Transcription of FactoryTalk Security System Configuration Guide
1 Quick Start Guide FactoryTalk Security System Configuration Guide rockwell automation Publication FTSEC-QS001N-EN-E 3 Table of contents Summary of changes .. 9 About this publication .. 9 Additional resources .. 10 Legal Notices .. 11 Chapter 1 FactoryTalk systems .. 15 FactoryTalk Directory types .. 17 Accounts and groups .. 18 Account types .. 20 Applications and areas .. 22 Security in a FactoryTalk System .. 22 Example: Two directories on one computer .. 24 Chapter 2 Install FactoryTalk Services Platform .. 27 Chapter 3 FactoryTalk Security .. 29 Security on a local directory.
2 31 Security on a network directory .. 31 How Security authenticates user accounts .. 32 Things you can secure .. 32 Best practices .. 34 Audit trails and regulatory compliance .. 36 Configure a computer to be the FactoryTalk Directory network server .. 38 Configure a computer to be the network directory server .. 39 Configure a network directory client computer .. 40 Check network directory server connection status .. 40 FactoryTalk Directory Server Location 41 Chapter 4 Manage users .. 43 Add a FactoryTalk user account .. 43 Add a Windows-linked user account .. 45 Add group memberships to a user account.
3 46 Remove group memberships from a user account .. 47 Delete a user account .. 48 Preface Legal Notices About FactoryTalk systems Install FactoryTalk Services Platform Getting started with FactoryTalk Security Manage users Table of contents 4 rockwell automation Publication FTSEC-QS001N-EN-E Chapter 5 Manage user 51 Add a FactoryTalk user group .. 51 Add a Windows-linked user group .. 53 Edit or view user group properties .. 55 Delete a user group .. 56 Add accounts to a FactoryTalk user group .. 57 Remove accounts from a FactoryTalk user 58 Chapter 6 Manage computers .. 59 Add a computer.
4 59 Delete a computer .. 60 Edit or view computer properties .. 61 Chapter 7 Add and remove user-computer pairs .. 63 Add a user-computer pair .. 63 Remove a user-computer pair .. 65 Edit or view user account properties .. 66 Chapter 8 Add and remove action groups .. 69 Add an action group .. 69 Delete an action group .. 70 Add an action to an action group .. 71 Remove an action from an action group .. 72 Chapter 9 Authorize an application to access the FactoryTalk Directory .. 74 FactoryTalk Service Application 75 FactoryTalk Service Application Authorization settings .. 76 Publisher Certificate Information.
5 78 Digitally signed FactoryTalk products .. 78 Assign user rights to make System policy changes .. 79 User rights assignment policies .. 80 User Rights Assignment Policy Properties .. 81 Configure Securable Action .. 82 Select a user or group .. 83 Change the default communications protocol .. 83 Manage user groups Manage computers Add and remove user-computer pairs Add and remove action groups Set System policies Table of contents rockwell automation Publication FTSEC-QS001N-EN-E 5 Default communications protocol settings .. 84 Live Data Policy Properties .. 85 Set network health monitoring policies.
6 86 Health Monitoring Policy Properties .. 86 Set audit policies .. 88 Audit policies .. 89 Audit Policy Properties .. 91 Monitor Security -related events .. 92 Example: Audit messages .. 93 Set System Security policies .. 93 Modify Account Policy Settings .. 94 Modify Computer Policy Settings .. 96 Modify Directory Protection Policy Settings .. 97 Modify Password Policy Settings .. 98 Enable single 100 Disable single sign-on .. 101 Account Policy Settings .. 101 Computer Policy Settings .. 103 Directory Protection Policy Settings .. 105 Cache expiration policies .. 106 Password Policy Settings.
7 107 Single Sign-On Policy Settings .. 110 When to disable single sign-on .. 110 Security Policy Properties .. 111 Navigate the Policy Properties windows .. 112 Export policies to XML .. 113 Chapter 10 Secure features of a single product .. 116 Secure multiple product 116 Feature Security for Product Policies .. 118 Feature Security Policies .. 119 Differences between securable actions and product policies .. 119 Chapter 11 Logical names .. 121 Add a logical name .. 123 Delete a logical name .. 123 Add a device to a logical name .. 124 Remove a device from a logical name .. 124 Assign a control device to a logical name.
8 125 Add a logical name to an area or application .. 126 Delete a logical name from an area or application .. 127 New Logical Name .. 127 Set product-specific policies Manage logical names Table of contents 6 rockwell automation Publication FTSEC-QS001N-EN-E Logical Name Properties .. 128 Device 129 Chapter 12 Resource groupings .. 131 Group hardware resources in an application or area .. 132 Move a resource between areas .. 133 Remove a device from a resource grouping .. 1 34 Resources Editor .. 135 Select Resources .. 135 Chapter 13 Secure resources .. 137 Permissions .. 138 Breaking the chain of inheritance.
9 140 Order of precedence .. 142 Actions .. 142 Set FactoryTalk Directory permissions .. 146 Set application permissions .. 148 Set area permissions .. 149 Set System folder permissions .. 151 Set action group permissions .. 153 Set database permissions .. 154 Set logical name permissions .. 155 Allow a resource to inherit permissions .. 157 Prevent a resource from inheriting permissions .. 157 View effective permissions .. 158 Effective permission icons .. 160 Chapter 14 Back up a FactoryTalk System .. 163 Back up a FactoryTalk Directory .. 164 Back up a System folder .. 166 Back up an application.
10 168 Back up a Security Authority identifier .. 171 Backup .. 172 Backup and restore options .. 173 Modify Security Authority Identifier .. 174 Restore a FactoryTalk System .. 175 Restore a FactoryTalk Directory .. 176 Restore a System folder .. 178 Restore an application .. 180 Restore a Security Authority identifier .. 182 Resource grouping Secure resources Disaster Recovery Table of contents rockwell automation Publication FTSEC-QS001N-EN-E 7 Verify Security settings after restoring a FactoryTalk System .. 183 Update computer accounts in the network directory .. 184 Recreate a Windows-linked user account.
