Use Commanding and Datasets to Configure Security in Runtime 

From version 10.97.1, it is possible, with the correct permissions, to perform common security administrative functions in GraphWorX64 displays or other runtime areas.

 

System designers can create their own interfaces to give security administrators the tools they need without having to open Workbench.

 

To display information about the current security configuration, use the datasets under Diagnostic > Configuration > Security. There are two datasets, one to show security groups and another to show security users:

These datasets can be displayed in a GridWorX Viewer or table control. More advanced users can select individual cells of the dataset to display in a process point and leverage the clone dynamic in GraphWorX64 to create more customized views.

 

The datasets are secured using the same application actions that control whether a user can browse, edit, or delete security items. You can grant or revoke these privileges in the Application Actions section of a user or group under Workbench > Security.  

 

The command Configure Security can perform several different functions, based on the value of the Action parameter:

The Password parameter of the CreateUser and ChangePassword actions must take a hashed password. Plaintext passwords are not supported. To hash a password, the new Password and PasswordHashing properties of GraphWorX64 process points must be used.

 

The CreateUser, AddUser, and RemoveUser actions can only work with one group at a time. To add a user to multiple groups, use the Batch command and call the ConfigureSecurity command multiple times.

 

Follow these steps to create an example display that allows a security administrator to add a new user:

  1. Add these four labels (text) to a GraphWorX64 display:

    1. Username

    2. Group

    3. Policy

    4. Password

  2. Next to each label, add a data entry process point. (There should be four process points in total.) Connect each process point's data source to these local variables:

    1. Username: localsim::user:String

    2. Group: localsim::group:String

    3. Policy: localsim::policy:String

    4. Password: localsim::password:String

  3. If you are not already in Advanced Mode, go to View > Application Mode > Advanced Mode.

  4. For the process point next to the Password label, set these properties:

    1. Password to True

    2. PasswordHashing to Password-Based Key Derivation Function 2

  5. Add a button and label it Create.

  6. Configure the button's pick action with these properties:

    1. Command to Configure Security

    2. Action to CreateUser

    3. UserName to {{localsim::user:String}}

    4. Group to {{localsim::group:String}}

    5. Policy to {{localsim::policy:String}}

    6. Password to {{localsim::password:String}}

    7. (Optional) DataEntryLostFocusWritesValue to True (This allows the user to click away from the data entry field without losing the value. This setting is recommended for local variables only, not for live values, and especially not for values connected to equipment that may be damaged if an incomplete value is written by mistake.)

  7. Add a GridWorX Viewer control.

  8. Configure the GridWorX Viewer.

  9. Select the Grid object.

  10. Set the data tag to cfg:entities/readall<SEC,SecUser> (In the tag browser, this tag can be found at Diagnostic > Configuration > Entities > Security > SecUser – All.)

  11. Close the GridWorX Viewer configuration.

  12. Save the display.

  13. For best results, confirm that your currently logged-in user has the proper permission to create users with this command:

    1. Open Workbench.

    2. Expand Security.

    3. Expand Users and open the desired user or expand Groups and open a group that the desired user is a member of.

    4. Find the Application Actions section.

    5. Ensure that these items are enabled (they must be enabled directly on the user or on at least one of the groups the user is a member of):

      1. Workbench > Security > Edit Items  

      2. Commands > Configure Security

      3. (Optional) Workbench > Security > Browse Items (allows viewing users in the GridWorX Viewer, but does not affect creating users)

    6. Apply any changes.

    7. Log in as the desired user.

  14. Return to GraphWorX64 and go into runtime.

  15. The GridWorX Viewer should populate with the current users in your security configuration.

  16. Enter values into the process points. Group and Policy must match existing group and policy names in your security configuration. Here are some example values:

    1. Username: Test

    2. Group: GroupA

    3. Policy: Leave blank to use the default security policy.

    4. Password: Ensure the password is consistent with the policy's password complexity rules.

  17. Select Create.

  18. Refresh the GridWorX Viewer. If the user was created successfully, it should now show in the list of users. You should also be able to see the user in Workbench, after refreshing the list.

The user executing the Configure Security command must have edit permission for the security configuration (configured on a user or group under Application Actions > Workbench > Security) and permission to execute the command itself (configured via Application Actions > Commands > ConfigureSecurity).
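
Because the rights above can be enabled directly on a user or inherited from any group, it helps to review which accounts end up able to run Configure Security in runtime. The following is an added example, not ICONICS code: the dictionary layout is an assumed stand-in for however you record your Application Actions settings, and every user, group, and grant in it is constructed sample data.

```python
# Added example: audit which accounts can run Configure Security at runtime.
# Data layout is an assumption (not an ICONICS export); all entries are constructed.

EDIT = "Workbench > Security > Edit Items"
BROWSE = "Workbench > Security > Browse Items"
COMMAND = "Commands > Configure Security"

GROUPS = {  # constructed: group name -> enabled application actions
    "SecAdmins": {EDIT, BROWSE, COMMAND},
    "Operators": {COMMAND},
    "Viewers": {BROWSE},
}
USERS = {  # constructed: user name -> direct grants and group membership
    "alice": {"actions": set(), "groups": ["SecAdmins"]},
    "bob": {"actions": {EDIT}, "groups": ["Operators", "Viewers"]},
    "carol": {"actions": set(), "groups": ["Operators"]},
    "dave": {"actions": {BROWSE}, "groups": []},
}


def grant_sources(user, action, users=USERS, groups=GROUPS):
    """Return where `action` is enabled for `user`: 'direct' and/or group names."""
    entry = users[user]
    sources = ["direct"] if action in entry["actions"] else []
    sources += [g for g in entry["groups"] if action in groups.get(g, set())]
    return sources


def audit(users=USERS, groups=GROUPS):
    """Classify users: the command needs both Edit Items and Configure Security."""
    report = {}
    for name in users:
        edit = grant_sources(name, EDIT, users, groups)
        cmd = grant_sources(name, COMMAND, users, groups)
        browse = grant_sources(name, BROWSE, users, groups)
        report[name] = {
            "can_configure_security": bool(edit and cmd),
            # Only one of the two required actions is enabled: review this grant.
            "partial_grant": bool(edit) != bool(cmd),
            "can_view_datasets": bool(browse),
            "edit_via": edit,
            "command_via": cmd,
        }
    return report


if __name__ == "__main__":
    for user, row in audit().items():
        print(user, row)
```

The `edit_via` and `command_via` lists show whether a right comes from the user or from a group, which is where an unintended runtime security administrator usually originates (here, `bob` combines a direct Edit Items grant with a command right inherited from a group).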