Security RuntimeUsers (Reference): Dynamic user management during runtime, allowing user creation and authentication without modifying solution configuration.
RuntimeUsers provide:
- Dynamic user creation during runtime
- External database integration
- Active Directory/LDAP authentication
- Temporary or permanent user accounts
- Script-based user management
RuntimeUsers combined with SecurityUsers form the complete Solution Users.
Table of Contents maxLevel 2 minLevel 2 indent 10px exclude Steps style none
RuntimeUsers vs SecurityUsers
| Aspect | SecurityUsers | RuntimeUsers |
|---|---|---|
| Creation | Design-time only | Runtime only |
| Storage | Solution file | External database |
| Engineering Access | Yes | No |
| Modify Solution | Yes | No |
| Runtime Access | Yes | Yes |
| Source | Internal | External/Scripts |
Note: RuntimeUsers cannot access Engineering mode or modify solution configuration. They are application users only.
Configuration Sources
1. Script Creation
csharp
// Create user programmatically
@Security.CreateUser(
"john.doe",
"password123",
"Operator,Maintenance",
"Enhanced"
);2. External SQL Database
Configuration: Datasets → DBs → RuntimeUsers
- Default: SQLite database
- Supports: SQL Server, MySQL, PostgreSQL
- Auto-created table structure
3. AD/LDAP Integration
- Users validated against directory
- Created in memory only
- No database storage
RuntimeUsers Table Properties
Access: Security → RuntimeUsers (read-only view)
| Property | Description | Modifiable |
|---|---|---|
| Name | Unique username | Via script/DB |
| Password | Encrypted credential | Via script/DB |
| Permissions | Group assignments | Via script/DB |
| Policy | Security policy | Via script/DB |
| Blocked | Access denied flag | Via script/DB |
| Deleted | Soft delete marker | Via script/DB |
| InvalidAttempts | Failed login count | Auto-updated |
| ChangePasswordRequired | Force password change | Via script/DB |
| LastChangePasswordUTC_Ticks | Password change timestamp | Auto-updated |
| LastBlockedUserUTC_Ticks | Block timestamp | Auto-updated |
| Level | Hierarchical access | Via script/DB |
| Category | User classification | Via script/DB |
| ContactInfo | Email/phone | Via script/DB |
Database Configuration
Default SQLite Structure
Location: <SolutionPath>.dbRuntimeUsers
Table automatically created with:
- User authentication fields
- Permission assignments
- Policy enforcement
- Audit tracking
Custom Database
- Configure Datasets → DBs → RuntimeUsers
- Set connection string
- System creates table if missing
- Maintain schema compatibility
Script Management
Creating Users
csharp
public void CreateOperator(string username, string password)
{
bool success = @Security.CreateUser(
username,
password,
"Operator", // Permissions
"Default" // Policy
);
if (success)
{
@Info.Trace($"User {username} created");
}
}Modifying Users
csharp
// Change password
@Security.ChangePassword("john.doe", "newPassword");
// Update permissions
@Security.SetUserPermissions("john.doe", "Operator,Supervisor");
// Block user
@Security.BlockUser("john.doe");Deleting Users
csharp
// Soft delete (mark as deleted)
@Security.DeleteUser("john.doe", softDelete: true);
// Hard delete (remove from database)
@Security.DeleteUser("john.doe", softDelete: false);Windows AD / LDAP Integration
Windows AD Authentication
Automatic Availability when:
- Solution runs on Windows
- Domain connectivity exists
- Port 3102 (default) accessible
Configuration:
- Navigate to Runtime → Startup
- Enable Use WA checkbox
- Set PortWA: 3102 (or custom)
- Configure redundancy ports if needed
Connection Methods:
Rich Client:
Server: ServerName
Port: 3102 (AD port)
Windows Authentication: EnabledWeb Client URL:
http://server/fs-2024/TSmartClient.application?port1=3102&wa=trueLDAP Server Configuration
Setup:
- Navigate to Security → RuntimeUsers
- Enter LDAP server in AD/LDAP Server field:
ldap://company.local:389
ldaps://secure.company.local:636Connection String Examples:
Standard LDAP:
ldap://dc1.company.local:389Secure LDAP:
ldaps://dc1.company.local:636With Base DN:
ldap://dc1.company.local:389/DC=company,DC=localPermission Mapping
User Resolution Order:
- Check for exact username match in Security → Users
- Map Windows groups to permission groups
- Apply Guest permissions if no match
Group Mapping Example:
Windows Group: Domain\Engineers
Permission Group: Engineering
Result: User gets Engineering permissionsLDAP Attributes Mapping:
| LDAP Attribute | Solution Property |
|---|---|
| sAMAccountName | UserName |
| memberOf | Permissions (via groups) |
| displayName | Display name |
| ContactInfo | |
| department | UserGroup |
Runtime Behavior
User Validation Order
- Check SecurityUsers (internal)
- Query RuntimeUsers database
- Validate against AD/LDAP
- Apply Guest if no match
Authentication Flow
Client.LogOn(username, password)
↓
1. Check Engineering Users (SecurityUsers)
2. Check Runtime Users (Database)
3. Check LDAP Server (if configured)
4. First valid match logs inSession Management
csharp
// Get all active users
var users = @Security.GetActiveUsers();
// Check if RuntimeUser
bool isRuntimeUser = @Security.IsRuntimeUser(username);
// Get user source
string source = @Security.GetUserSource(username);
// Returns: "Internal", "Database", "AD"Security Configuration
Forcing AD-Only Access
- Enable Use WA in Runtime → Startup
- Disable standard authentication port
- Configure AD-only port
csharp
// Check if using Windows Authentication
if (@Client.IsWindowsAuthenticated)
{
string domain = @Client.WindowsDomain;
string user = @Client.WindowsUserName;
@Info.Trace($"AD User: {domain}\\{user}");
}Service Account Configuration
csharp
// Configure service account for LDAP queries
@Security.LDAPServiceAccount = "svc_scada";
@Security.LDAPServicePassword = GetSecurePassword();
@Security.LDAPSearchBase = "OU=Users,DC=company,DC=local";Best Practices Checklist
- Use appropriate source - AD for enterprise, DB for standalone
- Set permissions carefully - RuntimeUsers can't be admins
- Use secure LDAP - LDAPS on port 636 when possible
- Implement audit trail - Track user creation/modification
- Regular cleanup - Remove inactive RuntimeUsers
- Secure database - Protect RuntimeUsers table
- Document user sources - Clear origin tracking
- Test authentication paths - Verify all methods work
Common Configurations
Manufacturing Domain
AD Server: mfg.company.local
Port: 3102
Groups:
- MFG\Operators → Operator
- MFG\Engineers → Engineering
- MFG\Managers → SupervisorEnterprise LDAP
LDAP: ldaps://enterprise.local:636
Base DN: DC=enterprise,DC=local
Groups:
- CN=SCADA_Users → User
- CN=SCADA_Admin → AdministratorTroubleshooting
User not found:
- Check database connection
- Verify table exists
- Review AD connectivity
- Confirm username format
Cannot create user:
- Verify CreateUsers permission
- Check database write access
- Review policy restrictions
- Confirm unique username
AD/LDAP users not working:
- Test domain connectivity
- Verify group mappings
- Check authentication mode
- Review domain credentials
Wrong permissions:
- Check group name spelling (exact match required)
- Review permission mapping
- Test with known group
Slow authentication:
- Check domain controller load
- Review network latency
- Optimize LDAP queries
- Consider caching
See Also
- Security Module (Reference) - Complete security documentation
- Security & Compliance (Tutorial) - Setup guide
- Standards Compliance (How-to Guide) - Regulatory requirements
In this section...
| Page Tree | ||
|---|---|---|
|
The RuntimeUsers allows to extend the Users with authorization to access the Solution when it is running, dynamically extending the list of the solution's users.
The RuntimeUsers can be enabled from the following sources:
- Creating RuntimeUsers with Scripts, using the Security namespace
- From External SQL databases (As defined in the Dataset.DB.RuntimeUsers connections)
- Integration with AD or LDAP server
On this page:
| Table of Contents | ||||
|---|---|---|---|---|
|
Understanding RuntimeUsers
The combination of the Runtime Users and the ones defined at the SecurityUsers table are called Solution Users.
| Note |
|---|
The main difference between the two is that engineering users can access the software's engineering mode, allowing them to design and configure the project. In contrast, runtime users only can use the application, they cannot change the project configuration or design since they don't have access to the engineering mode. Another distinction is that the regular Users are defined within the Solution file itself, as the Runtime Users are defined in external Security Servers or databases. |
RuntimeUsers SQL Table
At Security / RuntimeUsers, you can access the contents of the RuntimeUsers defined on the external SQL database.
That database is defined by the configuration of the object Dataset.DB.RuntimeUsers.
When the solution is created, by default that table is created using a SQLite database.
This table is Read-Only for the Designer, to modify the list of Users, you must modify the source Database directly, or use the Script CreateUser methods.
Property | Description (Read-only) |
|---|---|
ID | Displays the unique identifier of the runtime user as defined in the system. |
Name | Displays the name of the runtime user as registered in the system. |
LockState | Displays the current lock state of the runtime user's account according to the system's security protocols. |
Permissions | Displays the list of permissions granted to the runtime user, as specified in the security permissions table. |
Password | Displays the runtime user's password in a secure, encrypted format. |
PasswordHint | Displays the hint associated with the runtime user's password, as set during account creation or update. |
Policy | Displays the security policy applied to the runtime user, as defined in the security policies table. |
Blocked | Displays whether the runtime user is currently blocked from accessing the system, based on security settings. |
Deleted | Displays if the runtime user's account has been marked for deletion in the system. |
DateModified | Displays the date and time when the runtime user's details were last modified in the system. |
DateCreated | Displays the date and time when the runtime user's account was created in the system. |
ContactInfo | Displays the runtime user's contact information as recorded in the system. |
Level | Displays the runtime user's level or rank, as designated in the user management system. |
Category | Displays the category of the runtime user, reflecting their role or type as defined in the system. |
Alias | Displays an alternate name or identifier for the runtime user, as set in the system. |
Company | Displays the company or organization linked to the runtime user, as recorded in the system. |
UserGroup | Displays the group or department to which the runtime user is assigned, as specified in the system. |
InvalidAttempts | Displays the count of invalid login attempts by the runtime user, as tracked by the system. |
LastChangePasswordUTC_Ticks | Displays the timestamp in UTC ticks of the last password change by the runtime user, as logged by the system. |
ChangePasswordRequired | Displays whether the runtime user is required to change their password at the next login, as per system policy. |
LastBlockedUserUTC_Ticks | Displays the timestamp in UTC ticks when the runtime user was last blocked, as logged in the system. |
RuntimeUsers from AD or LDAP
RuntimeUsers who access the Solution based on AD/LDAP validation will not appear in the RuntimeUsers Database. These users are created directly in memory while the Solution is running, as their usernames and permissions are managed by external security servers
For Information to use AD/LDAP go to Windows AD / LDAP Server.
In this section: