Using the Security Synchronizer

The Security Synchronizer is an application that allows you to assign iFIX security privileges to iFIX user accounts based on a Windows security configuration. This model enables you to use Windows security as a central source of configuration for both Windows and iFIX user accounts. This centralized security environment assists you in complying with FDA 21 CFR Part 11.

The Security Synchronizer supports Windows group membership at the local or domain level. Nested groups within a Windows domain are also supported, so the Synchronizer can find users who are members of groups nested within other groups.

NOTE: Current iFIX software must be installed and running on the machine using the Security Synchronizer. The Security Synchronizer only synchronizes iFIX groups.

Operational Overview

First you create Windows groups for each iFIX privilege you want to assign. This includes iFIX security areas, application features, and groups. Then you assign Windows users to these Windows groups. The Synchronizer accesses this Windows account information, and then adds, modifies, and deletes iFIX security user accounts based on this information. The Synchronizer modifies only those iFIX security user accounts configured to use Windows security. However, you can configure the Synchronizer to delete non-Windows users from iFIX. Refer to the /R parameter in the Using the Command Line section for more information about deleting users.
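The following sketch is an added illustration, not the product's code. It models the reconciliation described above so you can preview which iFIX accounts a run would add, modify, or delete, including the effect of removing non-Windows users and the resolution of nested groups. The group names, privilege labels, and account records are constructed, and deleting a Windows-configured account that no longer belongs to any mapped group is an assumption.

```python
# Added illustration, not the product's code. All names and data are constructed.
GROUPS = {  # Windows group -> direct members (users or other groups)
    "IFIX_AREA_LINE1": ["alice", "SHIFT_LEADS"],
    "SHIFT_LEADS": ["bob", "IFIX_AREA_LINE1"],  # nested group with a cycle
    "IFIX_FEATURE_WORKSPACE": ["alice"],
}
GROUP_TO_PRIVILEGE = {  # hypothetical mapping, not the product's naming scheme
    "IFIX_AREA_LINE1": "area:Line1",
    "IFIX_FEATURE_WORKSPACE": "feature:WorkSpace",
}
IFIX_ACCOUNTS = {  # current iFIX accounts; "windows" = uses Windows security
    "alice": {"windows": True, "privileges": {"area:Line1"}},
    "carol": {"windows": True, "privileges": {"area:Line1"}},
    "localadmin": {"windows": False, "privileges": {"feature:WorkSpace"}},
}


def expand_members(group, groups, seen=None):
    """Return every user in `group`, following nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:  # member is itself a group: recurse into it
            users |= expand_members(member, groups, seen)
        else:
            users.add(member)
    return users


def plan_sync(groups, group_to_privilege, accounts, remove_non_windows=False):
    """Preview adds, modifies and deletes; remove_non_windows models /R."""
    wanted = {}
    for group, privilege in group_to_privilege.items():
        for user in expand_members(group, groups):
            wanted.setdefault(user, set()).add(privilege)
    plan = {"add": {}, "modify": {}, "delete": set(), "untouched": set()}
    for user, privs in wanted.items():
        if user not in accounts:
            plan["add"][user] = privs
    for user, account in accounts.items():
        if not account["windows"]:  # never modified; deleted only on request
            plan["delete" if remove_non_windows else "untouched"].add(user)
        elif user not in wanted:  # assumption: no mapped group left -> delete
            plan["delete"].add(user)
        elif account["privileges"] != wanted[user]:
            plan["modify"][user] = wanted[user]
    return plan
```

Comparing the plan with and without remove_non_windows shows which local iFIX accounts would be lost before you schedule a run that deletes non-Windows users.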

You can periodically run the Synchronizer as a background task or you can manually run the Synchronizer. Refer to Scheduling Security Synchronizer for more details.

NOTE: You must assign the Security Synchronizer application feature to the iFIX user that runs or schedules the Security Synchronizer.

You can run the Synchronizer in these security storage configurations:

  • Windows user and group accounts configured on the local computer.
  • Windows user and group accounts configured on a domain controller.
  • A combination of these two configurations.

TIP: If you run the Security Synchronizer and you have Change Management enabled, be aware that the security files may be under someone else's source control and you cannot modify them. Check the alarm log file for Security Synchronizer results. If you installed iFIX to the default location, you can find this .log file in the C:\Program Files (x86)\Proficy\iFIX\ALM folder.

In addition to being able to run the Synchronizer in a number of configurations, Security Synchronizer also provides these features:

  • Ability to run regardless of whether a user is logged into iFIX, or whether a logged-in user has sufficient iFIX security privileges.

    NOTES:

    • This feature depends on the system user having Automatic login privileges and the Security Synchronizer application feature assigned.
    • If Change Management is enabled and you want to use the Security Synchronizer, there must be a logged-in iFIX user, and that logged-in user must have sufficient security privileges to use Change Management.
  • An audit trail that lists all changes made to the iFIX security configuration through the security log and optionally through alarm messages.
  • Added security that prevents you from accidentally running the Synchronizer. This is accomplished by requiring command line parameters for the program to run, and by requiring the system user to have the Security Synchronizer application feature assigned.
  • A robust set of parameters you can use to customize the command line that runs the Synchronizer. For example, you can supply a time-out value to any new iFIX user accounts created by the Synchronizer, and you can remove all iFIX user accounts not configured to use Windows security. Refer to Using the Command Line for more information on command line parameters.
  • Ability to process nested groups, finding users who are members of groups within the groups.

 
