August 2000
Contacting Technical Support
Telephone: 1-440-646-7800
Rockwell Software Technical Support Fax: 1-440-646-7801
World Wide Web: www.software.rockwell.com

Copyright Notice
1999, 2000 Rockwell Software Inc., a Rockwell Automation company. All rights reserved. Printed in the United States of America. Portions copyrighted by Allen-Bradley Company, LLC, a Rockwell Automation company. This manual and any accompanying Rockwell Software products are copyrighted by Rockwell Software Inc. Any reproduction and/or distribution without prior written consent from Rockwell Software Inc. is strictly prohibited. Please refer to the license agreement for details.

Trademark Notices
The Rockwell Software logo, RSAlarm, RSAnimator, RSAssistant, RSBatch, RSBreakerBox, RSButton, RSChart, RSCompare, RSControlRoom, RSData, RSDataPlayer, RSEventMaster, RSGauge, RSJunctionBox, RSLogix Emulate 5, RSLogix Emulate 500, RSGuardian, RSHarmony, RSKeys, RSLadder, RSLadder 5, RSLadder 500, RSLibrary Builder, RSLinx, RSLogix 5, RSLogix 500, RSLogix Frameworks, RSLogix SL5, RSMailman, RSNetworx for ControlNet, RSNetworx for DeviceNet, RSPortal, RSPower, RSPowerCFG, RSPowerRUN, RSPowerTools, RSRules, RSServer32, RSServer, RSServer OPC Toolkit, RSSidewinderX, RSSlider, RSSnapshot, RSSql, RSToolbox, RSToolPak I, RSToolPak II, RSTools, RSTrainer, RSTrend, RSTune, RSVessel, RSView32, RSView, RSVisualLogix, RSWheel, RSWire, RSWorkbench, RSWorkshop, SoftLogix 5, A.I. Series, Advanced Interface (A.I.) Series, AdvanceDDE, AutomationPak, ControlGuardian, ControlPak, ControlView, INTERCHANGE, Library Manager, Logic Wizard, Packed DDE, ProcessPak, View Wizard, WINtelligent, WINtelligent LINX, WINtelligent LOGIC 5, WINtelligent VIEW, WINtelligent RECIPE, WINtelligent VISION, and WINtelligent VISION2 are trademarks of Rockwell Software Inc., a Rockwell Automation company.
Data Highway Plus, DH+, DHII, DTL, MicroLogix, Network DTL, PLC, PLC-2, PLC-3, PLC-5, PowerText, Pyramid Integrator, PanelBuilder, PanelView, PLC-5/250, PLC-5/20E, PLC-5/40E, PLC-5/80E, SLC, SLC 5/01, SLC 5/02, SLC 5/03, SLC 5/04, SLC 5/05, and SLC 500 are trademarks of the Allen-Bradley Company, LLC, a Rockwell Automation company. Microsoft, MS-DOS, Windows, and Visual Basic are registered trademarks, and Windows NT, Windows 98, Microsoft Access, and Visual SourceSafe are trademarks of the Microsoft Corporation. ControlNet is a trademark of ControlNet International. DeviceNet is a trademark of the Open DeviceNet Vendors Association. Ethernet is a registered trademark of Digital Equipment Corporation, Intel, and Xerox Corporation. Pentium is a registered trademark of the Intel Corporation. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. IBM is a registered trademark of International Business Machines Corporation. AIX, PowerPC, Power Series, RISC System/6000 are trademarks of International Business Machines Corporation. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited. AutoCAD is a registered trademark of Autodesk, Inc.

Warranty
This Rockwell Software product is warranted in accord with the product license. The product's performance will be affected by system configuration, the application being performed, operator control and other related factors. The product's implementation may vary among users. This manual is as up-to-date as possible at the time of printing; however, the accompanying software may have changed since that time. Rockwell Software reserves the right to change any information contained in this manual or the software at any time without prior notice.
The instructions in this manual do not claim to cover all the details or variations in the equipment, procedure, or process described, nor to provide directions for meeting every possible contingency during installation, operation, or maintenance.
Preface
Purpose of this book
This getting results book provides you with information on how to install and use Rockwell Software's Security Server. It also explains how to access and navigate the online help.
Intended audience
We assume that you are a network engineer, and that you are familiar with: Windows NT Microsoft
Online help
The online help includes all overview, procedural, screen, and reference information for the product. The help contains four basic components: overview topics, quick start topics, step-by-step procedures, and screen element descriptions (for example, text boxes, drop-down lists, and option buttons). All of the help is context sensitive with the application and provides the user with immediate access to application tasks and screen element descriptions.
Document conventions
The conventions used throughout this document for the user interface comply with those recommended by Microsoft Corporation. If you are not familiar with the Microsoft Windows user interface, we recommend that you read the documentation supplied with the operating system you are using before attempting to use this software.
Feedback
Please use the feedback form, which you will find packaged with your software, to report errors and/or let us know what information you would like to see added in future editions of this document.
Contents
Preface ... i
Purpose of this book ... i
Intended audience ... i
How does it fit in with other Rockwell Software product documentation? ... i
Document conventions ... ii
Feedback ... ii

Chapter 1

Adding user groups to the system ... 25
Importing actions for Rockwell Software applications ... 26
Adding a single user to a group ... 26
Adding workstation groups to the system ... 27
Creating a resource ... 28
Grouping resources ... 29
Grouping actions ... 29
Assigning access to individuals and groups ... 30
Finding users, workstations, actions, or groups ... 32
Viewing and changing the server properties ... 32
Refreshing access control lists ... 36
Using admin accounts to control access to the Security Server's Configuration Explorer ... 36
Roaming security ... 37

Chapter 4
Chapter 1
A Standalone Edition, which gives you local control over security functions on the machine where you install the Security Server.
These two forms operate in much the same way, except that the Network Edition has some features the Standalone Edition does not have.
What is a resource?
A resource is an application, processor, or computer that Security Server can restrict access to. Resources contain actions, which are functions that can be controlled.
Resources contain rules for access to actions, called access control lists (ACLs). These rules define who can access the resource's actions, and the circumstances under which a user can access those actions.
- Workstation, which is the physical location of the user (Network Edition only)
- Action, which is an operation performed on a resource
- Deny/Grant, which defines whether the user can or cannot use the function
Of course, many facilities will have hundreds of potential users, workstations, and actions available. The Security Server permits you to group users, workstations, and actions to make the process of creating ACLs more efficient. (Workstations are part of ACLs only in the Network Edition of the Security Server.) For example, if you have a group of electricians, all of whom can perform certain actions from certain workstations, you can create a group called Electricians and place all of your electricians in that group. You can then create a group of workstations called Electrician Workstations and place all of the workstations the electricians use into that group. You can then create a group of actions called Electrician Actions and place all of the actions electricians can perform in that group. You could then create an ACE that says: Electricians at Electrician Workstations are granted Electrician Actions.
[Figure: these electricians (Bob, Hans, Sue, Ray, Hilda, Maria) at these workstations (Machine 1, Machine 2, Machine 3, Machine 4, Machine 5, Machine 6) can be grouped: the "Electricians" group, and "Electricians" at "Electrician Workstations".]
You can create groups based on however your facility is organized: by job function, by area, by whatever means you like. However you do it, you'll want to plan how you are going to organize people, workstations, and actions before you begin using the Security Server.
What is an action?
An action is a software function. The Security Server controls access to actions through Access Control Lists (ACLs). For example, online programming is a software function that is an action for PLC-5 A.I. Series software. With the Security Server, you can control who can program online and from which workstations a given person can program online. Applications provide a list of their actions to the Security Server. See your application's documentation for information about how it sends its list of actions to the Security Server.
Getting Results with Rockwell Software's Security Server (Network Edition)
Chapter
Introduction
After installing the software, we recommend that you read the release note located in the online help. The release note may contain more up-to-date information than was available when this document was published. To view the release note, click Start > Rockwell Software > Security Server Network Edition > Release Notes.
System requirements
The Network Edition of the Security Server installs in two phases:
- A server installation, which takes place on the computer on which you want to run the server.
- A client installation, which takes place on the client workstations.
The server installation places the software for installing the client in a directory you can share with the workstations that will install the client for the Security Server. This saves you from having to carry disks to the client workstations, and provides a centralized point for updating the client.

The Security Server requires:
- A computer running one of the following operating systems:
  - Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4 or higher). Additional computers are required if you want backup security servers. See page 9 for information about whether to run the Security Server on Windows NT Workstation or Windows NT Server.
  - Microsoft Windows 2000 Workstation or Windows 2000 Server. Additional computers are required if you want backup security servers. See "Should you run the Security Server on a Workstation or Server?" on page 9 for information about whether to run the Security Server on Windows 2000 Workstation or Windows 2000 Server.
- Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in mixed domain environments (without Active Directory).

The client for the Security Server requires:
- A computer running one of the following operating systems:
  - Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4) or higher
  - Microsoft Windows 2000 Workstation or Windows 2000 Server
  - Microsoft Windows Me
  - Microsoft Windows 98
  - Microsoft Windows 95 with the DCOM patch (see Microsoft's Web site for this patch: www.microsoft.com)
- Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in Windows 2000 forest/domains configured as mixed mode.
- Act as part of the operating system
- Generate security audits
- Log on as a service
- Manage auditing and security log
1. On the machine on which you want to install the Security Server, insert the Security Server CD-ROM into the CD-ROM drive.

If autorun is enabled, then: The Setup program starts automatically and the Welcome dialog box appears. Proceed to step 2.
If autorun is disabled, then: Click Start, then click Run. The Run dialog box appears. In the Open field, type x:\setup, where x is the letter of the drive containing the Security Server CD-ROM. Click OK. The Welcome dialog box appears.

2.
Read the entire Software License Agreement. Click Yes to accept and continue installation, or click No to decline and exit the installation.

c. Type your name, the name of your company, the support ID number of your software, and then click Next.
Tip: You can find the support ID number on the product box label.

d. A dialog box appears, indicating that a Security Server subdirectory will be created in the specified destination directory. Click Yes to confirm, or No to exit.

e. On the Select Components dialog box - Select installation options. In the Product (left) pane, select the Security Server product(s) that you want to install. In the Product Options (right) pane, select the component(s) of each product that you want to install. If you want to create a centralized location for the workstation client software, make sure Client Install is checked. Click Next.
Tip: If you have a number of computers that will be clients for the Security Server, you can automate the process of selecting servers for the clients. See page 20 for more information.

f. Accept the default program folder, or type the name of the program folder in which you want the Security Server application icons to appear. Click Next. A dialog box appears, indicating the specified location of the Security Server icons in the Start menu. Click Yes to confirm, or No to exit.

g. On the Security Server Network Edition dialog box - Confirm your previous selections, and then click Next. The Setup dialog box appears while files are being copied to the hard disk drive.

h. On the Rockwell Software's Security Service Installer dialog box - set the parameters for running the Security Server. These parameters are described on page 13.

i. On the Rockwell Software's Security Service Installer dialog box - read and follow the instructions. You can also refer to the instructions starting on page 14 for information regarding setting up DCOM for the server.

j. On the Setup Complete dialog box - viewing options and click Finish. To begin activation, insert the Master disk into the 3.5-inch disk drive.

k. On the EVMOVE dialog box - Follow the instructions that appear on the screen to activate the Security Server software.

l. On the Restart Windows dialog box - Specify the restart option for your operating system and click Finish. The installation is complete.

3. When you are finished installing the software, remove the Security Server CD-ROM from the CD-ROM drive and the Security Server Master disk from the disk drive. Store them in a safe place.
Domain: The domain of the user account in which the Security Server will run.

Account: The user account under which the Security Server will run. By default, this field shows the account you are currently using. If this is not the account you want to run the Security Server, enter the correct account name.

Password: The password for the account under which the Security Server will run. The field is blank by default. You must enter the password for the account.

Startup Mode: The Security Server runs as a service. You can have the service start when Windows starts or you can choose to start the service manually.
- Manual: The Security Server starts when an application requests it. This is the default setting.
- Automatic: The Security Server starts when the machine boots.
Most likely, you'll want the service to start manually. That way, the server does not run until an application requests it, taking the minimum amount of resources. However, for large networks, you probably will want the service to start automatically.
The Security Server runs as a service whether it starts automatically at machine startup, or manually when a client requests it to start, or through the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.) If the server starts manually through DCOM (when a client requests it to start), it will stop when the last client disconnects from it.
There are two layers to DCOM configuration. There is a default layer, which applies to all DCOM-enabled applications. There is also an application-specific layer, which applies only to the application being accessed (in this case, the Security Server database). Users must have rights to both layers; if they are denied access to the default layer, they cannot access the application-specific layer.
Tip: DCOM connections are cached by the server. If a user attempts a connection and the connection fails because the user does not have rights to make the connection, the server will continue to deny that user access until the server is rebooted. The same thing applies to made connections; once a user can make a connection, that user will be able to make that connection until the computer running the Security Server is rebooted. Therefore, when you make changes to the DCOM configuration, it is a good idea to reboot the computer running Security Server.
To start DCOMCNFG, click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.
Set the default properties
In the Distributed COM Configuration Properties window, click the Default Properties tab. Set the default DCOM properties as shown.
Make sure this box is checked!
In the Distributed COM Configuration Properties window, click the Default Security tab.
Set the default launch permissions
In the Default Launch Permissions section, click the Edit Default button. Add the Security Server users group to the list of who can launch a DCOM application. Make sure Type of Access is set to Allow Launch. If the SYSTEM account is not added with Allow Launch access, DCOM cannot start (the System Control Manager, which runs DCOM, runs in the SYSTEM account). Make sure the SYSTEM account is in the default launch permissions list with Allow Launch access. It is also a very good idea to have the INTERACTIVE user in this list as well. Otherwise, someone using the Security Server on the server machine may not be able to start it.
Set the application-specific DCOM properties
In the Distributed COM Configuration Properties window, click the Applications tab. Click the Sentinel.Database application, then click Properties. This displays the Sentinel.Database properties window. In the Sentinel.Database properties window, click the Security tab.
For the access permissions section, click Use custom access permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Access. For the launch permissions section, click Use custom launch permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Launch.
To install the client for computers running A.I. Series software (or to place the Configuration Explorer on a client machine):
1. From the computer running the Security Server, give read access for the ClientSetup directory (by default, C:\Program Files\Rockwell Software\Security Server\ClientSetup) to the client workstations.
2. From the client workstations, install the client software from the ClientSetup directory on the server. (The client is already installed on the computer running the Security Server.)

Important: If you are configuring a backup Security Server, make sure its server list matches the primary Security Server's list.

To define a server:
1. Click Browse to display a Network Neighborhood view of computers on your workstation's domain.
2. In the list of machines that appears, click the name of the machine that is running the Security Server, then click OK.
3. To add backup Security Servers into the list, click New, select a server, then click OK.
4. You can adjust the priority of machines (the order in which the client will look at servers) by clicking on a server then clicking the arrow buttons next to the server list. Servers toward the top of the list have higher priority.
5. Click the OK button. You have now configured the client to use Security Servers. If the client is unable to connect to the primary Security Server, it will try to connect to backup servers in the order set in step 4.
Click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.
Click the Default Security tab. Check the Enable Remote Connection checkbox.
Note that the primary server is defined for you. When the Security Server is installed, the primary server is defined as being the computer on which the server was installed. In the example shown above, the computer called SECURITY_SERVER is the primary Security Server. You can define backup servers as shown in the following example:
[ServerNames]
Primary = SECURITY_SERVER
Backup#1 = MAIL_SERVER
Backup#2 = ACCOUNT_SERVER
Backup#3 = BACKUP_SERVER
Once the SERVER.INI file is changed, you will find those four servers defined without having to run the Security Server Definition application, saving some time in selecting and arranging those servers.
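Because the manual requires a backup Security Server's list to match the primary's, it is worth checking edited SERVER.INI files before distributing them. The following is an added example, not Rockwell Software's code: it parses the [ServerNames] section shown above, reports numbering gaps and duplicates, and compares two lists. It assumes the number after Backup# gives the failover order and that computer names compare case-insensitively; the second sample file is constructed.

```python
import configparser
import re

# The example from the manual.
PAGE_EXAMPLE = """\
[ServerNames]
Primary = SECURITY_SERVER
Backup#1 = MAIL_SERVER
Backup#2 = ACCOUNT_SERVER
Backup#3 = BACKUP_SERVER
"""

# Constructed sample: a hand-edited copy that has drifted from the primary's list.
DRIFTED = """\
[ServerNames]
Primary = SECURITY_SERVER
Backup#1 = ACCOUNT_SERVER
Backup#3 = mail_server
Backup#4 = ACCOUNT_SERVER
"""


def parse_server_ini(text):
    """Return (primary, {n: backup_name}, unknown_keys) from SERVER.INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case ("Primary", "Backup#1")
    cp.read_string(text)
    if not cp.has_section("ServerNames"):
        raise ValueError("missing [ServerNames] section")
    primary, backups, unknown = None, {}, []
    for key, value in cp.items("ServerNames"):
        name = value.strip().upper()  # assumption: names are case-insensitive
        match = re.fullmatch(r"Backup#(\d+)", key)
        if key == "Primary":
            primary = name or None
        elif match:
            backups[int(match.group(1))] = name
        else:
            unknown.append(key)
    return primary, backups, unknown


def audit(text):
    """Return (failover_order, problems) for one SERVER.INI."""
    primary, backups, unknown = parse_server_ini(text)
    problems = [f"unrecognised key {key!r}" for key in unknown]
    if not primary:
        problems.append("no Primary server defined")
    numbers = sorted(backups)
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"Backup numbering is not 1..{len(numbers)}: {numbers}")
    order = ([primary] if primary else []) + [backups[n] for n in numbers]
    for name in sorted(set(order)):
        if order.count(name) > 1:
            problems.append(f"{name} is listed {order.count(name)} times")
    return order, problems


def same_list(text_a, text_b):
    """True when two SERVER.INI files give the same servers in the same order."""
    return audit(text_a)[0] == audit(text_b)[0]


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("drifted copy", DRIFTED)):
        order, problems = audit(text)
        print(label, order, problems)
    print("lists match:", same_list(PAGE_EXAMPLE, DRIFTED))
```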
Chapter
For example, you may want certain users to be able to monitor a specific PLC-5 processor from any workstation. You may want these same users to be able to modify that processor's program while online with that processor, but only from workstations in line-of-sight of that processor. You can create rules (ACLs) to do this with the Security Server.
About resources
In the Security Server, there are two types of resources: global or application. Global resources control access to actions (functions) in a software product. Application resources control access to specific applications of a software product.

For example, in PLC-5 A.I. Series software, there is a global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used. However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used.

A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.

Precisely what an application resource is varies depending on the software you use with the Security Server. For example, for PLC-5 A.I. Series software, an application resource is a processor. When rules of access are applied to functions associated with one of these application resources, software functions are controlled with respect to that processor. For RSLinx software, an application resource is the computer running RSLinx.
Resource names and IDs
Resources have a name, an ID, and a description. The description helps users of the resource understand what the resource is for. The name and ID are used by the client application to identify the resource.
Tip: You can change whether the server grants or denies actions by default through the Security Server's Configuration Explorer Properties function (see page 32).
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), or slash (/)
3. Click the Group Members tab.
4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find users.
5. Once you find the user you want to add, click the user name, and then click OK.
6. Repeat steps 4 and 5 for all of the users you want to add to the group.

Tip: As a convenience, once you add a user or workstation to a group in Configuration Explorer, that user or workstation becomes available in the _Security Server domain in Configuration Explorer. You can use the Security Server domain as a shortcut to the users or workstations you have previously added.

- RSLogix 5
- RSLogix 500
- PLC-3 A.I. Series software
- PLC-5 A.I. Series software
- RSBatch
- RSLinx
- RSLogix Frameworks Diagram Developer Offline and Online
Consult the documentation for your specific application for more information about configuring it to use the Security Server.
Click the Group Members tab. Click the Add User button. The Enter user name dialog appears. Type the logon name of the user in the User Name field. If the user is in the same domain that you are currently logged onto, type just the user's logon name (you can type the domain name too, but it is not necessary). If the user is in another domain, you need to type the domain and user name.
5. To validate that the user is a member of the domain (or that you have the correct user), click Display. The Description and Full Name fields will show the user's information from the account domain controller (if the information exists).
6. To finish, click Add User. This also validates that the user exists on the account domain controller, and adds the user to the group.

If you want to assign actions to groups of workstations, you need to assign workstations to a group. To add a group of workstations to the system:
1. Right-click the Workstations/Groups folder, then click New Group. The software displays the Workstation Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\)
3. Click the Group Members tab.
4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find workstations.
5. Once you find the workstation you want to add, click the workstation name, and then click OK.
6. Repeat steps 4 and 5 for all of the workstations you want to add to the group.
Creating a resource
To create a resource:
1. Right-click the Resources/Groups folder, then click New. The software displays the Resource - New window.
2. If you are creating a resource for an application (a global resource), click the Global Resources (Application Name) drop-down list, and select the application for which you want to create a global resource. The fields fill in with the appropriate information.
Tip: Do not change the name or resource ID of the global resource for an application. Applications use this information when communicating with the Security Server; if it is changed, user access will be denied.
If your application is not shown in the Global Resources (Application Name) drop-down list, consult the documentation for your application for information about the name and resource ID it requires.
3. If you are creating an application resource, click the Application Resources drop-down list, then click the application for which you want to create a resource. Click the Browse button, then browse for the resource you want to create. Currently, there are two types of resource available by browsing. Depending on the application for which you are creating a resource, you can browse for a workstation (through a network browse window) or for a processor (through RSLinx Super Who). The type of browse window you will see depends on the application you select in the Application Resources list.
Tip: If you are creating application resources for RSLogix 5 or RSLogix 500 (which consist of processors and the communication drivers used to communicate with them), you may want to consolidate those resources so they are not dependent on the computers from which they are being accessed. See "Consolidating processor resources for RSLogix 5 and RSLogix 500" on page 53 for more information.
Grouping resources
You can group resources to efficiently create ACLs for them. For example, if you have a series of PLC-5 processors in one location, and those processors all have resources, you can group those resources to make assigning rights easier. To create a resource group:
1. Right-click the Resources/Groups folder, then click New Group. The software displays the Resource Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\)
3. Click the Group Members tab. You'll see a list of the available resources in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.
4. Click the OK button. The resource group is now ready to have users assigned to it.
Grouping actions
If your system is particularly complex, you may want to group actions as well. Grouping actions permits you to assign combinations of actions to individuals or groups. For example, you may want your maintenance employees to be able to monitor machines but not modify data values or program them. You could group all of the monitoring actions and assign them to your maintenance employees. (On top of that, you could group your maintenance employees, group the maintenance actions, and then assign the action group to the maintenance employee group). To create an action group:
1. Right-click the Actions/Groups folder, then click New Group. The software displays the Action Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\)
3. Click the Group Members tab. You'll see a list of the available actions in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.
4. Click the OK button. The action group is now ready to have users assigned to it.
You can assign access to actions to individuals and groups through the resource. For example, if you want to assign the actions for an application, go to that application's resource. To assign actions to individuals or groups:
1. Click the resource containing actions you want to assign.
2. Click the Access Control List tab. The access control list, or ACL, is the list of who has rights to actions for that resource.
3. In the Users/Groups field, type the name of the user or group of users you want to have rights to an action. If you want to browse for the name, click the button next to the Users/Groups field.
4. If you want to limit the action to a particular workstation or group of workstations, type the name of the workstation or workstation group in the Workstations/Groups field. If you want to browse for the name, click the button next to the Workstations/Groups field.
5. Select the actions you want to assign, then click the right arrow (>>) button. The selected actions move to the Selected Actions list.
6. If you intend to grant access to these actions, click the Grant button. If you intend to deny access to these actions, click the Deny button.
7. Click OK. The access control list fills with the actions you assigned.
Result: Because Bob was granted the action in the first ACE, the second ACE is ignored.
Let's say Bob is still at Workstation1, but we change the ACE order.
ACE: Deny for */ Workstation1
Result: Because everyone (*) at Workstation1 was denied the action in the first ACE, the second ACE has no effect. Even though the second ACE would allow Bob to perform the action, it is ignored because the first ACE has priority.
General tab
The General tab shows general system information. This information may be useful for troubleshooting or if you require technical support with the Security Server.
This information: Means:
The name of the computer running the server.
The version of the Security Server database (where the security information is stored).
Workstation Groups: The number of workstation groups in your current database.
Workstations: The number of workstations in your current database.
Resource Groups: The number of resource groups in your current database.
The number of resources in your current database.
The number of action groups in your current database.
The number of actions in your current database.
The number of user groups in your current database.
Users: The number of users in your current database.
Setup tab
The Setup tab allows you to control some of the behavior of the Security Server.
You can set the Security Server to grant or deny access to actions by default. (When you first install the Security Server, it denies access by default. If you have more actions you want to grant than deny, you may want to set up the Security Server to grant access by default then create denials in the access control lists for your resources).
Tip: Resources must always be defined in the Security Server database whether default access is set to grant or deny. If a resource is not defined, access to it will be denied.
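The ACE ordering shown earlier and the default-access rules above, as an added Python model (not Rockwell Software code). First-match evaluation follows the manual's two Bob/Workstation1 results; the `*` wildcard matching, the `Download` action name and the names `Ace`, `SecurityDb` and `shadowed_aces` are assumptions for illustration, and group membership is not modelled.

```python
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, from where, which action, grant or deny."""
    user: str         # user name, or "*" for everyone (assumed wildcard semantics)
    workstation: str  # workstation name, or "*" for any workstation
    action: str
    effect: str       # GRANT or DENY

    def matches(self, user, workstation, action):
        return (self.user in ("*", user)
                and self.workstation in ("*", workstation)
                and self.action == action)

    def covers(self, other):
        """True if every request matched by `other` is also matched by this ACE."""
        return (self.action == other.action
                and self.user in ("*", other.user)
                and self.workstation in ("*", other.workstation))


@dataclass
class SecurityDb:
    default_effect: str = DENY                # the server denies by default when installed
    acls: dict = field(default_factory=dict)  # resource name -> ordered list of Ace

    def check_access(self, resource, user, workstation, action):
        """Return (effect, index of the deciding ACE or None)."""
        if resource not in self.acls:
            # An undefined resource is denied whatever the default setting is.
            return DENY, None
        for index, ace in enumerate(self.acls[resource]):
            if ace.matches(user, workstation, action):
                return ace.effect, index      # first matching ACE has priority
        return self.default_effect, None      # no ACE matched: use the default


def shadowed_aces(acl):
    """Return (later_index, earlier_index) pairs where the later ACE can never decide."""
    found = []
    for later_index, later in enumerate(acl):
        for earlier_index in range(later_index):
            if acl[earlier_index].covers(later):
                found.append((later_index, earlier_index))
                break
    return found


# Constructed sample data: the resource name is from the manual, the ACEs are illustrative.
RESOURCE = "AI5GLOBALRIGHTS"
GRANT_BOB = Ace("Bob", "Workstation1", "Download", GRANT)
DENY_WS1 = Ace("*", "Workstation1", "Download", DENY)

if __name__ == "__main__":
    for order in ([GRANT_BOB, DENY_WS1], [DENY_WS1, GRANT_BOB]):
        db = SecurityDb(acls={RESOURCE: order})
        print(db.check_access(RESOURCE, "Bob", "Workstation1", "Download"),
              "shadowed:", shadowed_aces(order))
```

Running `shadowed_aces` over each ACL after reordering or importing entries shows which ACEs are dead because an earlier, broader ACE always decides first.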
By default, the Security Server keeps three backup files of your security database. If the Security Server database becomes corrupt, you may be able to recover your database from one of these backup files. (See page 39 for more information.) You can select from zero to nine backup files.
Security Audit Events
Windows NT has an Application Log that allows you to see when certain actions take place. If you want to log client and Configuration Explorer events in the Application Log, check the appropriate boxes. (Security Server events, such as startup and shutdown of the server, are always logged.) You can access and view the Application Log through the Event Viewer application that comes with Windows NT or Windows 2000. See your Windows NT or Windows 2000 documentation for information regarding using Event Viewer.
Log Audit Events to Sentinelx.log
Check this box if you want to log Security Server events to a file rather than to the Windows NT/Windows 2000 Application Log. If you choose to log events to a file, the Security Server writes event log information to a comma-delimited ASCII file that can be imported into other applications (such as Microsoft Excel) for review.
Maximum Log Files
If you choose to log events to a file, the Maximum Log Files listbox becomes available. Use this box to set how many days of logging you want to retain. The Security Server will create a new Sentinelx.log file for each day on which an entry occurs (new files are created at midnight). The log files are stored in the System\log folder under the folder where the Security Server is installed.
The Default Account Domain and Default Account Domain Controller settings work in tandem. The Security Server will access the default account domain controller for user and group information if the domain of the user or group matches that of the default account domain. In large and geographically diverse networks, this may greatly speed network access. See Appendix B on page 49 for more information.
Network information refresh rate (minutes)
The refresh rate is the rate at which the Security Server checks its database. For example, when a user is removed from a group, the refresh removes any user groups to which that user, and no other user, belonged. Another example is when a new user is added to a new domain network group. The Security Server will add this new user group to its database when it performs the check. At each refresh, the Security Server rewrites its database.
Client Connections to Server
These fields indicate the maximum number of client workstations that can connect to the Security Server at one time, the peak number of client workstations that have connected to the Security Server at one time, and the number currently connected. The peak number of client workstations indicates the number of licences required for your system. If it is at the maximum number, it is possible that you may need more licences. If you need to increase the number of client workstations that can connect to the Security Server, please contact your Rockwell Software sales representative.
The Default Account Domain and Default Account Domain Controller settings work in tandem. The Configuration Explorer gathers and presents network information for you to create user groups or resource ACLs. These two settings allow you to select a domain controller for a particular domain. The domain controller is then used for all Configuration Explorer browsing of the domain. Note that these settings may be different for each instance of Configuration Explorer on your network.
When Display Full Names is checked, Configuration Explorer displays full names and descriptions (when available from the server) for members of Security Server groups. When domain groups are displayed, the full names and descriptions of users in those groups are also displayed. Displaying full names and descriptions can take time. Turning this function off (by clearing the Display Full Names checkbox) will speed up these network operations.
Using admin accounts to control access to the Security Server's Configuration Explorer
If you install the Configuration Explorer on a user's computer, you must define an administrator for the Configuration Explorer. Otherwise, anyone with access to the Configuration Explorer can change the configuration of your entire Security Server system.
To define an administrator:
1. Click View > Admin Accounts. This displays the Administration Accounts window.
2. Click Add. This displays a browse window, allowing you to select a user to be an administrator for Configuration Explorer.
3. Locate a user to be an administrator, click that user's logon name, and then click OK. If you want to search for a user, type the beginning of the user's logon name in the Search for field, then click Find.
Tip: As a convenience, the _Security Server domain contains all users that are currently in the Security Server's database. To save time, you can choose administrators from this domain.
Roaming security
With the Network Edition of Security Server, it is possible to disconnect from your network and maintain access to secured functions. For example, a maintenance engineer may need to take a laptop with secured software off of his or her network to perform operations in a plant. This is accomplished through a process called roaming. Roaming operates by caching security information for a set number of days. A Security Server administrator decides whether roaming should be enabled, and for how many days. If Roaming is enabled, any user can cache security information to run while disconnected from the network. While roaming, access is checked for each resource using the logged-in user and workstation. The system creates a roaming database that remains in effect until a timeout occurs (the number of days roaming is permitted expires) or the Configuration Explorer terminates the roaming session. If a timeout occurs, the user will no longer be able to access secured Rockwell Software applications.
To enable roaming, click View > Set Roaming Security Timeout. By default, roaming is enabled. To disable roaming, check the Disable Roaming Security Caching checkbox. If you wish to enable roaming, set the number of days roaming should be enabled with the Roaming Security Timeout (days) listbox. You can set between 0 and 90 days. If you want to make roaming valid only during the current day, set the timeout to 0 days (the day ends at midnight).
Using roaming
To use roaming:
1. Start Configuration Explorer.
2.
3. Since there is no network server available to validate users, you must provide a name and password to use with Security Server while roaming. Under the Alias User Information section of the Configure Roaming Security Information dialog, enter your user name in the User Name field. Do not use your network user name for this field. Enter a password to use with Security Server while roaming in the Password and Confirm Password fields.
Important: Do not forget your user name and password! If you do, you will not be able to use roaming, and you will not be able to use software that is secured with Security Server.
4.
Roaming remains enabled until either the Configuration Explorer reattaches to the Security Server, or the timeout period elapses. If the roaming timeout period elapses, connect Configuration Explorer to the Security Server to restore operation.
Chapter 4
This function allows you to save a backup file. The backup file contains all of the information necessary to reconstruct your Security Server database either on your primary Security Server or on a backup Security Server.
To restore a previous version of your Security Server database, locate the directory containing the Security Server system. By default, the Security Server system is located in C:\Program Files\Rockwell Software\Security Server\System\db. In that directory, you'll find the files that make up a Security Server database. The following table describes these files:
This file: Does this:
Sentinel.sdb: The primary security database. Contains all of the database information necessary for the Security Server to provide security functions.
Sentinel.sb1 .sbN: The backup security database files. Contains previous versions of the security database. With each save of the security database, the Security Server copies the previously saved version to a backup file. For information about setting the number of security database backups maintained by the Security Server, see page 34.
Important: Before overwriting a database file, make sure the Security Server is not running.
Delete the Sentinel.sdb file and replace it with one of the backup files. If you just made the change you need to correct, the backup file you need is Sentinel.sb1 (the number on the backup file is incremented with subsequent saves).
Tip: If you are restoring a database that was backed up during a resource consolidation or unconsolidation, the backed-up database is located (by default) in C:\Rockwell Software\Security Server\System\SentinelResourcen.bak (where n is a sequence number indicating how many times the consolidation or unconsolidation has been done). For information about resource consolidation, see Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53.
Chapter 5
Because of these differences, access control lists and users created in Standalone Edition are not compatible with Network Edition. This information will be lost during an upgrade to Network Edition. It is possible to retain the resource/group and action/group definitions from Standalone Edition when upgrading to Network Edition.
To upgrade a Standalone Edition database to a Network Edition database:
1. Export the Standalone Edition database.
2. Install Security Server Network Edition.
3. Import the exported Standalone Edition database file into Network Edition. During the import, there will be warnings concerning importing the Standalone Edition database.
4. Review the SentinelImport.log file for import errors. See Restoring a previously saved configuration on page 40 for more information.
Appendix
There are two types of resource for A.I. Series software. There is a global resource called AI5GLOBALRIGHTS or AI3GLOBALRIGHTS, which controls access to functions in the software. You can also create resources for each processor being programmed (in case you want to vary the actions granted based on the processor being programmed).
1. In the Security Server's Configuration Explorer, create the global resource for PLC-5 A.I. Series software. See page 28 for information about creating the resource.
2. If you are using the Network Edition of the Security Server, make sure the client for the Security Server is configured on the machine where you are using PLC-5 A.I. Series software. See page 18 for information about configuring the Security Server client.
3. From the PLC-5 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters.
4. Enter the system master password (the password for access to the PLC-5 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears.
5. Press [F3] RSSecurity Server Tests.
6. Press [F2], then type AI5GLOBALRIGHTS.
7. Press [F4] to send the actions for PLC-5 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.)
8. You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-5 A.I. Series, and you can create ACLs based on those actions. In PLC-5 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].
1. In the Security Server's Configuration Explorer, create the global resource for PLC-3 A.I. Series software. See page 28 for information about creating a resource.
2. If you are using the Network Edition of the Security Server, make sure the Security Server client is configured on the machine where you are using PLC-3 A.I. Series software. See page 18 for information about configuring the client for the Security Server.
3. From the PLC-3 A.I. Series top menu, press [F8] Configure Program Parameters > [F5] Modify System Security Parameters.
4. Enter the system master password (the password for access to the PLC-3 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears.
5. Press [F3] RSSecurity Server Tests.
6. Press [F2], then type AI3GLOBALRIGHTS.
7. Press [F4] to send the actions for PLC-3 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.)
8. You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI3. You can open that group to see the actions for PLC-3 A.I. Series, and you can create ACLs based on those actions. In PLC-3 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].
3. Click the Application Resources drop-down list, then click AI5. This sets up the correct type of application resource for PLC-5 A.I. Series software.
4. Click the Browse button. This launches RSLinx's Super Who function, allowing you to choose a processor for the resource. Use the Super Who window to locate the processor for which you want to create a resource, then double-click it. In the Configuration Explorer, the resource Name field fills with a default name (the processor name followed by _AI5), the Description field fills with Resource for AI5, and the Resource ID field fills with the communications link identifier for the processor.
5. From the PLC-5 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters.
6. Enter the system master password (the password for access to the PLC-5 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears.
7. Press [F3] RSSecurity Server Tests.
8. Press [F2], then type the name of the resource (the processor name followed by _AI5).
9. Press [F4] to send the actions for PLC-5 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.)
10. You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-5 A.I. Series, and you can create ACLs based on those actions (see page 30). In PLC-5 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].
3. Click the Application Resources drop-down list, then click AI3. This sets up the correct type of application resource for PLC-3 A.I. Series software.
4. Click the Browse button. This launches RSLinx's Super Who function, allowing you to choose a processor for the resource. Use the Super Who window to locate the processor for which you want to create a resource, then double-click it. In the Configuration Explorer, a description is added and the Resource ID field fills with the communications link identifier for the processor. You must enter a name for the resource in the Name field.
5. From the PLC-3 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters.
6. Enter the system master password (the password for access to the PLC-3 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears.
7. Press [F3] RSSecurity Server Tests.
8. Press [F2], then type the name of the resource.
9. Press [F4] to send the actions for PLC-3 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.)
10. You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-3 A.I. Series, and you can create ACLs based on those actions (see page 30). In PLC-3 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].
Appendix
Background
PARIS, which is a resource domain with its primary domain controller (PARIS_PDC) in Paris.
EUROPA, which is a resource domain with its primary domain controller in London.
In this example, a user of Configuration Explorer in the PARIS domain (at a workstation called CONFIG_EXPL) wants the most efficient way to browse users. To make this happen, this person would set Configuration Explorer to use the backup domain controller for EUROPA (EUROPA_BDC, located in Paris). However, this same user would want to set Configuration Explorer to use EUROPA_PDC for those actions that require data to go through the Security Server. Since the Security Server is physically located in London, the connection between it and EUROPA_PDC is faster than its connection to EUROPA_BDC.
Tip: In general, you should use the primary or backup domain controller that is physically located nearest to the computer you are using.
4. Click the Server Information tab.
5. Select the default domain you want to use for the Security Server from the Default Account Domain list. The Default Account Domain Controller list fills in with the account domain controllers available from the default account domain. Choose the default account domain controller you want to use for the Security Server from the Default Account Domain Controller list.
6. Click the Configuration Explorer tab.
7. Select the default domain you want to use for Configuration Explorer from the Default Account Domain list. The Default Account Domain Controller list fills in with the account domain controllers available from the default account domain. Choose the default account domain controller you want to use for Configuration Explorer from the Default Account Domain Controller list.
Appendix C
MACHINE!AB_ETH1\130.151.175.25
MACHINE: the computer name (the exclamation point is where the computer name ends)
AB_ETH1: the RSLinx driver being used to communicate with the processor (the slash separates the driver name from the address)
130.151.175.25: the address of the processor
This means that for every computer using a given processor, you would have to have a separate resource. This can be quite inefficient, especially in large installations. You can consolidate these machine-based resources into a single resource for each processor, making security easier to manage. For example, if two different machines had access to the same processor over the same network, the IDs for these unconsolidated resources would look something like this:
WORKSTATION1!\TCP-1\63
WORKSTATION2!\TCP-1\63
Each of these two resources would have its own, possibly different, ACL. Consolidating these two different resources into a single resource results in a resource called:
TCP-1\63
This means that a single ACL now applies where there were previously two ACLs.
The first resource keeps all of its ACEs and their order in its ACL. If an ACE from the second resource is different from all of the ACEs from the first resource, that ACE is added to the end of the consolidated resource's ACL. If any ACE being added to the consolidated resource conflicts with an ACE in the consolidated resource, the software displays a warning and logs the warning in a file. By default, that file is at C:\Program Files\Rockwell Software\Security Server\System\SentinelConsolidate.log. Such conflicts should be flagged during the consolidation process; however, you should check your ACLs for potential conflicts after consolidation.
Tip: After consolidation, it is a good idea to check the order of ACEs in the newly formed ACLs.
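The merge rules described above, as an added Python sketch (not Rockwell Software code). The `Ace` tuple layout, the action names, and the conflict test (same user, workstation and action with the opposite grant/deny) are assumptions, since the manual does not define what counts as a conflict or say whether a conflicting ACE is still appended; here it is appended and reported.

```python
from collections import namedtuple

# Illustrative ACE layout (an assumption): who, from where, which action, grant/deny.
Ace = namedtuple("Ace", "user workstation action effect")


def consolidated_id(resource_id):
    """Drop the 'MACHINE!' part so the ID names only the driver and address."""
    _machine, bang, rest = resource_id.partition("!")
    if not bang:
        return resource_id        # no machine part: already consolidated
    return rest.lstrip("\\")      # 'WORKSTATION1!\TCP-1\63' -> 'TCP-1\63'


def conflicts(a, b):
    """Assumed conflict test: same user, workstation and action, opposite effect."""
    return ((a.user, a.workstation, a.action) == (b.user, b.workstation, b.action)
            and a.effect != b.effect)


def consolidate(resources):
    """Merge machine-based resources into one resource per processor.

    resources: list of (resource_id, [Ace, ...]) in database order.
    Returns (merged, warnings): merged maps the consolidated ID to its ACL,
    warnings lists (consolidated_id, source_id, existing_ace, added_ace).
    """
    merged, warnings = {}, []
    for resource_id, acl in resources:
        name = consolidated_id(resource_id)
        if name not in merged:
            merged[name] = list(acl)   # first resource keeps its ACEs and their order
            continue
        target = merged[name]
        for ace in acl:
            if ace in target:
                continue               # identical ACE already present
            for existing in target:
                if conflicts(existing, ace):
                    warnings.append((name, resource_id, existing, ace))
            target.append(ace)         # differing ACEs go to the end of the ACL
    return merged, warnings


# Constructed sample: the resource IDs are the manual's, the ACEs are illustrative.
SAMPLE_RESOURCES = [
    (r"WORKSTATION1!\TCP-1\63", [Ace("Bob", "*", "Download", "grant"),
                                 Ace("*", "*", "Forcing", "deny")]),
    (r"WORKSTATION2!\TCP-1\63", [Ace("Bob", "*", "Download", "grant"),
                                 Ace("Bob", "*", "Download", "deny"),
                                 Ace("Alice", "*", "Forcing", "grant")]),
]

if __name__ == "__main__":
    merged, warnings = consolidate(SAMPLE_RESOURCES)
    for name, acl in merged.items():
        print(name)
        for position, ace in enumerate(acl, start=1):
            print("  ", position, ace)
    for warning in warnings:
        print("conflict:", warning)
```

In the sample, WORKSTATION2's deny for Bob lands after the grant it conflicts with, and Alice's grant lands after the deny for everyone, so neither can take effect once merged; this is the reordering the Tip asks you to look for.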
To consolidate processor resources:
1. Open Configuration Explorer (Start > Programs > Rockwell Software > Security Server Network Edition > Security Config Explorer).
2. Click File > Consolidate Resources. The Consolidate Resources dialog appears. (You may see a dialog that tells you that the Resource Consolidation flag has been changed. This means that the consolidation procedure has been performed at some point. Check to see if the resources need consolidation. If they do, click OK on that dialog.)
Tip: If you see Unconsolidate Resources on the File menu instead of Consolidate Resources, the resources are already consolidated. If you selected Unconsolidate Resources in error, click Cancel on the Consolidate Resources dialog to stop the procedure.
3. On the Consolidate Resources dialog, click the Consolidate Resources checkbox, then click OK.
4. A dialog appears informing you that the database will be backed up. This is done so you can revert to the preconsolidated version of the database if you wish. Click OK. The database backs up, and the RSLogix 5 and RSLogix 500 processor resources are consolidated.
Tip: The backed-up database is stored (by default) in the C:\Program Files\Rockwell Software\Security Server\System directory. The backup file has a name like SentinelResourcen.bak, where n indicates which consolidate or unconsolidate operation created the backup. For example, if you are restoring the database backed up during the twelfth consolidate/unconsolidate, the file would be called SentinelResource12.bak. There is a maximum of twenty such files; the most recent always has the highest number. If there are twenty backup files, the SentinelResources20.bak file is overwritten during consolidate/unconsolidate operations.
5.
Unconsolidation
Unconsolidating these resources means re-adding the machine name back into the ACLs. This is not the same as an undo. (There is no undo for the consolidation, but the pre-consolidation database is stored and is available for restoration. See Restoring a previously saved configuration on page 40 for information about restoring the database that is saved during the consolidation.) It is possible to unconsolidate after consolidating, but the result is not always the same as restoring the database to its pre-consolidation state. Here are a couple of examples:
Example 1: A set of resources
Consolidates to:
AB_ETH-1\130.151.175.25
The ACLs for the Machine2 and Machine3 resources are added to the ACL for the Machine1 resource to form the ACL for the consolidated resource. If this resource is unconsolidated, it becomes:
Machine1!AB_ETH-1\130.151.175.25
If there is only one resource, unconsolidating it results in the preconsolidated resource:
This preconsolidated resource:
Machine1!AB_ETH-1\130.151.175.20
Consolidates to:
AB_ETH-1\130.151.175.20
The ACL for the consolidated resource is the same as for the preconsolidated resource. If this resource is unconsolidated, it becomes:
Machine1!AB_ETH-1\130.151.175.20
The ACL for the unconsolidated resource is the same as it was when it was consolidated (which is also the same as it was when it was preconsolidated).
Unconsolidating resources
To unconsolidate processor resources:
1. Open Configuration Explorer (Start > Programs > Rockwell Software > Security Server Network Edition > Security Config Explorer).
2. Click File > Unconsolidate Resources. The software informs you that the Resource Consolidation flag has been changed, and asks if you want to continue. If you want to unconsolidate the resources, click OK.
Tip: If you see Consolidate Resources on the File menu instead of Unconsolidate Resources, the resources are not consolidated. If you selected Consolidate Resources in error, click Cancel on the Consolidate Resources dialog to stop the procedure.
3. On the Consolidate Resources dialog, uncheck the Consolidate Resources checkbox, then click OK.
4. A dialog appears informing you that the database will be backed up. This is done so you can revert to the consolidated version of the database if you wish. Click OK. The database backs up, and the RSLogix 5 and RSLogix 500 processor resources are unconsolidated.
5.
Glossary
This term: Means:
A list of rules for determining access to a resource. Each rule contains a user, workstation, action, and grant/deny properties. It defines who can perform a given set of functions, the objects on which those functions can be performed, and from where those functions can be performed. A rule assigned to a resource that determines who can perform an action from a given workstation to a resource. ACLs are built from ACEs. A domain that contains user accounts. The Security Server accesses user account information from the PDC (Primary Domain Controller) unless otherwise configured. A domain controller for an account domain. An account domain controller authenticates user accounts on logon. A function of an RSI client application that the application wishes to restrict. For example, RSLogix 500 actions include forcing functions, online monitoring, online programming, etc. A built-in feature of Windows NT and Windows 2000. The Application Log contains information about the activity of applications, and can give you information regarding changes made to your security setup. See your Windows NT or Windows 2000 documentation for information regarding viewing the Application Log. A server that receives a copy of the domains security database from the primary domain controller and shares the user login authentication load. The BDC can be configured to perform user authentication as well as be promoted to PDC if the PDC fails. A service provided by NT Servers and NT Workstations. The browser stores network information (such as domain users and workstations) and provides the information to NT workstations.
Application Log
Browse services
Glossary 59
Client
A client for the Security Server is any Rockwell Software application that is aware of the Security Server and uses it as a common security database. It adds actions to and performs access checks with the Security Server. PLC-5 A.I. Series software is an example of a client. (The Security Server Configuration Explorer is not a client.) Client connections refer to the connection between two machines. For example, if Machine 1 is running the Security Server and Machine 2 is running PLC-5 A.I. Series software and Frameworks software, and Machine 3 is running the Security Server Configuration Explorer, then only one license is required for the connection between Machine 1 and 2. PLC-5 A.I. Series software and RSLogix Frameworks software are clients. The Security Server Configuration Explorer is not a client. The license applies to the connection between the machine running the server and the machine running the client software. You can check the client connections to the server by viewing the Property Page - Network Information tab (File > Properties) in the Configuration Explorer. This displays the number of active client connections, the maximum number of clients that can be connected (based on the number of licences), and the peak number of clients that have connected at one time. Computer system architecture in which clients request a service and a server provides that service. Each machine can then be optimized for the task. A common example would be a client using a database server. In this case the entry and display of users' data are separated (often on separate machines) from the storage and retrieval of the data. The client may have a large color display with a graphical user interface. The server may have dual power supplies (in case one fails), fast duplicated hard disks (in case one fails and to increase the number of disk requests that can be serviced per second), and a built-in tape drive for fast backup. 
Client connections
Client-server

Consolidate resources
Process that reduces the number of RSLogix 5 and RSLogix 500 processor resources by removing workstation-specific information from the resources and combining access control list entries from the existing resources into a new, non-workstation-specific resource. RSLinx driver configurations must be identical for all resources being consolidated.

Database
For the Security Server, the collection of information regarding users, workstations, groups, resources, actions, access control lists, and client and server properties.

DCOM
Distributed Component Object Model, a Microsoft standard protocol for applications to communicate over networks.

Domain
In Windows NT security, a domain is a collection of computers that are grouped for viewing and administrative purposes, and that share a common security database.

Full names
This setting in Configuration Explorer shows the full name and description for users or workstations when they are being displayed in groups.

Global resource
A resource that does not apply to a particular processor. Global resources act on the actions associated with a particular software package. For example, if you set an ACL to deny a user the download action for PLC-5 A.I. Series software, that user cannot download. If you want to control actions based on individual processors, you could create resources for those processors and control actions through those resources.

Group
A collection of users, workstations, resources, or actions.

The number of licenses determines the number of client connections available. (See also the definition of Client and Client Connections.)

Line-of-sight
Line-of-sight refers to the rule in many industrial operations that an operator cannot change values or programs on a process that the operator cannot directly view.

Log
A repository of event information useful in documenting a process. Security Server can be configured to log entries into the Windows NT/2000 Application Log or to a file.

Network Edition
A version of Security Server which provides security for Rockwell Software applications on a network-wide basis.

One-way trust
A trust relationship where a domain (trusting domain) trusts another domain (trusted domain) to access its resources, but the trusted domain does not trust the trusting domain.

Primary domain controller
A server that maintains the domain's security database and authenticates user logons. It also provides a copy of the domain's security database to backup domain controllers (BDCs), which share the user login authentication load.

Refresh cycle
The length of time between the Security Server's validations of users and user groups with the account domain controller.

Registry
A database of information concerning the configuration of Windows and applications running under Windows.
Resource
For the Security Server, a resource is what an application wishes to protect. What a resource is varies depending on the application you use with the Security Server. For example, for PLC-5 A.I. Series software, a resource is a processor. For RSLinx, a resource is the name of the workstation running RSLinx.

Resource domain
A domain which contains resources such as workstations and printers.

Roaming
The ability to cache security server information to allow secured operation of Rockwell Software applications on a computer that is disconnected from a Security Server.

Server
The Security Server is an application that provides central control and administration of the Security Server database, by acting as a DCOM server and running as an NT service.

Service
A program that performs a specific system function and often provides an interface for other programs to call. The Security Server is such a program, providing security services for Rockwell Software applications running on a network.

Standalone Edition
A version of Security Server which provides security for Rockwell Software applications on a single workstation.

Trust relationships
The link between two domains that enables a user with an account in one domain to have access to resources on another domain.

Workstation
In the context of the Security Server, a computer running Windows 95, Windows 98, Windows NT Workstation, or Windows NT Server on the same network with the computer running the Security Server.