Accounts and groups
Create accounts for users, computers, and groups of users and computers to define who can perform actions, and from where. Security settings for accounts are stored in the FactoryTalk Directory and are separate for FactoryTalk network and local directories. As much as possible, secure resources by defining security permissions for the group accounts. Add user and computer accounts to the groups, and all individual accounts in the groups inherit the security settings of those groups.

User accounts and user group accounts
Accounts for users and user groups can link to accounts in a Windows® domain or workgroup, or be separate from those in Windows. If the FactoryTalk system security needs are the same as the security needs of the Windows, Microsoft® Entra ID, on-premises OIDC, OKTA, MyRockwell, or LDAP domain server, using Windows-linked user or group accounts, cloud-based authentication group accounts, or LDAP-link user group accounts provides a convenient way to add large numbers of existing users or groups from Windows, a Microsoft Entra ID site, an OIDC site, or an LDAP domain server to the FactoryTalk system. Account properties (for example, whether users can change passwords) are inherited directly from the Windows accounts and update automatically when changed in Windows. Separate account administration is not required.

IMPORTANT: Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.

FactoryTalk user accounts or user group accounts provide secure access to the FactoryTalk system independently of the level of access users have in Windows. If the security needs of the FactoryTalk system are different from those of the Windows network, FactoryTalk Directory user accounts provide the benefits and convenience of centralized administration without needing a Windows domain. FactoryTalk user group, cloud-based authentication group, or LDAP-link user group accounts also retain their security settings if the FactoryTalk Directory moves to a new domain.

Computer and computer group accounts
Sometimes, restricting access to resources based on a user's physical location is necessary. Some critical operations require line-of-sight security to ensure that computers are located within view of the equipment they are controlling. For example, a system designer might determine that a piece of equipment is operated from one specific operator workstation or group of workstations physically located within a clear view of the machine.

Computer accounts and computer group accounts are not linked to Windows. Accounts for computers that do not yet exist in Windows can be created in a local FactoryTalk Directory. However, the name of a computer account must match the Windows computer name for the security settings associated with the computer to take effect. Because a FactoryTalk local directory runs on a single computer, add computer accounts only to a FactoryTalk local directory.

Account status
By default, user accounts have active status, which means that the account can be used to access resources. Other possible account statuses are:
- Disabled: prevents the user from accessing the account temporarily.
- Locked: the wrong password was entered more than a certain number of times.
- Deleted: prevents the user from accessing the account permanently.
- Unknown: information about the account could not be obtained from the network.
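The rules described on this page (permissions granted to groups and inherited through membership, computer accounts that only take effect when their name matches the Windows computer name, and only active accounts granting access) as a constructed Python model. This is an added illustration, not part of this page or of FactoryTalk itself; the names Directory, can_perform, sample_directory and the sample users, groups and computers are assumptions.

```python
# Constructed model of the account rules described on this page; it is an
# added illustration, not Rockwell's implementation. Assumed names: Directory,
# can_perform(), sample_directory(), and the sample users/computers/groups.
from dataclasses import dataclass, field

ACTIVE, DISABLED, LOCKED, DELETED, UNKNOWN = (
    "Active", "Disabled", "Locked", "Deleted", "Unknown")


@dataclass
class Directory:
    user_status: dict = field(default_factory=dict)      # user -> status
    user_groups: dict = field(default_factory=dict)      # group -> {users}
    computer_groups: dict = field(default_factory=dict)  # group -> {computer accounts}
    # action -> {(user group, computer group)} pairs allowed to perform it
    grants: dict = field(default_factory=dict)

    def groups_of_user(self, user):
        return {g for g, members in self.user_groups.items() if user in members}

    def groups_of_computer(self, windows_name):
        # A computer account only takes effect when its name matches the Windows
        # computer name; the comparison is assumed to be case-insensitive here.
        name = windows_name.upper()
        return {g for g, members in self.computer_groups.items()
                if name in {m.upper() for m in members}}

    def can_perform(self, user, windows_name, action):
        # Only an active account can be used to access resources.
        if self.user_status.get(user, UNKNOWN) != ACTIVE:
            return False
        # Permissions are defined on groups; users and computers inherit them
        # through membership, so "who" and "from where" are both group checks.
        allowed = self.grants.get(action, set())
        return any((ug, cg) in allowed
                   for ug in self.groups_of_user(user)
                   for cg in self.groups_of_computer(windows_name))


def sample_directory():
    # Constructed sample data: one operator group, one line-of-sight HMI group.
    d = Directory()
    d.user_status.update({"alice": ACTIVE, "bob": LOCKED})
    d.user_groups["Operators"] = {"alice", "bob"}
    d.computer_groups["Line1_HMIs"] = {"HMI-LINE1-A", "HMI-LINE1-B"}
    d.grants["Start Line 1"] = {("Operators", "Line1_HMIs")}
    return d
```

An operator in the granted group from a workstation in the line-of-sight computer group is allowed; the same operator from an office computer, a locked account, or an account the directory has no information about (Unknown) is refused.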