The Users item allows configuring information referring to users who have access or not to an application. The available options in this item are described on the next table.
Available options on the Users item
Option |
Description |
|---|---|
New |
Creates a new user |
Edit |
Edits the properties of the selected user |
Delete |
Deletes the selected user |
When clicking New, the window on the next figure is displayed.
Add User window with Elipse E3 authentication
The available options on this window are described on the next table.
Available options on the Add User window
Option |
Description |
|---|---|
Name |
Name of this user |
Full name |
Full name of this user |
Authentication kind |
Indicates the type of authentication of this user. The available options are Elipse E3 Authentication: This user is created in the current Domain or Windows Authentication: Allows adding a user from a Windows network domain |
Password |
Password of this user. Please check the next note |
Confirm password |
Confirmation of the password of this user. Please check the next note |
When selecting the Windows Authentication option, the Add User window changes to allow selecting users from a Windows network domain, according to the next figure.
Add User window with Windows authentication
When selecting Browse, the window on the next figure is displayed, allowing a search for a Windows domain and then selecting a user from that domain.
Browse Windows Users window
When selecting a user and clicking Edit, the options to edit the selected user are displayed on the tabs of the next figures.
User Information tab
On the User Information tab, in addition to the options already described on the Add User window, users can indicate whether a user is an administrator by selecting the This user is an administrator option and change the current password by clicking Change Password. In this case, the window on the next figure is then opened.
Change User Password window
•In case of editing an existing user, changing the Password field implies in deleting the content of the Retype password field and vice versa, but only in the first time users edit any of these fields. •Whenever users change their password, a logout is performed from all sessions where these users were logged in, except from the session where this password change was performed. |
On the Groups tab, shown on the next figure, users can inform to which groups of users this user must belong. To do so, select a group on the Available groups list and click Add to move this group to the Belongs to list. To remove a group from that list, click Remove.
Groups tab
On the Security Properties tab, shown on the next table, users can specify several properties related to a user's security.
Security Properties tab
The available options on this tab are described on the next table.
NOTE |
The (Inherited) indication in the available options of this window means that the value of that option is inherited from the group that a user belongs to or inherited from the system. The (By default) indication means that the value is the default for that option. |
Available options on the Security Properties tab
Option |
Description |
|---|---|
Disallow password change |
Indicates that this user cannot change their password. This change can only be performed by an administrator |
Allow changing expired password |
Allows this user to immediately change their expired password |
Password expiration |
Indicates whether this user's password has an expiration time. Before this time is over, a dialog box is displayed indicating how many days are left for expiration and offering an option to change the password. After that period, the password expires and must be changed. Defining this value as 0 (zero) allows this user's password to expire at the end of the current day. NOTE: If this option is enabled, configure in the Days to expire item a time period for this password to expire and, if the configured value is equal to 0 (zero), it is advisable to disable the Minimum password age option |
Minimum password age |
Indicates whether there is a minimum time in days for this user's password be used before changing it. The value of the Minimum age in days item must be between 1 (one) and 730. Defining this value as 0 (zero) allows this user to change their password immediately. NOTE: If the Password expiration option is configured, the value of this option cannot exceed the value configured in the Days to expire item |
Minimum password length |
Indicates whether this user's password must have a minimum size of characters. If this option is enabled, configure in the Minimum characters item a minimum value of characters for a password |
Alphanumeric password |
Indicates whether this user's password must contain letters and numbers |
Minimum numeric characters in password |
Indicates whether this user's password must have a minimum number of numeric characters. If this option is enabled, configure in the Minimum numeric characters item a minimum value of numeric characters for a password |
Minimum letters in password |
Indicates whether this user's password must have a minimum number of letters. If this option is enabled, configure in the Minimum letters item a minimum number of letters for a password |
Minimum special characters in password |
Indicates whether this user's password must have a minimum number of special characters. If this option is enabled, configure in the Minimum special characters item a minimum number of special characters for a password |
Uppercase and lowercase characters |
Indicates whether this user's password must contain uppercase and lowercase characters |
Ignore case in passwords |
Indicates that the validation of this user's password is performed by not differentiating uppercase and lowercase letters. Enabling this option is not recommended |
Password history |
Indicates whether the last passwords of this user are stored and cannot be used. If this option is enabled, configure in the Number of passwords item how many passwords must be stored. After reaching the value indicated in this item, the oldest password is discarded and can be used again |
Account disabled |
Indicates whether this user's account is disabled |
Account blocked |
Indicates whether this user's account is blocked. This option is enabled automatically if the password expires or if this user types a wrong password several times |
Force password change |
Indicates that this user must change their password when executing the next login |
On the Permissions tab, shown on the next figure, users can specify the permissions of this user for Domains, Elipse E3 Viewers, Screens, and Alarms. A permission check consists on an information a user has about a command that acts upon a specific object.
Permissions tab
For each security item there is a series of permissions that can be configured for each user. The available options are described on the next tables.
NOTE |
Administrator users have all permissions enabled by default and this behavior cannot be changed. Therefore, the available options on the security items Domain, Viewer, Screens, and Alarms always show the Allow Command |
Available options for Domains
Option |
Description |
|---|---|
Run Domain |
Enables the execution of a Domain |
Stop Domain |
Stops a Domain |
Edit Domain |
Enables editing a Domain |
Run as a service |
Enables the execution a Domain as a service |
Allows configuring users and groups of users |
|
Remote Domain access |
Enables remote access to a Domain |
Remote Domain write access |
Enables remote writing access to a Domain |
Enables writing to the column of property values on the WatchWindow window at run time |
NOTE |
Starting with version 6.0, applications created with previous versions are opened in Elipse E3 Studio with the permission Write to runtime properties from Studio disabled by default. |
Available options for Viewers
Option |
Description |
Server write access |
Enables writing access to a server |
Available options for Screens
Option |
Description |
Open Screen |
Enables opening Screens |
Available options for Alarms
Option |
Description |
Alarm acknowledgment |
Enables acknowledging alarms |
Delete unbound alarms |
Enables removing alarms unbound to Alarm Sources |
Shelve/Unshelve alarms |
Enables shelving and unshelving alarms |
Each item on a list of permissions can be configured with one of the statuses on the next table.
Possible statuses for a list of permissions
Status |
Description |
|---|---|
Allow Command |
This option is allowed to the selected user or group, ignoring all groups to which they belong |
Deny Command |
This option is denied to the selected user or group, ignoring all groups to which they belong |
Command Allowed by this Group |
This option is allowed to the selected user or group, if it is allowed on groups to which the selected user or group belongs |
Command Denied by this Group |
This option is denied to the selected user or group, if it is denied to at least one of all groups to which the selected user or group belongs |
Not Informed |
The selected user or group uses the definitions from the groups to which they belong and there is nothing informed on those groups, therefore the option is allowed |
NOTE |
To configure all possible statuses for each security item on the permissions list, use the following options: •Right-click an item or use the shortcut key SHIFT + F10, which corresponds to the application or menu key •Double-click an item or use the space bar to toggle between Allow Command, Deny Command, or Not Informed statuses. |
For Screens, this configuration of permissions can be performed by Screen specifically. For Alarms, this configuration can be performed by Area.
NOTE |
In an application, all users have access to its initial Screen. In case users want that application to always start displaying a dialog box for user login, create a user with no specific permission for its initial Screen. Thus, every time this application starts, it asks for a user login, and after that it displays its initial Screen. |
As for anonymous user permissions, users must notice the following situations:
•If there are no users at all, a permission check is not enabled, or there is no user with restrictions for a certain operation, then a user identification is not required, that is, users can log in as anonymous
•If there are users in an application, a permission check is enabled, and at least one user cannot execute a certain operation, then this operation requires a user identification, that is, users cannot log in as anonymous
NOTE |
Name and description of these restriction options can be viewed using the Legend option. |
In case there is any restriction to execute, stop, edit a Domain, or to configure users or groups, users must be logged in Elipse E3. To do so, use the File - Login or File - Logout menus.
The Login option opens a dialog box for logging in Elipse E3 Studio. Users remain logged in until another login or logout is performed.
The Logout option executes a log out from Elipse E3 Studio. In case no user is logged in, this option is then disabled.
NOTES |
•It is not allowed to remove all administrator users from a Domain. •It is not possible to deselect the This is an administrator user option from all users of a Domain. •Administrators can always change their passwords, even after the end of the expiration time. •Administrators are not prevented from executing a login when their accounts are disabled or blocked. •If there is no administrator configured in a Domain, such as when opening an old application that has no registered administrator, editing users remains disabled until an administrator is added. •Non-administrator users do not have permission to edit administrator users or to promote themselves or other users to administrators. |
When performing a user's login, by using Viewer's Login method or by using the File - Login menu, the dialog box on the next figure is then opened.
Login window with Elipse E3 authentication
When selecting the Elipse E3 authentication mode, fill in information about a user and a password for an Elipse E3 Domain's user in the User name and Password fields, respectively.
When selecting the Windows authentication mode, the User name and Password fields are disabled and filled in with the name and password of the user currently logged in the network domain. To select another user belonging to a network domain, click Other user, according to the next figure.
Login window with Windows authentication
When the This user is an administrator option is enabled for a given user, this user can, at run time, change all configurations displayed on the Users tab.
These privileges can be configured via script using Viewer's UserAdministration method, which enables a user's dialog box at run time.
NOTE |
Only administrators and users with the Configure user/groups permission enabled have access to Viewer's UserAdministration method. |
When selecting a user and clicking Delete, the application shows a message box asking to confirm whether users want to delete that user or not.