Windows and Security

Running iFIX

As a built-in Windows administrator, you have the rights you need to operate an iFIX SCADA node (start and stop iFIX).

To allow a non-administrator (standard user) to operate an iFIX SCADA node without access control, you need to add the "Create Global Objects" policy to the individual user or group to provide access. For Domain users, the Domain user account needs to be added to this policy on the local computer also.

If you enable access control, you need to make sure that all iFIX users are part of the iFIX secure group (the secure group was specified during install or with the ConfigureWizard.exe).

NOTE: When installing iFIX with access controls, the Windows Group name used from the domain or computer name provided (IFIXUSERS for example) must be different than any local group name configured on the machine with iFIX installed.

IMPORTANT: WorkSpace and other iFIX applications may become unstable when running with access controls in a Domain environment if the connection to the Active Directory server is lost.

Running iFIX as a Service

If iFIX was installed with access control, to run iFIX as a service, make sure the user is part of the secure group specified during install (by default, this is the IFIXUSERS group). If you are not sure what this group is, run the ConfigureWizard.exe tool which is found in the iFIX install folder (by default: C:\Program Files (x86)\Proficy\iFIX) to identify it.

If installed without access control, to allow a user to run iFIX as a service, you need to run the GrantUserFixServiceRights utility from the command line to grant access to the service for this user. You also need to add the "Create Global Objects" policy to the individual user or group, unless they are a member of the Administrators group.

For more information on access controls, see Access Controls in iFIX.

To add the Create Global Objects policy to a user:

  1. Log in as an Administrator.
  2. Click the Start button, and in the Search box, type secpol.msc and press Enter. The Local Security Policy window appears.
  3. In the tree, double-click Security Settings, and then Local Policies, to view the contents of the Local Policies folder.
  4. Click the User Rights Assignment item to view the policies.
  5. Double-click the Create Global Objects policy. The Create Global Object Properties dialog box appears.
  6. Click Add User or Group. The Select Users or Groups dialog box appears.
  7. Enter an individual user name, or group name, such as "iFIXUsers."
  8. Click OK to add the user.

To run the GrantUserFixServiceRights command for a user or group:

  1. Log in as an Administrator.
  2. Click the Start button, and in the Search box, type Command Prompt and press Enter. If the Command Prompt does not appear immediately, double-click the Command Prompt from the list of results.
  3. In the Command Prompt window, type:

    4. GrantUserFixServiceRights GRANT FIX USERNAME

    where FIX is the name of the service (iFIX) that you want to grant rights to, and USERNAME is the name of the user or group that you want to grant rights to.

To provide privileges to a Windows user with the ConfigureWizard.exe when access controls (secure mode) are enabled:

  1. Log in as an iFIX Administrator.

  2. Locate and run configure wizard (ConfigureWizard.exe) in the iFIX install folder. By default this path is: C:\Program Files (x86)\Proficy\iFIX\ConfigureWizard.exe. The Install Mode wizard appears.

  1. Select the "Assign a Windows User Account to iFIX services" option.

  2. Enter a user name. If on a domain, enter the fully qualified domain name along with the user account. For example, the previous illustration specified W2022\USER1 as the user account.

    NOTE: When installing iFIX with access controls, the Windows Group name used from the domain or computer name provided (IFIXUSERS in the previous illustration) must be different than any local group name configured on the machine with iFIX installed.

  3. Enter the password for this account.

  4. Click OK.

  5. Restart your computer.

  6. Start iFIX

  7. Configure the service option in the SCU, if you have not already done so. (From the SCU and select Configure > Local Startup and the select Set iFIX as a Service option, and (if applicable) the Set Service Type to Automatic option. See the topic for details.)

Running iFIX as a Service with Other Services

If you plan to run iFIX as a service along with other services such as the iFIX scheduler, the OPC A&E Server, and the OPC DA Server, make sure that your user has the rights to start/stop/pause all of those services. A user who is a member of the Administrators group usually has all these privileges. (This can be verified by opening the Windows service control panel and checking if the Start/Stop setting is enabled.) To grant a user who is a standard user rights to start/stop/pause these services, log in to Windows as an Administrator and run the following commands:

GrantUserFixServiceRights GRANT IFIXSCHEDULER username

GrantUserFixServiceRights GRANT IFIXOPCAESRV username

GrantUserFixServiceRights GRANT IFIXOPCDA username

Examples: Using GrantUserFixServiceRights

If you want to allow a user named QA1 to run iFIX as a service, type:

GrantUserFixServiceRights GRANT FIX QA1

If you want to allow all members of the group “iFIXUsers” to run iFIX as a service, type:

GrantUserFixServiceRights GRANT FIX "iFIXUsers"

If you later need to revoke the right to run iFIX as a service, use the following command:

GrantUserFixServiceRights REVOKE FIX USERNAME

where FIX is the name of the service that you want to revoke rights from, and USERNAME is the name of the user or group that you want to revoke rights from.