Rockwell Automation FactoryTalk Security System Quick Start Guide

Original Instructions

FactoryTalk Security System Configuration Guide

Rockwell Automation Publication FTSEC-QS001Q-EN-E - March 2021 Supersedes Publication FTSEC-QS001P-EN-E - September 2020
Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Table of Contents

Summary of changes .................................................................................. 9
About this publication ................................................................................ 9
Additional resources ..................................................................................10
Legal Notices ...............................................................................................10
Chapter 1
FactoryTalk systems................................................................................... 13
FactoryTalk Directory types ................................................................ 15
Accounts and groups............................................................................ 16
Account types ....................................................................................... 18
Applications and areas ........................................................................ 20
Security in a FactoryTalk system ....................................................... 20
Example: Two directories on one computer ..................................... 22
Chapter 2
Install FactoryTalk Services Platform ..................................................... 25
Install FactoryTalk System Services and FactoryTalk Policy Manager . 26
Chapter 3
FactoryTalk Security ................................................................................. 29
Security on a local directory ................................................................ 31
Security on a network directory .......................................................... 31
How security authenticates user accounts ........................................32
Things you can secure ..........................................................................32
Best practices ........................................................................................ 34
Audit trails and regulatory compliance .............................................. 36
Configure a computer to be the FactoryTalk Directory network server 38
Configure a computer to be the network directory server ............... 39
Configure a network directory client computer ................................ 39
Check network directory server connection status .......................... 40
FactoryTalk Directory Server Location Utility ................................... 41
Chapter 4
Manage users ............................................................................................. 43
Add a FactoryTalk user account .......................................................... 43
Add a Windows-linked user account .................................................. 45
Add group memberships to a user account ...................................... 46
Remove group memberships from a user account ............................ 47
Delete a user account .......................................................................... 48
Chapter 5
Manage user groups .................................................................................. 51
Add a FactoryTalk user group ............................................................ 52
Add a Windows-linked user group ..................................................... 53
Edit or view user group properties ..................................................... 55
Delete a user group ..............................................................................56
Add accounts to a FactoryTalk user group .........................................56
Remove accounts from a FactoryTalk user group ............................. 57
Chapter 6
Manage computers ....................................................................................59
Add a computer ....................................................................................59
Delete a computer ............................................................................... 60
Edit or view computer properties ....................................................... 61
Chapter 7
Add and remove user-computer pairs ...................................................... 63
Add a user-computer pair .................................................................... 63
Remove a user-computer pair .............................................................65
Edit or view user account properties ..................................................65
Chapter 8
Add and remove action groups ................................................................. 67
Add an action group ............................................................................. 67
Delete an action group ........................................................................ 68
Add an action to an action group ....................................................... 69
Remove an action from an action group ........................................... 69
Chapter 9
Authorize an application to access the FactoryTalk Directory .............. 72
FactoryTalk Service Application Authorization ................................. 73
FactoryTalk Service Application Authorization settings .................. 73
Publisher Certificate Information ...................................................... 75
Digitally signed FactoryTalk products................................................ 76
Authorize a service to use FactoryTalk Badge Logon .............................. 76
FactoryTalk Badge Authorization ....................................................... 77
FactoryTalk Badge Authorization settings ......................................... 77
Assign user rights to make system policy changes ................................. 78
User rights assignment policies .......................................................... 79
User Rights Assignment Policy Properties ....................................... 80
Configure Securable Action ............................................................... 80
Select a user or group ........................................................................... 81
Change the default communications protocol ....................................... 82
Default communications protocol settings ...................................... 82
Live Data Policy Properties ................................................................. 83
Set network health monitoring policies .................................................. 84
Health Monitoring Policy Properties ................................................ 85
Set audit policies ....................................................................................... 86
Audit policies ....................................................................................... 87
Audit Policy Properties ....................................................................... 89
Monitor security-related events ......................................................... 90
Example: Audit messages .................................................................... 91
Set system security policies ....................................................................... 91
Modify Account Policy Settings ......................................................... 92
Modify Computer Policy Settings ....................................................... 93
Modify Directory Protection Policy Settings .....................................95
Modify Password Policy Settings ....................................................... 96
Modify Badge login policies ............................................................... 98
Enable single sign-on .......................................................................... 99
Disable single sign-on ....................................................................... 100
Account Policy Settings .................................................................... 100
Computer Policy Settings .................................................................. 102
Directory Protection Policy Settings ................................................ 103
Cache expiration policies .................................................................. 105
Password Policy Settings ................................................................... 106
Single Sign-On Policy Settings ......................................................... 109
When to disable single sign-on ......................................................... 110
Security Policy Properties .................................................................. 110
Navigate the Policy Properties windows ................................................. 111
Export policies to XML............................................................................. 112
Chapter 10
Secure features of a single product ........................................................ 114
Secure multiple product features ........................................................... 114
Feature Security for Product Policies ..................................................... 115
Feature Security Policies .......................................................................... 116
Differences between securable actions and product policies ............... 116
Chapter 11
Logical names ........................................................................................... 119
Add a logical name ................................................................................... 121
Delete a logical name ............................................................................... 122
Add a device to a logical name ................................................................. 122
Remove a device from a logical name ..................................................... 122
Assign a control device to a logical name ............................................... 123
Add a logical name to an area or application ......................................... 124
Delete a logical name from an area or application ................................ 124
New Logical Name .................................................................................... 125
Logical Name Properties .......................................................................... 126
Device Properties ..................................................................................... 126
Chapter 12
Resource groupings ................................................................................. 129
Group hardware resources in an application or area............................ 130
Move a resource between areas ................................................................ 131
Remove a device from a resource grouping ............................................ 131
Resources Editor ...................................................................................... 132
Select Resources ....................................................................................... 133
Chapter 13
Secure resources ...................................................................................... 135
Permissions ........................................................................................ 135
Breaking the chain of inheritance .............................................. 138
Order of precedence .................................................................... 139
Actions .......................................................................................... 140
Set FactoryTalk Directory permissions ............................................ 144
Set application permissions .............................................................. 145
Set area permissions .......................................................................... 147
Set System folder permissions .......................................................... 148
Set action group permissions ........................................................... 149
Set database permissions .................................................................. 151
Set logical name permissions ............................................................ 152
Allow a resource to inherit permissions ........................................... 153
Prevent a resource from inheriting permissions ............................ 154
View effective permissions ................................................................ 154
Effective permission icons ................................................................ 156
Chapter 14
Back up a FactoryTalk system ................................................................. 159
Back up a FactoryTalk Directory ....................................................... 160
Back up a System folder ..................................................................... 162
Back up an application....................................................................... 164
Back up a Security Authority identifier ............................................ 166
Backup FactoryTalk Linx configuration ........................................... 167
Backup ................................................................................................. 168
Backup and restore options ............................................................... 170
Modify Security Authority Identifier .................................................171
Restore a FactoryTalk system .................................................................. 172
Restore a FactoryTalk Directory........................................................ 172
Restore a System folder ..................................................................... 175
Restore an application ....................................................................... 176
Restore a Security Authority identifier ............................................ 179
Restore FactoryTalk Linx configuration...........................................180
Verify security settings after restoring a FactoryTalk system ........ 181
Update computer accounts in the network directory ............... 181
Recreate a Windows-linked user account .................................. 182
Update Windows-linked user groups ........................................ 183
Update security settings for Networks and Devices ................. 183
Update security settings for the FactoryTalk Linx OPC UA Connector ........... 184
Restore database connections .................................................... 185
Restore an earlier system after upgrading FactoryTalk platform software ........ 185
Generate a Security Authority identifier .......................................... 187
Restore ................................................................................................ 188
Restore (FactoryTalk Directory) ........................................................ 189
Restore (System folder) ..................................................................... 190
Restore (Application) ......................................................................... 190
Restore (Security Authority Identifier) ............................................ 192
Restore Backup File ............................................................................ 193
Use commands to back up and restore ................................................... 193
FactoryTalk Directory Configuration Wizard........................................ 196
Select a FactoryTalk Directory to configure ..................................... 197
Configure FactoryTalk Network Directory ................................ 197
Network directory and the FactoryTalk Directory Configuration Wizard ........ 198
Configure FactoryTalk Local Directory ...................................... 199
Local directory and the FactoryTalk Directory Configuration Wizard .......... 200
Product support for network and local directories ................... 201
Enter an administrator user name and password ......................... 202
Reset an expired password ............................................................... 203
Change Password (local) ................................................................... 203
Change Password (network) ............................................................ 204
Summary ........................................................................................... 205
Default passwords ............................................................................. 206
Appendix A
Upgrade FactoryTalk Services Platform................................................ 209
Identify the installed FactoryTalk Services Platform version .............. 210
Appendix B
Install FactoryTalk Web Services ............................................................ 211
Add an HTTPS site binding for FactoryTalk Web Services .................. 212
Client computers unable to connect to FactoryTalk Web Services ...... 213
User cannot log into FactoryTalk Web Services ..................................... 214
Appendix C
FactoryTalk Policy Manager and FactoryTalk System Services ........... 215
Install FactoryTalk System Services and FactoryTalk Policy Manager 216
Start FactoryTalk System Services ......................................................... 217
Log on to FactoryTalk Policy Manager ................................................... 217
Navigate FactoryTalk Policy Manager .................................................... 218
FactoryTalk Policy Manager Global Settings .......................................... 219
FactoryTalk Policy Manager planning ................................................... 220
FactoryTalk Policy Manager component considerations ..................... 222
Authentication methods ..........................................................................223
Security Groups ........................................................................................223
Zones ........................................................................................................ 224
Add a zone .......................................................................................... 225
Conduits ................................................................................................... 225
Add a conduit..................................................................................... 226
Devices ......................................................................................................227
Discovery ............................................................................................227
Add a device to a zone ........................................................................227
FactoryTalk Linx devices .................................................................. 229
Ports ................................................................................................... 229
Add a port .................................................................................... 230
Replace a device ................................................................................. 230
Remove the security policy from a device ........................................ 231
Ranges .......................................................................................................232
Add a range .........................................................................................232
Deploy a security model ........................................................................... 233
Backup and restore security models ....................................................... 234
Backup FactoryTalk System Services................................................ 235
Restore FactoryTalk System Services ............................................... 235
Preface

Summary of changes

This manual includes new and updated information. Use these reference tables to locate changed information.
Grammatical and editorial style changes are not included in this summary.
Global changes
None in this release.
New or enhanced features
This table contains a list of topics changed in this version, the reason for the change, and a link to the topic that contains the changed information.
Topic Name | Reason
Account Policy Settings on page 100 | The default value of the Account lockout threshold for the Local Directory and Network Directory is changed from 0 invalid logon attempts to 3 invalid logon attempts.
Back up a FactoryTalk Directory on page 160 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Back up an application on page 164 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Back up a System folder on page 162 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Restore a FactoryTalk Directory on page 189 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Restore a System folder on page 190 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Restore an application on page 176 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Use command line to back up and restore on page 193 | New topic that introduces the command lines that can be used to back up and restore the FactoryTalk Directory, System folder, and applications.

About this publication

This Quick Start Guide provides you with information on using FactoryTalk Services Platform with FactoryTalk Security.
Before using this guide, review the FactoryTalk Services Platform Release Notes for information about required software, hardware, and anomalies.
After using this guide, you will be more familiar with how FactoryTalk Services Platform uses:
FactoryTalk Directory types
User accounts
Computer accounts
Local and network security options
Authentication methods
Password management
Security policies
For more information on system security, download the System Security Design Guidelines (publication SECURE-RM001) from the Rockwell Automation Literature Library.

Additional resources

For more information on the products and components discussed in this guide, the following manuals and Help files are available with the software:
FactoryTalk® Help – Go to Rockwell Software > FactoryTalk Tools > FactoryTalk Help
FactoryTalk View Installation Guide or FactoryTalk View Help – Go to Rockwell Software > FactoryTalk View > User Documentation and then select the appropriate Help or User Guide.
FactoryTalk® Linx™ Help – Go to Rockwell Software > FactoryTalk Linx > FactoryTalk Linx Online Reference.
RSLinx® Classic Help – Go to Rockwell Software > RSLinx > RSLinx Classic Online Reference.
Studio 5000 Logix Designer® application Help – In Logix Designer, select Help > Contents
FactoryTalk Batch Administrator's Guide – Go to Rockwell Software > FactoryTalk Batch Suite > FactoryTalk Batch > Online Books > FactoryTalk Batch > Batch Administrator's Guide
FactoryTalk® Transaction Manager Help
FactoryTalk® AssetCentre Help
The Rockwell Automation® Literature Library also has related Getting Results Guides that can be viewed online or downloaded:
FactoryTalk Linx Getting Results Guide – Rockwell Automation Publication LNXENT-GR001_-EN-E
RSLinx Classic Getting Results Guide – Rockwell Automation Publication LINX-GR001_-EN-E
FactoryTalk Batch Getting Results Guide – Rockwell Automation Publication BATCH-GR011_-EN-P
FactoryTalk Policy Manager Getting Results Guide – Rockwell Automation Publication FTALK-GR001_-EN-E

Legal Notices

Rockwell Automation publishes legal notices, such as privacy policies, license agreements, trademark disclosures, and other terms and conditions on the Legal Notices page of the Rockwell Automation website.
End User License Agreement (EULA)
You can view the Rockwell Automation End User License Agreement (EULA) by opening the license.rtf file located in your product's install folder on your hard drive.
The default location of this file is:
C:\Program Files (x86)\Common Files\Rockwell\license.rtf.
Open Source Software Licenses
The software included in this product contains copyrighted software that is licensed under one or more open source licenses.
You can view a full list of all open source software used in this product and their corresponding licenses by opening the index.html file located in your product's OPENSOURCE folder on your hard drive.
The default location of this file is:
C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk Services Platform\Release Notes\OPENSOURCE\index.htm
You may obtain Corresponding Source code for open source packages included in this product from their respective project web site(s). Alternatively, you may obtain complete Corresponding Source code by contacting Rockwell Automation via the Contact form on the Rockwell Automation website: http://www.rockwellautomation.com/global/about-us/contact/contact.page. Please include "Open Source" as part of the request text.

Chapter 1
About FactoryTalk systems
A FactoryTalk® system is composed of software products, services, and hardware devices participating together and sharing the same FactoryTalk Directory and FactoryTalk services.
For example, a FactoryTalk system may be as simple as FactoryTalk® Services Platform, FactoryTalk View, RSLinx® Classic, and RSLogix™ 5 all installed on the same computer, communicating with a single programmable logic controller, and all participating in the same local application held in a local directory.
A FactoryTalk system may be much more complex, with software products and hardware devices participating in multiple network applications distributed across a network, all sharing the same network directory.
A single computer can host both a local directory and a network directory. The two directories are completely separate and do not share any information. When using both directories, that single computer participates in two separate FactoryTalk systems.
In the network directory example above, the directory hosts two network applications: Waste Water and Water Distribution. All of the areas, data servers, HMI servers, device servers, and alarm and event servers organized within each application are specific to that application. None of the application-specific information is shared with any other application in the directory. However, all information and settings organized within the System folder, such as security settings, system policies, product policies, and user accounts, apply to all applications held in the directory.
For example, modifying security settings in the Waste Water application does not affect the Water Distribution application. However, making a change to a security policy applies the change to both the Waste Water application and the Water Distribution application. The security policy settings also apply to any other new applications created in this same network directory.
See also
FactoryTalk Directory types on page 15
Accounts and groups on page 16
Applications and areas on page 20
Security in a FactoryTalk system on page 20
Example: Two directories on one computer on page 22

FactoryTalk Directory types

The FactoryTalk Directory is the centerpiece of the FactoryTalk Services Platform. FactoryTalk Directory provides a central lookup service for all products participating in an application. Rather than a traditional system design with multiple, duplicated databases or a central, replicated database, FactoryTalk Directory references tags and other system elements from multiple data sources—and makes the information available to clients through a lookup service.
Tags are stored in their original environments, such as logic controllers. Graphic displays are stored in the HMI servers where they are created. This information is available, without duplication, to any FactoryTalk product participating in an application.
For example, at workstation 1, a logic programmer programs PLC tags using RSLogix™ and saves the project. At workstation 2, an engineer using FactoryTalk View SE has immediate access to the tags created in the PLC program, without creating an HMI tag database. Tags are available for immediate use anywhere within the application, even before the logic program is downloaded to the controller. As the logic program is edited, most tag information is updated, and new tags are available immediately across the system.
With RSLogix 5000® controllers, tags reside within the hardware itself. With Allen-Bradley® PLC-5® and SLC™ 500 devices, and with third-party controllers, tags reside within data servers, such as RSLinx Classic and FactoryTalk® Linx™. Tags are not held within a common database, nor are they duplicated in multiple databases. Instead, the FactoryTalk Directory references tags from their source locations and passes the information on to the software products that need it, such as FactoryTalk View SE and FactoryTalk Transaction Manager.
A single computer can host two types of directories
The FactoryTalk Services Platform installs and configures two completely separate and independent directories: a local directory and a network directory. Each directory can hold multiple applications.
In a local directory, all project information and security settings are located on a single computer, and the FactoryTalk system cannot be shared across a network or from the network directory on the same computer. Products such as FactoryTalk View SE (Local) and FactoryTalk View ME use the local directory.
A network directory organizes project information and security settings from multiple FactoryTalk products across multiple computers on a network. Products such as FactoryTalk View SE and FactoryTalk Transaction Manager use the network directory.
Determining the appropriate directory depends upon the software products and whether the environment is stand-alone or networked.
See also
Example: Two directories on one computer on page 22
Configure a network directory client computer on page 39
FactoryTalk systems on page 13

Accounts and groups
Create accounts for users, computers, and groups of users and computers to define who can perform actions, and from where.
Security settings for accounts are stored in FactoryTalk Directory, and are separate for FactoryTalk network and local directories. As much as possible, secure resources by defining security permissions for the group accounts. Add user and computer accounts to the groups, and all individual accounts in the groups have the security settings of those groups.
User accounts and user group accounts
Accounts for users and user groups can link to accounts in a Windows® domain or workgroup, or be separate from those in Windows.
If the FactoryTalk system security needs are the same as the Windows security needs, using Windows-linked user or group accounts provides a convenient way to add large numbers of existing Windows user or group accounts to the FactoryTalk system. Account properties — for example, whether users can change passwords — are inherited directly from the Windows accounts, and update automatically when changed in Windows. Separate account administration is not required.
FactoryTalk user accounts or user group accounts provide secure access to the FactoryTalk system independently of the level of access users have in Windows. If the security needs of the FactoryTalk system are different from those of the Windows network, FactoryTalk Directory user accounts provide the benefits and convenience of centralized administration, without needing a Windows domain. FactoryTalk user group accounts also retain their security settings if the FactoryTalk Directory moves to a new domain.
Computer and computer group accounts
Sometimes restricting access to resources based on a user's physical location is necessary. Some critical operations require line-of-sight security, to ensure that computers are located within view of the equipment they are controlling. For example, a system designer might determine that a piece of equipment is operated from one specific operator workstation or group of workstations physically located within a clear view of the machine.
Computer accounts and computer group accounts are not linked to Windows. Accounts for computers that do not yet exist in Windows can be created in a FactoryTalk network directory. However, the name of a computer account must match the Windows computer name for the security settings associated with the computer to take effect. Because a FactoryTalk local directory runs on a single computer and is used only from that computer, add computer accounts only to a FactoryTalk network directory.
Account status
By default, user accounts and group accounts have Active status, which means that the account can be used to access resources. The other possible account statuses are:
Disabled: the user is prevented from using the account temporarily, until an administrator enables it again.
Locked: the wrong password was entered more than the number of times allowed by the lockout policy.
Deleted: the user is prevented from using the account permanently.
Unknown: information about the account could not be obtained from the network, for example because the Windows domain that holds a linked account is unreachable.
See also
Account types on page 18
Manage users on page 43
Manage user groups on page 51
Manage computers on page 59
Account types
FactoryTalk supports these account types:
FactoryTalk user accounts that are separate from Windows accounts.
Windows-linked user accounts that are linked to existing user accounts in a Windows domain or workgroup.
Windows-linked user groups that determine access for all of the Windows accounts in the group. To specify different permissions for some users in the Windows-linked group, add Windows-linked user accounts for those users.
Both Windows-linked accounts and FactoryTalk accounts can be in the same FactoryTalk Directory. Example: a FactoryTalk administrator account that is unique to the FactoryTalk Directory, alongside Windows-linked user accounts for the users who already exist in Windows.
When to use FactoryTalk user accounts
For the convenience and benefits of centralized security administration across the entire distributed system, without reliance on a Windows domain. This is often necessary when your organization's IT department controls administration of Windows users, and does not allow you to modify accounts in Windows.
For central user authentication when using Windows workgroups in a FactoryTalk network directory. For all FactoryTalk products, FactoryTalk Directory is the central authority for user authentication, allowing you to administer user accounts centrally, rather than locally on each computer. You can use Windows-linked accounts with Windows workgroups in a local directory.
When the security needs of the Windows network are different from the security needs of the control network. For example:
When all operators share the same Windows account to gain access to the computer.
When the computer is always logged on under a particular Windows account. FactoryTalk accounts allow different operators to gain different levels of access to the control system, independently of their access to Windows.
When the computer automatically logs on to the Windows network after restarting (for example, after a power failure), so that it can run control programs automatically. FactoryTalk accounts allow operators to log on and off the control system independently of Windows.
When to use Windows-linked user accounts
When the security needs of the Windows network are the same as the security needs of the control system. For example:
When the control system is located in its own domain, perhaps separately from business systems, and user accounts and passwords can be shared between Windows and FactoryTalk software programs.
When operators can log on and off computers with their own Windows accounts, and the software programs they use start automatically.
When to use Windows-linked user group accounts
If you expect the need to move Windows accounts from one domain to another, use Windows-linked user group accounts. Windows-linked user group accounts, and the user accounts they contain, can be moved from one domain to another while keeping security permissions for the group accounts intact. Individual Windows-linked user accounts must be deleted and then re-created in the new domain, causing all security permissions for the user accounts to be lost.
Always have at least one Windows-linked user account that is a member of the FactoryTalk Administrators group. This prevents an inadvertent lock out of the FactoryTalk system. If the Windows-linked administrator account is locked out, for example because the user exceeds the maximum number of logon tries, the Windows domain administrator can reset the account. Alternatively, the user can wait until Windows automatically resets and frees the locked-out account. When this happens depends on the account lockout duration policy in Windows. For details, see Windows Help.
Rules for using FactoryTalk accounts and Windows-linked accounts
FactoryTalk user accounts cannot be members of Windows-linked user groups.
Both Windows-linked user groups and individual Windows-linked user accounts can be members of FactoryTalk user groups. This allows you to use FactoryTalk user groups when setting permissions.
A FactoryTalk user account or Windows-linked user account can be a member of more than one FactoryTalk user group.
Note: If an action is set to Deny for the user in any one group, then the Deny takes precedence over any Allow setting in a different group of which the user is a member.
See also
How security authenticates user accounts on page 32
Accounts and groups on page 16
Manage users on page 43
Manage user groups on page 51
Secure resources on page 135

Applications and areas
In a FactoryTalk Directory, elements such as data servers, alarm and event
servers, device servers, HMI servers, and project information are organized into applications. A FactoryTalk Directory holds any number of applications, stores information about each application, and makes that information available to FactoryTalk products and services.
A FactoryTalk network directory can manage any number of separate network applications. Likewise, a FactoryTalk local directory can manage any number of separate local applications. When developing a FactoryTalk system, log on to either a network directory or a local directory, create an application, and add device servers, data servers, and optional alarm and event servers.
Areas organize and subdivide applications in a network directory into logical or physical divisions. For example, separate areas might correspond with separate manufacturing lines in one facility, separate plants in different geographical locations, or different manufacturing processes.
HMI Servers are added and configured using FactoryTalk View Studio, but their status can be viewed in FactoryTalk Administration Console. The root of an application in a network directory can contain only one HMI server. Create a separate area for each HMI server added to an application. Areas cannot be created within a local application.
See also
FactoryTalk Directory types on page 15
FactoryTalk systems on page 13

Security in a FactoryTalk system
FactoryTalk Security is intended to improve the security of an automation system by limiting access to users with a legitimate need. Security in FactoryTalk is accomplished through authentication and authorization.
Security services are managed separately in the FactoryTalk local directory and the FactoryTalk network directory.
Authentication
FactoryTalk authenticates the identities of users who access a FactoryTalk system against a defined set of user accounts held in the FactoryTalk Directory. FactoryTalk verifies a user's identity and that a request for service actually originates with that user.
Authorization
FactoryTalk authorizes user requests to access resources in a FactoryTalk system against a set of defined access permissions held in the FactoryTalk Directory.
Securing resources
FactoryTalk Security addresses both authentication and authorization concerns by helping define the answer to this question:
"Who can carry out what actions upon which secured resources from which locations?"
Who—refers to users and groups of users. Different users need different access rights.
Actions—refers to the operations to perform on a resource, such as read, write, update, download, create, delete, edit, insert, and so on.
Secured resources—refers to the objects for which actions are secured. Each FactoryTalk product defines its own set of resources. For example, some products might allow configuring security on resources in an area, while others might allow configuring security for logic controllers and other devices.
Locations—refers to the location of the authorized computers. For example, allowing values to be downloaded to a controller only from workstations that are located within a clear line of sight to the plant floor machinery, to adhere to safety requirements.
The principle of inheritance determines how access permissions are set. For example, when assigning security to an area in an application, all of the items in the area inherit the security settings of the area. Override this behavior by setting up security for one or more of the individual objects inside the area as well.
When a user attempts to log on to a FactoryTalk system, FactoryTalk Security verifies the user's identity. If the user is authenticated, FactoryTalk Security continues to check the user's level of access to the system, to authorize the actions the user performs on secured resources.
System-wide policies dictate some security settings. For example, setting up a policy that requires users to change their passwords once every 90 days.
See also
Permissions on page 135
Best practices on page 34
FactoryTalk systems on page 13
Example: Two directories on one computer
Different software products have different requirements for the FactoryTalk Directory. Both directories are installed and configured as part of installing the FactoryTalk Services Platform. The directory needed depends upon which software products are used and whether working in a stand-alone or a networked environment.
For example, if using FactoryTalk View SE or FactoryTalk Transaction Manager, use the network directory to create and manage network applications. If using FactoryTalk View ME, use the local directory to create and manage local applications. Other products, such as RSLogix 5, RSLogix 500, and FactoryTalk Linx, allow using either directory.
Even though a local directory and a network directory reside on the same computer, all of their project information and security settings remain completely separate and cannot be shared, including:
User accounts, passwords, security permissions
System-wide policy settings, including security and audit policies
Project information, such as applications, areas, and their contents
The graphic below shows three computers. Each computer has both a local directory and a network directory configured. Each directory holds objects, which represent project information, such as applications, references to data servers, and security settings, including user accounts. In each local directory, access to these project objects is only by software products installed on that same local computer. The network directory, however, can share references to its objects across a network.
For example, suppose each colored icon above represents the project information and security settings that are part of a FactoryTalk system. The local directories on each computer hold completely separate sets of information (represented by the green, blue, and yellow icons). In the network directory case, all client computers that point to the same network directory server computer share the same set of information across the network (represented by the orange icons).
Run FactoryTalk Administration Console on Computer 3, log on to the network directory, and create a user account named "Terry" with the password "OpenSesame." The change is actually made in the network directory server, held on Computer 1, and immediately reflected on each network directory client computer. "Terry" can now log on to the network directory from any of the three computers.
Now create a user account named "Terry" with the password "OpenSesame" in each Local Directory on every computer. Even though the user name and password are the same, each user account is a separate object in each local directory.
When changing the password in the local directory on Computer 1, the change does not affect the user account held in the network directory server on the same computer, nor does it affect the user accounts held in the local directories on computers 2 and 3.
See also
Applications and areas on page 20
FactoryTalk Directory types on page 15
FactoryTalk systems on page 13
Chapter 2 Install FactoryTalk Services Platform

Install FactoryTalk Services Platform
FactoryTalk Services Platform and FactoryTalk Security software are not installed separately — FactoryTalk Security is an integrated part of the FactoryTalk Services Platform.
FactoryTalk Services Platform is installed from either:
A FactoryTalk product installation disc, such as FactoryTalk View (FactoryTalk Services Platform software is included on the installation disc of every product that requires it); or,
The Rockwell Automation Product Compatibility and Download Center (PCDC) website. On the Compatibility & Downloads page, click Find Downloads. On the Find Downloads page, in the Search box, type "FTSP". FTSP-Download FT Services Platform appears in your download list.
To install FactoryTalk Services Platform, you must log on to Windows with a user account that is a member of the Windows Administrators group on the local computer.
Install FactoryTalk Services Platform on every computer where you plan to develop or run network or local applications. During installation, several components are installed on the computer; if any prerequisite software components are not present, the installation program attempts to install them.
Platform components and services currently include:
FactoryTalk Directory
FactoryTalk Security
FactoryTalk Diagnostics
FactoryTalk Live Data
FactoryTalk Administration Console – a stand-alone tool for configuring, managing, and securing applications.
All of these components and services install together as a platform, integrated into the software install process for each FactoryTalk-enabled product.
FactoryTalk Web Services is not installed by default, and must be installed separately.
When FactoryTalk Services Platform is installed, it establishes a network directory server on that computer; the other computers on which FactoryTalk Services Platform is installed are client computers of that server. Determine which computer in the system is going to be used as the directory server and note its computer name. After FactoryTalk Services Platform is installed on the client computers, run the FactoryTalk Directory Server Location Utility on each client and identify the computer name of the network directory server.
Network security
Tip: For the latest network security considerations when using Rockwell Automation products, visit the Rockwell Automation Knowledgebase. For information about:
File extensions created by Rockwell Automation software, firewall rules, and service dependencies, see Knowledgebase Document ID: PN826 - Security considerations when using Rockwell Automation Software Products.
TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Document ID: BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
See also
Product Compatibility and Download Center
FactoryTalk Web Services on page 211
Upgrade FactoryTalk Services Platform on page 209
Install FactoryTalk System Services and FactoryTalk Policy Manager
FactoryTalk Services Platform version 6.11.00 includes two optional components that are used to manage CIP Security: FactoryTalk System Services and FactoryTalk Policy Manager.
FactoryTalk System Services provides these core security services:
Authentication Service
Authenticates users and validates user resource requests. Validates user credentials against the FactoryTalk Directory and FactoryTalk security policy settings to obtain the privileges associated with the user.
Certificate Service
Issues and manages X.509v3 certificates for use within the FactoryTalk system.
Deployment Service
Translates the security policy model defined using FactoryTalk Policy Manager to CIP configurations that are delivered to endpoints.
Diagnostics Service
Makes FactoryTalk audit and diagnostic logs available as a web service.
Policy Service
Used to build and manage CIP network trust models and define security policy for the CIP endpoints.
Use FactoryTalk Policy Manager to configure, deploy, and view the FactoryTalk system security policy configuration.
FactoryTalk Policy Manager depends on FactoryTalk System Services, and the two must be installed together on the network directory server. FactoryTalk Policy Manager is a web service, and does not need to be installed on additional computers.
On a new installation of FactoryTalk Services Platform 6.11.00 select Customize on the first page of the installation wizard to include these items in the installation process.
To install FactoryTalk System Services and FactoryTalk Policy Manager when FactoryTalk Services Platform 6.10 is already installed
1. Log in to FactoryTalk on the computer hosting the FactoryTalk network directory.
2. Run FTUpdater to make sure you have the latest update of FactoryTalk Services Platform.
3. Run FactoryTalk Services Platform setup.exe.
4. In the FactoryTalk Security installation wizard, select Modify.
5. Expand the item for FactoryTalk Services Platform v6.10.00.
6. Select FactoryTalk Policy Manager. FactoryTalk System Services is automatically selected.
7. Select Modify.
8. The installation proceeds.
See also
FactoryTalk Policy Manager
Chapter 3 Getting started with FactoryTalk Security
This chapter introduces you to key parts of FactoryTalk Security, including:
FactoryTalk Administration Console
Action groups
Policies
Computers and groups
Networks and devices
Users and groups
Single sign-on
Tightening security
FactoryTalk Security
FactoryTalk Security improves the security of your automation system by limiting access to those with a legitimate need. FactoryTalk Security authenticates the identities of users, and authorizes user requests to access a FactoryTalk system against a set of defined user accounts and access permissions held in the FactoryTalk local directory or FactoryTalk network directory.
Integrated security services for your FactoryTalk system
FactoryTalk Security provides security services integrated into both the FactoryTalk local directory and the FactoryTalk network directory. In a local directory, all project elements are located on a single computer, and the FactoryTalk system cannot be shared across a network. A network directory organizes information about project elements from multiple FactoryTalk products across multiple computers on a network. Even though a local directory and a network directory are always present on the same computer, all of their project elements remain completely separate and cannot be shared.
Authentication and authorization
Use FactoryTalk Security with Rockwell Automation software as an integrated, cross-product solution to two universal security concerns: authentication and authorization.
Authenticate—verify a user's identity and verify that a request for service actually originates with that user.
Authorize—verify a user's request to access a software resource against defined access permissions.
FactoryTalk Security addresses both authentication and authorization concerns and defines the answer to the question:
"Who can carry out what actions upon which secured resources from where?"
Who—refers to users and groups of users. Different users need different access rights.
What actions—refers to the actions that can be performed on a resource, such as read, write, update, download, create, delete, edit, insert, and so on.
Which secured resources—refers to the objects for which actions are secured. Each FactoryTalk product defines its own set of resources. For example, some products might allow security configuration on resources in an area, while others might allow security configuration for logic controllers and other devices.
Where—allows security to differ based on machine location. It is sometimes important to restrict certain actions to specific workstations. For example, for safety reasons, it might be necessary to allow downloading values to a controller only from workstations that are located within a clear line of sight to the plant floor machinery affected by the downloads.
The principle of inheritance determines how access permissions are set. For example, when assigning security to an area in an application, all of the items in the area inherit the security settings of the area. Override this behavior by setting up security for one or more of the individual objects inside the area.
At runtime, when a user attempts to log on to a FactoryTalk system, FactoryTalk Security verifies the user's identity. If the user is authenticated, FactoryTalk Security continues to check the user's level of access to the system, in order to authorize the actions the user performs on secured resources.
System-wide policies dictate some security settings. For example, you can set up a policy that requires users to change their passwords once every 90 days.
See also
How security authenticates user accounts on page 32
Things you can secure on page 32
Best practices on page 34
Permissions on page 135
Secure resources on page 135
Security on a local directory
By default, security is open in the FactoryTalk local directory. All users who have successfully logged on to Windows have full access to the local directory.
Because the network directory and local directory are separate, secure them separately. Some Rockwell Automation software products require the FactoryTalk network directory, others require the FactoryTalk local directory, and some require both directories to be configured.
Manage on a local directory:
User accounts, passwords, and security permissions
System-wide policy settings, including security and audit policies
Product information, such as applications, areas, and their contents
To tighten security on a stand-alone system, perform these tasks:
Delete the Windows-linked group named Authenticated Users. This prevents all users who have successfully logged on to Windows from automatically having access to the FactoryTalk local directory.
Remove security settings that allow all users to have full access to the FactoryTalk local directory.
Modify security policies to secure the system.
See also
Delete a user group on page 56
Secure resources on page 135
Security on a network directory
By default, security is open in the FactoryTalk network directory. This means that all users who are logged on to Windows with a user account that is a member of the local Windows Administrators group on any computer connected to the network directory have full access to the directory.
Because the network directory and local directory are separate, secure them separately. Some Rockwell Automation software products require the FactoryTalk network directory, others require the FactoryTalk local directory, and some require configuring both directories.
Key steps to tighten security in a distributed system on a network include:
Create one or more FactoryTalk user accounts or Windows-linked user accounts, then add those accounts to the FactoryTalk Administrators group. This retains administrative access to the FactoryTalk Directory after removing the Windows Administrators group in the next step.
Remove the Windows-linked group named Authenticated Users. This prevents all user accounts on any local computer connected to the network directory from automatically having access to the network directory.
Remove the security settings that allow all users full access to the FactoryTalk network directory.
Modify security policies to secure the system.
See also
Delete a user group on page 56
Secure resources on page 135
How security authenticates user accounts
When a user attempts an action that is secured, security authenticates user names and passwords in this order:
1. Against the list of FactoryTalk user accounts. If a match is found, the user is allowed to proceed.
2. Against the list of Windows-linked user accounts. If a match is found, the user is allowed to proceed.
3. Against the list of accounts in a Windows-linked user group. If a match is found for the user name and password in a Windows-linked user group, the user is allowed to proceed, even if no Windows-linked user account is present for that user.
To prevent some users in a Windows-linked group from having access to the FactoryTalk system, create Windows-linked accounts for those users, and then set permissions to deny access to those user accounts.
See also
Permissions on page 135
Account types on page 18
FactoryTalk Security on page 29

Things you can secure
Use Allow or Deny permissions to secure access to resources in the system.
Resources include:
The FactoryTalk network directory or local directory
The System folder and its contents
Applications
Areas
Servers
Control networks
Hardware devices
Security for resources is always tied to users, actions, and computers
Security for resources is always tied to users or groups of users, the actions they are performing, for example, read or write, and the computers, or groups of computers, where they are working.
This helps ensure that only authorized personnel can perform actions on the equipment and resources in the system from appropriate locations, for example, computers located within line of sight of equipment.
In a local FactoryTalk directory, a user can perform actions only from the local computer.
Set permissions to restrict actions to users, user groups, computers, or computer groups
For each resource, for example, an application, or an area within it, restrict actions such as writing values, to particular users or groups of users. In a network directory, actions can be restricted to particular computers, or groups of computers.
Group actions together and assign security permissions to all actions in the group. For example, assign permissions to an area so that only operators working on computers located within the line of sight of heavy machinery can write values to the programmable controllers in that area.
Suppose that:
The area is named "Punch Presses"
The operators belong to a user group named "Operators"
The computers within line of sight of the machinery belong to a computer group named "Heavy Machinery"
First, clear Allow for All Users and All Computers in the Punch Presses area. Next, select Allow for the user group Operators and the computer group Heavy Machinery.
When setting permissions, Deny permissions are implied unless Allow permissions are specified explicitly. Clearing Allow ensures that all users are denied write access, except those explicitly allowed access.
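The Punch Presses scenario above, worked through in a small Python model of the permission rules this chapter states; this is an added example, not Rockwell code or FactoryTalk's actual implementation. The user names, computer names, the Maintenance group and PLC-7 are constructed sample data, and treating a cleared checkbox as a missing entry and explicit settings as overriding inherited ones is this model's assumption.

```python
"""Toy model of how FactoryTalk Security evaluates a permission (added example,
not Rockwell code). It encodes the rules the guide states: a permission entry is
tied to a user or user group, an action, and a computer or computer group;
Deny is implied unless an Allow is set explicitly; Deny takes precedence over
Allow; and explicit entries on a resource take precedence over entries
inherited from its parent. Names other than Operators and Heavy Machinery
(alice, bob, carol, Maintenance, HMI-01, OFFICE-PC, PLC-7) are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL_USERS = "All Users"
ALL_COMPUTERS = "All Computers"


@dataclass
class Directory:
    """Group membership as FactoryTalk Directory would hold it (toy version)."""
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)      # group -> members
    computer_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members

    def principals_for_user(self, user: str) -> Set[str]:
        """The user itself, every group it belongs to (nested groups included), All Users."""
        return self._expand(user, self.user_groups) | {ALL_USERS}

    def principals_for_computer(self, computer: str) -> Set[str]:
        return self._expand(computer, self.computer_groups) | {ALL_COMPUTERS}

    @staticmethod
    def _expand(name: str, groups: Dict[str, Set[str]]) -> Set[str]:
        found = {name}
        changed = True
        while changed:  # keep adding groups until no new parent group turns up
            changed = False
            for group, members in groups.items():
                if group not in found and members & found:
                    found.add(group)
                    changed = True
        return found


@dataclass
class Entry:
    """One row of a resource's Security dialog: account x computer x action x Allow/Deny.
    A cleared checkbox is modelled as the absence of an Entry (assumption)."""
    account: str
    computer: str
    action: str
    allow: bool  # True = Allow checked, False = Deny checked


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    entries: List[Entry] = field(default_factory=list)


def is_allowed(d: Directory, resource: Resource, user: str, computer: str, action: str) -> bool:
    users = d.principals_for_user(user)
    computers = d.principals_for_computer(computer)
    node = resource
    while node is not None:
        matches = [e for e in node.entries
                   if e.action == action and e.account in users and e.computer in computers]
        if matches:
            # Explicit settings at this level decide. Any Deny beats any Allow, so a
            # Deny via one group (or on the user's own account) overrides Allow via another.
            return all(e.allow for e in matches)
        node = node.parent  # nothing explicit here: fall back to inherited settings
    return False  # no Allow anywhere in the chain: Deny is implied


def punch_presses_scenario() -> Dict[str, bool]:
    """The guide's Punch Presses example, before and after restricting Write Value."""
    d = Directory(user_groups={"Operators": {"alice", "bob"}, "Maintenance": {"carol"}},
                  computer_groups={"Heavy Machinery": {"HMI-01", "HMI-02"}})
    network_dir = Resource("Network Directory")
    area = Resource("Punch Presses", parent=network_dir)
    # Before: Allow for All Users on All Computers, so anyone anywhere can write values.
    area.entries.append(Entry(ALL_USERS, ALL_COMPUTERS, "Write Value", allow=True))
    before = is_allowed(d, area, "carol", "OFFICE-PC", "Write Value")
    # After: clear that Allow (remove the entry) and Allow only Operators on
    # Heavy Machinery computers. Nobody else is explicitly denied; Deny is implied.
    area.entries.clear()
    area.entries.append(Entry("Operators", "Heavy Machinery", "Write Value", allow=True))
    # Exclude a subset of the group: an explicit Deny on one member's own account.
    area.entries.append(Entry("bob", ALL_COMPUTERS, "Write Value", allow=False))
    # Permissions were assigned at the area level; a controller within it inherits them.
    plc = Resource("PLC-7", parent=area)
    return {
        "before_anyone_anywhere": before,
        "operator_on_hmi": is_allowed(d, plc, "alice", "HMI-01", "Write Value"),
        "operator_in_office": is_allowed(d, plc, "alice", "OFFICE-PC", "Write Value"),
        "maintenance_on_hmi": is_allowed(d, plc, "carol", "HMI-01", "Write Value"),
        "denied_operator_on_hmi": is_allowed(d, plc, "bob", "HMI-01", "Write Value"),
    }


if __name__ == "__main__":
    for case, allowed in punch_presses_scenario().items():
        print(f"{case:24} -> {'Allow' if allowed else 'Deny'}")
```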
Using the Security item
Right-click an item in the Explorer and select Security, to set up which users or user groups on which computers may access the selected resource.
Security settings are separate in the network and local directory
Security settings are completely separate in the network directory and local directory. Changes made to the security settings in the network directory do not affect the local directory and vice versa. If using both a network directory and a local directory, set up security in each directory separately.
Security settings apply to all FactoryTalk products
Security settings configured for resources apply to all FactoryTalk products in the system. For example, when denying a user Read access to an area from a particular computer, that user cannot see that area in any FactoryTalk product while working from that computer.
IMPORTANT
Right-clicking the System folder, Users and Computers folder, Users folder, or the Computers folder, and specifying security permissions sets security on that actual folder. It does not limit users' access to the system. To limit access to resources in the FactoryTalk system, right-click the resource to secure, select Security, and specify security permissions for the user and computer accounts allowed to access the resource.
See also
Permissions on page 135
Best practices on page 34
Actions on page 140
FactoryTalk Security on page 29
Best practices
Use these tips when setting up the FactoryTalk system to achieve efficient management of user authentication and authorization.
Administrator accounts
Always have more than one user account that is a member of the FactoryTalk Administrators group. If the password to one administrator account is lost, use a second administrator account to reset the password to the first one. A lost password to a user account is not recoverable. A second administrator account prevents being locked out of the FactoryTalk system if the first administrator password is lost.
Always have at least one Windows-linked user account that is a member of the FactoryTalk Administrators group. If the Windows-linked administrator account is locked out, for example because the user exceeds the maximum number of logon tries, the Windows domain administrator can reset the account. Alternatively, the user can wait until Windows automatically resets and frees the locked-out account. The wait time depends on the Account lockout duration policy in Windows.
Windows-linked accounts
If Windows accounts might move from one domain to another, avoid using individual, Windows-linked user accounts. Use Windows-linked user group accounts instead. Windows-linked user group accounts can move from one domain to another, while keeping security permissions for the group accounts intact. Windows-linked user accounts must be deleted and then recreated in the new domain, causing the loss of all security permissions for the user accounts. If this occurs, all permissions for any individual Windows-linked user accounts must be recreated.
Permissions
Assign permissions to groups rather than to users.
Assign permissions to user accounts only by exception. Maintaining user accounts directly is inefficient.
Wherever possible, remove Allow permissions instead of assigning explicit Deny permissions. The order of precedence of explicit permissions over inherited permissions makes administration simpler, and Deny permissions take precedence over Allow permissions.
Use Deny permissions to:
Exclude a subset of a group that has Allow permissions
Exclude one special permission when full control to a user or group is already granted
Assign permissions at the highest level possible. This provides the greatest breadth of effect with the least effort. Establish rights that are adequate for the majority of users. For example, assign security to areas rather than to objects within areas.
Administrators should use an account with restrictive permissions to perform routine, non-administrative tasks. Use an account with broader permissions only when performing specific administrative tasks.
See also
FactoryTalk Security on page 29
Account types on page 18
Permissions on page 135
Audit trails and regulatory compliance
To achieve compliance in regulated industries, the plant might be required to keep records that answer these questions:
Who performed a particular operation on a specific resource?
Where did the operation occur?
When did the operation occur?
Who approved the operation?
To answer these questions:
Ensure that all users are uniquely identifiable in the system
Keep a record of deleted users
Log information about user and system activity to diagnostic log files
Set up audit trails of successful or unsuccessful attempts at modifying system values
Ensure that all users are uniquely identifiable in the system
When choosing user names, ensure that they are unique.
A user should have the same user name on every computer. This is mostly for convenience, both for the user and for the administrator.
A particular user name should always refer to the same person. A system in which the same user name refers to more than one person is never really secure.
Develop a scheme for identifying users uniquely. Keep in mind that user names are visible, and should not contain any private information, for example, social security numbers. User names are also typed frequently, and should be relatively easy to remember.
If the system is required to comply with governmental regulations, multiple names for the same user may be necessary. This may occur if a user leaves the company and their user account is deleted, then the user is rehired.
Keep a record of deleted users
To ensure that all user accounts remain unique, keep track of deleted accounts. This might also be an audit requirement, such as tracking a user's actions throughout the system, even after the user's account was deleted.
To ensure that only unique user accounts are created, enable the security policy Keep record of deleted accounts. To avoid a trial-and-error process of creating unique user accounts, make deleted accounts visible in lists of users by enabling the security policy Show deleted accounts in user list.
Log information about user and system activity to diagnostic log files
Logging information consists of two steps:
1. Choose the information to log and then send the information to FactoryTalk Diagnostics. For example, enable audit logging to record what changes were made to security policies or other objects, who made the changes, and when they were made. If the Audit configuration and control system changes policy is not enabled, FactoryTalk Diagnostics does not receive any audit messages, and cannot store the audit messages in log files.
2. Configure FactoryTalk Diagnostics to store the information in log files. For example, configure FactoryTalk Diagnostics to store audit information for Operators in local log files. If this step is not completed, FactoryTalk Diagnostics receives the chosen information sent to it, but does not capture this information to store in log files.
To configure FactoryTalk Diagnostics routing and logging options, select FactoryTalk Diagnostics Setup from the Tools menu on each computer where the FactoryTalk Administration Console or FactoryTalk View is installed. To view diagnostic messages, from the Tools menu, select FactoryTalk Diagnostics > Viewer.
Set up audit trails of successful or unsuccessful attempts at modifying system values
The most common type of auditing activity is recording failures. This helps trace failures, and isolate and correct their causes.
In some industries it is also common, or mandated by law, that certain types of successful user activity are audited. For example, when making pharmaceutical drugs, any changes or adjustments in recipes must be recorded. Recording this activity allows any problems that might occur to be traced to a specific batch of the product.
Auditing object access success or failure is controlled by system-wide audit policies. Enable these policies if the plant requires them. Audit information is sent to FactoryTalk Diagnostics. Use the FactoryTalk Diagnostics Viewer to monitor security-related events.
See also
Monitor security-related events on page 90
Audit policies on page 87
Configure a computer to be the FactoryTalk Directory network server
FactoryTalk Services Platform configures both a network directory and a local directory on every computer where it is installed.
Use a network directory to organize project information and security settings from multiple FactoryTalk products across multiple computers on a network.
After installing and activating FactoryTalk software, specify one of the computers on the network as the network directory server. All computers on the network can then share FactoryTalk network directory services and resources.
Products such as FactoryTalk View SE and FactoryTalk Transaction Manager use the network directory.
Example: Network directory
Computer 1 serves as the network directory server.
Client computers (Computer 2 and Computer 3) are configured to point to Computer 1 as the network directory server computer.
See also
Configure a computer to be the network directory server on page 39
Configure a network directory client computer on page 39
Check network directory server connection status on page 40
FactoryTalk Directory Server Location Utility on page 41
Configure a computer to be the network directory server
After installing and activating FactoryTalk software, specify one computer on the network as the network directory server. All computers on the network can share FactoryTalk network directory services and resources.
After configuring the network directory server, configure the client computers to reference the network directory.
To configure a computer to be the network directory server
1. On the computer to use as the Network Directory Server, go to Rockwell Software > FactoryTalk Tools and open Specify FactoryTalk Directory Location.
2. At the prompt, log on to the network directory with a Windows Administrator account.
3. In FactoryTalk Directory Server Location Utility, select Browse.
4. In FactoryTalk Directory Server Configuration, select This computer to use the network directory server installed on this computer, and select OK.
See also
Check network directory server connection status on page 40
Configure a network directory client computer on page 39
FactoryTalk Directory Server Location Utility on page 41
Configure a network directory client computer
After specifying one of the computers on the network as the network directory server, use the Specify FactoryTalk Directory Location utility to point each computer in the network to the FactoryTalk Directory network directory server.
To configure a network directory client computer
1. On each participating network directory client computer, go to Rockwell Software > Specify FactoryTalk Directory Location.
2. At the prompt, log on to the network directory with a Windows Administrator account.
3. In FactoryTalk Directory Server Location Utility, select Browse.
4. In FactoryTalk Directory Server Configuration, select Remote computer, then specify the name of the computer to use as the network directory server, and select OK.
5. When prompted, log on to the network directory.
If single sign-on is enabled on the computer when the location of the network directory server changes, the single sign-on session terminates. Log on to the new network directory server. The user name and password entered become the new single sign-on credentials for all participating FactoryTalk products on the computer.
See also
Configure a computer to be the network directory server on page 39
Check network directory server connection status on page 40
FactoryTalk Directory Server Location Utility on page 41
Check network directory server connection status
When a connection to the FactoryTalk network directory server is lost, the system sends an error message to FactoryTalk Diagnostics. Likewise, when the connection is restored, the system sends an information message to FactoryTalk Diagnostics. Run the FactoryTalk Diagnostics Viewer to check FactoryTalk Diagnostics for connection and error messages.
The network directory connection status is available from the FactoryTalk Directory Server Location Utility.
When opening a network application and a connection to the network directory server is not available, the information is based on the data held in a local cache. While disconnected, FactoryTalk Administration Console operates in read-only mode and does not allow most commands and operations.
To check network directory server connection status
1. In FactoryTalk Administration Console select Tools > FactoryTalk Directory Server Options.
2. If a User Account Control prompt appears, select Yes.
3. In the FactoryTalk Directory Server Location Utility, next to Computer hosting directory server, the current status of the active server is displayed. Either:
(connected) — All FactoryTalk products and components participating in a FactoryTalk system, located on the current computer, are connected to and communicating with the network directory server computer.
(read-only) — The FactoryTalk system on the current computer is disconnected from the network directory server and is retrieving information from a local cache.
(unknown) — The connection status is temporarily unknown because the system is starting up, waiting to determine which server is active, or is unable to determine the current state.
See also
Configure a computer to be the FactoryTalk Directory network server on page 38
FactoryTalk Directory Server Location Utility on page 41
FactoryTalk Directory Server Location Utility
How do I open the FactoryTalk Directory Server Location Utility?
Either:
Go to Rockwell Software > Specify FactoryTalk Directory Location.
From the FactoryTalk Administration Console, select Tools > FactoryTalk Directory Server Options.
Use the FactoryTalk Directory Server Location Utility to:
Specify the computer that is hosting the network directory server
Point each computer on the network to the network directory server computer
See also
Configure a computer to be the network directory server on page 39
Configure a network directory client computer on page 39
FactoryTalk Directory types on page 15
Check network directory server connection status on page 40
Chapter 4 Manage users
Use FactoryTalk Administration Console to add and delete FactoryTalk Directory and Windows-linked user accounts. User accounts exist only in the FactoryTalk Directory where the account was created.
Management of FactoryTalk user accounts includes:
Adding group memberships to the user account
Editing the user's name and description
Associating an email address with the user's account
Setting user password options
Changing the user account password
Enabling, disabling, or unlocking the user account
Resetting the account password
Use Windows administrative tools to edit Windows-linked user accounts.
Managing users requires explicit permissions. To verify permissions, in FactoryTalk Administration Console Explorer, expand System, then right-click Users and Groups and select Security. Confirm the permissions listed in the prerequisites for the task are present with the logged in user account.
See also
Add a FactoryTalk user account on page 43
Add a Windows-linked user account on page 45
Add group memberships to a user account on page 46
Manage user groups on page 51
Add a FactoryTalk user account
To create a user account that is separate from a user's Windows account, add a FactoryTalk Directory account. FactoryTalk Directory accounts are managed by the FactoryTalk Administrator and specify the account's identity, account policy, and group membership independent of the Windows account settings.
Prerequisites
Obtain these permissions for the Users folder in the Explorer window:
Common > Create Children
Common > List Children
Common > Read
To add a user account
1. In Explorer, expand System > Users.
2. Right-click the Users folder, point to New, and then select User.
3. In New FactoryTalk User, type a short name for the user in User Name, and the full name of the user in Full name.
4. (optional) In Description, record information about the user, such as the user's position or phone number.
5. (optional) In E-mail, add a single e-mail address. Some FactoryTalk products may send messages to this e-mail address.
6. In Login method select how the user logs on to FactoryTalk.
Password. The user types the user name and password to log on.
Badge only. The user taps the badge on the card reader to log on.
Password and Badge. The user taps the badge on the card reader and types the user name and password to log on.
Badge logon is not supported on remote clients connecting via Remote Desktop Services. To log on using an RFID badge, connect an rf IDEAS card reader to the computer hosting the FactoryTalk Services Platform.
7. If a password method was selected, in Password, type a password for the user account. Password Policy Settings in Security Policy Properties determine the requirements for a valid password.
Tip: The maximum password length is 64 characters. However, the dialog box only displays 35 characters. Characters not shown are still included in the password.
8. In Confirm, type the same password entered in the previous step.
9. (optional) If a password method was selected for login, select the user's password validity settings:
User must change password at next logon
Select to force the user to change the account password at next system log on.
Clear to allow the user to keep the same password.
User cannot change password
Select to prevent the user from changing the account password.
Clear to allow the user to change the account password.
Password never expires
Select to allow the user to continue using the same password indefinitely.
Clear to require that the user change the account password at intervals specified by the security policy Password Policy Settings.
10. In Badge ID type the identification number of the badge assigned to the user account.
Select Scan and then tap the badge on the card reader to obtain the Badge ID value from the badge.
11. Select OK to add the user to the FactoryTalk Directory.
See also
Add a Windows-linked user account on page 45
Delete a user account on page 48
Password Policy Settings on page 106
Account types on page 18
Manage users on page 43
Add a Windows-linked user account
Add a Windows-linked user account when the security needs of the Windows network are the same as the security needs of the FactoryTalk system. When accessing FactoryTalk resources using a Windows-linked account, the FactoryTalk Directory relies on Windows to determine whether the user's name and password are valid, and whether the account is enabled or locked out. Adding Windows-linked user accounts to FactoryTalk Security user groups allows the FactoryTalk Directory to determine a Windows-linked user's level of access to the FactoryTalk system independently of the user's level of access to a Windows domain.
Add user accounts to the FactoryTalk network directory or local directory from the list of users or groups in a Windows domain or workgroup. If the computer is disconnected from the Windows domain, reconnect to the domain before adding Windows-linked user accounts. Any users who previously logged on to the Windows domain from that computer can log on to FactoryTalk using their Windows-linked user account while the computer is disconnected from the Windows domain.
Prerequisites
Adding a Windows-linked user account requires these permissions:
Common > Create Children
Common > List Children
Common > Read
To add a Windows-linked user account
1. In FactoryTalk Administration Console Explorer, expand System > Users.
2. Right-click the Users folder, point to New, and select Windows-Linked User.
3. In New Windows-Linked User, select Add.
4. In Select Users, select the Windows user accounts to link to the FactoryTalk system.
If known, type the names of the user accounts to add in the text box. For domain accounts, use the format DOMAIN\username, for workgroup accounts use the format COMPUTERNAME\username. To validate the user names, select Check Names. Correct any errors, and select OK.
To search for user names, or to select multiple users, select Advanced. In Select Users, select Locations, select the domain or workgroup from which to select users, and select OK.
Alternatively, use the Common Queries settings to search by name. Select Find Now. In the list of users, select the user accounts to add, and select OK.
5. When finished selecting Windows user accounts in Select Users, select OK.
6. In New Windows-Linked User, review the list of users.
To remove any users added unintentionally, select the users, and select Remove.
To add more users, repeat steps 3, 4, and 5.
7. Select OK.
See also
Add a FactoryTalk user account on page 43
Delete a user account on page 48
Add group memberships to a user account on page 46
Remove group memberships from a user account on page 47
Manage users on page 43
Add group memberships to a user account
To quickly change the permissions for a user account to those of an existing FactoryTalk user group, assign the user account to the user group. New group memberships take effect only when the user logs off FactoryTalk and then logs on again.
Prerequisites
Changing the group memberships of a user account requires these permissions:
Common > List Children
Common > Read
Common > Write
To add group memberships to a user account
1. In FactoryTalk Administration Console Explorer, expand System > Users, right-click the user account, and select Properties.
2. On the Group Membership tab, select Add.
3. In Select User Group, select the groups to which the user account belongs, and then select OK.
4. In User Properties, select OK.
See also
Remove group memberships from a user account on page 47
Manage user groups on page 51
Permissions on page 135
FactoryTalk Security on page 29
Account types on page 18
Remove group memberships from a user account
When a user account belongs to a user group, the user account automatically inherits all permissions assigned to the group, unless permissions are specifically denied for the user account.
Delete a group from the Group Membership tab in User Properties to remove the link between the permissions of the user account and the permissions assigned to that user group.
Changes to group memberships take effect only when the user logs off FactoryTalk and then logs on again.
To remove group memberships from a user account
1. In FactoryTalk Administration Console Explorer, expand System > Users, right-click the user account containing the group memberships to change, and select Properties.
2. Select the Group Membership tab.
3. In the list of groups, select the groups and select Remove.
4. In User Properties, select OK.
See also
Add group memberships to a user account on page 46
Manage user groups on page 51
Permissions on page 135
FactoryTalk Security on page 29
Account types on page 18
Delete a user account
Delete a user account to permanently remove the account from the FactoryTalk Directory. To prevent inadvertently locking an account out of the FactoryTalk Directory, do not delete the last user account that is a member of the Administrators group.
To delete a user account from both a network directory and a local directory, delete the account from one directory, log off that directory, log on to the second directory, and then delete the account in the second directory.
To temporarily prevent a user from logging on to FactoryTalk, disable the FactoryTalk user account.
Prerequisites
Deleting a user account that is a member of a user group requires these permissions:
Common > Delete
Common > List Children
Common > Read
Common > Write
Deleting a user account that is not a member of a user group requires these permissions:
Common > Delete
Common > List Children
Common > Read
To delete a user account
In FactoryTalk Administration Console Explorer, expand System > Users, right-click the user account, and then select Delete.
Tip: You can only create an account using the name of a deleted account if the security policy Keep record of deleted accounts is disabled. You must still recreate the security settings of the user accounts.
See also
Add a FactoryTalk user account on page 43
Chapter 5 Manage user groups
Use FactoryTalk Administration Console to add and delete FactoryTalk and Windows-linked user group accounts. Add both FactoryTalk and Windows-linked user accounts to FactoryTalk user group accounts. Windows-linked user groups, and the user accounts they contain, can move from one domain to another while keeping security permissions for the group accounts intact.
FactoryTalk Services Platform includes these built-in user groups:
Group Name: Description
Administrators: Add user accounts to the Administrators user group to grant those user accounts full control of areas, applications, users, and groups in the FactoryTalk Directory. These permissions are defined by default.
Engineers: No users or permissions are defined by default in FactoryTalk Services Platform. Other software may use this group to establish permission sets.
Maintenance: No users or permissions are defined by default in FactoryTalk Services Platform. Other software may use this group to establish permission sets.
Key points about user groups:
User group accounts exist only in the FactoryTalk Directory in which they were created.
FactoryTalk user accounts cannot be members of Windows-linked user groups.
Both Windows-linked user groups and individual Windows-linked user accounts can be members of FactoryTalk user groups. This allows use of FactoryTalk user groups when setting permissions.
A FactoryTalk user account or Windows-linked user account can be a member of more than one FactoryTalk user group.
Managing user groups requires explicit permissions. To verify permissions, in FactoryTalk Administration Console Explorer, expand System, then right-click Users and Groups and select Security. Confirm the permissions listed in the prerequisites for the task are present with the logged in user account.
IMPORTANT
If an action is set to Deny for the user in any one group, then the Deny takes precedence over any Allow setting in a different group of which the user is a member.
See also
Add a FactoryTalk user group on page 52
Add a Windows-linked user group on page 53
Add accounts to a FactoryTalk user group on page 56
Accounts and groups on page 16
Account types on page 18
Add a FactoryTalk user group
Create a new FactoryTalk user group to administer security permissions for specified users as a group. Change the memberships of a user account to quickly change the resources a user can access.
A FactoryTalk user group can contain:
FactoryTalk user accounts
Windows-linked user accounts
FactoryTalk user group accounts
Use New User Group to add a FactoryTalk user group account to the FactoryTalk Directory that is separate from a Windows user group account. Then specify the group account's identity (for example, the name of the group) and the user accounts that are members of the group.
Prerequisites
Adding a FactoryTalk user group requires these permissions:
Common > Create Children
Common > List Children
Common > Read
To add a user group account
1. In FactoryTalk Administration Console Explorer, expand System > User Groups.
2. Right-click the User Groups folder, point to New, and select User Group.
3. Type a name for the group in the Name box.
4. (optional) Enter any notes about the group in the Description box.
5. (optional) In the E-mail box, type only one email address or group address to associate with this group account.
6. Select Add to add user accounts to the group. In Select User or Group, select the users or groups to add to the new user group account. Under Filter Users, choose from the following:
Show groups only
Show users only
Show all
Create New
7. Select OK to add the selected user or group to the Members List in New User Group.
8. Select OK when finished creating the user group.
See also
Delete a user group on page 56
Manage user groups on page 51
Add a Windows-linked user group
To move Windows accounts from one domain to another, create Windows-linked user group accounts instead of individual Windows-linked user accounts. Windows-linked user group accounts, and the user accounts they contain, can move from one domain to another while keeping security permissions for the group accounts intact.
Add user groups from a Windows domain or workgroup to the FactoryTalk system to allow the user accounts in the group to access the FactoryTalk system. To modify the properties of a Windows-linked user group (for example, the group's name, or which user accounts are group members), modify these properties in Windows.
When adding a Windows-linked user group account, all user accounts in the Windows user group have access to the FactoryTalk system. To prevent some users in a Windows-linked group from accessing the FactoryTalk system, create Windows-linked user accounts for those users, and set permissions to deny access to those user accounts.
Prerequisites
1. Connect the computer to the Windows domain containing the user
groups to add to the FactoryTalk Directory.
2. Obtain these permissions in the User Groups folder in FactoryTalk
Administration Console Explorer:
Common > Create Children
Common > List Children
Common > Read
To add a Windows-linked user group account
1. In FactoryTalk Administration Console Explorer, expand System >
User Groups.
2. Right-click the User Groups folder, point to New, and select Windows-
Linked User Group.
3. In New Windows-Linked User Group, select Add.
4. In Select Groups, select the Windows groups, and select OK.
If known, type the names of the user group accounts in the text box.
For domain accounts, use the format DOMAIN\groupname; for workgroup accounts, use the format COMPUTERNAME\groupname. To validate the names, select Check Names. Correct any errors, and select OK.
To search for groups by name or description, or to select multiple
groups, select Advanced.
a. In Select Groups, select Locations and select the domain or workgroup
from which to select groups.
b. Under Common Queries, complete the information with which
to search the directory:
Name: Choose whether to search for a name that starts with
the specified value or is an exact match to the specified value, and then type the search string.
Description: Choose whether to search for a description that
starts with the specified value or is an exact match to the specified value, and then type the search string.
Disabled accounts: Select to include disabled accounts when
searching.
Non expiring password: Select to include accounts that have
passwords that never expire when searching.
Days since last logon: Specify to look for accounts based on
how long it has been since the account last logged on successfully.
c. Select Find Now.
d. In the list of groups, select the group accounts to add, and select
OK to close Advanced Select Groups.
e. The groups selected are listed under Enter the object name to
select. Select Check Names to verify the names and then select OK to close Select Groups.
5. In New Windows-Linked User Group, review the list of groups.
To remove any groups added unintentionally, select the groups, and
select Remove.
To add more groups, repeat steps 3 and 4.
6. Select OK.
Tip: Use a password for all Windows accounts in a Windows-linked group, otherwise intermittent security failures or an inability to log on may occur. To follow good security practice, do not use blank passwords with accounts. To avoid using a password for Windows-linked accounts, on the local computer disable the Windows local security policy
Accounts: Limit local account use of blank passwords to console logon only.
See also
Delete a user account on page 48
Add a Windows-linked user account on page 45
Account types on page 18
Manage user groups on page 51
Edit or view user group properties
Modify the properties of a FactoryTalk user group account that is not linked
to a Windows user group account. View the properties of a Windows-linked
user group account. The name of a user group cannot change.
Group memberships added to a user group account take effect only when the user logs off FactoryTalk and then logs on again.
Prerequisites
Editing or viewing user group properties requires these permissions:
Common > List Children
Common > Read
Common > Write
To edit or view user group properties
1. In FactoryTalk Administration Console Explorer, expand System >
User Groups, right-click the user group account, and select Properties.
2. (optional) In the Description box, type a description of the user group.
For example, record information about where the group is located, what part of the system is relevant to the group, or contact information for the leader of the group.
3. (optional) In the E-mail box, type only one email address or group
address (for example cjenkins@yourcompany.com, or maintenance@yourcompany.com), to associate with this account. Ensure that the address you typed is a valid address, and that you typed the address correctly. Some FactoryTalk-enabled products can send messages or notifications to an email address. For details, see the documentation supplied with your FactoryTalk-enabled product.
4. (optional) To add accounts to the group, select Add. In Select User or
Group, select the users or user groups to add to the group, and select OK.
5. (optional) To remove user accounts, select the users or user groups to
remove from the group, and select Remove.
6. Select OK.
See also
Add a FactoryTalk user group on page 52
Add a Windows-linked user group on page 53
Account types on page 18
Manage user groups on page 51
Delete a user group
Delete a user group when a particular group account is no longer needed to
manage a group of users. Before deleting the user group, view the properties of the user group account.
To help prevent inadvertent lock out of the FactoryTalk Directory, the Administrators group cannot be deleted.
Prerequisites
Deleting a user group account that has no members requires these permissions:
Common > Delete
Common > List Children
Common > Read
Deleting a user group account that has members requires these permissions:
Common > Delete
Common > List Children
Common > Read
Common > Write
To delete a user group
In FactoryTalk Administration Console Explorer, expand System >
User Groups, right-click the user group account, and then select Delete.
See also
Edit or view user group properties on page 55
Manage user groups on page 51
Add accounts to a FactoryTalk user group
Any time after creating a FactoryTalk user group, add or remove the user
accounts that belong to the group. Members of a Windows-linked user group
cannot be added or removed. However, individual Windows-linked user
accounts can be added to FactoryTalk user groups.
Tip: Alternatively, change the groups to which a user belongs. Use Group Membership User
Properties to add or remove user groups from a FactoryTalk or Windows-linked user account.
To add accounts to a FactoryTalk user group
1. In FactoryTalk Administration Console Explorer, expand System >
User Groups, right-click the user group account, and select Properties.
2. Select Add.
3. In Select User or Group, select each user or user group to add to the
user group account. Use the options under Filters to show only users, only user groups, or all accounts. Select OK when finished.
See also
Remove accounts from a FactoryTalk user group on page 57
Add a FactoryTalk user group on page 52
Delete a user group on page 56
Manage user groups on page 51
Remove accounts from a FactoryTalk user group
After creating a FactoryTalk user group, members can be added or removed at
any time. However, after a Windows-linked user group is added to the
FactoryTalk Directory, its members cannot be deleted or removed.
Tip: Alternatively, change the groups to which a user belongs. Use Group Membership User
Properties to add or remove user groups from a FactoryTalk or Windows-linked user account.
To remove accounts from a FactoryTalk user group
1. In FactoryTalk Administration Console Explorer, expand System >
User Groups, right-click the user group account, and select Remove.
2. In Select User or Group, select each user or user group to remove from
the user group account. Use the options under Filters to show only users, only user groups, or all accounts.
3. Select OK when finished.
See also
Add accounts to a FactoryTalk user group on page 56
Add a FactoryTalk user group on page 52
Add a Windows-linked user group on page 53
Delete a user group on page 56
Manage user groups on page 51
Chapter 6
Manage computers
Use FactoryTalk Administration Console to manage the computer accounts in
a FactoryTalk network directory. The FactoryTalk local directory does not make use of computer accounts because all activity on the directory is restricted to the local computer.
Tasks related to managing computers:
Add a computer
Delete a computer
Add group memberships
Remove group memberships
Change the name of a client computer
Change the name of a server computer
Set the override directory cache policies
Managing computers requires explicit permissions. To verify permissions, in FactoryTalk Administration Console Explorer, expand System, then right-click Computers and Groups and select Security. Confirm the permissions listed in the prerequisites for the task are present with the logged in user account.
See also
Add a computer on page 59
Edit or view computer properties on page 61
Add a computer
To allow a computer to access the FactoryTalk system, add a computer to a
FactoryTalk network directory. After adding the computer account, specify security settings for the computer that allow or deny access to parts of the FactoryTalk system or add the computer to a group account, and then specify security settings for the group.
IMPORTANT
Even if the security policy Require computer accounts for all client machines is disabled, you must still create computer accounts for any computers hosting servers — for example, Terminal Servers, Rockwell Automation Device Servers (FactoryTalk Linx), OPC data servers, Tag Alarm and Event Servers, or HMI servers.
Prerequisites
Adding computer accounts requires these permissions:
Common > Create Children
Common > List Children
Common > Read
To add a computer account
1. In FactoryTalk Administration Console Explorer, expand System >
Computers and Groups, right-click Computers, and then select New Computer.
2. In New Computer, in Computer name, type the name of the computer,
or select Browse (...) and then choose a computer name.
3. (optional) In Description, type descriptive information about the
computer (Example: Operator workstation for South Building production line 1, for maintenance contact maintenance@yourcompany.com).
4. Select OK.
See also
Delete a computer on page 60
Accounts and groups on page 16
Delete a computer
Delete a computer from the FactoryTalk network directory to remove its
access to the FactoryTalk system.
Prerequisites
Deleting a computer account that is not a member of a computer group requires these permissions:
Common > Delete
Common > List Children
Common > Read
Deleting a computer account that is a member of a computer group requires these permissions:
Common > Delete
Common > List Children
Common > Read
Common > Write
To delete a computer
In FactoryTalk Administration Console Explorer, expand System >
Computers and Groups > Computers, right-click the computer account, and then select Delete.
See also
Add a computer on page 59
Manage computers on page 59
Edit or view computer properties
Modify the name of a computer, its description, and the computer groups to
which it belongs in General Computer Properties.
Prerequisites
Editing or viewing computer properties requires these permissions:
Common > List Children
Common > Read
Common > Write
To edit or view computer properties
1. In FactoryTalk Administration Console Explorer, expand System >
Computers and Groups > Computers, right-click the computer
account, and select Properties.
2. Edit these settings in General Computer Properties as appropriate:
Computer name. Type the new Windows computer name for the
computer, or select Browse (...) to browse for the computer.
Description. Enter or edit a description of the computer, or other
data about the computer account, such as contact information.
Add. Select to add this computer to one or more computer groups.
Remove. Select to remove this computer from a group.
3. Select OK to apply the edits to the computer.
See also
Add a computer on page 59
Change a computer name in the FactoryTalk network directory
Manage computers on page 59
Chapter 7
Add and remove user-computer pairs
Security for FactoryTalk resources is always tied to users or groups of users,
the actions the users perform, for example, read, write, and so on, and the
computers, or groups of computers where the users work.
This ensures that only authorized personnel can perform actions on the equipment and resources in the system from appropriate locations, for example, computers located within line of sight of equipment.
Available options are:
Add a user-computer pair
Remove a user-computer pair
See also
Add a user-computer pair on page 63
Remove a user-computer pair on page 65
Add a user-computer pair
How do I open Select User and Computer?
1. In the FactoryTalk Administration Console Explorer, right-click an
item and select Security.
2. On the Permissions tab, select Add.
-or-
1. In the FactoryTalk Administration Console Explorer, expand System >
Policies > Product Policies and open a Feature Security item.
2. From the Feature Security Properties Policy Setting tab, select
Configure Security.
3. In Configure Securable Action, select Add.
Use Select User and Computer to pair a group of users, or an individual user, with a group of computers, or an individual computer. Then, specify security settings for the pair. For example, set permissions for a resource that allow or deny access to the pair.
Prerequisites
Obtain the appropriate permissions to specify security settings on the
selected resource.
To add a user-computer pair
1. Navigate to Select User and Computer.
2. Under Filter Users, to limit the user accounts displayed in the Users
list and define the type of user accounts that can be created, select either:
Show groups only
New user groups and Windows-linked groups can be created if needed
Show users only
New FactoryTalk User and Windows-linked user accounts can be created if needed
Show all
New accounts cannot be created when this option is selected.
3. (optional) To create a new user or group account, select Create New,
choose the type of account to create, and then specify the account settings.
4. In the Users list, select a user account or user group account.
5. Under Filter Computers, to limit the computer accounts displayed in
the Computers list and define the type of computer accounts that can be created, select either:
Show groups only
New computer group accounts can be created if needed
Show users only
New computer accounts can be created if needed
Show all
New computer accounts cannot be created when this option is selected.
6. (optional) To create a new computer or computer group account, select
Create New, choose the type of account to create, and then specify the account settings.
7. In the Computers list, select a computer account or computer group
account.
8. Select OK.
The selected user-computer pair displays in the permissions list. Explicit permissions can now be configured for the pair.
See also
Remove a user-computer pair on page 65
Remove a user-computer pair
How do I open Select User and Computer?
1. In the FactoryTalk Administration Console Explorer, right-click an
item and select Security.
2. On the Permissions tab, select Add.
-or-
1. In the FactoryTalk Administration Console Explorer, expand System >
Policies > Product Policies and open a Feature Security item.
2. From the Feature Security Properties Policy Setting tab, select
Configure Security.
3. In Configure Securable Action, select Add.
Remove a user-computer pair when it is no longer necessary to specify permissions on a resource for the pair.
Prerequisites
Obtain the appropriate permissions to specify security settings on the
selected resource.
To remove a user-computer pair
1. Navigate to Select User and Computer, select the filter criteria to show
the list of the users and user groups, and computers or computer groups to delete.
2. In the Users list, select the user account or user group account that
belongs to the pair being deleted.
3. In the Computers list, select a computer account or computer group
account that belongs to the pair being deleted.
4. Select Remove.
5. Select OK.
See also
Add a user-computer pair on page 63
Edit or view user account properties
Use these steps to view and edit the general properties of a FactoryTalk user
account, such as user name and password, user description, user email
address, and user login method. These properties are only viewable for a
Windows-linked user account and cannot be edited. Use Windows to edit the general properties of a Windows-linked user account.
Prerequisites
Obtain these permissions in the Users folder in FactoryTalk Administration Console Explorer:
Common > List Children
Common > Read
Common > Write
To edit or view user account properties
1. In FactoryTalk Administration Console Explorer, expand the
FactoryTalk network or local directory tree. Expand the System >
Users and Groups folder to see the user account.
2. Right-click the user account, and select Properties. Edit the General
User Properties settings as needed.
3. Select OK.
Tip: Changing the properties of a FactoryTalk user account in one FactoryTalk directory does not modify the properties in the other, even if the account has the same name in both directories. Before editing the properties of a user account, log on to the FactoryTalk directory that contains the user account.
See also
Add a FactoryTalk user account on page 43
Manage users on page 43
Chapter 8
Add and remove action groups
To avoid setting permissions for individual actions, group actions together to
grant or deny permissions for a set of actions in one step.
When adding an action group, decide:
The name of the action group
What actions belong to that group
Use action groups to assign permissions based on any convenient grouping. For example:
A person's role or job (operator, supervisor, maintenance engineer, and
so on)
The equipment a person has access to (hoppers, mixers, ovens, and so
on)
When setting security using action groups:
Add an action group
Add actions to an action group
Remove actions from an action group
Delete an action group
See also
Add an action group on page 67
Delete an action group on page 69
Add an action to an action group on page 69
Add an action group
Group actions together to grant or deny permissions for a set of actions in
one step rather than having to set permissions for each action separately.
When adding an action group, decide:
The name of the action group
What actions belong to that group
Prerequisites
Obtain these security permissions for the Action Groups folder in Explorer:
Common > Read
Common > List Children
Common > Create Children
Common > Write
To add an action group
In FactoryTalk Administration Console Explorer, right-click the
Action Groups folder and select New Action Group.
See also
Delete an action group on page 68
Add and remove action groups on page 67
Delete an action group
When an action group is deleted, any explicit permissions assigned to that
group are no longer in effect.
For example, suppose an action group named "Operators" was used to explicitly grant write access to an area named "Mixing" for a user account "Chris". If the "Operators" action group is deleted, "Chris" can no longer write to the "Mixing" area. Creating another "Operators" action group will not restore to "Chris" the ability to write to "Mixing".
If an action group is inadvertently deleted and restoring the FactoryTalk Directory from a backup is not feasible, all security permissions assigned to the resources that were using the action group must be recreated.
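The two behaviours described here, permissions attached to a user-computer pair (Chapter 7) and explicit permissions being lost when the action group they reference is deleted, even if a group of the same name is created again, in a small Python model. This is an added example, not FactoryTalk code; the Directory class, the computers HMI01 and OFFICE-PC, the computer group Line1 Workstations, and the Deny-overrides-Allow evaluation are the example's own assumptions.

```python
"""Model of explicit permissions tied to user-computer pairs and action groups,
reproducing the 'Operators'/'Chris'/'Mixing' example from this guide. Added,
simplified illustration only, not FactoryTalk code; the Directory class and
the computer names are constructed for the example."""
from dataclasses import dataclass, field
from itertools import count

_next_id = count(1)


@dataclass
class ActionGroup:
    """A named set of securable actions. Permissions reference the group's
    internal id, not its name, so a re-created group with the same name does
    not inherit the old grants."""
    name: str
    actions: set = field(default_factory=set)
    gid: int = field(default_factory=lambda: next(_next_id))


@dataclass(frozen=True)
class Permission:
    principal: str   # user account or user group
    computer: str    # computer account or computer group ("*" = any computer)
    group_id: int    # action group the permission applies to
    allow: bool      # True = Allow, False = Deny


class Directory:
    """Minimal stand-in for a FactoryTalk network directory (constructed)."""

    def __init__(self):
        self.groups = {}           # gid -> ActionGroup
        self.permissions = {}      # resource -> [Permission]
        self.user_groups = {}      # user -> set of user group names
        self.computer_groups = {}  # computer -> set of computer group names

    def add_action_group(self, name, actions):
        group = ActionGroup(name, set(actions))
        self.groups[group.gid] = group
        return group

    def delete_action_group(self, group):
        """Deleting the group drops every explicit permission that used it."""
        del self.groups[group.gid]
        for resource, perms in self.permissions.items():
            self.permissions[resource] = [p for p in perms
                                          if p.group_id != group.gid]

    def set_permission(self, resource, principal, computer, group, allow):
        self.permissions.setdefault(resource, []).append(
            Permission(principal, computer, group.gid, allow))

    def is_allowed(self, resource, user, computer, action):
        """Assumed evaluation: an explicit Deny wins; with no matching Allow
        the action is denied."""
        principals = {user} | self.user_groups.get(user, set())
        computers = {computer, "*"} | self.computer_groups.get(computer, set())
        allowed = False
        for p in self.permissions.get(resource, []):
            if (p.principal in principals and p.computer in computers
                    and action in self.groups[p.group_id].actions):
                if not p.allow:
                    return False
                allowed = True
        return allowed


def scenario():
    """Returns Chris's write access to Mixing at four points in time."""
    d = Directory()
    d.computer_groups["HMI01"] = {"Line1 Workstations"}
    ops = d.add_action_group("Operators", {"Read", "Write"})
    # The user-computer pair (Chris, Line1 Workstations) is granted Operators.
    d.set_permission("Mixing", "Chris", "Line1 Workstations", ops, True)
    before = d.is_allowed("Mixing", "Chris", "HMI01", "Write")
    # Same user from a computer outside the pair: no grant applies.
    elsewhere = d.is_allowed("Mixing", "Chris", "OFFICE-PC", "Write")
    d.delete_action_group(ops)
    after_delete = d.is_allowed("Mixing", "Chris", "HMI01", "Write")
    # A new group with the same name gets a new id; the old grant stays gone.
    d.add_action_group("Operators", {"Read", "Write"})
    after_recreate = d.is_allowed("Mixing", "Chris", "HMI01", "Write")
    return before, elsewhere, after_delete, after_recreate


if __name__ == "__main__":
    print(scenario())   # (True, False, False, False)
```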
Prerequisites
1. Before deleting an action group, back up the FactoryTalk Directory.
2. Deleting an action group requires these security permissions for the
Action Groups folder:
Common > Read
Common > List Children
Common > Delete
To delete an action group
1. In FactoryTalk Administration Console Explorer, expand the Action
Groups folder.
2. Right-click the action group and select Delete.
See also
Add an action group on page 67
Add and remove action groups on page 67
Add an action to an action group
To manage security settings for an action as part of an existing action group,
add the action to the action group.
Prerequisites
Adding an action to an action group requires these permissions for the Action Groups folder in FactoryTalk Administration Console Explorer:
Common > Read
Common > List Children
Common > Create Children
Common > Write
To add an action to an action group
1. In FactoryTalk Administration Console Explorer, expand Action
Groups, then right-click the action group to edit, and select Properties.
2. In Properties, the action group appears on the right in the Selected
actions and action groups list.
3. In the Available Actions and Action Groups list, select the action to
add to the action group, and select >>.
4. Select OK.
See also
Add an action group on page 67
Add and remove action groups on page 67
Remove an action from an action group
To stop managing security settings for a particular action as part of an action
group, remove the action from the action group.
Prerequisites
Removing an action from an action group requires these security permissions for the Action Groups folder in FactoryTalk Administration Console Explorer:
Common > Read
Common > List Children
Common > Create Children
Common > Write
To remove an action from an action group
1. In FactoryTalk Administration Console Explorer, expand Action
Groups, right-click the action group to edit, and select Properties.
2. In Properties, the action group appears on the right in the Selected
actions and action groups list.
3. In the Selected Actions and Action Groups list, select the action to
remove from the action group, and select << to remove it from the group.
4. Select OK.
See also
Add and remove action groups on page 67
Chapter 9
Set system policies
Set system policies to manage settings that apply across the entire FactoryTalk system. Policy settings are separate in the network directory and the local directory.
Navigate to System > Policies > System Policies to view and edit the following:
Application Authorization
Determines whether applications can access the FactoryTalk Directory.
User Rights Assignment
Determines which users can perform system-wide actions, such as backing up and restoring the contents of the FactoryTalk Directory, changing the directory server computer, performing a manual switchover to a redundant server, and modifying the security authority identifier.
Live Data Policy
Determines the default communications protocol for a distributed FactoryTalk system.
Health Monitoring Policy
Defines the parameters that the health monitoring service uses when determining if a network error occurred and how long to wait before switching to a standby server.
Audit Policy
Defines which activities generate an audit message.
Security Policy
Defines the security policies applied to FactoryTalk accounts, divided into these categories: account policy, computer policy, directory protection policy, password policy, and single sign-on policy. These policies do not apply to Windows-linked accounts. Define policies for Windows-linked accounts in Windows.
See also
Authorize an application to access the FactoryTalk Directory on page 72
Assign user rights to make system policy changes on page 78
Set audit policies on page 86
Set system security policies on page 91
Set network health monitoring policies on page 84
Authorize an application to access the FactoryTalk Directory
Use FactoryTalk Service Application Authorization to authorize applications
to access the FactoryTalk Directory.
If the option to verify the publisher certificate information is enabled,
applications that are not signed by Rockwell Automation or Microsoft® are
not allowed access to the FactoryTalk Directory.
Tip: To configure the Application Authorization policy, log into FactoryTalk with an account that is
a member of the FactoryTalk Administrators group.
To authorize an application to access the FactoryTalk Directory
1. Log on to the FactoryTalk network directory or FactoryTalk local
directory.
2. In FactoryTalk Administration Console Explorer, expand the System >
Policies > System Policies folders.
3. Right-click Application Authorization and select Properties.
The Application Authorization policy controls access by monitoring information about each application that is requesting a service token from FactoryTalk.
4. In FactoryTalk Service Application Authorization, review the list of
the applications that can be authorized. To sort the application list by process name, computer name, or access allowed status, select the corresponding column header at the top of the window.
Some applications are required by FactoryTalk and cannot be removed or denied. These entries are displayed with gray text in the list.
5. (optional) To view the publisher certificate information for a process,
select the desired cell in the Publisher Info column.
6. Select a process, and scroll to the right to view its access status. Select
Access Allowed to provide access to the FactoryTalk Directory, or clear to deny access to the FactoryTalk Directory.
7. (optional) To automatically enable access to the FactoryTalk Directory
for any new process, select Enable Default Access.
8. (optional) To automatically block access to the FactoryTalk Directory
for any new process, clear Enable Default Access.
9. (optional) To verify publication information for all FactoryTalk
Services Platform processes, select Verify Publisher Info. If the verification process fails, the process is automatically denied access.
10. Select OK.
See also
FactoryTalk Service Application Authorization settings on page 73
Publisher Certificate Information on page 75
Digitally signed FactoryTalk products on page 76
FactoryTalk Service Application Authorization
How do I open FactoryTalk Service Application Authorization?
1. Log on to the FactoryTalk Network Directory or FactoryTalk Local
Directory.
2. In FactoryTalk Administration Console Explorer, expand System >
Policies > System Policies.
3. Right-click Application Authorization and then select Properties.
Use FactoryTalk Service Application Authorization to authorize the applications that have access to FactoryTalk Directory. By default, FactoryTalk Services Platform processes are automatically allowed access.
If the Verify publisher information option is enabled, applications that are not signed by Rockwell Automation or Microsoft are not allowed access to FactoryTalk Directory.
Tip: To configure the Application Authorization policy, log into FactoryTalk with an account that is a
member of the FactoryTalk Administrators group.
See also
Authorize an application to access the FactoryTalk Directory on page 72
FactoryTalk Service Application Authorization settings on page 73
FactoryTalk Service Application Authorization settings
Use FactoryTalk Service Application Authorization settings to authorize the
applications that have access to FactoryTalk Directory.
If the Verify Publisher Info option is selected, applications that are not signed
by Rockwell Automation or Microsoft are not allowed access to FactoryTalk
Directory.
The Application Authorization policy controls access by monitoring the information of each application that is requesting a service token from FactoryTalk. To configure the Application Authorization policy, log into FactoryTalk with an account that is a member of the FactoryTalk Administrators group.
To sort the application list by process name, version number, computer name, publisher, or access allowed status, select the corresponding column header.
Column
Description
Process
Shows the process name of the application that is requesting a service token. Some applications are required by FactoryTalk and cannot be removed or denied. These entries appear with gray text in the list. To sort the application list by process name, computer name, or access allowed status, select the corresponding column header.
Version
Shows the version number of the application that is requesting a service token.
Computer
Shows the computer name where the application runs. To sort the application list by process name, computer name, or access allowed status, select the corresponding column header.
Publisher Info
Shows the publisher name of the application. If no certificate exists, the cell displays None. To view the detailed publisher certificate information, select the desired cell in this column.
Access Allowed
Shows whether the current process is allowed to access FactoryTalk Directory and determines whether an application is authorized to access the FactoryTalk Directory. To deny an application, clear the check box of the entry. If an application is denied access and fails the request for a service token, a message is sent to FactoryTalk Diagnostics, for example:
Login failure for application [RNASecurityTestClient.exe] on directory [Network]. application was denied access.
View the messages using the FactoryTalk Diagnostics Viewer. Some applications are required by FactoryTalk and cannot be removed or denied. These entries are displayed with gray text in the list.
Use these settings to specify how FactoryTalk allows access to the FactoryTalk Directory.
Setting
Description
Enable Default Access
Determines whether new applications are automatically allowed access to FactoryTalk Directory. Default: Enabled. To disable the default access, clear the check box. All new applications are then automatically denied access. If the default access of a FactoryTalk Directory server is disabled, you can still configure your local computer to join the directory server.
Verify Publisher Info
Determines whether to verify the publisher certificate information of FactoryTalk applications. If enabled, FactoryTalk Services Platform verifies whether the application requesting a service token is signed by Rockwell Automation or Microsoft. Any application not signed by them will fail to receive a service token. Default: Disabled. To disable the publisher information verification, clear the check box. FactoryTalk Services Platform then does not verify the publisher information, and applications are authorized by their Access Allowed settings alone. Some earlier versions of Microsoft applications (for example, msiexec.exe) and FactoryTalk products were not signed when released. The publisher information on these applications may fail verification.
Remove
To remove one or more applications from the list, select the entries and select Remove. Some applications are required by FactoryTalk and cannot be removed or denied. These entries appear with gray text in the list. When removing one or more of these required entries, a warning message displays indicating that the required entries are not removed.
Refresh
Manually refresh the list to show the latest application list. Select Refresh. When refreshing the list, if a newer version of an existing application from the same computer is found, the entry is updated to reflect the new version or certificate information. Save the changes before refreshing. Any changes that are not saved will be lost when refreshing.
Required FactoryTalk Processes
Process name
Description
FTDataUpdate.exe
FactoryTalk data update, which runs during FactoryTalk Directory configuration.
FTDConfigurationUtility.exe
FactoryTalk Configuration wizard, which is only used in special cases to repair the FactoryTalk Directory.
FTExportPolicy.exe
Controls FactoryTalk export of policy settings during backup.
FTSetDirSvr.exe
Used to set the FactoryTalk Directory.
FTSPVStudio.exe
FactoryTalk Administration Console
ImportExportTool.exe
Used to import and export FactoryTalk information.
NmspHost.exe
FactoryTalk namespace services
RdcyHost.exe
Rockwell redundancy services
RnaDirMultiplexor.exe
Rockwell RNA directory multiplexer
RsvcHost.exe
Rockwell Automation services
SilentFTDCW.exe
FactoryTalk Directory Silent Configuration Wizard
Publisher certificate information (shown when a cell in the Publisher Info column is selected)
Field
Description
Issued to
Shows the publisher name (or a portion of the name) of the entity to which the certificate is issued.
Issued by
Shows the name (or a portion of the name) of the issuer.
Status
Shows the status of the certificate, for example, valid, revoked, or expired.
Valid to
Shows the ending date of the period for which the certificate is valid.
See also
Authorize an application to access the FactoryTalk Directory on page 72
Publisher Certificate Information on page 75
Digitally signed FactoryTalk products on page 76
Publisher Certificate
Use Publisher Certificate Information to view digital signature details and verify the identity and authenticity of software.
Information
Serial # Shows the unique serial number (or a portion of the serial number) of the certificate. Date signed Shows the date when the binary was signed. Valid from Shows the beginning date of the period for which the certificate is valid.
Rockwell Automation Publication FTSEC-QS001Q-EN-E - March 2021 75
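As an added illustration (not Rockwell Automation code and not a FactoryTalk API), the Python model below evaluates a service token request against the Enable Default Access, Verify Publisher Info and Access Allowed settings described above, using the Publisher Certificate Information fields to decide whether a signature is trusted. The check order, the certificate field checks and the sample certificates are assumptions; the denial text follows the Diagnostics message quoted above.

```python
"""Model of the FactoryTalk Service Application Authorization decision.

Added illustration only: this is not Rockwell Automation code and calls no
FactoryTalk API. The check order (required process, then publisher, then
Access Allowed / Default Access) and the data shapes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple

# Processes the guide lists as required by FactoryTalk; they cannot be denied.
REQUIRED_PROCESSES = frozenset({
    "FTDataUpdate.exe", "FTExportPolicy.exe", "FTSPVStudio.exe", "NmspHost.exe",
    "RdcyHost.exe", "RnaDirMultiplexor.exe", "RsvcHost.exe", "SilentFTDCW.exe",
    "FTDConfigurationUtility.exe", "FTSetDirSvr.exe", "ImportExportTool.exe",
})
# Publishers that Verify Publisher Info accepts.
TRUSTED_PUBLISHERS = ("Rockwell Automation", "Microsoft")


@dataclass(frozen=True)
class PublisherCert:
    """The fields shown in Publisher Certificate Information (constructed values)."""
    issued_to: str
    issued_by: str
    status: str          # "valid", "revoked" or "expired"
    date_signed: date
    valid_from: date
    valid_to: date


@dataclass
class AuthorizationPolicy:
    enable_default_access: bool = True    # guide default: Enabled
    verify_publisher_info: bool = False   # guide default: Disabled
    # Access Allowed column: process name -> check box state.
    access_allowed: Dict[str, bool] = field(default_factory=dict)


def hardened_policy() -> AuthorizationPolicy:
    """Both settings flipped: only listed, trusted-signed applications get a token."""
    return AuthorizationPolicy(enable_default_access=False, verify_publisher_info=True)


def publisher_trusted(cert: Optional[PublisherCert]) -> bool:
    """Verify Publisher Info: a usable certificate issued to a trusted publisher."""
    if cert is None:                      # unsigned binary (e.g. an older msiexec.exe)
        return False
    if not cert.issued_to.startswith(TRUSTED_PUBLISHERS):
        return False
    if cert.status != "valid":            # revoked or expired
        return False
    # Assumption: the signature must fall inside the certificate's validity period.
    return cert.valid_from <= cert.date_signed <= cert.valid_to


def denial_message(process: str, directory: str) -> str:
    """The FactoryTalk Diagnostics message format quoted in the guide."""
    return (f"Login failure for application [{process}] on directory "
            f"[{directory}]. application was denied access.")


def request_service_token(policy: AuthorizationPolicy, process: str,
                          cert: Optional[PublisherCert] = None,
                          directory: str = "Network") -> Tuple[bool, Optional[str]]:
    """Return (granted, diagnostics message); the message is None when granted."""
    if process in REQUIRED_PROCESSES:
        return True, None
    if policy.verify_publisher_info and not publisher_trusted(cert):
        return False, denial_message(process, directory)
    allowed = policy.access_allowed.get(process)
    if allowed is None:
        # A new application: Enable Default Access decides, and the decision
        # becomes the entry's Access Allowed check box.
        allowed = policy.enable_default_access
        policy.access_allowed[process] = allowed
    if not allowed:
        return False, denial_message(process, directory)
    return True, None


# Constructed sample certificates (not real certificate data).
ROCKWELL_CERT = PublisherCert("Rockwell Automation, Inc.", "Example Code Signing CA",
                              "valid", date(2021, 1, 15), date(2020, 6, 1), date(2023, 6, 1))
REVOKED_CERT = PublisherCert("Rockwell Automation, Inc.", "Example Code Signing CA",
                             "revoked", date(2021, 1, 15), date(2020, 6, 1), date(2023, 6, 1))
OTHER_VENDOR_CERT = PublisherCert("Some Integrator Ltd", "Example Code Signing CA",
                                  "valid", date(2021, 1, 15), date(2020, 6, 1), date(2023, 6, 1))

if __name__ == "__main__":
    for name, policy in (("defaults", AuthorizationPolicy()), ("hardened", hardened_policy())):
        for process, cert in (("RNASecurityTestClient.exe", None),
                              ("FTViewClient.exe", ROCKWELL_CERT),
                              ("FTSPVStudio.exe", None)):
            granted, msg = request_service_token(policy, process, cert)
            print(f"{name:8} {process:26} granted={granted} {msg or ''}")
```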
See also
Authorize an application to access the FactoryTalk Directory on page 72
FactoryTalk Service Application Authorization settings on page 73
Digitally signed FactoryTalk products on page 76
Digitally signed FactoryTalk products
FactoryTalk Services Platform 2.51 or later provides the ability to verify whether an application requesting a service token is signed by Rockwell Automation. Access to the FactoryTalk Directory is denied if the certificate is not signed by Rockwell Automation.
Some earlier versions of FactoryTalk products were not signed when released. These products may fail publisher information verification.
This table shows which versions of FactoryTalk products are signed.
Products: Signed since version
eProcedure®: 11.00
FactoryTalk Administration Console: 2.10.01
FactoryTalk Administration Console: 2.31.00
FactoryTalk Batch: 11.00
FactoryTalk Historian SE: 3.0
FactoryTalk Linx: 5.20
FactoryTalk Linx Gateway: 3.02
FactoryTalk Metrics: 9.10
FactoryTalk Transaction Manager: 9.10
FactoryTalk View ME: 5.10
FactoryTalk View SE: 5.10
Logix Designer: 21.00
RSLinx Classic: 2.54
RSLogix 5: 7.40
RSLogix 500: 8.10
RSLogix 5000: 18.00
RSNetWorx: 9.00
RSSecurity Emulator: 2.10.01
See also
Authorize an application to access the FactoryTalk Directory on page 72
Publisher Certificate Information on page 75

Authorize a service to use FactoryTalk Badge Logon

Use FactoryTalk Badge Authorization to authorize services to use the FactoryTalk Badge Logon function.
The service that requests access to use the FactoryTalk Badge Logon function must be trusted by Rockwell Automation.
Note: To configure the Badge Authorization policy, log on to FactoryTalk with an account that is a member of the FactoryTalk Administrators group.
To authorize a service to use the FactoryTalk Badge Logon
1. Log on to the FactoryTalk network directory or FactoryTalk local directory.
2. In FactoryTalk Administration Console Explorer, expand the System > Policies > System Policies folders.
3. Right-click Badge Authorization and select Properties.
The Badge Authorization policy controls access by monitoring each service that is requesting the FactoryTalk Badge Logon function.
4. In FactoryTalk Badge Authorization, click Add to permit access to a service that is requesting the FactoryTalk Badge Logon function.
5. Click OK.
See also
FactoryTalk Badge Authorization on page 77
FactoryTalk Badge Authorization settings on page 77
FactoryTalk Badge Authorization
How do I open FactoryTalk Badge Authorization?
1. Log on to the FactoryTalk Network Directory or FactoryTalk Local Directory.
2. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
3. Right-click Badge Authorization and then select Properties.
Use FactoryTalk Badge Authorization to authorize services to use the FactoryTalk Badge Logon function.
The service that requests access to use the FactoryTalk Badge Logon function must be trusted by Rockwell Automation.
Note: To configure the Badge Authorization policy, log on to FactoryTalk with an account that is a member of the FactoryTalk Administrators group.
See also
Authorize a service to use the FactoryTalk Badge Logon on page 76
FactoryTalk Badge Authorization settings on page 77
FactoryTalk Badge Authorization settings
Use FactoryTalk Badge Authorization to authorize services to use the FactoryTalk Badge Logon function.
The service that requests access to use the FactoryTalk Badge Logon function must be trusted by Rockwell Automation.
Note: To configure the Badge Authorization policy, log on to FactoryTalk with an account that is a member of the FactoryTalk Administrators group.
Column: Description
Process: Shows the process name of the service that is requesting access to use the FactoryTalk Badge Logon function. To sort the service list by process name, select the column header. The FactoryTalk services are not displayed in the list.
Use these settings to specify how FactoryTalk allows access to the services that are requesting to use the FactoryTalk Badge Logon function.
Add: Opens the Select Application dialog box to select a service that is requesting the FactoryTalk Badge Logon function.
Remove: Removes one or more services that are using the FactoryTalk Badge Logon function.
See also
Authorize a service to use the FactoryTalk Badge Logon on page 76
FactoryTalk Badge Authorization on page 77
Assign user rights to make system policy changes
In User Rights Assignment Policy Properties, specify which users are permitted to:
Back up or restore FactoryTalk Directory, the System folder, or applications
Change the FactoryTalk Directory server computer
Switch between primary and secondary servers in a redundant pair (for example, HMI servers or data servers)
Modify the security authority identifier
Policy settings are completely separate in the network directory and local directory. The network directory and local directory also have different default policy settings.
To assign user rights to make system policy changes
1. Log into the FactoryTalk directory.
2. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
3. Right-click User Rights Assignment and select Properties.
4. In User Rights Assignment Policies, next to the policy to secure and to the right of Configure Security, select Browse (...).
5. In Configure Securable Action, on the Policy Setting tab, select Add. Select User or Group opens.
6. (optional) Use the filter options to restrict the accounts shown in the lists.
7. Choose the user or group account, then select OK. The user or group is added to the list on the Policy Setting tab.
To allow the user permission to perform the action from the specified computer or group, select Allow.
To deny the user permission to perform the action from the specified computer or group, select Deny.
To remove explicit Allow permissions, select the user and computer and select Remove. If no permissions are specified, Deny is implied.
8. When finished, select OK to apply the policy changes.
See also
User rights assignment policies on page 79
Permissions on page 135
User rights assignment policies
In FactoryTalk, administrators control the rights that users have to access the system. Settings that apply to the entire FactoryTalk directory are especially important to secure. User rights assignment policies specify which users are permitted to:
Back up or restore FactoryTalk Directory, the System folder, or applications. The default setting allows all users to back up and restore the directory and its contents. Securing backup and restore operations prevents an unauthorized user from:
Copying applications or user account information in the FactoryTalk system
Intentionally or inadvertently overwriting the contents of FactoryTalk Directory, including applications, user, computer, and group accounts, passwords, policy settings, and security settings
Change the FactoryTalk Directory server computer. The default setting allows administrators to change the directory server. The policy appears only in the FactoryTalk network directory. Verify the permissions to change the directory on the current computer and on the computer being switched to.
Switch between primary and secondary servers in a redundant pair. In the FactoryTalk network directory, the default setting allows all users to switch between primary and secondary servers (such as HMI servers or data servers). Because redundancy is available only in the FactoryTalk network directory, this policy setting appears only in the FactoryTalk network directory.
Modify the security authority identifier. The default setting allows all users to modify the identifier.
Policy settings are completely separate in the network directory and local directory. The network directory and local directory also have different default policy settings.
See also
Assign user rights to make system policy changes on page 78
User Rights Assignment Policy Properties on page 80
User Rights Assignment Policy Properties
How do I open User Rights Assignment Policy Properties?
1. Start FactoryTalk Administration Console or FactoryTalk View Studio, and then log on to the FactoryTalk Network Directory or FactoryTalk Local Directory.
2. In Explorer, expand the FactoryTalk Network or Local Directory tree, and then expand the System > Policies > System Policies folders.
3. Select User Rights Assignment.
In User Rights Assignment Policy Properties, specify which users are permitted to:
Back up or restore FactoryTalk Directory, the System folder, or applications
Change the FactoryTalk Directory server computer
Switch between primary and secondary servers in a redundant pair (for example, HMI servers or data servers)
Modify the security authority identifier
Policy settings are completely separate in the network directory and local directory. The network directory and local directory also have different default policy settings.
See also
Assign user rights to make system policy changes on page 78
User rights assignment policies on page 79
Permissions on page 135
Configure Securable Action
How do I open Configure Securable Action?
1. In FactoryTalk Administration Console Explorer, expand System > Policies > Product Policies.
2. Expand the product folder, then right-click Feature Security and select Properties.
3. In Feature Security Properties, select the row containing the feature category.
4. Next to Configure Security, select Browse (...).
Use Configure Securable Action to view or set the permissions that determine access to a single feature for a user or group of users working from a computer or group of computers connected to the FactoryTalk network directory. The product policy features that can be secured depend on what FactoryTalk products are installed.
Use this window to configure permissions for the actions in User Rights Assignment Policy Properties.
In a FactoryTalk local directory, all security settings apply only to the local computer.
Setting: Description
Permissions list: Shows the users and computers that have Allow or Deny permissions set for this feature. To allow access to the feature, select Allow. To deny access to the feature, select Deny. If both Allow and Deny are cleared, the user is denied access to the feature.
Add: Select to add users and computers to the permissions list to set explicit permissions.
Remove: In the permissions list, select the combination of users and computers for which to remove security settings, and select Remove.
See also
Secure features of a single product on page 114
Effective permission icons on page 156
Select a user or group
Use Select User or Group to select a user account or FactoryTalk user group account. You can then specify security settings for the user or group.
Use the options under Filters to show only users, only user groups, or all accounts that you may add to the group.
To select a user or group
1. Right-click the FactoryTalk user group account you wish to modify and click Properties.
2. In User Group Properties, click Add.
3. At the bottom of Select User or Group, select the filter criteria that show the users or groups you want to select.
4. Do one of the following:
In the list of users and groups, select a user account or user group account.
To create a new user account, click Create New and then click the type of account you want to create.
5. When you are finished selecting a user or group account, click OK.
See also
Manage user groups on page 51
Accounts and groups on page 16
Account types on page 18

Change the default communications protocol

To change the default communications protocol for a distributed FactoryTalk system, use Live Data Policy Properties.
Change this setting only if necessary, for example, if the system experiences communications problems and troubleshooting requires switching to DCOM. Thoroughly test communications before deploying this change to a running production system. Keep in mind that many factors affect communications, including firewalls, closed ports, and differences in network architectures and configurations.
To change the default communications protocol
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Live Data Policy and select Properties.
3. From the list to the right of Default Protocol Setting, switch the default communications protocol from TCP/IP to DCOM, or from DCOM to TCP/IP.
4. Select OK.
5. Shut down and restart all computers on the network.
See also
Live Data Policy Properties on page 83
Default communications protocol settings
In a FactoryTalk distributed system, the communications protocol affects communications between client and server services and between the FactoryTalk Directory and servers on the network. This setting is considered a "default" because if the FactoryTalk Live Data service detects that some components on the network are not compatible with the selected policy setting, the service overrides the policy and uses whichever setting is most likely to ensure uninterrupted communications. For example, for third-party servers and RSLinx Classic, FactoryTalk Live Data does not attempt a TCP/IP connection and always uses DCOM.
Use the Policy Settings tab of Live Data Policy Properties to set the default protocol from TCP/IP to DCOM or vice versa.
The FactoryTalk Services Platform installation process evaluates the services and components on the network and sets the communication protocol appropriately. For example, if upgrading from an earlier version of the FactoryTalk platform to FactoryTalk Services Platform 2.10 (CPR 9) or later, the communications default is automatically set to DCOM. If installing FactoryTalk Services Platform 2.10 or later for the first time on a computer, the communications default is automatically set to TCP/IP. Typically, changing the default setting is not necessary or advisable.
Default protocol setting: Description
TCP/IP: An open communications protocol that typically is more reliable and has better performance than the proprietary DCOM protocol. Choose this option only if all or most of the clients and servers on the automation network are upgraded to use FactoryTalk Services Platform v. 2.10 (CPR 9) or later. Do not choose this option if the automation network is using older versions of the FactoryTalk Automation Platform v. 2.00 (CPR 7) or earlier, or if the system includes many third-party OPC servers and devices. When this setting is changed from DCOM to TCP/IP, an audit message is logged to FactoryTalk Diagnostics indicating that the value changed from False to True.
DCOM: A proprietary communications protocol owned and managed by Microsoft. Choose this option if most of the clients and servers on the automation network are using older versions of FactoryTalk Automation Platform (v. 2.00, CPR 7 or earlier), or if the system includes third-party OPC servers and devices. When this setting is changed from TCP/IP to DCOM, an audit message is logged to FactoryTalk Diagnostics indicating that the value changed from True to False.
See also
Change the default communications protocol on page 82
FactoryTalk Directory types on page 15
Live Data Policy Properties
How do I open Live Data Policy Properties?
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Live Data Policy and select Properties.
Use the Policy Settings tab of Live Data Policy Properties to select a default communications protocol for a distributed FactoryTalk system.
This setting affects communications between client and server services and between the FactoryTalk Directory and servers on the network. This setting is considered a "default". If the FactoryTalk Live Data service detects that some components on the network are not compatible with the selected policy setting, the service overrides the policy and uses whichever setting is most likely to ensure uninterrupted communications. For example, for third-party servers and RSLinx Classic, FactoryTalk Live Data does not attempt a TCP/IP connection and always uses DCOM.
Change this setting only if necessary, such as if the system is experiencing communications problems and it is necessary to switch to DCOM for troubleshooting purposes. Thoroughly test communications before deploying this change to a running production system. Many factors affect communications, including firewalls, closed ports, and differences in network architectures and configurations.
IMPORTANT: Changing this policy setting can have unexpected results. Do not change this setting in a running production system. For changes to take effect, shut down and restart all computers on the network.
See also
Change the default communications protocol on page 82
Default communications protocol settings on page 82
FactoryTalk Directory types on page 15
Set network health monitoring policies
Use Health Monitoring Policy Properties to fine-tune the parameters that the system uses when determining whether a network failure is occurring and how long to wait before switching to a standby server.
A network failure occurs when a server is temporarily unable to communicate with other computers because of network traffic and fluctuations. During a network failure, even though the computers in the redundant server pair cannot communicate, the active server remains active and the standby server remains on standby.
Tip: Changing health monitoring policy settings can have unexpected results. The preset default settings typically provide optimal efficiency for most networks.
To set network health monitoring policies
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Health Monitoring Policy and select Properties.
3. Under Rates, select the policy setting to edit. A description of the policy appears in the bottom pane of the window.
4. To the right of the current rate, select the down arrow to enter a new number, or use the small up and down arrows to choose a higher or lower number.
5. Select OK.
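The Rates that step 3 edits (Computer detection interval, Network failure detection interval and Maximum network glitch) decide when a disruption stops being a tolerated glitch and becomes a declared communications failure. As an added illustration that is not part of the guide, this Python model replays those three settings over a constructed outage timeline; the request and reply behaviour is simplified from the guide's descriptions, and the scenario timings are made up.

```python
"""Timeline model of the Health Monitoring Policy rates.

Added illustration only: not Rockwell Automation code, and the request /
reply behaviour is simplified from the guide's descriptions. Times are in
whole seconds; an outage is a (start, end) window in which the remote
computer does not answer.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Outage = Tuple[int, int]   # half-open window [start, end) of silence
Event = Tuple[int, str]    # (time, what the monitoring service did)


@dataclass(frozen=True)
class HealthMonitoringPolicy:
    computer_detection_interval: int = 2          # guide default 2 s, range 1..600
    network_failure_detection_interval: int = 2   # guide default 2 s, range 1..600
    maximum_network_glitch: int = 5               # guide default 5 s, range 1..600

    def __post_init__(self) -> None:
        for name in ("computer_detection_interval",
                     "network_failure_detection_interval", "maximum_network_glitch"):
            value = getattr(self, name)
            if not 1 <= value <= 600:
                raise ValueError(f"{name} must be between 1 and 600 seconds, got {value}")


def _silent(t: int, outages: Sequence[Outage]) -> bool:
    """True when the remote computer does not answer a request sent at time t."""
    return any(start <= t < end for start, end in outages)


def simulate(policy: HealthMonitoringPolicy, outages: Sequence[Outage],
             horizon: int = 60) -> Tuple[List[Event], Optional[int]]:
    """Run the monitor from t=0; return (events, time a failure was declared or None)."""
    events: List[Event] = []
    t = 0
    # Phase 1: "Computer detection" requests until the remote computer answers.
    while t <= horizon and _silent(t, outages):
        events.append((t, "Computer detection: no reply"))
        t += policy.computer_detection_interval
    if t > horizon:
        return events, None        # never found the computer within the horizon
    events.append((t, "Computer detection: reply; switching to Network failure detection"))
    last_reply = t
    # Phase 2: "Network failure detection" requests at the configured interval.
    t += policy.network_failure_detection_interval
    while t <= horizon:
        if not _silent(t, outages):
            last_reply = t
            events.append((t, "Network failure detection: reply (healthy)"))
        else:
            silence = t - last_reply
            events.append((t, f"Network failure detection: no reply, silent for {silence}s"))
            if silence > policy.maximum_network_glitch:
                # The disruption outlasted the glitch allowance: a diagnostic
                # message is generated and the standby server is checked next.
                events.append((t, "Maximum network glitch exceeded: communications failed"))
                return events, t
        t += policy.network_failure_detection_interval
    return events, None


def failure_time(policy: HealthMonitoringPolicy, outages: Sequence[Outage],
                 horizon: int = 60) -> Optional[int]:
    """Convenience wrapper: the time at which a failure was declared, or None."""
    return simulate(policy, outages, horizon)[1]


if __name__ == "__main__":
    defaults = HealthMonitoringPolicy()
    # Constructed scenarios: a 3 s blip and an 8 s disruption, both starting at t=11.
    for label, outages in (("3 s blip", [(11, 14)]), ("8 s disruption", [(11, 19)])):
        events, failed = simulate(defaults, outages)
        status = f"failure declared at {failed}s" if failed is not None else "tolerated"
        print(f"{label}: {status}")
        for t, text in events:
            print(f"  t={t:3d}s {text}")
    # Raising Maximum network glitch to 10 s makes the 8 s disruption tolerable.
    print("8 s disruption with glitch=10 s:",
          failure_time(HealthMonitoringPolicy(maximum_network_glitch=10), [(11, 19)]))
```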
See also
Health Monitoring Policy Properties on page 85
Health Monitoring Policy Properties
How do I open Health Monitoring Policy Properties?
1. In Explorer, expand System > Policies > System Policies.
2. Right-click Health Monitoring Policy and select Properties.
Use Policy Settings in Health Monitoring Policy Properties to change parameters that determine whether a network failure is occurring and how long to wait before switching to a standby server.
Tip: To monitor system health messages, use the FactoryTalk Diagnostics Viewer.
A network failure occurs when a server is temporarily unable to communicate with other computers because of network traffic and fluctuations. During a network failure, even though the computers in a server pair cannot communicate, the active server remains active and the standby server remains on standby.
When these policy settings are applied, the changes affect all computers that are clients of the FactoryTalk network directory server. The changes take effect immediately, as soon as the network directory server notifies the client computers of the changes.
IMPORTANT: Changing health monitoring policy settings can have unexpected results. The preset default settings typically provide optimal efficiency for most networks.
The health monitoring service policy settings (under Rates) are:
Computer detection interval: Sets the amount of time that the health monitoring service waits between its attempts to detect the existence of a computer on the network. If the service does not receive a response, it continues its detection attempts at the specified intervals. Once a connection is made, the health monitoring service stops sending "Computer detection" requests and begins sending "Network failure detection" requests to the computer. Default: 2 seconds. Minimum: 1 second. Maximum: 600 seconds.
Network failure detection interval: Sets how often the health monitoring service attempts to verify the health of the network connection to remote computers. The health monitoring service begins sending "Network failure detection" requests after establishing the existence of a computer on the network. This request expects a reply back from the remote computer within the amount of time specified. If a reply is received, then the network connection is considered to be healthy. If a reply is not received, the service continues sending "Network failure detection" requests at the specified intervals until the amount of time specified as the "Maximum network glitch" is reached. Default: 2 seconds. Minimum: 1 second. Maximum: 600 seconds.
Maximum network glitch: Sets the maximum duration of a network disruption before the health monitoring service determines that communications failed. If a network disruption lasts longer than this amount of time, the health monitoring service generates a diagnostic message and begins sending "Machine detection" requests to verify the existence of the standby server. Default: 5 seconds. Minimum: 1 second. Maximum: 600 seconds.
Maximum delay before server is active: Sets the maximum amount of time during a switch back that the server becoming active waits for clients to be ready for the switch. The purpose of the delay is to allow clients to establish connections to the server that is ready to become active. When the switch back occurs, data is available to the clients as soon as possible. As soon as all clients successfully connect, the server switches over to active immediately, even if the maximum delay was not yet reached. If the maximum delay is too short, the active server may not be able to provide high-quality service to its clients. Poor client performance and a diagnostic message stating that the server switched to active before all clients finish connecting may be observed. Default: 2 minutes. Minimum: 0 minutes (not recommended). Maximum: 60 minutes.
See also
Set network health monitoring policies on page 84

Set audit policies

Use Audit Policy Properties to specify what security-related information is recorded while the system is being used. Audit policies include whether access checks are audited, whether access grants, denies, or both are audited, and so on. Audit messages are sent to FactoryTalk Diagnostics, and are viewed using the FactoryTalk Diagnostics Viewer.
To set up audit policies
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Audit Policy and select Properties.
3. In Audit Policy Properties, for each policy setting listed, choose either Enabled or Disabled.
f. Audit changes to configuration and control system
Enabled (default) - Generates audit messages when configuration and control system changes occur across the FactoryTalk system.
Disabled - Does not route audit messages to FactoryTalk Diagnostics log files, even if logging destinations are configured for audit messages on the Message Routing tab in FactoryTalk Diagnostics Setup.
Any changes made to the value of the Audit changes to configuration and control system policy itself are always recorded, regardless of whether audit logging is enabled or disabled. If enabled, audit information is sent to FactoryTalk Diagnostics.
g. Audit security access failures
Enabled - Generates audit messages when users fail to access objects or features because of insufficient security permissions.
Disabled (default) - Does not generate audit messages when users fail to access secured objects or features.
h. Audit security access successes
Enabled - Generates audit messages when users succeed in accessing objects or features because of sufficient security permissions.
Disabled (default) - Does not generate audit messages when users succeed in accessing objects or features because of sufficient security permissions.
When enabled, this policy might generate a large number of audit messages. Enable this policy only if there is a specific reason, for example, testing or troubleshooting whether users are able to access particular features or objects in the system. If enabled, audit information is sent to FactoryTalk Diagnostics.
4. Select OK.
See also
Audit policies on page 87
Audit trails and regulatory compliance on page 36
Example: Audit messages on page 91
Audit policies
Auditing user actions in a control system helps answer "who changed this process variable, when, and why?"
In an industry that must comply with governmental regulations, such as U.S. Government 21 CFR Part 11, the plant must be able to answer this question. The answer is also important if the plant manufactures products with critical tolerances, or if unmanaged changes could negatively affect product quality or risk consumer safety.
An audit trail records:
The specific, authenticated user who is authorized to access the manufacturing system
The action taken—typically an operation that affects the manufacturing control system or that creates, modifies, or deletes some element of the manufacturing process
The resource—an object such as a PLC-5®, application, tag, or command, on which the user performs an action
The computer from which the user performed the action
The date and time when the user performed the action
Like other FactoryTalk policy settings, audit policies are managed separately in the network directory and the local directory.
Auditing changes to the system configuration, and to the control system
The FactoryTalk system generates and sends audit messages to FactoryTalk Diagnostics. A system-wide policy setting controls whether audit records are generated and logged. If the system policy is enabled, then FactoryTalk Diagnostics routes the audit messages to various logging destinations, including the FactoryTalk® Audit Log. If the system policy is disabled, then FactoryTalk Diagnostics ignores audit messages generated by FactoryTalk components and FactoryTalk products and does not route them for logging.
Each FactoryTalk product defines its own rules for auditing changes. This means that the messages that appear in the FactoryTalk Diagnostics Viewer vary, depending on what products are installed. If the setting Audit changes to configuration and control system is enabled, audit messages are generated when any configuration and control system changes occur across the FactoryTalk system.
Auditing security access failures and successes
Whenever a user attempts to access a secured resource, FactoryTalk Security can generate audit messages if the user was denied or granted access.
For example, suppose an area named Ingredients is secured so that only members of the OperatorsLine5 group can write to the area. If the Audit object access success policy is enabled, every time an operator is granted write access to this area, a message is logged to FactoryTalk Diagnostics. If Audit object access failure policy is enabled, every time an operator is refused Write access to this area, a message is logged to FactoryTalk Diagnostics.
Object access failures do not necessarily represent deliberate attempts to compromise the security of the system. For example, an object access failure message is logged if a user is denied Configure Security permission and right-clicks the Users and Groups folder.
Auditing security access success can consume large amounts of system resources. Enable this policy only when necessary, for example, while testing the system, or if required in industries that must comply with governmental regulations.
Examples of messages for auditing security access failures and successes:
User NETWORK\JSMITH attempted to perform action COMMON\WRITE from NETWORK\DOMAIN\COMPUTER5 on [OPC data server][RNA://$Global/Norms Bakery/Ingredients/RecipeDataServer] and was granted access
User NETWORK\JSMITH attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER5 on [directory][$System] and was denied access
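As an added example (not Rockwell Automation code), the Python below parses messages in the format quoted above, as they arrive once Audit security access failures or successes is enabled, and flags repeated denials of the same action by the same user from the same computer; as noted, a single access failure is often innocent, so repetition is what is worth a look. The sample log and the three-denial threshold are constructed (the first two lines are the guide's own examples).

```python
"""Parse and summarise FactoryTalk security access audit messages.

Added illustration only: not Rockwell Automation code. The message format is
taken from the two examples quoted in the guide; the sample log below is
constructed (its first two lines are the guide's examples, the rest are made up).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# "User <user> attempted to perform action <action> from <computer>
#  on [<resource type>][<resource>] and was granted|denied access"
AUDIT_RE = re.compile(
    r"^User (?P<user>\S+) attempted to perform action (?P<action>.+?) "
    r"from (?P<computer>\S+) on \[(?P<resource_type>[^\]]*)\]\[(?P<resource>[^\]]*)\] "
    r"and was (?P<outcome>granted|denied) access$"
)


@dataclass(frozen=True)
class AccessAudit:
    user: str
    action: str
    computer: str
    resource_type: str
    resource: str
    granted: bool


def parse_access_audit(line: str) -> Optional[AccessAudit]:
    """Return the parsed event, or None for any other FactoryTalk Diagnostics message."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    return AccessAudit(m["user"], m["action"], m["computer"], m["resource_type"],
                       m["resource"], m["outcome"] == "granted")


def parse_log(lines: Iterable[str]) -> List[AccessAudit]:
    """Keep only the lines that are security access audit messages."""
    return [e for e in (parse_access_audit(line) for line in lines) if e is not None]


DenialKey = Tuple[str, str, str]   # (user, computer, action)


def repeated_denials(events: Iterable[AccessAudit], threshold: int = 3) -> Dict[DenialKey, int]:
    """Denied attempts repeated at least `threshold` times by one user, from one
    computer, for one action. One failure is often innocent (the guide's right-click
    example); the same denial repeating is what merits a look."""
    counts = Counter((e.user, e.computer, e.action) for e in events if not e.granted)
    return {key: n for key, n in counts.items() if n >= threshold}


SAMPLE_LOG = [
    # The guide's two examples.
    r"User NETWORK\JSMITH attempted to perform action COMMON\WRITE from NETWORK\DOMAIN\COMPUTER5 on [OPC data server][RNA://$Global/Norms Bakery/Ingredients/RecipeDataServer] and was granted access",
    r"User NETWORK\JSMITH attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER5 on [directory][$System] and was denied access",
    # Constructed lines: repeated denials of a privileged action from one workstation.
    r"User NETWORK\AJONES attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER9 on [directory][$System] and was denied access",
    r"User NETWORK\AJONES attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER9 on [directory][$System] and was denied access",
    r"User NETWORK\AJONES attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER9 on [directory][$System] and was denied access",
    # A different Diagnostics message (application authorization), not an access audit.
    "Login failure for application [RNASecurityTestClient.exe] on directory [Network]. application was denied access.",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} of {len(SAMPLE_LOG)} lines as access audits")
    for (user, computer, action), n in repeated_denials(events).items():
        print(f"{n} denials: {user} from {computer} for {action}")
```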
See also
Set audit policies on page 86
Audit trails and regulatory compliance on page 36
Example: Audit messages on page 91
How do I open Audit Policy Properties?
1. StartFactoryTalk Administration Console or FactoryTalk View Studio
and log on to the FactoryTalk Network Directory or FactoryTalk Local Directory.
2. In Explorer, expand the System folder > Policies > System Policies.
3. Select Audit Policy.
Use Audit Policy Properties to specify what security-related information is recorded while the system is being used. Audit policies include whether access checks are audited, whether access grants, denies, or both are audited, and so on. Audit messages are sent to FactoryTalk Diagnostics, where they can be viewed using the FactoryTalk Diagnostics Viewer. Use these settings to specify what information is audited by the FactoryTalk system.
Setting: Audit changes to configuration and control system
Description: Determines whether to generate audit messages when configuration and control system changes occur across the FactoryTalk system. To disable audit logging, set this policy to Disabled. If this policy is disabled, audit messages are not routed to FactoryTalk Diagnostics log files, even if logging destinations are configured for audit messages on the Message Routing tab in Diagnostics Setup. Any changes made to the value of the Audit changes to configuration and control system policy itself are always recorded, regardless of whether audit logging is enabled or disabled.
Default: Enabled

Setting: Audit security access failures
Description: Determines whether to generate an audit message when a user attempts an action and is denied access to the secured object or feature because of insufficient security permissions. To record audit messages when users fail to access objects because of insufficient security permissions, set this policy to Enabled. If enabled, audit information is sent to FactoryTalk Diagnostics.
Default: Disabled

Setting: Audit security access successes
Description: Determines whether to generate an audit message when a user attempts an action and is granted access to the secured object or feature because the user has the required security permissions. To record audit messages when users succeed in accessing objects because of sufficient security permissions, set this policy to Enabled. When enabled, this policy might generate a large number of audit messages. Enable this policy only if there is a specific reason for doing so, for example, testing or troubleshooting whether users can access particular features or objects in the system. If enabled, audit information is sent to FactoryTalk Diagnostics.
Default: Disabled
See also
Set audit policies on page 86
Audit trails and regulatory compliance on page 36
Audit policies on page 87
Monitor security-related events
Monitor security-related events to find out if changes are made to security policies or other objects, who made the changes, and when they were made.
Monitor security-related events by setting up audit policies.
In a FactoryTalk automation system, Rockwell Automation software products monitor system activity and generate detailed diagnostic messages. Meanwhile, FactoryTalk Diagnostics collects these activity, warning, error, and audit messages from all participating products throughout a distributed system and routes them to Local Logs on each computer. Depending on the products installed and the configuration options set, FactoryTalk Diagnostics can also route these messages to other centralized logging destinations, such as an ODBC database or FactoryTalk® AssetCentre Audit Log.
To configure FactoryTalk Diagnostics routing and logging options, select FactoryTalk Diagnostics Setup from the Tools menu on each computer where the FactoryTalk Administration Console is installed.
To view diagnostic messages, from the Tools menu select FactoryTalk Diagnostics > Viewer.
See also
Set audit policies on page 86
Example: Audit messages
If the setting Audit changes to configuration and control system is enabled in Audit Policy, audit messages are generated when any configuration and control system changes occur across the FactoryTalk system.
Examples of messages for adding and removing control system components:
Added area [Line2] to application [Network/Paper Mill]
Removed area [Line1b] from application [Network/PaperMill]
Added graphic display [Overview] to area [Network/Paper Mill/Line2]
Removed user [BBilly] from directory [Network/System]
Downloaded project [PASTEURIZE] to processor [/NetworkPath/Line1]
Inserted rung [XIC B3/0 OTE B3/0] in processor [XYZ/File 2/Rung 10]
Examples of messages for modifying control system values:
Modified properties of user [JSmith] in directory [Network/System]
Modified properties of server [Line2HMI] in application [Network/Paper Mill]
Forced I/O [I1:2/15] in processor [TABLET10] from [OFF] to [ON]
Changed security policy [Enforce password history] in directory [Network/System] from [0] to [5]
Changed value of tag [HighPressureLimit] in processor [TABLET10] from [100] to [125]
Changed value of tag [MaxFeederSpeed] in area [Network/Paper Mill/Line1] from [200] to [300]
Changed name of graphic display [Line1Overview] in area [Network/Paper Mill/Line2] from [Line1Overview] to [Line2Overview]
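As an added example that is not part of the Rockwell manual, the following Python parses the two message shapes shown in this chapter (the access-check messages from the audit policies section and the configuration-change messages above) and sorts each into a review bucket. The sample lines are constructed from the manual's illustrative values, and the severity rules are this example's own assumption, not a FactoryTalk setting.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the two message formats shown in this chapter.
# The user, computer, tag and processor names are the manual's illustrative
# values, not live systems.
SAMPLE_AUDIT_MESSAGES = [
    r"User NETWORK\JSMITH attempted to perform action COMMON\WRITE from NETWORK\DOMAIN\COMPUTER5 "
    r"on [OPC data server][RNA://$Global/Norms Bakery/Ingredients/RecipeDataServer] and was granted access",
    r"User NETWORK\JSMITH attempted to perform action COMMON\CONFIGURE SECURITY from NETWORK\DOMAIN\COMPUTER5 "
    r"on [directory][$System] and was denied access",
    "Changed security policy [Enforce password history] in directory [Network/System] from [0] to [5]",
    "Forced I/O [I1:2/15] in processor [TABLET10] from [OFF] to [ON]",
    "Changed value of tag [HighPressureLimit] in processor [TABLET10] from [100] to [125]",
    "Added area [Line2] to application [Network/Paper Mill]",
]

# "User X attempted to perform action Y from Z on [type][path] and was granted|denied access"
ACCESS_RE = re.compile(
    r"^User (?P<user>\S+) attempted to perform action (?P<action>.+?) from (?P<computer>\S+) "
    r"on \[(?P<obj_type>[^\]]*)\]\[(?P<obj_path>[^\]]*)\] and was (?P<result>granted|denied) access$"
)
# "<verb> [<kind>] [object] in|to|from <container> [name] (from [old] to [new])"
CHANGE_RE = re.compile(
    r"^(?P<verb>Added|Removed|Modified properties of|Changed name of|Changed value of tag|"
    r"Changed security policy|Forced I/O|Downloaded project|Inserted rung)(?: (?P<kind>[\w ]+?))? "
    r"\[(?P<object>[^\]]*)\] (?:in|to|from) (?P<container>[\w ]+?) \[(?P<container_name>[^\]]*)\]"
    r"(?: from \[(?P<old>[^\]]*)\] to \[(?P<new>[^\]]*)\])?$"
)

# Review priorities are this example's own assumption, not a FactoryTalk setting:
# anything that changes security policy, forces I/O or downloads logic to a
# controller is reviewed first; value, rung and property edits next; add/remove last.
HIGH_RISK_VERBS = {"Changed security policy", "Forced I/O", "Downloaded project"}
MEDIUM_RISK_VERBS = {"Changed value of tag", "Inserted rung", "Modified properties of"}
SECURITY_ACTIONS = {"COMMON\\CONFIGURE SECURITY"}


@dataclass
class AuditEvent:
    kind: str        # "access" or "change"
    severity: str    # "info", "medium" or "high"
    fields: dict     # named groups from the matching regular expression


def parse_audit_message(msg: str) -> Optional[AuditEvent]:
    """Classify one FactoryTalk Diagnostics audit message; None if the format is unknown."""
    m = ACCESS_RE.match(msg)
    if m:
        f = m.groupdict()
        # The manual notes that denials are not necessarily deliberate attempts
        # (its example is a right-click on a folder), so a denied security
        # configuration action is queued for follow-up rather than treated as an incident.
        denied_security = f["result"] == "denied" and f["action"].upper() in SECURITY_ACTIONS
        return AuditEvent("access", "medium" if denied_security else "info", f)
    m = CHANGE_RE.match(msg)
    if m:
        f = m.groupdict()
        if f["verb"] in HIGH_RISK_VERBS:
            sev = "high"
        elif f["verb"] in MEDIUM_RISK_VERBS:
            sev = "medium"
        else:
            sev = "info"
        return AuditEvent("change", sev, f)
    return None


def triage(messages) -> list:
    """Parse every message, keeping only those in a recognised format."""
    return [e for e in (parse_audit_message(m) for m in messages) if e is not None]


def severity_counts(events) -> dict:
    """How many events landed in each review bucket."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for e in events:
        counts[e.severity] += 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_AUDIT_MESSAGES):
        print(f"{e.severity:6} {e.kind:6} {e.fields}")
```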
See also
Audit policies on page 87
Set system security policies
Use Security Policy Properties to define general rules for implementing security across all FactoryTalk products in the system.
Account Policy Settings: Specify how FactoryTalk manages policies for user, computer, and group accounts.
Computer Policy Settings: Specify how computer accounts in the FactoryTalk network directory can use remote access.
Directory Protection Policy Settings: Specify how client computer accounts use the FactoryTalk network directory.
Password Policy Settings: Configure password requirements for FactoryTalk user accounts.
Single Sign-On Policy Settings: Control whether users can log on once to the FactoryTalk system, or must log on to each FactoryTalk product separately.
See also
Modify Account Policy Settings on page 92
Modify Computer Policy Settings on page 93
Modify Directory Protection Policy Settings on page 95
Modify Password Policy Settings on page 96
Enable single sign-on on page 99
Modify Account Policy Settings
Use Account Policy Settings to change these security policy properties:
Logon session lease
Account lockout threshold
Account lockout auto reset
Keep record of deleted accounts
Show deleted accounts in user list
To modify Account Policy Settings
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, select + to expand Account Policy Settings.
4. To set the maximum number of hours that a user can remain logged on before the system checks whether the user’s account is still valid, select Logon session lease, and type a value from 0-999. Setting this value to 0 allows the logon session to be used indefinitely, allowing users to have continuous access, even if their accounts are disabled or deleted.
5. To set the number of consecutive times a user can unsuccessfully attempt to log on before the account is locked, double-click Account lockout threshold, and type a value from 0-999. If set to 0, accounts are never locked no matter how many consecutive times a user attempts to log on. An invalid logon attempt occurs if the user attempts to log on and specifies a correct user name but an incorrect password.
A locked account cannot be used until the Account lockout auto reset period expires, or until the account is reset by a FactoryTalk administrator. This helps prevent an unauthorized user from gaining access to the system by guessing a password through a process of elimination.
6. To specify the amount of time that must expire before a locked account is reset and the user can attempt access again, select Account lockout auto reset and type a value between 0 and 999 minutes.
7. To determine if the system maintains a record of deleted user accounts, select Keep record of deleted accounts, and select one:
Enabled—Accounts are permanently disabled, but remain flagged in the system with a unique identifier. New accounts must have unique names. For security, audit tracking, and compliance requirements, it may be necessary to keep a record of deleted accounts.
Disabled—Accounts are fully deleted from the system, allowing new accounts to use the same name. However, the new accounts have different account identifiers and do not inherit the security settings of the deleted account.
8. If deleted account records are kept, choose whether or not to list deleted account records in the Users folder in the System tree. Select Show deleted accounts in user list, and select one:
Enabled—Administrators can view details about these deleted user accounts.
Disabled—Deleted accounts are not shown in the list of user accounts.
9. When finished modifying Account Policy Settings, select OK.
See also
Account Policy Settings on page 100
Audit trails and regulatory compliance on page 36
Enable single sign-on on page 99
Modify Computer Policy Settings
Use Computer Policy Settings to change these security policy properties:
Whether or not a user can connect to the FactoryTalk Directory from a client computer that does not have a computer account in the network directory
How client computers connect to the FactoryTalk Directory through Remote Desktop Services, and how the computer name appears in the FactoryTalk Diagnostics log of actions.
These settings apply only to computers in the FactoryTalk network directory because the FactoryTalk local directory does not permit remote access.
To modify Computer Policy Settings
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, select + to expand Computer Policy Settings.
4. To change the requirements for connecting to the FactoryTalk Directory from a computer that does not have a FactoryTalk computer account, select Require computer accounts for all client machines and select one:
Enabled—allows users to log on to FactoryTalk only if they are logging on from a client computer that has an account in the FactoryTalk Directory. Remote Desktop Services clients can still log on to FactoryTalk Directory without computer accounts if the Identify terminal server clients using the name of policy is set to Server Computer. See step 5.
Disabled—allows users to log on to FactoryTalk from any client computer, even if that computer has no computer account in the FactoryTalk network directory.
5. To determine what computer name identifies clients connecting to the FactoryTalk Directory through Remote Desktop Services, select Identify terminal server clients using the name of and select one:
Terminal client—Client computers must have computer accounts in the FactoryTalk Directory to access FactoryTalk applications, unless the Require computer accounts for all client machines policy is disabled. This combination of settings is useful for diagnostic logging because the name of the client computer where actions originate can be logged.
Terminal Client logs actions using the name of the client computer where the user is connecting to the Remote Desktop Connection (RDC) client computer. The computer name logged in FactoryTalk Diagnostics is different for each client connecting via Remote Desktop Services.
Server computer—allows client computers to connect through Remote Desktop Services without requiring accounts in the FactoryTalk Directory, even if the Require computer accounts for all client machines policy is Enabled.
Server computer logs actions using the name of the Remote Desktop Connection server computer. The computer name logged in FactoryTalk Diagnostics will be the same for all users connecting via Remote Desktop Services.
6. When finished modifying Computer Policy Settings, select OK.
IMPORTANT: If setting the Identify terminal server clients using the name of policy to Server Computer, disable single sign-on because the computer name is saved as part of the single sign-on user's credentials, and might affect the level of access a Remote Desktop Services user has to the FactoryTalk system.
See also
Computer Policy Settings on page 102
Enable single sign-on on page 99
Modify Directory Protection Policy Settings
Use Directory Protection Policy Settings to change the security policy properties that determine:
If computers with FactoryTalk versions less than 2.50, which are considered non-secure, can access a directory server with FactoryTalk CPR 9 SR5 or later, and if so, whether or not an audit message is generated
How long cache files remain available after a client computer disconnects from the server, and if a warning message displays
These settings apply only to computers in the FactoryTalk network directory.
To modify Directory Protection Policy Settings
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, expand Directory Protection Policy Settings.
4. By default, FactoryTalk allows client computers with FactoryTalk versions earlier than 2.50 to connect to and retrieve information from a directory server computer with FactoryTalk 2.50 or later. To change this policy, change the Support non-secure clients setting to Deny. Clients with FactoryTalk versions earlier than 2.50 are denied access and a Protocol version mismatch error occurs.
5. By default, an audit message is created when a client computer with a FactoryTalk version earlier than 2.50 connects to a directory server computer with FactoryTalk 2.50 or later. If the message should not be created, change the Audit non-secure client connections setting to Disabled.
6. By default, cache files never expire. Instead, the cache files remain available after the client computer is disconnected from the server. To set a time limit for when cache files should expire, change the Directory cache expiration setting by typing or selecting a number of hours between 1 and 9999. When the time limit is reached, the client computer must reconnect to the server to continue to access the files.
7. By default, no warnings appear prior to cache expiration, but notifications can appear upon disconnection and cache expiration. To enable cache expiration warnings, change the Directory cache expiration warning setting by typing a number between 1 and 24. A warning notification appears this number of hours before cache expiration.
8. Configure the Security authorization policy to determine whether the client computer is authorized with directory files from the server or local client cache files.
Require directory update from server before authorizing means the client computer is authorized using directory files from the server.
Use local client cache means the client computer is authorized using local client cache files. The amount of time for the client computer to wait before transferring cache files is configured in Directory cache transfer waiting time.
9. Configure the Directory cache transfer waiting time policy to determine how long the client computer waits before transferring cache files. Enter a number of seconds from 5 through 600. This policy only applies when Security authorization policy is set to Use local client cache.
10. When finished modifying directory protection policy settings, select OK.
See also
Computer Policy Settings on page 102
Enable single sign-on on page 99
Modify Password Policy Settings
Use Password Policy Settings to set security policy properties that control the conditions for a valid FactoryTalk password, such as minimum and maximum password length, password encryption method, password complexity requirements, and when a password expiration warning is given.
These policies do not apply to Windows-linked user accounts. Backing up the FactoryTalk system folder before making changes to Password Policy Settings is recommended.
Be aware of these items before modifying Password Policy Settings:
Previous releases used the MD5 cryptographic hashing algorithm to encode passwords. If compatibility with FactoryTalk Services Platform version 3.00 or earlier is required, the MD5 password encryption method must be selected. MD5 is an older algorithm that has known security vulnerabilities. Using the SHA-256 encryption method is recommended.
IMPORTANT: If Passwords must meet complexity requirements is set to Enabled, the minimum password length is 6 characters and cannot be decreased using the Minimum password length setting. Setting Minimum password length to a value greater than 6 is enforced.
To modify Password Policy Settings
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, select > to expand Password Policy Settings.
4. In Password encryption method select the down arrow and select SHA-256 or MD5.
Changing the password encryption method invalidates current user passwords.
5. Select Passwords must meet complexity requirements and select Enabled to require users to create more secure passwords.
6. Select Minimum password length and type a number between 0 and 64 to define the number of characters required in a user password. Set Minimum password length to 0 to create user accounts without passwords.
7. Select Previous passwords remembered and type a number between 1 and 24 to prevent users from keeping the same password indefinitely. By default, three new passwords must be created before reusing an old password. If Previous passwords remembered is set to 0, old passwords can be reused immediately.
8. Select Minimum password age and type a number between 1 and 999 to require users to wait at least one day before changing their password.
9. Select Maximum password age and type a number between 1 and 999 to set the maximum number of days before passwords expire. When set to 0, passwords never expire.
10. Select Password expiration warning and enter a value between 0 and 999 to change the number of days before the system begins prompting users to change their passwords. By default, users receive a warning 14 days before their passwords expire.
11. Select OK or Apply to apply the new settings.
12. If the password encryption method was changed, choose how to process the change on all of the current FactoryTalk user accounts.
Select Disable all FactoryTalk user accounts to review each user account and select unique passwords for each.
Select Reset all FactoryTalk user passwords immediately to set a new password on all user accounts and require users to specify a new password the next time they log on.
This option updates these property settings on the FactoryTalk user accounts:
Policy: User cannot change password / Setting: Disabled
Policy: Password never expires / Setting: Disabled
Policy: User must change password at next logon / Setting: Enabled
See also
Password Policy Settings on page 106
Add a FactoryTalk user account on page 43
Back up a System folder on page 162
Modify Badge login policies
Use Badge Login Policy Settings to specify how FactoryTalk user accounts can log in using an RFID badge. Badge login policies include whether login using a badge is enabled, whether facility codes are required, the badge provider, and the data format used by the badge. After this policy is enabled and configured, login options are available in FactoryTalk user account properties and Badge IDs can be added to the FactoryTalk user account.
To set badge login policies
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Double-click Security Policy and select Badge Policy.
3. In the Badge Policy field, configure these policy settings:
i. Allow badge login: Select Enabled to permit FactoryTalk user accounts to include an associated badge ID to log on.
j. Number of bits in ID: Specify the number of bits that will be extracted from the badge as the Badge ID.
k. Number of trailing parity bits to strip: Specify the number of bits that will be ignored when extracting the data from the badge.
l. Use Facility Code: Yes - Check the Facility Code in the badge identification number first, when the login is processed. No - Ignore the Facility Code in the badge identification number when the login is processed.
m. Number of Facility Code: Specify the number of bits that will be extracted from the badge as the Facility Code.
n. Facility code: Type the facility code that is embedded in the badge. The embedded facility code is provided by the badge manufacturer.
4. Select OK.
See also
Security Policy Properties on page 110
Badge Login Policy Settings
User Properties settings
Set login options for a FactoryTalk user account
Enable single sign-on
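As an added example (not Rockwell's implementation), the following Python shows how the badge policy settings above combine when a badge read is processed: trailing parity bits are stripped, the Badge ID and Facility Code are cut out of the remaining bits, and with Use Facility Code set to Yes the facility code is checked before the ID is looked up. The bit layout (facility code immediately above the ID bits) and the sample 26-bit badge read are this example's assumptions; the manual does not specify the layout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BadgePolicy:
    """The Badge Policy settings listed in the procedure above."""
    allow_badge_login: bool        # Allow badge login
    id_bits: int                   # Number of bits in ID
    trailing_parity_bits: int      # Number of trailing parity bits to strip
    use_facility_code: bool        # Use Facility Code
    facility_code_bits: int        # Number of Facility Code
    facility_code: int             # Facility code (from the badge manufacturer)


def extract_badge_fields(raw_bits: str, policy: BadgePolicy):
    """Return (badge_id, facility_code) from the raw bit string read off the badge.

    Assumed layout (this example's own, not from the manual): after the trailing
    parity bits are stripped, the low-order id_bits are the Badge ID and the
    facility_code_bits immediately above them are the Facility Code; any leading
    bits beyond those (e.g. a leading parity bit) are ignored.
    """
    if not raw_bits or set(raw_bits) - {"0", "1"}:
        raise ValueError("badge data must be a non-empty string of 0/1 bits")
    if policy.id_bits <= 0:
        raise ValueError("Number of bits in ID must be positive")
    if policy.use_facility_code and policy.facility_code_bits <= 0:
        raise ValueError("Number of Facility Code must be positive when Use Facility Code is Yes")
    payload = raw_bits[:len(raw_bits) - policy.trailing_parity_bits]
    needed = policy.id_bits + (policy.facility_code_bits if policy.use_facility_code else 0)
    if len(payload) < needed:
        raise ValueError("badge data shorter than the configured field widths")
    badge_id = int(payload[-policy.id_bits:], 2)
    facility_code: Optional[int] = None
    if policy.use_facility_code:
        start = len(payload) - needed
        facility_code = int(payload[start:start + policy.facility_code_bits], 2)
    return badge_id, facility_code


def badge_login(raw_bits: str, policy: BadgePolicy, enrolled: dict) -> Optional[str]:
    """Resolve a badge read to an enrolled FactoryTalk account name, or None.

    Follows the order described for Use Facility Code = Yes: the facility code is
    checked first, and only then is the Badge ID looked up among enrolled accounts.
    """
    if not policy.allow_badge_login:
        return None
    try:
        badge_id, facility_code = extract_badge_fields(raw_bits, policy)
    except ValueError:
        return None
    if policy.use_facility_code and facility_code != policy.facility_code:
        return None
    return enrolled.get(badge_id)


# Constructed sample: a 26-bit read with one leading parity bit, an 8-bit
# facility code of 43, a 16-bit ID of 1234 and one trailing parity bit.
SAMPLE_POLICY = BadgePolicy(True, 16, 1, True, 8, 43)
SAMPLE_BADGE = "0" + format(43, "08b") + format(1234, "016b") + "1"
SAMPLE_ENROLLED = {1234: "JSmith"}   # Badge ID -> FactoryTalk user account (constructed)

if __name__ == "__main__":
    print(extract_badge_fields(SAMPLE_BADGE, SAMPLE_POLICY))
    print(badge_login(SAMPLE_BADGE, SAMPLE_POLICY, SAMPLE_ENROLLED))
```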
Use Single Sign-On Policy Settings to configure security policy properties to
enable single sign-on capability. When single sign-on is enabled, only one log on, per directory, on a given computer is allowed. Once logged on, all participating FactoryTalk products that run in that directory on that computer automatically use those same security credentials.
To enable single sign-on
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, select > to expand Single Sign-On Policy Settings.
4. To the right of Use single sign-on, select the down arrow.
5. Choose Enabled, then select OK.
If single sign-on still does not seem to be working properly, the FactoryTalk product in use may not support the single sign-on capability. Some FactoryTalk products always require users to log on, even if single sign-on is enabled.
See also
Disable single sign-on on page 100
Security Policy Properties on page 110
Disable single sign-on
To require users to log into each FactoryTalk product separately, configure Single Sign-On Policy Settings to disable single sign-on capability.
To disable single sign-on
1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
2. Right-click Security Policy and select Properties.
3. In Security Policy Properties, select > to expand Single Sign-On Policy Settings.
4. To the right of Use single sign-on, select the down arrow.
5. Choose Disabled, then select OK.
See also
Enable single sign-on on page 99
Account Policy Settings
Use Account Policy Settings to specify how FactoryTalk manages policies for user, computer, and group accounts. Additional policy settings for computer accounts are managed in Computer Policy Settings.
Setting: Logon session lease
Description: Sets the maximum number of hours that a user can remain logged on before the system checks whether the user’s account is still valid. Use this setting to prevent logged on users from retaining access indefinitely, even after their accounts are disabled or deleted. For example, if a user's account is disabled or its password changed, and the account name and password cannot be reauthenticated, the logon session becomes invalid. The user can no longer access secure system resources until the user logs on successfully again. Setting this value to 0 allows the logon session to be used indefinitely, allowing users to have continuous access, and preventing the system from automatically reauthenticating users. This means that the system does not check whether the user’s account is still valid.
Minimum: 0 hours
Maximum: 999 hours
Default: 1 hour