Windows Security Integration

You can choose to use Windows® security integration in place of, or in addition to, VTScada user accounts. The VTScada Security system has three basic elements: Accounts, Roles & Privileges. When using Windows Security Integration, accounts (users) are managed in Windows. The privileges that are related to VTScada functionality are managed within the VTScada Security Manager, via assignment to roles. Windows accounts are linked to VTScada roles using Active Directory Groups that are named for the VTScada roles.

Benefits and differences:

  • External account control.
  • Fewer passwords for users to remember.
  • Privilege sets are created only for roles, which are then assigned to accounts.
    It is not possible to assign privileges directly to Windows-based accounts.
  • Rule-Scope can be applied to privileges within a role, but not to roles assigned to accounts.
  • Limited control over domain account configuration within VTScada. Passwords for Windows accounts cannot be changed from VTScada, and privileges cannot be granted directly to those accounts (only to the roles they are mapped to).
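The mapping above is driven by Active Directory group membership, so the practical administrative task is to create one security group per VTScada role and keep its membership current. The following PowerShell is an added example and is not VTScada's or its vendor's own code. It assumes the ActiveDirectory RSAT module is installed, that the AD group name must match the VTScada role name exactly (an assumption; check your Security Manager configuration), and that the OU path, role names and user names are hypothetical placeholders.

```powershell
# Added example (not VTScada's own code): provision one AD security group per VTScada
# role and reconcile its membership. Role names, OU path and sAMAccountNames are
# hypothetical. Assumes the group name equals the role name exactly (assumption).
Import-Module ActiveDirectory

$GroupOU = 'OU=SCADA Roles,DC=example,DC=com'       # hypothetical OU for role groups
$RoleMap = @{                                        # role name -> domain users holding it
    'Operator'   = @('jsmith', 'mlee')
    'Supervisor' = @('mlee')
    'Configure'  = @('adevi')
}

foreach ($role in $RoleMap.Keys) {
    # Look the group up by exact name so an existing group is reused, not duplicated.
    $group = Get-ADGroup -Filter "Name -eq '$role'" -SearchBase $GroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $role -SamAccountName $role -GroupScope Global `
            -GroupCategory Security -Path $GroupOU `
            -Description "Members are granted the VTScada role '$role'" -PassThru
        Write-Host "Created group $role"
    }

    # Direct members only: whether VTScada honours nested group membership is not
    # assumed here, so each user is added to the role group itself.
    $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    foreach ($user in $RoleMap[$role]) {
        $safeName = $user -replace "'", "''"          # escape quotes inside the LDAP-style filter
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$safeName'")) {
            Write-Warning "$user does not exist in AD; not added to role $role"
            continue
        }
        if ($current -notcontains $user) {
            Add-ADGroupMember -Identity $group -Members $user
            Write-Host "Added $user to role group $role"
        }
    }
}

# Audit view: who currently holds each VTScada role via group membership.
foreach ($role in $RoleMap.Keys) {
    $members = Get-ADGroupMember -Identity $role | Select-Object -ExpandProperty SamAccountName
    '{0,-12} {1}' -f $role, ($members -join ', ')
}
```

Run it from an account that can create groups in the target OU. Because membership is reconciled against the group's current state, the script can be re-run after personnel changes; removing a user from $RoleMap does not remove them from the group, so stale members should be handled deliberately rather than silently.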

When Windows Security Integration (WSI) is in effect, VTScada managers (accounts with both the Manager privilege and the Administrator privilege) retain responsibility for granting privileges to roles. They may also disable individual accounts and can set the automatic log-out time for each account.

Alternative ID values, for the Alarm Notification system and other purposes, are still controlled within the VTScada interface.

Using Both Windows and VTScada Authentication

It is possible to have both VTScada accounts and Windows accounts. Accounts that existed prior to the enabling of WSI will continue to exist, but it is expected that many sites will prefer to disable or delete some or all of those accounts. If there are users who should have access to the SCADA system but not have an account on the domain, they should be given a VTScada account within the application. This feature might be used to send out application ChangeSets to someone who is trusted to work on the application, but who will not be given access to the corporate network.

A feature of WSI is that authorized users may log on with their full account name (myname@company.com) or with their user name (myname). If that user name matches a valid VTScada account name, then it will be assumed that the user intends to log on with the VTScada account. A dialog will open during the logon process to remind you of this.
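Because a bare user name that matches a VTScada account is resolved to the VTScada account, a site running both account types should know where the two name spaces overlap. The following PowerShell is an added example (not VTScada's own code) that reports every VTScada account name that also exists as a domain user. The VTScada account list is constructed inline; in practice it would be taken from the Security Manager. It assumes the ActiveDirectory module is available and that the sample names are hypothetical.

```powershell
# Added example (not VTScada's own code): find VTScada account names that collide with
# domain sAMAccountNames. The account list below is constructed for illustration.
Import-Module ActiveDirectory

$VtscadaAccounts = @('admin', 'jsmith', 'contractor1')   # constructed sample list

$report = foreach ($name in $VtscadaAccounts) {
    $safeName = $name -replace "'", "''"                   # escape quotes for the filter
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$safeName'" -Properties UserPrincipalName

    [pscustomobject]@{
        VTScadaAccount = $name
        DomainUser     = [bool]$adUser
        # Where the bare name collides, the domain user must log on with the full
        # account name (user@domain) to be authenticated by Windows rather than VTScada.
        LogonWith      = if ($adUser) { $adUser.UserPrincipalName } else { 'n/a (no domain match)' }
        Note           = if ($adUser) { 'Collision: bare name resolves to the VTScada account' }
                         else         { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

Resolve each collision either by having the domain user always log on with the full account name, or by renaming or removing the local VTScada account if it is no longer needed.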

While an application can use both Windows Authentication and a proximity card reader, it is NOT possible to use both methods for a single account. An account that uses Windows Authentication cannot also sign in using a proximity card reader, and an account that uses a proximity card reader cannot sign in using Windows Authentication.