Before running the Synchronizer, you should be aware of the following considerations and potential constraints:
- You may schedule the Synchronizer to run at routine intervals. Because you cannot always determine which user may be logged-in when the Synchronizer runs, you may want to consider creating a "special" security user that has the appropriate rights and permissions to the Synchronizer. iFIX Security's System Autologin User option can be used to "impersonate" a certain user when the Synchronizer runs. Refer to the Node-based Security section for information about using the Autologin feature with Security Synchronizer.
- To ensure that the correct information is accessed when you use domain security, you may want to consider locating all Windows users in the same domain. If you use domain security in your configuration, the current Windows user must log in to Windows and the appropriate domain for the Synchronizer to retrieve the necessary user account information. Inability to access the domain can result in incomplete configuration information.
- The Security Synchronizer application is not intended to run as a service.
- iFIX security file structure prevents iFIX security users from being members of more than 12 iFIX security groups at the same time.
- You can assign no more than 20 characters when naming global groups on domain controllers that are configured to support access by users on systems earlier than Windows 2000.
NOTE: You do not need access to the domain if you use local security.
This restriction affects users who use domain-based Windows security when synchronizing iFIX security privileges. Because several iFIX security privilege names exceed 20 characters, shorter aliases are provided for these application features. Refer to the section Application Feature Name Aliases for a complete list of aliases.
- Be aware that when configuring your Windows users in iFIX Security, the Domain Name entry needs to be your domain's NetBIOS name.
- When iFIX security is enabled, you must ensure that at least one iFIX user has access to the iFIX Security Configuration application feature. The system will not delete the last remaining account with Security Configuration privileges; a message is logged to the audit trail indicating this situation.
- The Security Synchronizer uses the Windows security configuration as the master or source of the security data when it runs. Manual changes to a user's security privileges through the iFIX Security Configuration utility are overwritten when Security Synchronizer runs if those changes do not match the Windows security configuration for that user.
Security Synchronizer does not change the domain name or Login Time-out values for existing user accounts in iFIX security; it does change the security privileges for security areas, application features, and iFIX groups assigned to the account.
NOTE: The Synchronizer may replace an existing iFIX account from one domain with a new account from another domain if the Windows user account has moved. In this case, the Synchronizer treats this as a new account, and not as a modification of an existing account. The Synchronizer deletes the original iFIX account and creates a new iFIX account with the appropriate domain and login time-out values.
