FactoryTalk Security - Part 2
So now that you know you are using FactoryTalk Security, what are your options?
I need to explain the different ways FactoryTalk Security can be set up so you can investigate it yourself and decide which way you want to go.
FactoryTalk Security is a component of FactoryTalk Services Platform (FTSP).
FTSP is made up of:
FactoryTalk Security (FTS) - Manages Security Services
FactoryTalk Administration Console (FTAC) - Configures Security Services
FactoryTalk Diagnostics (FTDS) - Provides Security Services Diagnostics Viewer
FactoryTalk Directory (FTD) - Manages Security Services Directory Locations
FTDS can be installed with FTSP, or FactoryTalk Activation (FTA). The FTDS Viewer is a very useful diagnostics tool for viewing logged FTS and FTA errors and events.
First we need to look at FactoryTalk Directory (FTD).
By default, FTD installs two Directory Locations, a Local Directory, and a Network Directory. Which one is used depends on the required Security setup.
1. FactoryTalk Local Directory
A single computer, usually, but not necessarily, in a stand-alone environment, is to be set up for independent Local Security. RSLinx Classic is installed and FactoryTalk Security is enabled using the Local Directory option. This computer is known as a FactoryTalk Security Server, as it manages and configures its own Security. Other Rockwell Software, required to be secured, are installed with the enable FactoryTalk Security option, and also set to use the Local Directory. The Local Directory stores all the Users/Permissions, Policy Settings and Project information related to Rockwell Software on the Local computer only. The Local Directory is only available to the Local computer, even if the computer resides on a network.
2. FactoryTalk Network Directory
Two, or more computers on a plant network are to be set up for Network Security. One computer is to be assigned as the FactoryTalk Network Server. It will usually have RSLinx Classic OEM, or Gateway installed. FactoryTalk Security is enabled using the Network Directory on the Server. All the other computers on the network are Client computers. RSLinx Classic is installed on the Client computers and FactoryTalk Security is enabled to also use the Network Directory. The Server computer administers Users/Privileges, Policy Settings and Project information for all the Secured Rockwell Software being used on the networked computers. The Client computers must have access to the Network Directory on the FactoryTalk Network Server in order to use the Secured Rockwell Software installed upon them.
Even though both a Local Directory and Network Directory exist on each computer that has FactoryTalk Security enabled, and both can be used interchangeably, the information stored in one Directory is completely separate from the other. If you set up a User in FTAC for a Local Directory, the User does not exist for the Network Directory. You would have to set up the User for both Directories separately.
Now we need to look at Users and User Groups:
Windows v FTS Users
When you log in to Windows, you are using a Windows-Linked User Account. You have the option to add your Windows-Linked User Account to FTS in FTAC. Nearly all Rockwell Software requires a User to have Administrator Privileges to carry out most actions. So your Windows-Linked User Account should have Administrator Privileges. This then adds your Windows-Linked User Account to the Windows Administrators User Group, in Windows.
When you open FTAC, you are prompted to Select FactoryTalk Directory. Here you select Network, or Local. Again, you need to know from the above options which FactoryTalk Directory the computer you are working on is using. If you know it's definitely a stand-alone computer, select Local. If it's acting as a FactoryTalk Network Server, or Client, for the Maintenance computer network, then select Network.
If you expand Users and Groups=>User Groups you should see one or all of the following, Authenticated Users, Windows Administrators and Administrators.
Depending on which are there, if you look closely at the icons for Authenticated Users and Windows Administrators you'll see a small link symbol. This indicates that they are Windows-Linked User Groups.
Again, depending on whether or not it's there, if you look at the icon for Administrators you'll see there is no link symbol. That's because it's an FTS Administrator Group.
If the Windows-Linked Windows Administrators Group is there, double-click it to show its Members. Your Windows-Linked User Account, if it has Administrator Privileges, should already be listed here. If Windows Administrators is not there, right-click on User Groups=>New=>Windows-Linked User Group...=>Add... and type Windows Administrators in the text box. The OK button becomes available and when pressed, the previous window should now display Windows Administrators. Click OK again to add it to the User Groups. Then check its Members.
Go back to the FTS Administrators Group and double-click it to view its Members. The Windows-Linked Windows Administrators Group should be listed here. If not, press the Add... button and you get the Select User or Group window. Make sure Filter Users is set to Show groups only. Windows Administrators may already be listed here. If not, press Create New=>Windows-Linked User Group=>Add... and follow the same procedure as above to get the Windows Administrators Group into the FTS Administrators Group.
Once this is done in FTAC for the correct FactoryTalk Directory, your Windows-Linked User Account is now added to the Administrators Group of FactoryTalk Security.
In FTAC, again using the correct Directory, you need to check the Security Access Rights, for your Windows-Linked User Account, are all set to Allow for RSLinx Classic. As your Windows-Linked User Account is added at the Group level, this is done by selecting Administrators from the list.
I hope that makes sense.
G.