Differences between RSSecurity and FactoryTalk Security

Depending on which features of RSSecurity Server you are using, it might not be possible to migrate everything in your RSSecurity Server database to
FactoryTalk Security
. This is because of differences in the way that RSSecurity Server and
FactoryTalk
 work.
Support for resource groups and action groups
Action groups and resource groups are imported from RSSecurity into
FactoryTalk Directory
 in different ways, depending on whether you import them into a system running
FactoryTalk Automation Platform
 version 2.00 (CPR 7), or
FactoryTalk Services Platform
 version 2.10 (CPR 9) or later. To determine what version of the
FactoryTalk
 platform you are running, see
Add/Remove Programs
 in the Windows
Control Panel
.
  • FactoryTalk Automation Platform
     2.00 (CPR 7)
    . Action groups and resource grouping is not supported. Import the RSSecurity actions and resources held within groups as individual items.
  • FactoryTalk Services Platform
     2.10 (CPR 9) or later
    . If all of the computers in a
    FactoryTalk
     system have been upgraded to
    FactoryTalk Services Platform
     2.10 or later, you can retain RSSecurity group memberships. The import process prompts you to choose an application or area as a destination for the resources held in a group. Imported RSSecurity action groups appear under
    Action Groups
     in the
    FactoryTalk Directory
     System folder.
Unsupported features
Some RSSecurity Server features are not supported by
FactoryTalk Security
. These include:
  1. Changing the implicit behavior of Grant and Deny permissions
    RSSecurity Server allows you to configure security so that permissions are either granted or denied implicitly for resources that have no specific security settings defined.
    FactoryTalk Security
     always denies access if no security settings are defined for a resource and action. When importing an RSSecurity Server backup file, you can grant all users security access to actions and resources being imported wherever permissions are not specified in the RSSecurity Server database.
  2. Assigning resources to multiple resource groups
    RSSecurity Server allows you to assign resources to multiple resource groups, and then set the priority of the groups for evaluating access.
    FactoryTalk Security
     allows a resource to be assigned to only one application or area, not assigned to multiple groups. When importing an RSSecurity Server backup file that includes resource groups, the
    FactoryTalk Security
     Import tool cannot determine the order in which access checks should be performed, and therefore chooses an arbitrary order. If this happens, a message appears in the import log file. After the migration is complete, verify the security settings of the resource. Use
    FactoryTalk Administration Console
     or
    FactoryTalk View Studio
     to specify security settings for a resource.
  3. Setting the order in which Access Control Entries are evaluated
    RSSecurity Server provides the ability to set the order in which Access Control Entries are evaluated. For example, you can deny access to a group of users, but allow access to an individual user within the group. You can set the order of evaluation so that Allow access takes precedence over Deny access.
    FactoryTalk Security
     always evaluates Deny permissions before Allow permissions. In the example mentioned above, a user is always denied access if the group the user belongs to is denied access. You cannot change the priority with which permissions are evaluated. When importing an RSSecurity Server backup file, the
    FactoryTalk Security
     Import tool uses special logic to preserve the priority of Allow and Deny permissions in your RSSecurity Server database.
    However, because
    FactoryTalk Security
     does not support this capability, if you want to change the security settings associated with a resource that uses this special logic, you must remove all permissions associated with the resource, and then add the permissions again.
  4. Products supported by RSSecurity Server but not by
    FactoryTalk Security
    Some
    Rockwell Automation®
    software products that were integrated into RSSecurity cannot be migrated to
    FactoryTalk Security
    . These include
    RSLogix
     Frameworks, and the AI-3 and AI-5 programming product for
    PLC-3®
    and
    PLC-5®
    processors.
  5. Passwords for private users are not imported
    When importing an RSSecurity Server Standalone Edition database, the
    FactoryTalk Security
     Import tool creates a user account for each RSSecurity private user. However, the passwords for the RSSecurity private users cannot be imported. Instead,
    FactoryTalk Security
     creates a case-sensitive password identical to the user name, and forces the user to change the password when first logging on.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal