctor

X

X

iH

Secu rity

Adm ins iH

UnAu dited

Write rs iH

UnAu dited

Login iH

Aud ited

Wri ters iH

Rea ders iH

Arc hive

Ad min s iH

Tag

Ad min s iH

Colle ctor

Admi ns

X

X

55

Proficy Historian Getting Started Guide

Modify Tags:

• Histo rian

Admi nistra tors

• Excel

Add-

In

• SDK

• File

Colle ctor

Modify Archive

Security:

• Histo rian

Admi nistra tors

• SDK

X

X

Backup Archive:

• Histo rian

Admi nistra tors

• SDK

X

X

X

56

Getting Started with Historian

Restore Backup:

• Histo rian

Admi nistra tors

• SDK

Create Archive:

• SDK

• Histo rian

Admi nistra tors

Start/Stop

Collector:

• SDK

• Missi on

Contr ol

(iFIX)

• Histo rian

Admi nistra tors

Browse

Collector:

• Histo rian

Admi nistra tors

X

X

X

X

X

X

X

X

57

Proficy Historian Getting Started Guide

Read Data:

• Chart

Obje ct

• Excel

Add-

In

• SDK

Write Data

(UnAudited):

• Excel

Add-

In

• SDK

Write Data

(Audited):

• Excel

Add-

In

• SDK

Modify Data:

• Excel

Add-

In

• SDK

X

X

X

X

X

X

X

X

X

X

X

58

Getting Started with Historian

Update Security for Tag:

• Excel

Add-

In

• SDK

• Histo rian

Admi nistra tors

Migrate

• Migra tion

Tools

X

X

Login Connection

Messages

X X

Security Setup Example

The following example takes you through the process of establishing your security needs and defining and setting up the levels of security.

Example

This example demonstrates how to implement security with Historian, starting with the default open security system.

1. Establish your user needs.

For this example, assume the following user needs in a plant of 14 users:

X X X X X

59

Proficy Historian Getting Started Guide

User

USER1

USER2

USER3

USER5

USER6

USER8

Needs

Power user. Needs total access to security.

• Read/Write Data (no messages).

• Create, modify, and delete tags.

• Backup, restore, and create archives.

• Connect to DataArchiver without creating login successful audit messages

Added to Security Group

iH Security Admins

Writers

• iH Tag Admins

Admins

Logins

USER4

USER7

• Read/Write Data (no messages).

• Create, modify, and delete tags.

• Backup, restore, and create archives.

Writers

• iH Tag Admins

Admins

Admins

USER9-

14

Read Data.

2. Add and define the iH Security Admins Group.

Once you determine that you want to establish a security structure, you must create and define the iH

Security Admins group. This group of users is typically the "power users" of the Historian. Security

Administrator rights allow them to manage configuration and give them free rein to the entire system.

For this example, only USER1 would be added to the iH Security Admins group.

3. Establish and create any other Historian Security Groups as needed.

NOTE: Any user with Windows administrative permissions can add or remove Windows groups and users. As such, an administrator on a Windows computer, can add himself to any Historian security group.

You should then set up the functional security groups as needed. For this example, Write, Tag,

60

Getting Started with Historian

Archive, and Collector security is required, so the groups associated with those functions should be added and defined. There is no need for Audited Writers and all valid users can read data, so neither the iH Audited Writers Group nor the iH Readers Group need to be added.

4. Define any individual Tag Level security.

In addition to defining iH Tag Admins that have the power to create, modify, and remove tags, you can also define individual tag level security to restrict access to sensitive tags. You can grant read, write, or administrative privileges per tag. For more information on setting Tag Level security, refer to the

Implementing Tag Level Security section.

Setting up Historian Security Groups

This section describes how to add the Historian Security Groups to your local and domain Windows security systems.

You can choose whether Historian uses LOCAL or DOMAIN security by selecting an option on the Security

Tab of the Data Store Maintenance screen in the Historian Administrator. If you select the local security option, the groups are defined as local groups on the Historian Server. If you select the Domain security option, the groups are defined as global groups in the primary domain controller of the Historian Server. With domain security, Historian locates the Primary Domain Controller (PDC), if available, or a Backup Domain Controller

(BDC) in order to establish groups. If the PDC and all BDCs are unavailable, the system locks all users out until rights can be established with a valid PDC or BDC.

NOTE: If you change this setting, you must stop and re-start the Historian Server for this change to take effect.

Setting Local Groups on Windows Systems

The following procedures applies setting local groups on a Windows XP® Professional with Service Pack2 or 3

(32-bit); Windows Vista® (32-bit and 64-bit); Windows Server® 2003, 2008, and 2008 R2; or Windows 7 (32bit and 64-bit).

To create a new local group:

1. Open the Control Panel.

2. Double-click the Administrative Tools.

3. Double-click the Computer Management icon. The Computer Management console opens.

4. Select Groups from the Local Users and Groups folder in the system tree.

5. From the Action menu, select New Group. The New Group dialog box appears.

61

Proficy Historian Getting Started Guide

6. Enter the Historian Security Group name in the Group Name field. For a list of available Historian

Security Groups and their functions, refer to the Historian Security Groups section.

IMPORTANT: You must enter the Historian Security Group name exactly as it appears. The security groups are case sensitive.

7. Optionally, enter a description of the Historian Security Group in the Description field.

8. Click Create.

9. Click Close.

Adding Users to Windows Security Group

Before adding users to your group, you must first add your users to the Windows system. For more information on adding users, refer to the Users Overview section of the Windows 2003 or XP Pro online Help.

To add a user to a group:

1. Open the Control Panel.

2. Double-click the Administrative Tools icon.

3. Double-click the Computer Management icon.

4. Select Groups from the Local Users and Groups folder in the system tree.

5. Select the group to which you want to add users.

6. From the Action menu, select Properties. The Users Properties dialog box appears.

7. Click Add.

8. Select the users or groups to add from the listed users or enter the names of the users or groups you want to add in the bottom field.

9. Click Add.

TIP: To validate the user or group names that you are adding, click Check Names.

10. When you have added all users to the group, click OK.

To add a local user:

1. Verify object types is Users or Groups.

2. Verify the From This Location setting is your local machine. (Click Locations to specify the local machine, if required.)

3. Click Advanced. The Advanced dialog box appears.

62

Getting Started with Historian

4. Click Find Now.

5. From the list of users, select the users or groups to add or enter the names of the users or groups you want to add in the bottom field.

6. In the Advanced dialog, click OK.

7. In the Select Users dialog, click OK.

8. In the group properties dialog, click OK.

To Add a Domain User:

1. Verify object types is Users or Groups.

2. Verify the From This Location setting is your windows domain. a. Click Locations to specify the domain, if required. b. Select Entire Directory or the specific domain underneath Entire Directory. c. Click OK

3. Click Advanced. The Advanced dialog box appears.

4. Click Find Now.

5. From the list of users, select the users or groups to add or enter the names of the users or groups you want to add in the bottom field.

6. In the Advanced dialog, click OK.

7. In the Select Users dialog, click OK.

8. In the group properties dialog, click OK.

Avoiding Unauthorized Access When Using Historian Security

To ensure a secure environment when using Historian security, do not create any local user accounts unless

Historian is set up on a stand alone machine. Also, disable the Windows Guest account.

Working with Domain Security

When you configure Historian to use Domain security groups, the Data Archiver attempts to locate the groups on the Primary Domain Controller (PDC) or one of the Backup Domain Controllers (BDC). If you don't have primary domain controller or if it is slow to access, you can have the Data Archiver access the nearest domain controller via the UseADSICalls registry key. When using a PDC, if a Primary or Backup Domain Controller cannot be located when the Historian Data Archiver service starts, access to Historian is denied to all users.

63

Proficy Historian Getting Started Guide

For troubleshooting, the data archiver show (.SHW) file lists all PDCs and BDCs available at the time of archiver startup. Use this list to verify that the Historian Server has visibility into the appropriate domain.

When using a PDC, after the list of Domain Controllers has been established, the Historian Server will use that list to query for Security Group Membership on an as needed basis. If at any time a request for Group

Membership information is made and the Primary Domain Controller is not available, Historian selects the first

Backup Domain Controller and attempts the same request. If a Backup Domain Controller successfully responds to the request, the process of querying for Group Membership can stop. Otherwise, Historian will attempt to query Group Membership information from the next available Backup Domain Controller. If no

Backup Domain Controller successfully responds, access to the system is denied.

When using UseADSICalls registry key, Historian does not connect to a specific domain controller and lets the operating system contact the most available one.

Changing security group configuration from Local to Domain or vice versa requires that the Historian Data

Archiver service be restarted for the change to take effect.

Creating Security Groups in Windows 2003 Domain Controller

To create a new Global security group in a Windows 2003 Domain:

1. In the Control Panel, double-click Administrative Tools. The Administrative Tools dialog box opens.

2. Double-click the Active Directory Users and Computer icon. The Active Directory dialog box opens.

3. In the Active Directory Tree display, select the required Domain and select Users.

4. Right-click Users, select New and then click Group. The New Object - Group dialog box appears.

5. In the Group name field, enter the name of the new Historian group exactly as you have defined it.

Leave the other default options unchanged.

6. Click OK to create the new group.

Creating Security Groups in Windows 2008 Domain Controller

To create a new security group in a Windows 2008 Domain:

1. In the Control Panel, double-click Administrative Tools. The Administrative Tools dialog box opens.

2. Double-click the Active Directory Users and Computer icon. The Active Directory dialog box opens.

3. In the Active Directory Tree display, select Users.

4. Right-click Users, select New and then click Group. The New Object - Group dialog box appears.

5. In the Group name field, enter the name of the new Historian group exactly as you have defined it.

64

Getting Started with Historian

Leave the other default options unchanged.

6. Click OK to create the new group.

Using a Windows 2003 Domain Controller with a Windows 2008 Historian

Server

When you use domain security with a Windows 2008 Historian Server and the domain controller is a Windows

2003 controller, you must configure the Historian DataArchiver service to log on as a valid domain account and you must add the user right. To Act as a Part of the Operating System to its list of rights.

To set up logon of Historian data archiver service

1. In Control Panel > Administrative Tools, double-click Services. The Services dialog box opens.

2. Double-click Historian Data Archiver. A Service dialog box appears.

3. In the Log On As panel, click This Account and select a domain user account.

4. Click OK.

To add the Act As Part of Operating System right to the domain account

1. In Administrative Tools, double-click Domain Security Policy. The Default Domain Security Settings dialog box appears.

2. In the Security Settings tree, select User Rights Assessment from Local Policies .

3. Double-click Act as a part of the operating system policy. The Act as a part of the operation system dialog box appears.

4. Select Define these policy settings check box, and then click Add User or Group button. The Add

Users and Groups dialog box appears.

5. Select your domain username.

6. Click Add and then click OK.

7. In Services, restart Historian DataArchiver.

You should now be able to log on to Historian Administrator using Domain Security.

If you attempt to log on to the Historian Data Archiver as a Local System Account, you may be denied access because the System Account in Windows 2008 is not privileged to access the Windows 2003 Domain

65

Proficy Historian Getting Started Guide

Administrator. A valid domain user account, however, is privileged to access the Windows 2003 Domain

Administrator if it is has also been granted the Act as a Part of the Operating System right.

Configuring DataArchiver to use Active Directory Service Interface

By default, the DataArchiver tries to enumerate all the available domain controllers during startup. If a Primary or Backup Domain Controller cannot be located when the Historian DataArchiver service starts, access to

Historian is denied to all users. Also when you have domain controller machines spread across a wide area network (WAN), you may find that logins are successful but slow.

With the Active Directory Support feature, you can configure the DataArchiver to use a different set of

Windows calls called Active Directory Services Interface (ADSI) when using Historian security. Configuring the DataArchiver to use Active Directory Services Interface (ADSI) allows you to:

1. Login to the Historian even if the DataArchiver is unable to enumerate any domain controllers during the DataArchiver startup.

2. Access a Backup Domain Controller if a Primary Domain Controller is not available temporarily or permanently.

You should configure the DataArchiver to use Active Directory Services Interface (ADSI) only when the

DataArchiver fails to enumerate domain controllers.

You can determine whether or not the DataArchiver is able to locate a domain controller by viewing the dataarchiver.shw log file. In the dataarchiver.shw log file If “Group Server #01: “is empty, then the

DataArchiver is unable to locate a domain controller.

Security Settings

=================

Group Mode : GLOBAL

Use Client Windows User for Logon : TRUE

Security Domain : <your domain>

Group Server #01 :

NOTE: You must run the DataArchiver under an account with domain administrator privileges to use Active

Directory Services Interface either temporarily or permanently.

The following procedures provide guidelines for configuring the DataArchiver to use Active Directory Services

Interface (ADSI) calls.

66

Getting Started with Historian

Creating a registry key and turning on the UseADSICalls

1. On the Start menu, click Run. (For Windows Vista, Windows Server 2008, and Windows 7, click the

Windows Start button and click inside the Start Search field)

2. Type Regedit and click OK. The Registry Editor dialog box opens.

3. Open the following key folder HKEY_LOCAL_MACHINE\SOFTWARE\Intellution,

Inc.\Historian\Services\DataArchiver\

4. Add a new DWORD value. Enter the name “UseADSICalls”, and select Base as Decimal.

5. In the Value data field, type 1.

6. Click OK.

7. Close the Registry Editor and configure the DataArchiver service to run as domain administrator.

Configuring the DataArchiver service to run as domain administrator

1. On the Start menu, click Run. (For Windows Vista, Windows Server 2008, and Windows 7, click the

Windows Start button and click inside the Start Search field).

2. Type services.msc and click OK. The Services dialog box opens.

3. Right-click the Historian DataArchiver service and select Properties.

4. Click the Log On tab, and then select the Log on as This account to log on special account.

5. Click the Browse button and select the user account.

6. In the Password and the Confirm password fields, enter the password for the user account, and then click OK.

Restart the DataArchiver service

1. On the Start menu, click Run. (For Windows Vista, Windows Server 2008, and Windows 7, click the

Windows Start button and click inside the Start Search field).

2. Type services.msc and click OK. The Services dialog box opens.

3. Right-click the Historian DataArchiver service and click Restart.

Reviewing the .SHW log file

The DataArchiver log file is used to examine the current configuration of a DataArchiver. The default path for

LOG and SHW files is C:\Proficy Historian Data\LogFiles.

If the DataArchiver is set correctly to use Active Directory Services Interface (ADSI), then you can find the

67

Proficy Historian Getting Started Guide

following text in the DataArchiver.SHW log file

Security Settings

=================

Group Mode : GLOBAL

Use Client Windows User for Logon : TRUE

Security Domain : <your domain>

Use ADSI calls : TRUE

Establishing Your Security Rights

Your security identity is established upon connecting to the server. This occurs through the following steps:

1. Specifying a username and password of an account.

Upon connection, the system checks to see if you have a valid Windows 2003 account. If you have supplied a username and password (through the Excel Add-In for example), security checks that user.

If username and password are not supplied and you are on a Windows 2003 or Windows 2008 machine or higher, security checks the currently logged in user.

NOTE: If you do not pass a domain name the account will be checked locally in the same way a mapped drive attempt happens. You have to specify a username and password that exists on the server.

2. Determining group membership of that account.

Once the account is validated, the server determines group membership. For more information on the process and hierarchy of the groups, refer to the Identifying the Security Checking Process section.

3. Caching membership profile.

Once the group and tag membership are determined, it is cached for the connection and not looked up again. If users are added to or deleted from a group, the cache is not updated.

NOTE: The cache information is per connection, and not per IP address. In other words, it is cached per application and not per system.

Identifying the Security Checking Process

The following figure details the security checking process.

68

Getting Started with Historian

Security Checking Process

69

Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement

Table of contents