
Logging on and off with single sign-on

In document FactoryTalk Security (Page 54-59)

After a user has logged on to the FactoryTalk system, any actions requiring the same level of security are permitted in other FactoryTalk products on the same computer, without the user having to log on to each product separately. This security policy is called single sign-on, and it is defined by the system administrator. Single sign-on is enabled by default.

For example, suppose that single sign-on is enabled, and a user called Jane has a Windows-linked account. Jane can log on to the system once, and is not prompted to log on again when she runs FactoryTalk View SE Client, FactoryTalk View Studio, RSLogix, and so on, on that same computer.

When single sign-on is enabled:

If Jane has a FactoryTalk user account, she would log on to Windows, and then log on to FactoryTalk. Once logged on to FactoryTalk, she would not be prompted to log on again when she runs another FactoryTalk product that allows single sign-on.

If Jane has a Windows-linked account, she would log on to Windows, select the Network Directory or Local Directory, and then be automatically logged on to FactoryTalk using her Windows-linked account. She would not be prompted to provide a user name and password at all. Once logged on to FactoryTalk using her Windows-linked account, she would not be prompted to log on again when she runs another FactoryTalk product that allows single sign-on.

Setting up single sign-on

Single sign-on is a security policy setting. To set it up:

1. In the FactoryTalk View Studio Explorer window, open the System folder, open Policies > System Policies, and then double-click Security Policy.

2. In the Single Sign-On Policy Settings list, verify whether Use single sign-on is enabled or disabled.

If single sign-on still does not seem to be working properly, it is likely that the FactoryTalk product you are using does not support the single sign-on capability. Some FactoryTalk products always require users to log on, even if single sign-on is enabled.

For detailed information on using single sign-on, see FactoryTalk Help.

Two ways to log on

You can log on to FactoryTalk in one of two ways:

From the Windows Start menu – to log on to FactoryTalk, you can run Start > Programs > Rockwell Software > FactoryTalk Tools > Log On to FactoryTalk.

Once you select the Network Directory or Local Directory and then log on with a user account, all subsequent attempts to access FactoryTalk products from this same FactoryTalk Directory and this same computer automatically use this same user name and password, if single sign-on is enabled. If single sign-on is disabled, users are always prompted to provide credentials when logging on.

From a FactoryTalk product – if you log on to a FactoryTalk product without first logging on to FactoryTalk, then security uses this user name and password to also automatically log on to the FactoryTalk system. All subsequent attempts to access FactoryTalk products, from this same FactoryTalk Directory on this same computer, automatically use this same user name and password, if single sign-on is enabled.

For example, suppose Jane has a user account and logs on to FactoryTalk Administration Console with the user name “Jane” and the password “robotics.”

Behind the scenes, security uses this same name and password to silently log Jane on

security credentials and allows her to access the product without prompting her to log on again, even if she has closed or logged off from FactoryTalk Administration Console.

Logging on as administrator with single sign-on

If a computer is being used by multiple users, one of whom is an administrator, the administrator should be careful that the administrator account does not remain logged on as the single sign-on account, because all subsequent FactoryTalk products that run on the computer will automatically use the administrator account.

Administrators should log on to FactoryTalk using a non-administrator account, and then log on to individual FactoryTalk products as administrator. This allows administrators to make changes without changing the single sign-on user.

Two ways to log off

While you can log on to FactoryTalk from either the Windows Start menu or automatically as part of logging on to a FactoryTalk product, you must use the Log On to FactoryTalk tool to log off from the FactoryTalk system.

If you log off a FactoryTalk product, such as FactoryTalk Administration Console or FactoryTalk View, from the product's File menu, and do not log off FactoryTalk using the Log On to FactoryTalk tool, you remain logged on to FactoryTalk, and all subsequent attempts to access FactoryTalk products automatically use the user name and password shown in the Log On to FactoryTalk tool.

If you log off FactoryTalk using the Log On to FactoryTalk tool, but do not log off from the product's File menu, you remain logged on to any FactoryTalk products, but you are prompted for a user name and password the next time you run a FactoryTalk product on this computer. If single sign-on is enabled, all subsequent attempts to access FactoryTalk products then use that same user name and password. If single sign-on is disabled, users are always prompted to provide credentials when logging on.

For example, suppose Jane logs on to the FactoryTalk Administration Console with the user name “Administrator” and then later logs off from the Administration Console's File menu. While Jane is out to lunch, Joe uses the computer to run FactoryTalk View. When he starts up the software, he is not prompted to log on, because Jane's “Administrator” account is still logged on to the FactoryTalk system. Joe now has Jane's “Administrator” security rights in every FactoryTalk product he runs, until the computer logs off Windows or until the Log On to FactoryTalk tool logs off “Administrator.”
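The logon and logoff rules above, and the recommendation under "Logging on as administrator with single sign-on", can be checked with a small state model. This is an added example, not Rockwell Software code and not part of the original document; the class, method and parameter names are hypothetical, and the model covers only the behavior stated on this page.

```python
class FactoryTalkSsoModel:
    """Toy model of the logon rules on this page; not Rockwell code."""

    def __init__(self, sso_enabled=True):
        self.sso_enabled = sso_enabled
        self.system_user = None    # account shown in the Log On to FactoryTalk tool
        self.product_users = {}    # product name -> account it currently runs as

    def tool_log_on(self, user):
        self.system_user = user

    def tool_log_off(self):
        # Clears the system logon only; products already open stay logged on.
        self.system_user = None

    def start_product(self, product, typed_user=None):
        """Return (account the product runs as, whether a prompt was shown)."""
        if self.sso_enabled and self.system_user is not None:
            self.product_users[product] = self.system_user
            return self.system_user, False
        self.product_log_on_as(product, typed_user)
        return typed_user, True

    def product_log_on_as(self, product, user):
        self.product_users[product] = user
        # A product logon becomes the system logon only if none exists yet.
        if self.sso_enabled and self.system_user is None:
            self.system_user = user

    def product_log_off(self, product):
        # File menu log off: the system logon is left untouched.
        self.product_users.pop(product, None)


def shared_workstation(admin_is_sso_user):
    """What the next person gets when starting FactoryTalk View unprompted."""
    ft = FactoryTalkSsoModel()
    if admin_is_sso_user:      # the page's Jane and Joe example
        ft.start_product("Administration Console", typed_user="Administrator")
    else:                      # recommended: non-administrator system logon first
        ft.tool_log_on("Jane")
        ft.start_product("Administration Console")
        ft.product_log_on_as("Administration Console", "Administrator")
    ft.product_log_off("Administration Console")
    return ft.start_product("FactoryTalk View")


if __name__ == "__main__":
    print(shared_workstation(admin_is_sso_user=True))
    print(shared_workstation(admin_is_sso_user=False))
```

In the first case the next user inherits "Administrator" without a prompt; in the second the inherited account is the non-administrator one, which is the effect the recommendation aims for.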

When to disable single sign-on

If multiple users are sharing the same Windows user account, but have different FactoryTalk Security user accounts, it might be necessary to disable single sign-on. This is because with single sign-on enabled, the last user that logged on to FactoryTalk is automatically logged on to all subsequent FactoryTalk products. If you need to be able to distinguish the actions of individual users, disable single sign-on to force all users to identify themselves to each FactoryTalk product they use.

There is no way to log all users off all FactoryTalk products simultaneously. This is because some products might need to run without interruption in the background. To log all users off all FactoryTalk products simultaneously, log off Windows. Logging off Windows also shuts down all FactoryTalk products that were started in the Windows session, regardless of how many users were logged on.

Where to go from here

Do one of the following:

Go to Chapter 5 on page 45 to learn about creating user, group, and computer accounts.

Go to Chapter 6 on page 55 to learn about assigning permissions to the users, groups, and computers added in this chapter.

Go to Chapter 7 on page 67 to learn about setting system-wide and policy-wide security policies.

Go to Chapter 8 on page 77 to learn about FactoryTalk Security advanced features, such as resource grouping.

Go to Chapter 9 on page 85 to learn how to use FactoryTalk Security with RSLinx software.

Go to Chapter 10 on page 95 to learn how to use FactoryTalk Security with Logix Designer application to secure projects and devices like Logix5000, PLC, and SLC controllers.

Go to Chapter 11 on page 115 to learn how to use FactoryTalk Security with FactoryTalk View SE.

Go to Chapter 12 on page 137 to learn how to use FactoryTalk Security with FactoryTalk View ME.

Go to Chapter 13 on page 161 to learn how to use FactoryTalk Security with FactoryTalk Batch components.

Go to Chapter 14 on page 179 to learn about deploying a FactoryTalk system to runtime computers.
