Best practices
Use these tips when setting up the FactoryTalk system to achieve efficient management of user authentication and authorization.
Administrator accounts
- Always have more than one user account that is a member of the FactoryTalk Administrators group. If the password to one administrator account is lost, use a second administrator account to reset the password to the first one. A lost password to a user account is not recoverable. A second administrator account prevents being locked out of the FactoryTalk system if the first administrator password is lost.
- Always have at least one Windows-linked user account that is a member of the FactoryTalk Administrators group. If the Windows-linked administrator account is locked out, for example because the user exceeds the maximum number of logon tries, the Windows domain administrator can reset the account. Alternatively, the user can wait until Windows automatically resets and frees the locked-out account. The wait time depends on the Account lockout duration policy in Windows.
Windows-linked accounts
FactoryTalk does not cache credentials for Windows-linked users or groups. By default, however, the Windows operating system caches the Windows security token for each unique user's ten most recent valid logons. For more information on cached security credentials, see Microsoft.com. This cached verifier allows Windows-linked user accounts to be authenticated even when the domain controller is not connected or able to provide authentication. Windows is responsible for encrypting this cached verifier. However, this caching does not apply to Windows-linked groups. Neither the FactoryTalk Directory system nor the Windows operating system caches Windows domain group information; there is no way for the FactoryTalk system to determine which domain accounts are members of a Windows-linked group when disconnected from the domain. If you want to use groups in the FactoryTalk system and you expect to be disconnected from the domain, it is suggested that you use FactoryTalk user groups that contain Windows-linked users.
Permissions
- Assign permissions to groups rather than to users.
- Assign permissions to user accounts only by exception. Maintaining user accounts directly is inefficient.
- Wherever possible, remove Allow permissions instead of assigning explicit Deny permissions. Explicit permissions take precedence over inherited permissions, and Deny permissions take precedence over Allow permissions, so relying on the absence of an Allow keeps administration simpler.
- Use Deny permissions to:
  - Exclude a subset of a group that has Allow permissions
  - Exclude one special permission when full control to a user or group is already granted
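To make the two precedence rules concrete, here is an added Python model (not FactoryTalk's own code) that evaluates a user's effective permission on a small resource tree and contrasts the explicit-Deny approach with simply removing the Allow. The resource names, group names and the Write action are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two precedence rules stated above: an explicit entry
# on a resource beats an entry inherited from its parent, and at the same level
# Deny beats Allow. This is an illustration, not FactoryTalk's implementation.

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    # Explicit entries on this resource: (principal, action, "Allow" | "Deny").
    entries: list = field(default_factory=list)

def effective(resource, user, groups, action):
    """True if `user` (a member of `groups`) may perform `action` on `resource`.

    Walk from the resource up through its ancestors; the nearest level holding
    an entry for any of the user's principals decides (explicit beats
    inherited). Within that level any Deny wins. No entry anywhere: denied.
    """
    principals = {user, *groups}
    level = resource
    while level is not None:
        verdicts = {v for p, a, v in level.entries if p in principals and a == action}
        if verdicts:
            return "Deny" not in verdicts
        level = level.parent
    return False

def deny_approach():
    """Exclude Operators from Line1 with an explicit Deny, then try to re-admit bob."""
    plant = Resource("Plant", entries=[("Operators", "Write", "Allow")])
    line1 = Resource("Line1", plant, [("Operators", "Write", "Deny")])
    before = effective(line1, "bob", ["Operators"], "Write")
    # Later bob also joins Maintenance, which is granted Write on Line1.
    line1.entries.append(("Maintenance", "Write", "Allow"))
    after = effective(line1, "bob", ["Operators", "Maintenance"], "Write")
    return before, after  # (False, False): the Deny still wins at that level

def remove_allow_approach():
    """Same goal, but grant Allow only where it is wanted and add no Deny."""
    plant = Resource("Plant")  # no plant-wide Allow for Operators
    line1 = Resource("Line1", plant)
    line2 = Resource("Line2", plant, [("Operators", "Write", "Allow")])
    before = effective(line1, "bob", ["Operators"], "Write")
    line1.entries.append(("Maintenance", "Write", "Allow"))
    after = effective(line1, "bob", ["Operators", "Maintenance"], "Write")
    return before, after, effective(line2, "bob", ["Operators"], "Write")
```

With the Deny approach, granting a new Allow on Line1 cannot re-admit bob while he remains in Operators; with the remove-Allow approach the later grant works as intended.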