Rockwell Automation FactoryTalk Security System Quick Start Guide

FactoryTalk Security System Configuration Guide

Quick Start
Original Instructions

Rockwell Automation Publication FTSEC-QS001Q-EN-E - March 2021
Supersedes Publication FTSEC-QS001P-EN-E - September 2020

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).


Table of Contents

Preface
    Summary of changes ..... 9
    About this publication ..... 9
    Additional resources ..... 10
    Legal Notices ..... 10

Chapter 1: About FactoryTalk systems
    FactoryTalk systems ..... 13
        FactoryTalk Directory types ..... 15
        Accounts and groups ..... 16
        Account types ..... 18
        Applications and areas ..... 20
        Security in a FactoryTalk system ..... 20
        Example: Two directories on one computer ..... 22

Chapter 2: Install FactoryTalk Services Platform
    Install FactoryTalk Services Platform ..... 25
    Install FactoryTalk System Services and FactoryTalk Policy Manager ..... 26

Chapter 3: Getting started with FactoryTalk Security
    FactoryTalk Security ..... 29
        Security on a local directory ..... 31
        Security on a network directory ..... 31
        How security authenticates user accounts ..... 32
        Things you can secure ..... 32
        Best practices ..... 34
        Audit trails and regulatory compliance ..... 36
    Configure a computer to be the FactoryTalk Directory network server ..... 38
        Configure a computer to be the network directory server ..... 39
        Configure a network directory client computer ..... 39
        Check network directory server connection status ..... 40
        FactoryTalk Directory Server Location Utility ..... 41

Chapter 4: Manage users
    Manage users ..... 43
        Add a FactoryTalk user account ..... 43
        Add a Windows-linked user account ..... 45
        Add group memberships to a user account ..... 46
        Remove group memberships from a user account ..... 47
        Delete a user account ..... 48

Chapter 5: Manage user groups
    Manage user groups ..... 51
        Add a FactoryTalk user group ..... 52
        Add a Windows-linked user group ..... 53
        Edit or view user group properties ..... 55
        Delete a user group ..... 56
        Add accounts to a FactoryTalk user group ..... 56
        Remove accounts from a FactoryTalk user group ..... 57

Chapter 6: Manage computers
    Manage computers ..... 59
        Add a computer ..... 59
        Delete a computer ..... 60
        Edit or view computer properties ..... 61

Chapter 7: Add and remove user-computer pairs
    Add and remove user-computer pairs ..... 63
        Add a user-computer pair ..... 63
        Remove a user-computer pair ..... 65
        Edit or view user account properties ..... 65

Chapter 8: Add and remove action groups
    Add and remove action groups ..... 67
        Add an action group ..... 67
        Delete an action group ..... 68
        Add an action to an action group ..... 69
        Remove an action from an action group ..... 69

Chapter 9: Set system policies
    Authorize an application to access the FactoryTalk Directory ..... 72
        FactoryTalk Service Application Authorization ..... 73
        FactoryTalk Service Application Authorization settings ..... 73
        Publisher Certificate Information ..... 75
        Digitally signed FactoryTalk products ..... 76
    Authorize a service to use FactoryTalk Badge Logon ..... 76
        FactoryTalk Badge Authorization ..... 77
        FactoryTalk Badge Authorization settings ..... 77
    Assign user rights to make system policy changes ..... 78
        User rights assignment policies ..... 79
        User Rights Assignment Policy Properties ..... 80
        Configure Securable Action ..... 80
        Select a user or group ..... 81
    Change the default communications protocol ..... 82
        Default communications protocol settings ..... 82
        Live Data Policy Properties ..... 83
    Set network health monitoring policies ..... 84
        Health Monitoring Policy Properties ..... 85
    Set audit policies ..... 86
        Audit policies ..... 87
        Audit Policy Properties ..... 89
        Monitor security-related events ..... 90
        Example: Audit messages ..... 91
    Set system security policies ..... 91
        Modify Account Policy Settings ..... 92
        Modify Computer Policy Settings ..... 93
        Modify Directory Protection Policy Settings ..... 95
        Modify Password Policy Settings ..... 96
        Modify Badge login policies ..... 98
        Enable single sign-on ..... 99
        Disable single sign-on ..... 100
        Account Policy Settings ..... 100
        Computer Policy Settings ..... 102
        Directory Protection Policy Settings ..... 103
        Cache expiration policies ..... 105
        Password Policy Settings ..... 106
        Single Sign-On Policy Settings ..... 109
        When to disable single sign-on ..... 110
        Security Policy Properties ..... 110
    Navigate the Policy Properties windows ..... 111
    Export policies to XML ..... 112

Chapter 10: Set product-specific policies
    Secure features of a single product ..... 114
    Secure multiple product features ..... 114
    Feature Security for Product Policies ..... 115
    Feature Security Policies ..... 116
    Differences between securable actions and product policies ..... 116

Chapter 11: Manage logical names
    Logical names ..... 119
    Add a logical name ..... 121
    Delete a logical name ..... 122
    Add a device to a logical name ..... 122
    Remove a device from a logical name ..... 122
    Assign a control device to a logical name ..... 123
    Add a logical name to an area or application ..... 124
    Delete a logical name from an area or application ..... 124
    New Logical Name ..... 125
    Logical Name Properties ..... 126
    Device Properties ..... 126

Chapter 12: Resource grouping
    Resource groupings ..... 129
    Group hardware resources in an application or area ..... 130
    Move a resource between areas ..... 131
    Remove a device from a resource grouping ..... 131
    Resources Editor ..... 132
    Select Resources ..... 133

Chapter 13: Secure resources
    Secure resources ..... 135
        Permissions ..... 135
            Breaking the chain of inheritance ..... 138
            Order of precedence ..... 139
            Actions ..... 140
        Set FactoryTalk Directory permissions ..... 144
        Set application permissions ..... 145
        Set area permissions ..... 147
        Set System folder permissions ..... 148
        Set action group permissions ..... 149
        Set database permissions ..... 151
        Set logical name permissions ..... 152
        Allow a resource to inherit permissions ..... 153
        Prevent a resource from inheriting permissions ..... 154
        View effective permissions ..... 154
        Effective permission icons ..... 156

Chapter 14: Disaster Recovery
    Back up a FactoryTalk system ..... 159
        Back up a FactoryTalk Directory ..... 160
        Back up a System folder ..... 162
        Back up an application ..... 164
        Back up a Security Authority identifier ..... 166
        Backup FactoryTalk Linx configuration ..... 167
        Backup ..... 168
        Backup and restore options ..... 170
        Modify Security Authority Identifier ..... 171
    Restore a FactoryTalk system ..... 172
        Restore a FactoryTalk Directory ..... 172
        Restore a System folder ..... 175
        Restore an application ..... 176
        Restore a Security Authority identifier ..... 179
        Restore FactoryTalk Linx configuration ..... 180
        Verify security settings after restoring a FactoryTalk system ..... 181
            Update computer accounts in the network directory ..... 181
            Recreate a Windows-linked user account ..... 182
            Update Windows-linked user groups ..... 183
            Update security settings for Networks and Devices ..... 183
            Update security settings for the FactoryTalk Linx OPC UA Connector ..... 184
            Restore database connections ..... 185
        Restore an earlier system after upgrading FactoryTalk platform software ..... 185
        Generate a Security Authority identifier ..... 187
        Restore ..... 188
        Restore (FactoryTalk Directory) ..... 189
        Restore (System folder) ..... 190
        Restore (Application) ..... 190
        Restore (Security Authority Identifier) ..... 192
        Restore Backup File ..... 193
    Use commands to back up and restore ..... 193
    FactoryTalk Directory Configuration Wizard ..... 196
        Select a FactoryTalk Directory to configure ..... 197
            Configure FactoryTalk Network Directory ..... 197
            Network directory and the FactoryTalk Directory Configuration Wizard ..... 198
            Configure FactoryTalk Local Directory ..... 199
            Local directory and the FactoryTalk Directory Configuration Wizard ..... 200
            Product support for network and local directories ..... 201
        Enter an administrator user name and password ..... 202
        Reset an expired password ..... 203
        Change Password (local) ..... 203
        Change Password (network) ..... 204
        Summary ..... 205
        Default passwords ..... 206

Appendix A: Upgrade FactoryTalk Services Platform
    Upgrade FactoryTalk Services Platform ..... 209
    Identify the installed FactoryTalk Services Platform version ..... 210

Appendix B: FactoryTalk Web Services
    Install FactoryTalk Web Services ..... 211
    Add an HTTPS site binding for FactoryTalk Web Services ..... 212
    Client computers unable to connect to FactoryTalk Web Services ..... 213
    User cannot log into FactoryTalk Web Services ..... 214

Appendix C: Introduction to FactoryTalk Policy Manager and FactoryTalk System Services
    FactoryTalk Policy Manager and FactoryTalk System Services ..... 215
    Install FactoryTalk System Services and FactoryTalk Policy Manager ..... 216
    Start FactoryTalk System Services ..... 217
    Log on to FactoryTalk Policy Manager ..... 217
    Navigate FactoryTalk Policy Manager ..... 218
    FactoryTalk Policy Manager Global Settings ..... 219
    FactoryTalk Policy Manager planning ..... 220
    FactoryTalk Policy Manager component considerations ..... 222
    Authentication methods ..... 223
    Security Groups ..... 223
    Zones ..... 224
        Add a zone ..... 225
    Conduits ..... 225
        Add a conduit ..... 226
    Devices ..... 227
        Discovery ..... 227
        Add a device to a zone ..... 227
        FactoryTalk Linx devices ..... 229
        Ports ..... 229
            Add a port ..... 230
        Replace a device ..... 230
        Remove the security policy from a device ..... 231
    Ranges ..... 232
        Add a range ..... 232
    Deploy a security model ..... 233
    Backup and restore security models ..... 234
        Backup FactoryTalk System Services ..... 235
        Restore FactoryTalk System Services ..... 235

Index

Preface

Summary of changes

This manual includes new and updated information. Use these reference tables to locate changed information.

Grammatical and editorial style changes are not included in this summary.

Global changes

None in this release.

New or enhanced features

This table contains a list of topics changed in this version, the reason for the change, and a link to the topic that contains the changed information.

Topic Name | Reason
--- | ---
Account Policy Settings on page 100 | The default value of the Account lockout threshold for the Local Directory and Network Directory is changed from 0 invalid logon attempts to 3 invalid logon attempts.
Back up a FactoryTalk Directory on page 160 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Back up an application on page 164 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Back up a System folder on page 162 | Enhanced to provide a backup step for FactoryTalk Linx configurations.
Restore a FactoryTalk Directory on page 189 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Restore a System folder on page 190 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Restore an application on page 176 | Enhanced to provide a restore step for FactoryTalk Linx configurations.
Use command line to back up and restore on page 193 | New topic that introduces the command lines that can be used to back up and restore the FactoryTalk Directory, System folder, and applications.

About this publication

This Quick Start Guide provides you with information on using FactoryTalk Services Platform with FactoryTalk Security.

Before using this guide, review the FactoryTalk Services Platform Release Notes for information about required software, hardware, and anomalies.

After using this guide, you will be more familiar with how FactoryTalk Services Platform uses:

    FactoryTalk Directory types
    User accounts
    Computer accounts
    Local and network security options
    Authentication methods
    Password management
    Security policies

Additional resources

For more information on system security, download the System Security Design Guidelines (publication SECURE-RM001) from the Rockwell Automation Literature Library.

For more information on the products and components discussed in this guide, the following manuals and Help files are available with the software:

    FactoryTalk® Help – Go to Rockwell Software > FactoryTalk Tools > FactoryTalk Help
    FactoryTalk View Installation Guide or FactoryTalk View Help – Go to Rockwell Software > FactoryTalk View > User Documentation and then select the appropriate Help or User Guide.
    FactoryTalk® Linx™ Help – Go to Rockwell Software > FactoryTalk Linx > FactoryTalk Linx Online Reference.
    RSLinx® Classic Help – Go to Rockwell Software > RSLinx > RSLinx Classic Online Reference.
    Studio 5000 Logix Designer® application Help – In Logix Designer, select Help > Contents.
    FactoryTalk Batch Administrator’s Guide – Go to Rockwell Software > FactoryTalk Batch Suite > FactoryTalk Batch > Online Books > FactoryTalk Batch > Batch Administrator's Guide
    FactoryTalk® Transaction Manager Help
    FactoryTalk® AssetCentre Help

The Rockwell Automation® Literature Library also has related Getting Results Guides that can be viewed online or downloaded:

    FactoryTalk Linx Getting Results Guide - Rockwell Automation Publication LNXENT-GR001_-EN-E
    RSLinx Classic Getting Results Guide - Rockwell Automation Publication LINX-GR001_-EN-E
    FactoryTalk Batch Getting Results Guide - Rockwell Automation Publication BATCH-GR011_-EN-P
    FactoryTalk Policy Manager Getting Results Guide - Rockwell Automation Publication FTALK-GR001_-EN-E

Legal Notices

Rockwell Automation publishes legal notices, such as privacy policies, license agreements, trademark disclosures, and other terms and conditions on the Legal Notices page of the Rockwell Automation website.

End User License Agreement (EULA)

You can view the Rockwell Automation End User License Agreement (EULA) by opening the license.rtf file located in your product's install folder on your hard drive.


The default location of this file is:

C:\Program Files (x86)\Common Files\Rockwell\license.rtf.

Open Source Software Licenses

The software included in this product contains copyrighted software that is licensed under one or more open source licenses.

You can view a full list of all open source software used in this product and their corresponding licenses by opening the index.html file located in your product's OPENSOURCE folder on your hard drive.

The default location of this file is:

C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk Services Platform\Release Notes\OPENSOURCE\index.htm

You may obtain Corresponding Source code for open source packages included in this product from their respective project web site(s). Alternatively, you may obtain complete Corresponding Source code by contacting Rockwell Automation via the Contact form on the Rockwell Automation website: http://www.rockwellautomation.com/global/aboutus/contact/contact.page. Please include "Open Source" as part of the request text.


Chapter 1

About FactoryTalk systems

FactoryTalk systems

A FactoryTalk® system is composed of software products, services, and hardware devices participating together and sharing the same FactoryTalk Directory and FactoryTalk services.

For example, a FactoryTalk system may be as simple as FactoryTalk® Services Platform, FactoryTalk View, RSLinx® Classic, and RSLogix™ 5 all installed on the same computer, communicating with a single programmable logic controller, and all participating in the same local application held in a local directory.


A FactoryTalk system may be much more complex, with software products and hardware devices participating in multiple network applications distributed across a network, all sharing the same network directory.

A single computer can host both a local directory and a network directory. The two directories are completely separate and do not share any information. When using both directories, that single computer participates in two separate FactoryTalk systems.

In the network directory example above, the directory hosts two network applications: Waste Water and Water Distribution. All of the areas, data servers, HMI servers, device servers, and alarm and event servers organized within each application are specific to that application. None of the application-specific information is shared with any other application in the directory. However, all information and settings organized within the System folder, such as security settings, system policies, product policies, and user accounts apply to all applications held in the directory.

For example, modifying security settings in the Waste Water application does not affect the Water Distribution application. However, making a change to a security policy applies the change to both the Waste Water application and the Water Distribution application. The security policy settings also apply to any other new applications created in this same network directory.

See also

FactoryTalk Directory types on page 15

Accounts and groups on page 16

Applications and areas on page 20

Security in a FactoryTalk system on page 20

Example: Two directories on one computer on page 22

FactoryTalk Directory types

The FactoryTalk Directory is the centerpiece of the FactoryTalk Services Platform. FactoryTalk Directory provides a central lookup service for all products participating in an application. Rather than a traditional system design with multiple, duplicated databases or a central, replicated database, FactoryTalk Directory references tags and other system elements from multiple data sources, and makes the information available to clients through a lookup service.

Tags are stored in their original environments, such as logic controllers. Graphic displays are stored in the HMI servers where they are created. This information is available, without duplication, to any FactoryTalk product participating in an application.

For example, at workstation 1, a logic programmer programs PLC tags using RSLogix™ and saves the project. At workstation 2, an engineer using FactoryTalk View SE has immediate access to the tags created in the PLC program, without creating an HMI tag database. Tags are available for immediate use anywhere within the application, even before the logic program is downloaded to the controller. As the logic program is edited, most tag information is updated, and new tags are available immediately across the system.

With RSLogix 5000® controllers, tags reside within the hardware itself. With Allen-Bradley® PLC-5® and SLC™ 500 devices, and with third-party controllers, tags reside within data servers, such as RSLinx Classic and FactoryTalk® Linx™. Tags are not held within a common database, nor are they duplicated in multiple databases. Instead, the FactoryTalk Directory references tags from their source locations and passes the information on to the software products that need it, such as FactoryTalk View SE and FactoryTalk Transaction Manager.


A single computer can host two types of directories

The FactoryTalk Services Platform installs and configures two completely separate and independent directories: a local directory and a network directory. Each directory can hold multiple applications.

In a local directory, all project information and security settings are located on a single computer, and the FactoryTalk system cannot be shared across a network or from the network directory on the same computer. Products such as FactoryTalk View SE (Local) and FactoryTalk View ME use the local directory.

A network directory organizes project information and security settings from multiple FactoryTalk products across multiple computers on a network. Products such as FactoryTalk View SE and FactoryTalk Transaction Manager use the network directory.

Determining the appropriate directory depends upon the software products and whether the environment is stand-alone or networked.

See also

Example: Two directories on one computer on page 22

Configure a network directory client computer on page 39

FactoryTalk systems on page 13

Accounts and groups

Create accounts for users, computers, and groups of users and computers to define who can perform actions, and from where.

Security settings for accounts are stored in FactoryTalk Directory, and are separate for FactoryTalk network and local directories. As much as possible, secure resources by defining security permissions for the group accounts. Add user and computer accounts to the groups, and all individual accounts in the groups have the security settings of those groups.

User accounts and user group accounts

Accounts for users and user groups can link to accounts in a Windows® domain or workgroup, or be separate from those in Windows.

If the FactoryTalk system security needs are the same as the Windows security needs, using Windows-linked user or group accounts provides a convenient way to add large numbers of existing Windows user or group accounts to the FactoryTalk system. Account properties — for example, whether users can change passwords — are inherited directly from the Windows accounts, and update automatically when changed in Windows. Separate account administration is not required.


FactoryTalk user accounts or user group accounts provide secure access to the FactoryTalk system independently of the level of access users have in Windows. If the security needs of the FactoryTalk system are different from those of the Windows network, FactoryTalk Directory user accounts provide the benefits and convenience of centralized administration, without needing a Windows domain. FactoryTalk user group accounts also retain their security settings if the FactoryTalk Directory moves to a new domain.

Computer and computer group accounts

Sometimes restricting access to resources based on a user's physical location is necessary. Some critical operations require line-of-sight security, to ensure that computers are located within view of the equipment they are controlling. For example, a system designer might determine that a piece of equipment is operated from one specific operator workstation or group of workstations physically located within a clear view of the machine.

Computer accounts and computer group accounts are not linked to Windows. Accounts for computers that do not yet exist in Windows can be created in a local FactoryTalk Directory. However, the name of a computer account must match the Windows computer name for the security settings associated with the computer to take effect. Because a FactoryTalk local directory runs on a single computer, add computer accounts only to a FactoryTalk local directory.

Account status

By default, user accounts and group accounts have active status, which means that the account can be used to access resources. Other possible account statuses are:

Disabled, prevents the user from accessing the account temporarily.

Locked, the wrong password was entered more than a certain number of times.

Deleted, prevents the user from accessing the account permanently.

Unknown, information about the account could not be obtained from the network.

See also

Account types on page 18

Manage users on page 43

Manage user groups on page 51

Manage computers on page 59


Account types

FactoryTalk supports these account types:

FactoryTalk user accounts that are separate from Windows accounts.

Windows-linked user accounts that are linked to existing user accounts in a Windows domain or workgroup.

Windows-linked user groups that determine access for all of the Windows accounts in the group. To specify different permissions for some users in the Windows-linked group, add Windows-linked user accounts for those users.

Both Windows-linked accounts and FactoryTalk accounts can be in a FactoryTalk Directory. Example: A FactoryTalk administrator account that is unique to the FactoryTalk Directory and FactoryTalk user accounts that are linked to Windows user accounts.

When to use FactoryTalk user accounts

For the convenience and benefits of centralized security administration across the entire distributed system, without reliance on a Windows domain. This is often necessary when your organization's IT department controls administration of Windows users, and does not allow you to modify accounts in Windows.

For central user authentication when using Windows workgroups in a FactoryTalk network directory. For all FactoryTalk products, FactoryTalk Directory is the central authority for user authentication, allowing you to administer user accounts centrally, rather than locally on each computer. You can use Windows-linked accounts with Windows workgroups in a local directory.

When the security needs of the Windows network are different from the security needs of the control network. For example:

When all operators share the same Windows account to gain access to the computer.

When the computer is always logged on under a particular Windows account, FactoryTalk accounts allow different operators to gain different levels of access to the control system, independently of their access to Windows.

When the computer automatically logs on to the Windows network after restarting (for example, after a power failure), so that it can run control programs automatically. FactoryTalk accounts allow operators to log on and off the control system independently of Windows.

When to use Windows-linked user accounts

When the security needs of the Windows network are the same as the security needs of the control system. For example:


When the control system is located in its own domain, perhaps separately from business systems, and user accounts and passwords can be shared between Windows and FactoryTalk software programs.

When operators can log on and off computers with their own Windows accounts, and the software programs they use start automatically.

When to use Windows-linked user group accounts

If you expect the need to move Windows accounts from one domain to another, use Windows-linked user group accounts. Windows-linked user group accounts, and the user accounts they contain, can be moved from one domain to another while keeping security permissions for the group accounts intact. Individual Windows-linked user accounts must be deleted and then recreated in the new domain, causing all security permissions for the user accounts to be lost.

Always have at least one Windows-linked user account that is a member of the FactoryTalk Administrators group. This prevents an inadvertent lockout of the FactoryTalk system. If the Windows-linked administrator account is locked out, for example because the user exceeds the maximum number of logon tries, the Windows domain administrator can reset the account. Alternatively, the user can wait until Windows automatically resets and frees the locked-out account. When this happens depends on the account lockout duration policy in Windows. For details, see Windows Help.

Rules for using FactoryTalk accounts and Windows-linked accounts

FactoryTalk user accounts cannot be members of Windows-linked user groups.

Both Windows-linked user groups and individual Windows-linked user accounts can be members of FactoryTalk user groups. This allows you to use FactoryTalk user groups when setting permissions.

A FactoryTalk user account or Windows-linked user account can be a member of more than one FactoryTalk user group.

Note: If an action is set to Deny for the user in any one group, then the Deny takes precedence over any Allow setting in a different group of which the user is a member.

See also

How security authenticates user accounts on page 32

Accounts and groups on page 16

Manage users on page 43


Manage user groups on page 51

Secure resources on page 135

Applications and areas

In a FactoryTalk Directory, elements such as data servers, alarm and event servers, device servers, HMI servers, and project information are organized into applications. A FactoryTalk Directory holds any number of applications, stores information about each application, and makes that information available to FactoryTalk products and services.

A FactoryTalk network directory can manage any number of separate network applications. Likewise, a FactoryTalk local directory can manage any number of separate local applications. When developing a FactoryTalk system, log on to either a network directory or a local directory, create an application, and add device servers, data servers, and optional alarm and event servers.

Areas organize and subdivide applications in a network directory into logical or physical divisions. For example, separate areas might correspond with separate manufacturing lines in one facility, separate plants in different geographical locations, or different manufacturing processes.

HMI Servers are added and configured using FactoryTalk View Studio, but their status can be viewed in FactoryTalk Administration Console. The root of an application in a network directory can contain only one HMI server. Create a separate area for each HMI server added to an application. Areas cannot be created within a local application.

See also

FactoryTalk Directory types on page 15

FactoryTalk systems on page 13

Security in a FactoryTalk system

FactoryTalk Security is intended to improve the security of an automation system by limiting access to users with a legitimate need. Security in FactoryTalk is accomplished through authentication and authorization. Security services are managed separately in the FactoryTalk local directory and the FactoryTalk network directory.

Authentication

FactoryTalk authenticates the identities of users requesting access to a FactoryTalk system against a defined set of user accounts held in the FactoryTalk Directory. FactoryTalk verifies a user's identity and that a request for service actually originates with that user.


Authorization

FactoryTalk authorizes user requests to access resources in a FactoryTalk system against a set of defined access permissions held in the FactoryTalk Directory.

Securing resources

FactoryTalk Security addresses both authentication and authorization concerns by helping define the answer to this question:

"Who can carry out what actions upon which secured resources from which locations?"

Who—refers to users and groups of users. Different users need different access rights.

Actions—refers to the operations to perform on a resource, such as read, write, update, download, create, delete, edit, insert, and so on.

Secured resources—refers to the objects for which actions are secured. Each FactoryTalk product defines its own set of resources. For example, some products might allow configuring security on resources in an area, while others might allow configuring security for logic controllers and other devices.

Locations—refers to the location of the authorized computers. For example, to meet safety requirements, values might be allowed to be downloaded to a controller only from workstations located within a clear line of sight of the plant floor machinery.

The principle of inheritance determines how access permissions are set. For example, when assigning security to an area in an application, all of the items in the area inherit the security settings of the area. Override this behavior by setting up security for one or more of the individual objects inside the area as well.

When a user attempts to log on to a FactoryTalk system, FactoryTalk Security verifies the user's identity. If the user is authenticated, FactoryTalk Security continues to check the user's level of access to the system, to authorize the actions the user performs on secured resources.

System-wide policies dictate some security settings. For example, setting up a policy that requires users to change their passwords once every 90 days.
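The authorization rules described above (who, actions, secured resources, locations, with inheritance from an area to the items inside it) and the Deny-over-Allow rule from "Rules for using FactoryTalk accounts and Windows-linked accounts" can be modelled in a few dozen lines. The Python below is an added illustration, not Rockwell code or the FactoryTalk API: the Waste Water application and the user Terry come from this guide, while the Pumps area, the PumpStation objects, the Operators, Maintenance and LineOfSightWorkstations groups, the user Pat and the computer names are constructed sample data, and pairing each permission entry with a computer principal (plus denying an action that has no setting anywhere) is an assumption of the model.

```python
"""Toy model of the FactoryTalk Security question "Who can carry out what
actions upon which secured resources from which locations?".  Constructed for
this guide, not Rockwell code.  Rules modelled from the text: a user inherits
the settings of every user group it belongs to; a Deny in any one group beats
an Allow in any other; items in an area inherit the area's settings unless a
permission for that action is set on the item itself; a computer account takes
effect only when its name matches the requesting Windows computer name.
Assumption (not on the page): each entry pairs a user principal with a computer
principal (ALL_COMPUTERS = any location); with no setting anywhere, deny.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DENY = "Allow", "Deny"
ALL_COMPUTERS = "All Computers"


@dataclass
class Directory:
    """One FactoryTalk Directory (local or network): accounts plus permissions."""
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)
    computer_groups: Dict[str, Set[str]] = field(default_factory=dict)
    parents: Dict[str, Optional[str]] = field(default_factory=dict)
    # (resource, action) -> [(user principal, computer principal, effect), ...]
    acl: Dict[Tuple[str, str], List[Tuple[str, str, str]]] = field(default_factory=dict)

    def add_resource(self, path: str, parent: Optional[str] = None) -> None:
        self.parents[path] = parent

    def set_permission(self, resource: str, action: str, user_principal: str,
                       effect: str, computer_principal: str = ALL_COMPUTERS) -> None:
        self.acl.setdefault((resource, action), []).append(
            (user_principal, computer_principal, effect))

    def lineage(self, resource: str) -> List[str]:
        """The resource, then its enclosing area(s), then the application root."""
        chain: List[str] = []
        node: Optional[str] = resource
        while node is not None:
            chain.append(node)
            node = self.parents.get(node)
        return chain

    def is_allowed(self, user: str, action: str, resource: str, computer: str) -> bool:
        who = {user} | self.user_groups.get(user, set())
        # A computer account (or its groups) applies only if the request comes
        # from a workstation with exactly that Windows name; ALL_COMPUTERS always does.
        where = {computer, ALL_COMPUTERS} | self.computer_groups.get(computer, set())
        for node in self.lineage(resource):
            effects = {eff for (u, c, eff) in self.acl.get((node, action), [])
                       if u in who and c in where}
            if effects:
                # Settings on this node override anything inherited from its
                # parents; within the node, a single Deny beats every Allow.
                return DENY not in effects
        return False  # nothing set anywhere along the chain


def build_example() -> Directory:
    """Waste Water application (named in the guide); the area, objects, accounts
    and permissions are constructed sample data."""
    d = Directory()
    d.add_resource("Waste Water")                           # application root
    d.add_resource("Waste Water/Pumps", "Waste Water")      # area
    d.add_resource("Waste Water/Pumps/PumpStation1", "Waste Water/Pumps")
    d.add_resource("Waste Water/Pumps/PumpStation2", "Waste Water/Pumps")
    d.user_groups["Terry"] = {"Operators"}
    d.user_groups["Pat"] = {"Operators", "Maintenance"}
    # Only HMI-FLOOR-01 stands within line of sight of the pumps.
    d.computer_groups["HMI-FLOOR-01"] = {"LineOfSightWorkstations"}
    area = "Waste Water/Pumps"
    d.set_permission(area, "Read", "Operators", ALLOW)
    d.set_permission(area, "Download", "Operators", ALLOW, "LineOfSightWorkstations")
    d.set_permission(area, "Download", "Maintenance", DENY)
    d.set_permission(area, "Write", "Operators", DENY)
    # Override on one object: PumpStation1 lets operators write; PumpStation2 inherits Deny.
    d.set_permission("Waste Water/Pumps/PumpStation1", "Write", "Operators", ALLOW)
    return d


if __name__ == "__main__":
    d = build_example()
    for user, action, res, pc in [
        ("Terry", "Read", "Waste Water/Pumps/PumpStation1", "OFFICE-PC"),
        ("Terry", "Download", "Waste Water/Pumps/PumpStation1", "HMI-FLOOR-01"),
        ("Terry", "Download", "Waste Water/Pumps/PumpStation1", "OFFICE-PC"),
        ("Pat", "Download", "Waste Water/Pumps/PumpStation1", "HMI-FLOOR-01"),
        ("Terry", "Write", "Waste Water/Pumps/PumpStation1", "HMI-FLOOR-01"),
        ("Terry", "Write", "Waste Water/Pumps/PumpStation2", "HMI-FLOOR-01"),
    ]:
        verdict = ALLOW if d.is_allowed(user, action, res, pc) else DENY
        print(f"{user:5} {action:8} {res.rsplit('/', 1)[-1]:12} from {pc:12} -> {verdict}")
```

Pat is denied Download even from the line-of-sight workstation because Maintenance carries a Deny, and Terry's Download from OFFICE-PC fails because no entry matches that computer name, so nothing is inherited either.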

See also

Permissions on page 135

Best practices on page 34

FactoryTalk systems on page 13


Example: Two directories on one computer

Different software products have different requirements for the FactoryTalk Directory. Both directories are installed and configured as part of installing the FactoryTalk Services Platform. The directory needed depends upon which software products are used and whether working in a stand-alone or a networked environment.

For example, if using FactoryTalk View SE or FactoryTalk Transaction Manager, use the network directory to create and manage network applications. If using FactoryTalk View ME, use the local directory to create and manage local applications. Other products, such as RSLogix 5, RSLogix 500, and FactoryTalk Linx, allow using either directory.

Even though a local directory and a network directory reside on the same computer, all of their project information and security settings remain completely separate and cannot be shared, including:

User accounts, passwords, security permissions

System-wide policy settings, including security and audit policies

Project information, such as applications, areas, and their contents

The graphic below shows three computers. Each computer has both a local directory and a network directory configured. Each directory holds objects, which represent project information, such as applications, references to data servers, and security settings, including user accounts. In each local directory, access to these project objects is only by software products installed on that same local computer. The network directory, however, can share references to its objects across a network.

For example, suppose each colored icon above represents the project information and security settings that are part of a FactoryTalk system. The local directories on each computer hold completely separate sets of information (represented by the green, blue, and yellow icons). In the network directory case, all client computers that point to the same network directory server computer share the same set of information across the network (represented by the orange icons).


Run FactoryTalk Administration Console on Computer 3, log on to the network directory, and create a user account named "Terry" with the password "OpenSesame." The change is actually made in the network directory server, held on Computer 1, and immediately reflected on each network directory client computer. "Terry" can now log on to the network directory from any of the three computers.

Now create a user account named "Terry" with the password "OpenSesame" in each Local Directory on every computer. Even though the user name and password are the same, each user account is a separate object in each local directory.

When changing the password in the local directory on Computer 1, the change does not affect the user account held in the network directory server on the same computer, nor does it affect the user accounts held in the local directories on computers 2 and 3.

See also

Applications and areas on page 20

FactoryTalk Directory types on page 15

FactoryTalk systems on page 13


Chapter 2

Install FactoryTalk Services Platform

Install FactoryTalk Services Platform

FactoryTalk Services Platform and FactoryTalk Security software are not installed separately — FactoryTalk Security is an integrated part of the FactoryTalk Services Platform.

FactoryTalk Services Platform is installed from either:

A FactoryTalk product installation disc, such as FactoryTalk View (FactoryTalk Services Platform software is included on the installation disc of every product that requires it); or,

The Rockwell Automation Product Compatibility and Download Center (PCDC) website. On the Compatibility & Downloads page, click Find Downloads. On the Find Downloads page, in the Search box, type "FTSP". FTSP-Download FT Services Platform appears in your download list.

To install FactoryTalk Services Platform, you must log on to Windows with a user account that is a member of the Windows Administrators group on the local computer.

Install FactoryTalk Services Platform on every computer where you plan to develop or run Network or Local applications. During installation, several components are installed on the computer. If any prerequisite software components are not present on the computer, the installation program attempts to install them.

Platform components and services currently include:

FactoryTalk Directory

FactoryTalk Security

FactoryTalk Diagnostics

FactoryTalk Live Data

FactoryTalk Administration Console – a stand-alone tool for configuring, managing, and securing applications.

All of these components and services install together as a platform, integrated into the software install process for each FactoryTalk-enabled product.

FactoryTalk Web Services is not installed by default, and must be installed separately.


Tip: FactoryTalk Services Platform establishes a Network Directory server when installed; other computers on which FactoryTalk Services Platform is installed are client computers. Determine which computer in the system is going to be used as the directory server and note its computer name. After FactoryTalk Services Platform is installed on the client computers, run the FactoryTalk Directory Server Location Utility and identify the computer name of the Network Directory server.

Network security

For the latest network security considerations when using Rockwell Automation products, visit the Rockwell Automation Knowledgebase.

For information about:

File extensions created by Rockwell Automation software, firewall rules, and service dependencies, see Knowledgebase Document ID: PN826 - Security considerations when using Rockwell Automation Software Products.

TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Document ID: BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

See also

Product Compatibility and Download Center

FactoryTalk Web Services on page 211

Upgrade FactoryTalk Services Platform on page 209

Install FactoryTalk System Services and FactoryTalk Policy Manager

FactoryTalk Services Platform version 6.11.00 includes two optional components that are used to manage CIP Security: FactoryTalk System Service and FactoryTalk Policy Manager.

FactoryTalk System Services provides these core security services:

Authentication Service

Authenticates users and validates user resource requests. Validates user credentials against the FactoryTalk Directory and FactoryTalk security policy settings to obtain the privileges associated with the user.

Certificate Service

Issues and manages X.509v3 certificates for use within the FactoryTalk system.

Deployment Service

Translates the security policy model defined using FactoryTalk Policy Manager to CIP configurations that are delivered to endpoints.

Diagnostics Service


Makes FactoryTalk audit and diagnostic logs available as a web service.

Policy Service

Used to build and manage CIP network trust models and define security policy for the CIP endpoints.

Use FactoryTalk Policy Manager to configure, deploy, and view the FactoryTalk system security policy configuration.

FactoryTalk Policy Manager depends on FactoryTalk System Service, and the two must be installed together on the network directory server. FactoryTalk Policy Manager is a web service, and does not need to be installed on additional computers.

On a new installation of FactoryTalk Services Platform 6.11.00, select Customize on the first page of the installation wizard to include these items in the installation process.

To install FactoryTalk System Service and FactoryTalk Policy Manager when FactoryTalk Services Platform 6.10 is already installed

1. Log in to FactoryTalk on the computer hosting the FactoryTalk network directory.

2. Run FTUpdater to make sure you have the latest update of FactoryTalk Services Platform.

3. Run FactoryTalk Services Platform setup.exe.

4. In the FactoryTalk Security installation wizard, select Modify.

5. Expand the item for FactoryTalk Services Platform v6.10.00.

6. Select FactoryTalk Policy Manager. FactoryTalk System Service is automatically selected.

7. Select Modify.

8. The installation proceeds.

See also

FactoryTalk Policy Manager


Chapter 3

Getting started with FactoryTalk Security

This chapter introduces you to key parts of FactoryTalk Security, including:

FactoryTalk Administration Console

Action groups

Policies

Computers and groups

Networks and devices

Users and groups

Single sign-on

Tightening security

FactoryTalk Security

FactoryTalk Security improves the security of your automation system by limiting access to those with a legitimate need. FactoryTalk Security authenticates the identities of users, and authorizes user requests to access a FactoryTalk system against a set of defined user accounts and access permissions held in the FactoryTalk local directory or FactoryTalk network directory.

Integrated security services for your FactoryTalk system

FactoryTalk Security provides security services integrated into both the FactoryTalk local directory and the FactoryTalk network directory. In a local directory, all project elements are located on a single computer, and the FactoryTalk Administration Console system cannot be shared across a network. A network directory organizes information about project elements from multiple FactoryTalk products across multiple computers on a network. Even though a local directory and a network directory are always present on the same computer, all of their project elements remain completely separate and cannot be shared.

Authentication and authorization

Use FactoryTalk Security with Rockwell Automation software for an integrated, cross-product solution to two universal security concerns: authentication and authorization.

Authenticate—verify a user’s identity and verify that a request for service actually originates with that user.


Authorize—verify a user’s request to access a software resource against defined access permissions.

FactoryTalk Security addresses both authentication and authorization concerns and defines the answer to the question:

"Who can carry out what actions upon which secured resources from where?"

Who—refers to users and groups of users. Different users need different access rights.

What actions—refers to the actions that can be performed on a resource, such as read, write, update, download, create, delete, edit, insert, and so on.

Which secured resources—refers to the objects for which actions are secured. Each FactoryTalk product defines its own set of resources. For example, some products might allow security configuration on resources in an area, while others might allow security configuration for logic controllers and other devices.

Where—allows security to differ based on machine location. It is sometimes important to restrict certain actions to specific workstations. For example, for safety reasons, it might be necessary to allow downloading values to a controller only from workstations that are located within a clear line of sight to the plant floor machinery that is affected by the downloads.

The principle of inheritance determines how access permissions are set. For example, when assigning security to an area in an application, all of the items in the area inherit the security settings of the area. Override this behavior by setting up security for one or more of the individual objects inside the area.

At runtime, when a user attempts to log on to a FactoryTalk system, FactoryTalk Security verifies the user's identity. If the user is authenticated, FactoryTalk Security continues to check the user's level of access to the system, in order to authorize the actions the user performs on secured resources.

System-wide policies dictate some security settings. For example, you can set up a policy that requires users to change their passwords once every 90 days.

See also

How security authenticates user accounts on page 32

Things you can secure on page 32

Best practices on page 34

Permissions on page 135

Secure resources on page 135
