The Security Synchronizer maps Windows group names to iFIX security privileges. You assign iFIX security privileges to users who are members of the Windows groups that represent these privileges. iFIX security privileges are revoked from users who are not members of Windows groups that represent these privileges.
The Security Synchronizer performs the following steps to synchronize iFIX security users with their Windows user accounts, based on Windows group memberships:
- Reads the current iFIX security configuration to determine the currently available security areas, application features, and iFIX group names. These names are used to determine the Windows group names that represent each iFIX privilege.
- Determines which Windows users belong to each of the Windows group names.
- Modifies the user account of the same name in iFIX security for each Windows user account that belongs to any of the valid group names.
  Only iFIX user accounts configured to "Use Windows Security" are modified. The Security Synchronizer makes modifications by assigning the user those privileges that map to the Windows groups of which they are a member, and deleting privileges that map to Windows groups of which they are not a member.
- Creates a new iFIX security user account if the Windows user account name does not match an existing iFIX security user account. The appropriate iFIX security privileges are applied to the new account.
- Removes any iFIX user from the security configuration who is not a member of at least one of the mapped Windows groups that represent an iFIX privilege.
  iFIX users not configured to "Use Windows Security" are removed in this manner only if the /R parameter is used in the Security Synchronizer command line. Refer to the Using the Command Line section for more information on the Security Synchronizer command line.

  NOTE: The Autologin user accounts are never removed from the security configuration, regardless of whether they use Windows security or belong to any Windows groups. If security is enabled, the last user account to have the Security Configuration application feature assigned to it will not be deleted. Also, if a user account is currently logged in to iFIX, it will not be deleted.
- Writes an audit trail message to the iFIX security log. The log message includes a record for each added and deleted iFIX user account, other account modifications, and errors encountered during processing.
- Writes analog and digital values to the iFIX database to indicate the success or failure of the synchronization. Writes are performed in this manner only if one or more of the Node.Tag.Field parameters are used in the command line. Refer to the Using the Command Line section for more information on the Security Synchronizer command line.
NOTE: These messages can also be sent to the iFIX alarm destinations as text messages. Refer to the Using the Command Line section for more information.
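
The steps above can be modeled offline to preview which accounts a run would add, modify, keep, or delete before it touches the live configuration. The following is an added example, not the Security Synchronizer's own code: the Windows group names, account names, the "Area A" security area, the group-to-privilege mapping passed in by the caller, and the assumption that newly created accounts use Windows security are all constructed for illustration.

```python
SEC_CONFIG = "Security Configuration"  # application feature named in the NOTE above

def plan_sync(users, group_members, group_to_priv, remove_non_windows=False):
    """Model one run; remove_non_windows stands in for /R. Returns (new_users, audit)."""
    # Privileges each Windows account should hold, taken from mapped groups only.
    wanted = {}
    for group, priv in group_to_priv.items():
        for name in group_members.get(group, ()):
            wanted.setdefault(name, set()).add(priv)
    new = {n: dict(u, privs=set(u["privs"])) for n, u in users.items()}
    audit = []
    for name, privs in sorted(wanted.items()):
        if name not in new:
            # Assumption: a created account is flagged as using Windows security.
            new[name] = {"privs": set(privs), "windows": True, "autologin": False, "logged_in": False}
            audit.append(("added", name))
        elif new[name]["windows"] and new[name]["privs"] != privs:
            new[name]["privs"] = set(privs)  # grants and revocations in one step
            audit.append(("modified", name))
    for name in sorted(users):
        u = new[name]
        if name in wanted or u["autologin"] or u["logged_in"]:
            continue  # still mapped, or protected from deletion
        if not u["windows"] and not remove_non_windows:
            continue  # non-Windows accounts are only removed with /R
        holders = [n for n, x in new.items() if SEC_CONFIG in x["privs"]]
        if holders == [name]:
            audit.append(("kept_last_security_admin", name))
            continue
        del new[name]
        audit.append(("deleted", name))
    return new, audit

# Constructed sample data; every name below is hypothetical.
def _u(privs, windows=True, autologin=False, logged_in=False):
    return {"privs": set(privs), "windows": windows, "autologin": autologin, "logged_in": logged_in}
GROUP_TO_PRIV = {"WG_AREA_A": "Area A", "WG_SEC_CONFIG": SEC_CONFIG}
MEMBERS = {"WG_AREA_A": {"alice", "bob"}, "WG_SEC_CONFIG": set()}
USERS = {
    "alice": _u({"Area A", SEC_CONFIG}),
    "carol": _u({SEC_CONFIG}),
    "kiosk": _u({"Area A"}, windows=False, autologin=True),
    "legacy": _u({"Area A"}, windows=False),
}
```

In this sample the Windows group mapped to Security Configuration is empty, so `alice` loses that feature on modification and `carol` survives only through the last-holder protection: a reminder to check the membership of administrative groups before a scheduled run.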