Security RuntimeUsers (Reference)
extend solution access dynamically: Dynamic user management during runtime, allowing user
managementcreation and authentication without modifying
thesolution configuration.
RuntimeUsers provide:
- Dynamic user creation during runtime
- External database integration
- Active Directory/LDAP authentication
- Temporary or permanent user accounts
- Script-based user management
RuntimeUsers combined with SecurityUsers form the complete Solution Users.
In this page:
Table of Contents maxLevel 2 minLevel 2 indent 10px exclude Steps style none
Security → Tutorial | Concept | How-to Guide | Standards Compliance | Reference
RuntimeUsers vs SecurityUsers
| Aspect | SecurityUsers | RuntimeUsers |
|---|---|---|
| Creation | Design-time only | Runtime only |
| Storage | Solution file | External database |
| Engineering Access | Yes | No |
| Modify Solution | Yes | No |
| Runtime Access | Yes | Yes |
| Source | Internal | External/Scripts |
<ac:structured-macro ac:name="note"> ac:rich-text-body Note: RuntimeUsers cannot access Engineering mode or modify solution configuration. They are application users only. </ac:rich-text-body> </ac:structured-macro>
Configuration Sources
1. Script Creation
csharp
// Create user programmatically
@Security.CreateUser(
"john.doe",
"password123",
"Operator,Maintenance",
"Enhanced"
);2. External SQL Database
Configure at Configuration: Datasets → DBs → RuntimeUsers
- Default: SQLite database
- Supports: SQL Server, MySQL, PostgreSQL
- Auto-created table structure
3. AD/LDAP Integration
- Users validated against directory
- Created in memory only
- No database storage
RuntimeUsers Table Properties
Access: Security → RuntimeUsers (read-only view at Security → RuntimeUsers:)
| Property | Description | Modifiable |
|---|---|---|
| Name | Unique username | Via script/DB |
| Password | Encrypted credential | Via script/DB |
| Permissions | Group assignments | Via script/DB |
| Policy | Security policy | Via script/DB |
| Blocked | Access denied flag | Via script/DB |
| Deleted | Soft delete marker | Via script/DB |
| InvalidAttempts | Failed login count | Auto-updated |
| ChangePasswordRequired | Force password change | Via script/DB |
| LastChangePasswordUTC_Ticks | Password change timestamp | Auto-updated |
| LastBlockedUserUTC_Ticks | Block timestamp | Auto-updated |
| Level | Hierarchical access | Via script/DB |
| Category | User classification | Via script/DB |
| ContactInfo | Email/phone | Via script/DB |
| Company | Organization | Via script/DB |
| UserGroup | Department | Via script/DB |
Database Configuration
Default SQLite Structure
Location: <SolutionPath>.dbRuntimeUsers
Table automatically created with:
- User authentication fields
- Permission assignments
- Policy enforcement
- Audit tracking
Custom Database
- Configure Datasets → DBs → RuntimeUsers
- Set connection string
- System creates table if missing
- Maintain schema compatibility
Script Management
Creating Users
csharp
public void CreateOperator(string username, string password)
{
bool success = @Security.CreateUser(
username,
password,
"Operator", // Permissions
"Default" // Policy
);
if (success)
{
@Info.Trace($"User {username} created");
}
}Modifying Users
csharp
// Change password
@Security.ChangePassword("john.doe", "newPassword");
// Update permissions
@Security.SetUserPermissions("john.doe", "Operator,Supervisor");
// Block user
@Security.BlockUser("john.doe");Deleting Users
csharp
// Soft delete (mark as deleted)
@Security.DeleteUser("john.doe", softDelete: true);
// Hard delete (remove from database)
@Security.DeleteUser("john.doe", softDelete: false);AD/LDAP Users
Characteristics
Configuration
csharp
// Enable AD authentication
@Security.AuthenticationMode = "WindowsAD";
@Security.ADDomain = "company.local";
// Map AD groups to permissions
@Security.ADGroupMapping["Domain Users"] = "Operator";
@Security.ADGroupMapping["Domain Admins"] = "Administrator";Runtime Behavior
User Validation Order
- Check SecurityUsers (internal)
- Query RuntimeUsers database
- Validate against AD/LDAP
- Apply Guest if no match
Session Management
csharp
// Get all active users
var users = @Security.GetActiveUsers();
// Check if RuntimeUser
bool isRuntimeUser = @Security.IsRuntimeUser(username);
// Get user source
string source = @Security.GetUserSource(username);
// Returns: "Internal", "Database", "AD"Best Practices
- Use appropriate source - AD for enterprise, DB for standalone
- Set permissions carefully - RuntimeUsers can't be admins
- Implement audit trail - Track user creation/modification
- Regular cleanup - Remove inactive RuntimeUsers
- Secure database - Protect RuntimeUsers table
- Document user sources - Clear origin tracking
- Test authentication - Verify all paths work
Troubleshooting
User not found:
- Check database connection
- Verify table exists
- Review AD connectivity
- Confirm username format
Cannot create user:
- Verify CreateUsers permission
- Check database write access
- Review policy restrictions
- Confirm unique username
AD users not working:
- Test domain connectivity
- Verify group mappings
- Check authentication mode
- Review domain credentials
Database errors:
- Verify connection string
- Check table schema
- Review permissions
- Test database access
CONSOLIDATE:
Windows AD / LDAP Server (Reference)
Windows AD / LDAP Integration
Windows AD Authentication
Automatic Availability
Windows AD support is automatically enabled when:
- Solution runs on Windows
- Domain connectivity exists
- Port 3102 (default) accessible
Configuration:
- Navigate to Runtime → Startup
- Enable Use WA checkbox
- Set PortWA: 3102 (or custom)
- Configure redundancy ports if needed
Connection Methods:
Rich Client:
Server: ServerName
Port: 3102 (AD port)
Windows Authentication: EnabledWeb Client URL:
http://server/fs-2024/TSmartClient.application?port1=3102&wa=trueLDAP Server Configuration
Setup:
- Navigate to Runtime → Startup
- Enable Use WA checkbox
- Set PortWA: 3102 (or custom) Configure redundancy ports if needed
- Security → RuntimeUsers
- Enter LDAP server in AD/LDAP Server field:
ldap://company.local:389
ldaps://secure.company.local:636Connection String Examples:
Standard LDAP:
ldap://dc1.company.local:389Secure LDAP:
ldaps://dc1.company.local:636With Base DN:
ldap://dc1.company.local:389/DC=company,DC=localPermission Mapping
User Resolution Order:
- Check for exact username match in Security → Users
- Map Windows groups to permission groups
- Apply Guest permissions if no match
Group Mapping Example:
Windows Group: Domain\Engineers
Permission Group: Engineering
Result: User gets Engineering permissionsConfiguration Steps
- Create permission group matching AD group name
- Set desired permissions for group
- AD users automatically inherit permissions
LDAP Server Integration
Configuration
- Navigate to Security → RuntimeUsers
- Enter LDAP server in AD/LDAP Server field:
ldap://company.local:389
ldaps://secure.company.local:636Authentication Flow
LDAP Attributes Mapping:
| LDAP Attribute | Solution Property |
|---|---|
| sAMAccountName | UserName |
| memberOf | Permissions (via groups) |
| displayName | Display name |
| ContactInfo | |
| department | UserGroup |
Runtime Behavior
User Validation Order
- Check SecurityUsers (internal)
- Query RuntimeUsers database
- Validate against AD/LDAP
- Apply Guest if no match
Authentication Flow
csharpClient.LogOn(username, password)
↓
1. Check Engineering Users (SecurityUsers)
2. Check Runtime Users (Database)
3. Check LDAP Server (if configured)
4. First valid match logs inUser Identification
Domain Requirements
- Client user must exist on server domain
- Same domain group membership required
- Server validates client credentials
- Domain trust relationships honored
Username Formats
DOMAIN\username // NetBIOS format
username@domain.com // UPN format
username // Local/simple formatSession Management
csharp
// Get all active users
var users = @Security.GetActiveUsers();
// Check if RuntimeUser
bool isRuntimeUser = @Security.IsRuntimeUser(username);
// Get user source
string source = @Security.GetUserSource(username);
// Returns: "Internal", "Database", "AD"Security Configuration
Forcing AD-Only Access
Configuration
Disable solution users, accept only AD:- Enable Use WA in Runtime → Startup
- Disable standard authentication port
- Configure AD-only port
csharp
// Check if using Windows Authentication
if (@Client.IsWindowsAuthenticated)
{
string domain = @Client.WindowsDomain;
string user = @Client.WindowsUserName;
@Info.Trace($"AD User: {domain}\\{user}");
}LDAP Configuration Details
Connection String Examples
Standard LDAP:
ldap://dc1.company.local:389Secure LDAP:
ldaps://dc1.company.local:636With Base DN:
ldap://dc1.company.local:389/DC=company,DC=localLDAP Attributes Mapping
| LDAP Attribute | Solution Property |
|---|---|
| sAMAccountName | UserName |
| memberOf | Permissions (via groups) |
| displayName | Display name |
| ContactInfo | |
| department | UserGroup |
Redundancy Configuration
Primary/Backup ServersPrimary AD Port: 3102
Backup AD Port: 3103Command Line:
TServer.exe /port1:3102 /wa:true
TServer.exe /port1:3103 /wa:true /backupSecurity Considerations
Best Practices
- Use secure LDAP - LDAPS on port 636
- Limit service account - Minimal permissions
- Configure firewalls - Restrict AD ports
- Regular group audits - Review mappings
- Test failover - Verify redundancy
- Document mappings - Clear group relations
- Monitor authentication - Track failures
Service Account Configuration
csharp
// Configure service account for LDAP queries
@Security.LDAPServiceAccount = "svc_scada";
@Security.LDAPServicePassword = GetSecurePassword();
@Security.LDAPSearchBase = "OU=Users,DC=company,DC=local";Troubleshooting
Cannot authenticate:
- Verify domain connectivity
- Check port accessibility
- Confirm user exists in AD
- Review group memberships
Wrong permissions:
- Check group name spelling
- Verify exact match required
- Review permission mapping
- Test with known group
LDAP connection failed:
- Test LDAP server access
- Verify credentials
- Check SSL certificates
- Review firewall rules
Slow authentication:
Best Practices Checklist
- Use appropriate source - AD for enterprise, DB for standalone
- Set permissions carefully - RuntimeUsers can't be admins
- Use secure LDAP - LDAPS on port 636 when possible
- Implement audit trail - Track user creation/modification
- Regular cleanup - Remove inactive RuntimeUsers
- Secure database - Protect RuntimeUsers table
- Document user sources - Clear origin tracking
- Test authentication paths - Verify all methods work
Common Configurations
Manufacturing Domain
AD Server: mfg.company.local
Port: 3102
Groups:
- MFG\Operators → Operator
- MFG\Engineers → Engineering
- MFG\Managers → SupervisorEnterprise LDAP
LDAP: ldaps://enterprise.local:636
Base DN: DC=enterprise,DC=local
Groups:
- CN=SCADA_Users → User
- CN=SCADA_Admin → AdministratorTroubleshooting
User not found:
- Check database connection
- Verify table exists
- Review AD connectivity
- Confirm username format
Cannot create user:
- Verify CreateUsers permission
- Check database write access
- Review policy restrictions
- Confirm unique username
AD/LDAP users not working:
- Test domain connectivity
- Verify group mappings
- Check authentication mode
- Review domain credentials
Wrong permissions:
- Check group name spelling (exact match required)
- Review permission mapping
- Test with known group
Slow authentication:
- Check domain controller load
- Review network latency
- Optimize LDAP queries
- Consider caching
See Also
- Security Module (Reference) - Complete security documentation
- Security & Compliance (Tutorial) - Setup guide
- Standards Compliance (How-to Guide) - Regulatory requirements
In this section...
| Page Tree | |||
|---|---|---|---|
|
Overview
Content Tools
Tasks