Before using the Security Synchronizer, you must create Windows groups for all iFIX application features, security areas, and security groups to be assigned to iFIX users. You can use the CreateWindowsGroup tool to create these groups. Refer to The CreateWindowsGroups Tool for more information on using this tool.
Once you create Windows groups, you can use the Windows User Manager or a similar Windows security configuration tool to grant individual membership in the groups to Windows user accounts.
Configuration Strategy
You can reduce the number of Windows groups that must be created by grouping iFIX application features into iFIX security groups. Each iFIX security group can represent a set of application features that apply to a certain level of user, such as operators or supervisors.
You can then assign Windows users to the Windows group that represents the iFIX security group for their user level, such as "iFIX Security Group - Operators." Assigning users to groups in this manner:
- Eases the configuration process by grouping similar application features into a single security group.
- Helps you avoid assigning Windows users to every application feature privilege that they are to be granted.
Because iFIX security prevents an iFIX user from belonging to more than 12 security groups, you may still need to assign some application feature privileges individually. You should always assign security area privileges individually, since typically there are more application feature privileges than security areas.
Each Windows group name represents a single iFIX security privilege. An iFIX security privilege can be any of the following:
- iFIX Application Feature Name – predefined in the iFIX security system.
- Security Area Name – user-defined in the iFIX Security Configuration program. These names have default letter values of A through P when iFIX is installed.
- Security Group Name – user-defined in the iFIX Security Configuration program.
Windows group names that represent each iFIX privilege are created by combining a prefix string indicating the type of iFIX privilege with the name of the iFIX privilege. There are long and short forms of the prefix string. The following table shows each type of iFIX privilege and its long and short prefix strings.
NOTE: You must use the correct syntax in prefix strings. Spaces before and after the dash are required in the long prefix string. Spaces before and after the dash are prohibited in the short prefix string.
The following table shows examples of iFIX privilege names and their corresponding Windows group names. It is assumed that an iFIX security area named "Plant Floor" and an iFIX security group named "Supervisors" have been configured in iFIX security for this example.
Limitations on Global Group Names
You must limit the size of each Windows global group name to 20 characters if you synchronize iFIX security with Windows security groups that exist on either of the following domains:
- A Windows NT 4.0 domain
- Windows 2000 domain controllers that are configured to support access by users on systems earlier than Windows 2000.
Because many iFIX application feature names exceed this limit, to successfully use Security Synchronizer in this situation, you must do either of the following:
- Use aliases for iFIX application features that exceed 16 characters. Refer to Application Feature Name Aliases for a complete list of pre-defined Windows group name aliases for application feature names.
- Use the short prefix strings, described in the Windows Group Names table.
The 20-character limit on the size of the Windows global group name also affects user-defined iFIX security groups, which can be up to 30 characters long, and iFIX security area names, which can be up to 20 characters long. If you use the Windows NT 4.0 domain as the source of Windows security information, do not use more than 16 characters when naming iFIX security areas and iFIX security groups. This technique reserves four characters for the short prefix strings.
The 20-character limit does not apply to:
- Windows groups defined on a local computer (also referred to as local groups), since they can be up to 256 characters long.
- Windows XP domains or Windows 2000 domains with no access by users on systems earlier than Windows 2000, since global group names on these domains can be up to 64 characters long.
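The naming rules above (prefix string plus privilege name, long form with spaces around the dash, short form without) and the length limits in this section can be checked before any group is created. The following script is an added example, not part of the iFIX documentation or the CreateWindowsGroups tool. Only the "iFIX Security Group - " long prefix appears in the text; the other long prefixes, the four-character short prefixes, the alias table and the privilege names are placeholders and constructed samples standing in for the Windows Group Names and Application Feature Name Aliases tables.

```python
"""Build Windows group names for iFIX privileges and check them against the
global group name limits (added example; prefixes other than
"iFIX Security Group - " are placeholders, not the documented values)."""

# Long prefix strings: a dash with one space on each side (required syntax).
LONG_PREFIX = {
    "feature": "iFIX Application Feature - ",  # placeholder
    "area": "iFIX Security Area - ",           # placeholder
    "group": "iFIX Security Group - ",         # form shown in the text
}

# Short prefix strings: four characters, no spaces around the dash (required
# syntax). Placeholders for the documented short forms.
SHORT_PREFIX = {"feature": "IFA-", "area": "ISA-", "group": "ISG-"}

# Maximum length of the privilege name inside iFIX itself (from the text).
IFIX_NAME_LIMIT = {"feature": None, "area": 20, "group": 30}

# Maximum Windows group name length, by where the group is defined (from the text).
GROUP_NAME_LIMIT = {
    "nt4_or_mixed_domain": 20,  # NT 4.0 domain, or Win2000 DC serving pre-2000 clients
    "native_domain": 64,        # Windows XP or Windows 2000 domain, no pre-2000 access
    "local": 256,               # local groups on a single computer
}

# Constructed sample alias table; the real aliases are listed under
# Application Feature Name Aliases in the documentation.
FEATURE_ALIASES = {
    "Enable Task Switching": "EnableTaskSw",  # constructed sample alias
}


def ifix_name_ok(kind, privilege):
    """True if the privilege name itself is within the iFIX length limit."""
    limit = IFIX_NAME_LIMIT[kind]
    return limit is None or len(privilege) <= limit


def windows_group_name(kind, privilege, short=False, use_alias=False):
    """Compose the Windows group name for one iFIX privilege.

    kind is "feature", "area" or "group". With short=True the short prefix
    is used; with use_alias=True an application feature name is replaced by
    its alias when one exists.
    """
    if kind not in LONG_PREFIX:
        raise ValueError(f"unknown privilege type: {kind!r}")
    if not ifix_name_ok(kind, privilege):
        raise ValueError(f"{kind} name {privilege!r} exceeds the iFIX limit")
    name = privilege
    if use_alias and kind == "feature":
        name = FEATURE_ALIASES.get(privilege, privilege)
    prefix = SHORT_PREFIX[kind] if short else LONG_PREFIX[kind]
    return prefix + name


def fits(name, target):
    """True if the composed group name fits the limit for the target group type."""
    return len(name) <= GROUP_NAME_LIMIT[target]


def plan_groups(privileges, target, short=False, use_alias=False):
    """Return (names, too_long): the group name for each (kind, privilege)
    pair, and the subset of names that exceed the target's limit."""
    names = {}
    too_long = []
    for kind, privilege in privileges:
        name = windows_group_name(kind, privilege, short, use_alias)
        names[privilege] = name
        if not fits(name, target):
            too_long.append(name)
    return names, too_long


if __name__ == "__main__":
    # Constructed sample privilege set: one feature, one area, one group.
    sample = [
        ("feature", "Enable Task Switching"),
        ("area", "Plant Floor"),
        ("group", "Operators"),
    ]
    for short, alias in ((False, False), (True, False), (True, True)):
        names, too_long = plan_groups(sample, "nt4_or_mixed_domain", short, alias)
        print(f"short={short} alias={alias}")
        for privilege, name in names.items():
            flag = "TOO LONG" if name in too_long else "ok"
            print(f"  {privilege:24} -> {name!r:36} {flag}")
```

Running the block on an NT 4.0 style target shows the progression the text describes: the long prefixes overflow the 20-character limit for every privilege, the short prefixes fit the area and group names, and only the alias brings a feature name longer than 16 characters under the limit.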
As an alternate solution to the global group name character limitation, you can also use Windows local groups to contain global groups. You can create local groups with the full application feature names and you can assign global groups with an arbitrary name to the appropriate local groups.
If you are a Windows user who belongs to the global group, you also belong to the local group that contains the global group. Therefore, you will be assigned the privilege associated with that local group name.
Since creating and maintaining local groups across multiple computers adds complexity to the configuration required to use the Security Synchronizer, you should use this alternate solution only when a single node is running the Security Synchronizer to synchronize a shared set of security files. If multiple nodes are running the Security Synchronizer to synchronize multiple copies of the iFIX security data, then you should use the application feature name aliases with global groups. Refer to Application Feature Name Aliases for a complete list of pre-defined Windows group name aliases for application feature names.
CAUTION: If you do not follow these procedures when using Windows NT 4.0 domain security with Security Synchronizer, an incorrect iFIX security configuration based on the Windows configuration may result.