FTSecurity Sys Config
Configuration Guide
Version 6.31.00
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss.
Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT Identifies information that is critical for successful application and understanding of the product.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will
cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for
Personal Protective Equipment (PPE).
Rockwell Automation recognizes that some of the terms that are currently used in our industry and in this publication are not in
alignment with the movement toward inclusive language in technology. We are proactively collaborating with industry peers to
find alternatives to such terms and making changes to our products and content. Please excuse the use of such terms in our
content while we implement these changes.
Chapter 1
About FactoryTalk systems
FactoryTalk systems ... 15
FactoryTalk Directory types ... 16
Accounts and groups ... 18
Account types ... 19
Applications and areas ... 21
Security in a FactoryTalk system ... 21
Example: Two directories on one computer ... 22
Chapter 2
Install FactoryTalk Services Platform
FactoryTalk Services Platform installation ... 25
Step 1: Launch the Setup wizard and select what to install ... 26
Step 2: Configure the communication protocol ... 27
Step 3: Read and accept license agreements ... 28
Step 4: Start the installation ... 28
Step 5: Finish the installation ... 28
Switch the communication protocol to HTTPS ... 28
Modify FactoryTalk Services Platform ... 28
Switch the communication protocol to HTTP ... 29
Install FactoryTalk System Services and FactoryTalk Policy Manager ... 29
Chapter 3
Getting started with FactoryTalk Security
FactoryTalk Security ... 33
Security on a local directory ... 34
Security on a network directory ... 35
How security authenticates user accounts ... 35
Things you can secure ... 36
Best practices ... 37
Audit trails and regulatory compliance ... 38
Configure a computer to be the FactoryTalk Directory network server ... 40
Configure a computer to be the network directory server ... 42
Configure a network directory client computer ... 42
Check the network directory server performance in system operation ... 42
FactoryTalk Directory Server Location Utility ... 44
Chapter 4
Manage users
Manage users ... 45
Add a FactoryTalk user account ... 45
Add a Windows-linked user account ... 46
Add group memberships to a user account ... 48
Remove group memberships from a user account ... 48
Delete a user account ... 49
Chapter 5
Manage user groups
Manage user groups ... 51
Add a FactoryTalk user group ... 52
Add a Windows-linked user group ... 53
Edit or view user group properties ... 54
Delete a user group ... 55
Add accounts to a FactoryTalk user group ... 56
Remove accounts from a FactoryTalk user group ... 56
Chapter 6
Manage computers
Manage computers ... 57
Add a computer ... 57
Delete a computer ... 58
Edit or view computer properties ... 58
Historical Usage ... 59
Configure feature security for Historical Usage ... 60
Users tab ... 60
Items on the Users tab ... 60
Meanings of the column headings on the Users tab ... 60
Disable a user account with Historical Usage ... 61
Enable a user account with Historical Usage ... 61
Delete a user account with Historical Usage ... 61
Computers tab ... 62
Items on the Computers tab ... 62
Meanings of the column headings on the Computers tab ... 62
Delete a computer with Historical Usage ... 62
Filter records in Historical Usage ... 62
Meanings of the filter conditions in Historical Usage ... 63
Sort records in Historical Usage ... 63
Chapter 7
Add and remove user-computer pairs
Add and remove user-computer pairs ... 65
Add a user-computer pair ... 65
Remove a user-computer pair ... 66
Chapter 8
Add and remove action groups
Add and remove action groups ... 69
Add an action group ... 69
Delete an action group ... 70
Add an action to an action group ... 70
Remove an action from an action group ... 71
Chapter 9
Set system policies
Authorize an application to access the FactoryTalk Directory ... 74
FactoryTalk Service Application Authorization ... 74
FactoryTalk Service Application Authorization settings ... 75
Publisher Certificate Information ... 77
Digitally signed FactoryTalk products ... 77
Authorize a service to use FactoryTalk Badge Logon ... 78
FactoryTalk Badge Authorization ... 78
FactoryTalk Badge Authorization settings ... 79
Assign user rights to make system policy changes ... 79
User rights assignment policies ... 80
User Rights Assignment Policy Properties ... 81
Configure Securable Action ... 81
Select a user or group ... 82
Change the default communications protocol ... 82
Default communications protocol settings ... 83
Live Data Policy Properties ... 84
Set network health monitoring policies ... 84
Health Monitoring Policy Properties ... 85
Set audit policies ... 86
Audit policies ... 87
Audit Policy Properties ... 89
Monitor security-related events ... 90
Example: Audit messages ... 90
Set system security policies ... 91
Modify Account Policy Settings ... 92
Modify Badge login policies ... 93
Modify Computer Policy Settings ... 94
Modify Directory Protection Policy Settings ... 96
Configure a FactoryTalk Directory using a DNS alias name ... 97
Switch a computer hosting the FactoryTalk Directory server ... 98
Assign a client computer to a new FactoryTalk Directory server ... 99
Modify Event System Settings ... 99
Chapter 10
Set product-specific policies
Secure features of a single product ... 122
Secure multiple product features ... 122
Feature Security for Product Policies ... 123
Feature Security Policies ... 124
Differences between securable actions and product policies ... 125
Chapter 11
Manage logical names
Logical names ... 127
Add a logical name ... 129
Delete a logical name ... 129
Add a device to a logical name ... 130
Remove a device from a logical name ... 130
Assign a control device to a logical name ... 130
Add a logical name to an area or application ... 131
Delete a logical name from an area or application ... 131
New Logical Name ... 132
Logical Name Properties ... 132
Chapter 12
Resource grouping
Resource groupings ... 135
Group hardware resources in an application or area ... 136
Move a resource between areas ... 137
Remove a device from a resource grouping ... 137
Resources Editor ... 138
Select Resources ... 138
Chapter 13
Disaster Recovery
Back up a FactoryTalk system ... 141
Back up a FactoryTalk Directory ... 141
Back up a System folder ... 144
Back up an application ... 145
Back up a Security Authority identifier ... 147
Backup FactoryTalk Linx configuration ... 148
Back up FactoryTalk Linx Gateway configuration ... 150
Backup ... 151
Backup and restore options ... 152
Modify Security Authority Identifier ... 153
Restore a FactoryTalk system ... 154
Restore a FactoryTalk Directory ... 154
Restore a System folder ... 156
Restore an application ... 157
Restore a Security Authority identifier ... 160
Restore FactoryTalk Linx configuration ... 161
Restore FactoryTalk Linx Gateway configuration ... 162
Verify security settings after restoring a FactoryTalk system ... 163
    Update computer accounts in the network directory ... 163
    Recreate a Windows-linked user account ... 164
    Update Windows-linked user groups ... 164
    Update security settings for Networks and Devices ... 165
    Update security settings for the FactoryTalk Linx OPC UA Connector ... 165
    Restore database connections ... 166
Restore an earlier system after upgrading FactoryTalk platform software ... 166
Generate a Security Authority identifier ... 167
Restore ... 168
Restore (FactoryTalk Directory) ... 169
Restore (System folder) ... 170
Chapter 14
Secure resources
Secure resources ... 185
Permissions ... 185
    Breaking the chain of inheritance ... 188
    Order of precedence ... 189
    Actions ... 190
Set FactoryTalk Directory permissions ... 193
Set application permissions ... 195
Set area permissions ... 196
Set System folder permissions ... 197
Set action group permissions ... 199
Set database permissions ... 200
Configure a permission set ... 201
Set logical name permissions ... 202
Allow a resource to inherit permissions ... 203
Prevent a resource from inheriting permissions ... 204
View effective permissions ... 205
Effective permission icons ... 206
Appendix A
Upgrade FactoryTalk Services Platform
Upgrade FactoryTalk Services Platform ... 211
Identify the installed FactoryTalk Services Platform version ... 212
Appendix B
FactoryTalk Web Services
Install FactoryTalk Web Services ... 213
Add an HTTPS site binding for FactoryTalk Web Services ... 214
Client computers unable to connect to FactoryTalk Web Services ... 215
User cannot log into FactoryTalk Web Services ... 216
Index
Summary of changes
This manual includes new and updated information. Use these reference tables to locate changed information.
Grammatical and editorial style changes are not included in this summary.
Global changes
None in this release.
About this publication
This Quick Start Guide provides you with information on using FactoryTalk Services Platform with FactoryTalk Security.
Before using this guide, review the FactoryTalk Services Platform Release
Notes for information about required software, hardware, and anomalies.
After using this guide, you will be more familiar with how FactoryTalk
Services Platform uses:
• FactoryTalk Directory types
• User accounts
• Computer accounts
• Local and network security options
• Authentication methods
• Password management
• Security policies
Additional resources
For more information on system security, download the System Security Design Guidelines (publication SECURE-RM001) from the Rockwell Automation Literature Library.
For more information on the products and components discussed in this
guide, the following manuals and Help files are available with the software:
The Rockwell Automation® Literature Library also has related Getting Results
Guides that can be viewed online or downloaded:
• FactoryTalk Linx Getting Results Guide
• RSLinx Classic Getting Results Guide
• FactoryTalk Batch Getting Results Guide
• FactoryTalk Policy Manager Getting Results Guide
Legal Notices
Rockwell Automation publishes legal notices, such as privacy policies, license agreements, trademark disclosures, and other terms and conditions on the Legal Notices page of the Rockwell Automation website.
A single computer can host a local directory and a network directory on page
22. The two directories on page 16 are completely separate and do not share
any information. When using both directories, that single computer
participates in two separate FactoryTalk systems.
In the network directory example above, the directory hosts two network
applications: Waste Water and Water Distribution. All of the areas on page 21,
data servers, HMI servers, device servers, and alarm and event servers
organized within each application are specific to that application. None of the
application-specific information is shared with any other application in the
directory. However, all information and settings organized within the System
folder, such as security settings on page 21, system policies, product policies,
and user accounts on page 18 apply to all applications held in the directory.
For example, modifying security settings in the Waste Water application does
not affect the Water Distribution application. A change to a security policy,
however, applies to both the Waste Water application and the Water
Distribution application, and also to any other new applications created in
this same network directory.
FactoryTalk Directory types
The FactoryTalk Directory is the centerpiece of the FactoryTalk Services
Platform. FactoryTalk Directory provides a central lookup service for all
products participating in an application. Rather than a traditional system
design with multiple, duplicated databases or a central, replicated database,
FactoryTalk Directory references tags and other system elements from
multiple data sources and makes the information available to clients through
a lookup service.
16 Rockwell Automation Publication FTSEC-QS001S-EN-E - November 2022
Chapter 1 About FactoryTalk systems
Tags are stored in their original environments, such as logic controllers.
Graphic displays are stored in the HMI servers where they are created. This
information is available, without duplication, to any FactoryTalk product
participating in an application.
Accounts and groups
Create accounts for users, computers, and groups of users and computers to
define who can perform actions, and from where.
Security settings for accounts are stored in the FactoryTalk Directory and are
separate for FactoryTalk network and local directories. As much as possible,
secure resources by defining security permissions for the group accounts. Add
user and computer accounts to the groups, and all individual accounts in the
groups have the security settings of those groups.
Account status
By default, user accounts and group accounts have active status, which means
that the account can be used to access resources. Other possible account
statuses are:
• Disabled, prevents the user from accessing the account temporarily.
• Locked, the wrong password was entered more than a certain number
of times.
• Deleted, prevents the user from accessing the account permanently.
• Unknown, information about the account could not be obtained from
the network.
Account types
FactoryTalk supports these account types:
• FactoryTalk user accounts that are separate from Windows accounts.
• Windows-linked user accounts that are linked to existing user
accounts in a Windows domain or workgroup.
• Windows-linked user groups that determine access for all of the
Windows accounts in the group. To specify different permissions for
some users in the Windows-linked group, add Windows-linked user
accounts for those users.
Windows-linked accounts and FactoryTalk accounts can be in a FactoryTalk
Directory. Example: A FactoryTalk administrator account that is unique to the
FactoryTalk Directory and FactoryTalk user accounts that are linked to
Windows user accounts.
Applications and areas
In a FactoryTalk Directory, elements such as data servers, alarm and event
servers, device servers, HMI servers, and project information are organized
into applications. A FactoryTalk Directory on page 16 holds any number of
applications, stores information about each application, and makes that
information available to FactoryTalk products and services.
A FactoryTalk network directory can manage any number of separate network
applications. Likewise, a FactoryTalk local directory can manage any number
of separate local applications. When developing a FactoryTalk system on page
15, log on to either a network directory or a local directory, create an
application, and add device servers, data servers, and optional alarm and event
servers.
Areas organize and subdivide applications in a network directory into logical
or physical divisions. For example, separate areas might correspond with
separate manufacturing lines in one facility, separate plants in different
geographical locations, or different manufacturing processes.
HMI Servers are added and configured using FactoryTalk View Studio, but
their status can be viewed in FactoryTalk Administration Console. The root of
an application in a network directory can contain only one HMI server. Create
a separate area for each HMI server added to an application. Areas cannot be
created within a local application.
Authentication
FactoryTalk authenticates the identity of each user who accesses a FactoryTalk
system against a defined set of user accounts held in the FactoryTalk Directory.
FactoryTalk verifies a user's identity and that a request for service actually
originates with that user.
Authorization
FactoryTalk authorizes user requests to access resources in a FactoryTalk
system against a set of defined access permissions held in the FactoryTalk
Directory.
Securing resources
FactoryTalk Security addresses both authentication and authorization
concerns by helping define the answer to this question:
"Who can carry out what actions upon which secured resources from
which locations?"
• Who—refers to users and groups of users. Different users need
different access rights.
• Actions—refers to the operations to perform on a resource, such as
read, write, update, download, create, delete, edit, insert, and so on.
• Secured resources—refers to the objects for which actions are secured.
Each FactoryTalk product defines its own set of resources. For
example, some products might allow configuring security on resources
in an area, while others might allow configuring security for logic
controllers and other devices.
• Locations—refers to the location of the authorized computers. For
example, allowing values to be downloaded to a controller only from
workstations that are located within a clear line of sight to the plant
floor machinery to adhere to safety requirements.
The principle of inheritance determines how access permissions on page 185
are set. For example, when assigning security to an area in an application, all
of the items in the area inherit the security settings of the area. Override this
behavior by setting up security for one or more of the individual objects inside
the area as well.
When a user attempts to log on to a FactoryTalk system on page 15,
FactoryTalk Security verifies the user's identity. If the user is authenticated,
FactoryTalk Security continues to check the user's level of access to the
system, to authorize the actions the user performs on secured resources.
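To make the question "Who can carry out what actions upon which secured resources from which locations?" and the inheritance rule concrete, here is an added Python model. It is constructed for this edit, not FactoryTalk's own code or its documented order of precedence; the precedence assumptions it makes are stated in the docstring, and the group, computer and resource names are made up. It evaluates a request against permissions set on a Directory/application/area/object tree, with a group rule inherited by a controller, an override on the controller, a location-restricted download, and an object whose chain of inheritance is broken.

```python
"""Illustrative model of the FactoryTalk Security question
"Who can carry out what actions upon which secured resources from which locations?"
Constructed example: not FactoryTalk's own code or its exact evaluation order."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Rule:
    """An explicit permission on a resource: principal + action (+ optional computers)."""
    principal: str                          # user or group account name
    action: str                             # e.g. "Read", "Write", "Download"
    effect: str = ALLOW                     # ALLOW or DENY
    computers: Optional[frozenset] = None   # None: allowed from any computer


@dataclass
class Resource:
    """A node in the Directory tree: directory, application, area, or an object in an area."""
    name: str
    parent: Optional["Resource"] = None
    inherit: bool = True                    # False breaks the chain of inheritance
    rules: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    status: str = "Active"                  # Active, Disabled, Locked, Deleted, Unknown

    def principals(self) -> set:
        """Names a rule can match for this user: the account itself and its groups."""
        return {self.name} | set(self.groups)


def effective_permission(user: User, action: str, resource: Resource, computer: str) -> str:
    """Authorize one request. Assumptions of this model (not FactoryTalk's documented rules):
    - only an Active account is authenticated; any other status is denied outright;
    - the nearest level in the tree with a matching rule decides, so an explicit rule on an
      object overrides what it would inherit from its area or application;
    - at one level, a Deny beats an Allow;
    - a location-restricted rule matches only from the listed computers;
    - no matching rule anywhere means default deny."""
    if user.status != "Active":
        return DENY
    principals = user.principals()
    node = resource
    while node is not None:
        matches = [r for r in node.rules
                   if r.principal in principals and r.action == action
                   and (r.computers is None or computer in r.computers)]
        if matches:
            return DENY if any(r.effect == DENY for r in matches) else ALLOW
        if not node.inherit:
            break                           # chain of inheritance broken: stop walking up
        node = node.parent
    return DENY


def build_sample_directory() -> dict:
    """Constructed Network Directory: application 'Waste Water', area 'Line 1', a
    controller in that area, and an HMI object whose inheritance is broken."""
    directory = Resource("Network Directory")
    app = Resource("Waste Water", parent=directory)
    area = Resource("Line 1", parent=app)
    plc = Resource("Line1_PLC", parent=area)
    archive = Resource("Archive HMI", parent=app, inherit=False)
    # Directory-wide rule, inherited by everything below unless overridden
    directory.rules.append(Rule("Administrators", "Write"))
    # Group-level rules on the area (the recommended practice), inherited by the PLC
    area.rules += [
        Rule("Operators", "Read"),
        Rule("Operators", "Write"),
        Rule("Engineers", "Read"),
        Rule("Engineers", "Write"),
        # Download only from the line-side workstation (the line-of-sight example)
        Rule("Engineers", "Download", computers=frozenset({"WS-LINE1"})),
    ]
    # Override on the controller only: operators keep Write on the area, not on the PLC
    plc.rules.append(Rule("Operators", "Write", effect=DENY))
    return {"directory": directory, "app": app, "area": area, "plc": plc, "archive": archive}


if __name__ == "__main__":
    d = build_sample_directory()
    eng = User("jdoe", frozenset({"Engineers"}))
    for computer in ("WS-LINE1", "OFFICE-PC"):
        print(computer, "Download Line1_PLC:",
              effective_permission(eng, "Download", d["plc"], computer))
```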
System-wide policies dictate some security settings, for example, a policy
that requires users to change their passwords once every 90 days.
For tips on setting up the FactoryTalk system so that user authentication and
authorization can be managed efficiently, see Best practices on page 37.
Example: Two directories on one computer
Different software products have different requirements for the FactoryTalk
Directory on page 16. Both directories are installed and configured as part of
installing the FactoryTalk Services Platform. The directory needed depends
For example, suppose each colored icon above represents the project
information and security settings that are part of a FactoryTalk system on
page 15. The local directories on each computer hold completely separate sets
of information (represented by the green, blue, and yellow icons). In the
network directory case, all client computers that point to the same network
directory server computer share the same set of information across the
network (represented by the orange icons).
FactoryTalk Services Platform installation
FactoryTalk Services Platform and FactoryTalk Security software are not
installed separately; FactoryTalk Security is an integrated part of the
FactoryTalk Services Platform.
FactoryTalk Services Platform is installed from either:
• A FactoryTalk product installation disc, such as FactoryTalk View
(FactoryTalk Services Platform software is included on the installation
disc of every product that requires it); or,
• The Rockwell Automation Product Compatibility and Download
Center (PCDC) website. On the Compatibility & Downloads page, click
Find Downloads. On the Find Downloads page, in the Search box, type
"FTSP". FTSP-Download FT Services Platform appears in your
download list.
To install FactoryTalk Services Platform, you must log on to Windows with a
user account that is a member of the Windows Administrators group on the
local computer.
Install FactoryTalk Services Platform on every computer where you plan to
develop or run Network or Local applications. During installation, several
components are installed on the computer. If any prerequisite software
components are not present on a computer, the installation program will
attempt to install the software.
Platform components and services currently include:
• FactoryTalk Directory
• FactoryTalk Security
• FactoryTalk Diagnostics
• FactoryTalk Live Data
• FactoryTalk Administration Console – a stand-alone tool for
configuring, managing, and securing applications.
All of these components and services install together as a platform, integrated
into the software install process for each FactoryTalk-enabled product.
FactoryTalk Web Services is not installed by default, and must be installed
separately.
Tip: FactoryTalk Services Platform establishes a Network Directory server when installed; other computers
on which FactoryTalk Services Platform is installed will be client computers. Determine which computer
in the system is going to be used as the directory server and note this computer name. After FactoryTalk
Services Platform is installed on the client computers, run the FactoryTalk Directory Server Location
Utility and identify the computer name of the Network Directory server.
Network security
For the latest network security considerations when using Rockwell
Automation products, visit the Rockwell Automation Knowledgebase.
For information about:
• File extensions created by Rockwell Automation software, firewall
rules, and service dependencies, see Knowledgebase Document ID:
PN826 - Security considerations when using Rockwell Automation
Software Products.
• TCP/UDP ports used by Rockwell Automation products, see
Knowledgebase Document ID: BF7490 - TCP/UDP Ports Used by
Rockwell Automation Products.
See also
Product Compatibility and Download Center
FactoryTalk Web Services on page 213
Step 1: Launch the Setup wizard and select what to install
Follow these steps to launch the Setup wizard and select what to install:
1. Sign in to your server computer as an administrator, or as a user with
administrative privileges.
2. Place the FactoryTalk Services Platform Installation DVD in the
computer's DVD drive.
Tip: You can also download the software from the Rockwell Automation Product Compatibility
and Download Center.
3. Run D:\setup.exe, where D:\ is the drive containing the DVD.
4. To install all components available in the selected software using the
recommended settings, click Install now and skip to Step 3: Read and
accept license agreements on page 28.
IMPORTANT If you select Install now, HTTPS will be turned on by default. For more
information, see Step 2: Configure communication protocol on page 27.
Step 3: Read and accept license agreements
End-user license agreements (EULA) spell out your rights and
responsibilities. Depending on the components being installed, there may be
more than one license agreement on this page. The individual license
agreements are listed above the text box.
Some software products may be delivered or made available only after you
agree to the terms and conditions of each of the license agreements.
1. On the End User License Agreements page, select each agreement and
read the agreement carefully.
2. When all license agreements have been read, click Accept All.
Tip: If you click Decline, you will return to the FactoryTalk Services Platform Setup page.
Step 4: Start the installation
After accepting the license agreements, the Setup wizard automatically
installs all the Rockwell Software applications selected previously. Installation
is automatic and does not require any input.
Step 5: Finish the installation
After the installation succeeds, restart the computer.
Switch the communication protocol to HTTPS
If HTTPS is not turned on when installing FactoryTalk Services Platform, you
can follow these steps to switch the communication protocol to HTTPS
manually.
IMPORTANT We recommend you use HTTPS to secure communication. If you don't turn on HTTPS, you
must know the potential risks:
• The data is transmitted without encryption across the network, which leaks
information unless another solution, such as IPsec, protects the traffic.
• The system may be vulnerable to a Remote Code Execution (RCE) attack.
Modify FactoryTalk Services Platform
If FactoryTalk Services Platform without custom components already exists
on a computer, you can install the custom components by changing
FactoryTalk Services Platform in Control Panel.
Switch the communication protocol to HTTP
After modifying FactoryTalk Services Platform successfully, if you don't want
to use HTTPS, you can switch the communication protocol to HTTP manually.
IMPORTANT We recommend you use HTTPS to secure communication. If you turn off HTTPS, you must
know the potential risks:
• The data is transmitted without encryption across the network, which leaks
information unless another solution, such as IPsec, protects the traffic.
• The system may be vulnerable to a Remote Code Execution (RCE) attack.
Security on a local directory
By default, security is open in the FactoryTalk local directory. All users who
have successfully logged on to Windows have full access to the local directory.
Because the network directory and local directory are separate, secure them
separately. Some Rockwell Automation software products require the
FactoryTalk network directory, others require the FactoryTalk local directory,
and some require both directories to be configured.
Manage on a local directory:
• User accounts, passwords, and security permissions
• System-wide policy settings, including security and audit policies
How security authenticates user accounts
When a user attempts an action that is secured, security authenticates user
names and passwords in this order:
1. Against the list of FactoryTalk user accounts on page 19. If a match is
found, the user is allowed to proceed.
2. Against the list of Windows-linked user accounts. If a match is found,
the user is allowed to proceed.
3. Against the list of accounts in a Windows-linked user group. If a match
is found for the user name and password in a Windows-linked user
group, the user is allowed to proceed, even if no Windows-linked user
account is present for that user.
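The three-step order above, modelled as an added example (this is not Rockwell code). The directory, the Windows credential store, and every account name and password are constructed stand-ins, and the labels returned by authenticate() are an assumption of this model used to show which step accepted the logon; the interesting case is the third one, where a user with no account of their own in the directory still logs on through a Windows-linked group.

```python
"""Model of the FactoryTalk authentication order: native FactoryTalk
accounts first, then Windows-linked user accounts, then Windows-linked
user groups.  Added example, not Rockwell code.  The Windows credential
store, every account name and every password are constructed sample data,
and the labels returned by authenticate() are an assumption of this model."""
import hashlib
import hmac
from dataclasses import dataclass


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest used for the constructed FactoryTalk accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class FactoryTalkUser:
    """Native FactoryTalk account; its credentials live in the directory."""
    name: str
    salt: bytes
    digest: bytes
    enabled: bool = True

    @classmethod
    def create(cls, name: str, password: str, enabled: bool = True) -> "FactoryTalkUser":
        salt = hashlib.sha256(name.encode()).digest()[:16]   # fixed salt so the sample is repeatable
        return cls(name, salt, _digest(password, salt), enabled)

    def check(self, password: str) -> bool:
        """Disabled accounts never match; compare digests in constant time."""
        return self.enabled and hmac.compare_digest(self.digest, _digest(password, self.salt))


@dataclass
class WindowsStandIn:
    """Stand-in for Windows authentication and group membership.  Assumption:
    a real deployment defers to the OS; cleartext passwords here are sample data."""
    passwords: dict
    members: dict          # Windows group name -> set of member account names

    def authenticate(self, name: str, password: str) -> bool:
        return self.passwords.get(name) == password

    def is_member(self, name: str, group: str) -> bool:
        return name in self.members.get(group, set())


@dataclass
class FactoryTalkDirectory:
    ft_users: dict         # name -> FactoryTalkUser
    linked_users: set      # Windows-linked user accounts present in the directory
    linked_groups: set     # Windows-linked user groups present in the directory
    windows: WindowsStandIn


def authenticate(directory: FactoryTalkDirectory, name: str, password: str):
    """Return the step that accepted the logon ('factorytalk',
    'windows-linked user' or 'windows-linked group'), or None."""
    # Step 1: the list of FactoryTalk user accounts.  A name that exists here
    # with a non-matching password does not stop the search; steps 2 and 3
    # are still tried, exactly as the ordered list above describes.
    user = directory.ft_users.get(name)
    if user is not None and user.check(password):
        return "factorytalk"
    # Step 2: individual Windows-linked user accounts.
    if name in directory.linked_users and directory.windows.authenticate(name, password):
        return "windows-linked user"
    # Step 3: Windows-linked user groups.  No per-user account is needed in
    # the directory; valid Windows credentials plus group membership suffice.
    if directory.windows.authenticate(name, password):
        for group in directory.linked_groups:
            if directory.windows.is_member(name, group):
                return "windows-linked group"
    return None


def sample_directory() -> FactoryTalkDirectory:
    """Constructed sample: one enabled and one disabled FactoryTalk account,
    one linked Windows user, one linked Windows group."""
    windows = WindowsStandIn(
        passwords={"ACME\\jsmith": "Win-pw-1", "ACME\\mlee": "Win-pw-2", "ACME\\guest": "Win-pw-3"},
        members={"ACME\\Maintenance": {"ACME\\mlee"}},
    )
    return FactoryTalkDirectory(
        ft_users={
            "operator1": FactoryTalkUser.create("operator1", "Ft-pw-1"),
            "retired": FactoryTalkUser.create("retired", "Ft-pw-9", enabled=False),
        },
        linked_users={"ACME\\jsmith"},
        linked_groups={"ACME\\Maintenance"},
        windows=windows,
    )


if __name__ == "__main__":
    d = sample_directory()
    for who, pw in [("operator1", "Ft-pw-1"), ("ACME\\jsmith", "Win-pw-1"),
                    ("ACME\\mlee", "Win-pw-2"), ("ACME\\guest", "Win-pw-3"),
                    ("retired", "Ft-pw-9")]:
        print(f"{who:<13} -> {authenticate(d, who, pw)}")
```

Note that ACME\guest has valid Windows credentials but is neither a linked user nor a member of a linked group, so none of the three steps accepts it; that is the behaviour a reviewer should expect when a Windows account has not been brought into the FactoryTalk Directory.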
Things you can secure
Use Allow or Deny permissions to secure access to resources in the system.
Resources include:
• The FactoryTalk network directory or local directory
• The System folder and its contents
• Applications
• Areas
• Servers
• Control networks
• Hardware devices
Best practices
Use these tips when setting up the FactoryTalk system to achieve efficient
management of user authentication and authorization.
Administrator accounts
• Always have more than one user account on page 19 that is a member
of the FactoryTalk Administrators group. If the password to one
administrator account is lost, use a second administrator account to
reset the password to the first one. A lost password to a user account is
not recoverable. A second administrator account prevents being locked
out of the FactoryTalk system if the first administrator password is
lost.
Windows-linked accounts
If Windows accounts might move from one domain to another, avoid using
individual, Windows-linked user accounts. Use Windows-linked user group
accounts instead. Windows-linked user group accounts can move from one
domain to another, while keeping security permissions for the group accounts
intact. Windows-linked user accounts must be deleted and then recreated in
the new domain, causing the loss of all security permissions for the user
accounts. If this occurs all permissions for any individual Windows-linked
user accounts must be recreated.
Permissions
• Assign permissions to groups rather than to users.
• Assign permissions to user accounts only by exception. Maintaining
user accounts directly is inefficient.
• Wherever possible, remove an Allow permission instead of adding an
explicit Deny permission. Deny permissions take precedence over Allow
permissions, and explicit permissions take precedence over inherited
permissions, so a directory with few Deny entries is simpler to reason
about and to administer.
• Use Deny permissions to:
• Exclude a subset of a group that has Allow permissions
• Exclude one special permission when full control to a user or group
is already granted
• Assign permissions at the highest level possible. This provides the
greatest breadth of effect with the least effort. Establish rights that are
adequate for the majority of users. For example, assign security to
areas rather than to objects within areas.
• Administrators should use an account with restrictive permissions to
perform routine, non-administrative tasks. Use an account with
broader permissions only when performing specific administrative
tasks.
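The Allow/Deny precedence rules in the bullets above, worked through as an added example (not Rockwell code). Resources are modelled as a path hierarchy whose children inherit their parents' entries, principals as users and nested groups, and the decision walks from the object outward so that an explicit entry on the object beats an inherited one, with Deny beating Allow among entries at the same level. The group names, paths, actions and entries are constructed for illustration, and the evaluation order implements the rules as the page states them, not FactoryTalk's internal algorithm.

```python
"""Model of the permission rules stated above: an explicit entry on a
resource takes precedence over one inherited from a parent, and Deny takes
precedence over Allow among entries at the same level.  Added example, not
Rockwell code.  The resource paths, principals and action names are
constructed sample data, and the evaluation order implements the stated
rules rather than FactoryTalk's internal algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    principal: str     # user or group the entry applies to
    action: str        # e.g. "Common > Write"
    allow: bool        # True for Allow, False for Deny
    resource: str      # path where the entry is set; children inherit it


class SecurityModel:
    def __init__(self) -> None:
        self.entries = []      # list of Entry
        self.groups = {}       # group -> set of members (users or nested groups)

    def add_member(self, group: str, member: str) -> None:
        self.groups.setdefault(group, set()).add(member)

    def principals_for(self, user: str) -> set:
        """The user plus every group reachable through nested membership."""
        result = {user}
        changed = True
        while changed:
            changed = False
            for group, members in self.groups.items():
                if group not in result and members & result:
                    result.add(group)
                    changed = True
        return result

    def set_permission(self, principal: str, action: str, allow: bool, resource: str) -> None:
        self.entries.append(Entry(principal, action, allow, resource))

    def remove_permission(self, principal: str, action: str, allow: bool, resource: str) -> None:
        target = Entry(principal, action, allow, resource)
        self.entries = [e for e in self.entries if e != target]

    @staticmethod
    def _levels(resource: str) -> list:
        """The resource itself first, then each parent up to the root '/'."""
        parts = [p for p in resource.split("/") if p]
        return ["/" + "/".join(parts[:i]) for i in range(len(parts), -1, -1)]

    def decide(self, user: str, action: str, resource: str):
        """Return (allowed, deciding Entry).  The closest level that has an
        applicable entry decides (explicit beats inherited); at that level a
        Deny beats an Allow; with no applicable entry the answer is denied."""
        who = self.principals_for(user)
        for level in self._levels(resource):
            hits = [e for e in self.entries
                    if e.resource == level and e.action == action and e.principal in who]
            if hits:
                denies = [e for e in hits if not e.allow]
                winner = denies[0] if denies else hits[0]
                return winner.allow, winner
        return False, None

    def allowed(self, user: str, action: str, resource: str) -> bool:
        return self.decide(user, action, resource)[0]


def sample_model() -> SecurityModel:
    """Constructed sample following the best practices above: permissions
    go to groups at the area level; Deny is used only to carve out a subset."""
    m = SecurityModel()
    m.add_member("Operators", "bob")
    m.add_member("Operators", "alice")
    m.add_member("Operators", "Shift-A")      # nested group
    m.add_member("Shift-A", "erin")
    m.add_member("Trainees", "alice")
    m.set_permission("Operators", "Common > Write", True, "/Line1")
    m.set_permission("Trainees", "Common > Write", False, "/Line1/Mixer")   # exclude a subset
    m.set_permission("Operators", "Common > Delete", False, "/Line1")
    m.set_permission("bob", "Common > Delete", True, "/Line1/Oven")          # explicit on the object
    return m


if __name__ == "__main__":
    m = sample_model()
    for user, action, res in [("bob", "Common > Write", "/Line1/Mixer"),
                              ("alice", "Common > Write", "/Line1/Mixer"),
                              ("erin", "Common > Write", "/Line1/Hopper"),
                              ("bob", "Common > Delete", "/Line1/Oven"),
                              ("bob", "Common > Delete", "/Line1/Hopper")]:
        ok, why = m.decide(user, action, res)
        print(f"{user:<6} {action:<16} {res:<14} -> {ok} via {why}")
```

decide() also returns the entry that settled the question, which is what an administrator needs when a user reports being locked out: the Trainees Deny on the Mixer is the reason alice cannot write there even though her Operators membership allows writes everywhere else in the area. Removing the Operators Allow at /Line1 takes write access from bob, alice and erin in one step, which is the "remove Allow rather than add Deny" practice above.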
Audit trails and regulatory compliance
To achieve compliance in regulated industries, the plant might be required to
keep records that answer these questions:
Log information about user and system activity to diagnostic log files
Logging information consists of two steps:
See also
Monitor security-related events on page 90
Audit policies on page 87
Configure a computer to be the FactoryTalk Directory network server
FactoryTalk Services Platform configures a network directory and a local
directory on every computer where it is installed.
Use a network directory to organize project information and security settings
from multiple FactoryTalk products across multiple computers on a network.
Configure a computer to be the network directory server
After installing and activating FactoryTalk software, specify one computer on
the network as the network directory server. All computers on the network
can share FactoryTalk network directory services and resources.
After configuring the network directory server, configure the client
computers on page 42 to reference the network directory.
Manage users
Use FactoryTalk Administration Console to add and delete FactoryTalk
Directory and Windows-linked user on page 46 accounts. User accounts exist
only in the FactoryTalk Directory where the account was created.
Management of FactoryTalk user accounts includes:
• View users' historical usage on page 59 of the FactoryTalk system
• Adding group memberships to the user account on page 48
• Editing the user's name and description
• Associating an email address with the user's account
• Setting user password options
• Changing the user account password
• Enabling, disabling, or unlocking the user account
• Resetting the account password
Use Windows administrative tools to edit Windows-linked user accounts.
IMPORTANT Managing users requires explicit permissions. To verify permissions, in FactoryTalk
Administration Console Explorer, expand System, then right-click Users and Groups
and select Security. Confirm the permissions listed in the prerequisites for the task are
present with the logged in user account.
Add a FactoryTalk user account
To create a user account that is separate from a user's Windows account on
page 46, add a FactoryTalk Directory account. FactoryTalk Directory accounts
are managed by the FactoryTalk Administrator and specify the account's
identity, account policy, and group membership independent of the Windows
account settings.
Prerequisites
Obtain these permissions for the Users folder in the Explorer window:
• Common > Create Children
• Common > List Children
• Common > Read
Prerequisites
Adding a Windows-linked user account requires these permissions:
• Common > Create Children
• Common > List Children
• Common > Read
See also
Add a FactoryTalk user account on page 45
Delete a user account on page 49
Add group memberships to a user account on page 48
Remove group memberships from a user account on page 48
Manage users on page 45
Add group memberships to a user account
To quickly change the permissions on page 185 for a user account to those of
an existing FactoryTalk user group, assign the user account to the user group
on page 51. New group memberships take effect only when the user logs off
FactoryTalk and then logs on again.
Prerequisites
Changing the group memberships of a user account requires these
permissions:
• Common > List Children
• Common > Read
• Common > Write
Prerequisites
Deleting a user account that is a member of a user group requires these
permissions:
• Common > Delete
• Common > List Children
• Common > Read
• Common > Write
Deleting a user account that is not a member of a user group requires these
permissions:
• Common > Delete
• Common > List Children
• Common > Read
Manage user groups Use FactoryTalk Administration Console to add and delete FactoryTalk and
Windows-linked user group accounts. Add both FactoryTalk and
Windows-linked user accounts to FactoryTalk user group accounts.
Windows-linked user groups, and the user accounts they contain, can move
from one domain to another while keeping security permissions for the group
accounts intact.
FactoryTalk Services Platform includes these built-in user groups:
Group Name Description
Administrators Add user accounts to the Administrators user group to grant those user
accounts full control of areas, applications, users, and groups in the
FactoryTalk Directory. These permissions are defined by default.
Engineers No users or permissions are defined by default in FactoryTalk Services
Platform. Other software may use this group to establish permission sets.
Maintenance No users or permissions are defined by default in FactoryTalk Services
Platform. Other software may use this group to establish permission sets.
See also
Add a FactoryTalk user group on page 52
Add a Windows-linked user group on page 53
Add accounts to a FactoryTalk user group on page 56
Add a FactoryTalk user group
Create a new FactoryTalk user group to administer security permissions for
specified users as a group. Change the memberships of a user account to
quickly change the resources a user can access.
Prerequisites
Adding a FactoryTalk user group requires these permissions:
• Common > Create Children
• Common > List Children
• Common > Read
Prerequisites
1. Connect the computer to the Windows domain containing the user
groups to add to the FactoryTalk Directory.
2. Obtain these permissions in the User Groups folder in FactoryTalk
Administration Console Explorer:
• Common > Create Children
• Common > List Children
• Common > Read
Edit or view user group properties
Modify the properties of a FactoryTalk user group on page 52 account that is
not linked to a Windows user group on page 53 account. View the properties
of a Windows-linked user group account. The name of a user group cannot
change.
Group memberships added to a user group account take effect only when the
user logs off FactoryTalk and then logs on again.
Prerequisites
Editing or viewing user group properties requires these permissions:
Prerequisites
Deleting a user group account that has no members requires these
permissions:
• Common > Delete
• Common > List Children
• Common > Read
Deleting a user group account that has members requires these permissions:
• Common > Delete
• Common > List Children
• Common > Read
Manage computers
Use FactoryTalk Administration Console to manage the computer accounts in
a FactoryTalk network directory. The FactoryTalk local directory does not
make use of computer accounts because all activity on the directory is
restricted to the local computer.
Note: Starting from version 6.31.00, FactoryTalk Services Platform provides Historical Usage to manage
computers in the FactoryTalk system.
Add a computer
To allow a computer to access the FactoryTalk system, add a computer to a
FactoryTalk network directory. After adding the computer account, specify
security settings for the computer that allow or deny access to parts of the
FactoryTalk system or add the computer to a group account, and then specify
security settings for the group.
IMPORTANT Even if the security policy Require computer accounts for all client machines is
disabled, you must still create computer accounts for any computers hosting servers —
for example, Terminal Servers, Rockwell Automation Device Servers (FactoryTalk Linx),
OPC data servers, Tag Alarm and Event Servers, or HMI servers.
Prerequisites
Adding computer accounts requires these permissions:
• Common > Create Children
• Common > List Children
• Common > Read
Prerequisites
Deleting a computer account that is not a member of a computer group
requires these permissions:
• Common > Delete
• Common > List Children
• Common > Read
Deleting a computer account that is a member of a computer group requires
these permissions:
• Common > Delete
• Common > List Children
• Common > Read
• Common > Write
To delete a computer
• In FactoryTalk Administration Console Explorer, expand System >
Computers and Groups > Computers, right-click the computer
account, and then select Delete.
You can also use Historical Usage on page 59 to delete on page 62 a
computer.
Edit or view computer properties
Modify the name of a computer, its description, and the computer groups to
which it belongs in General Computer Properties.
Prerequisites
Editing or viewing computer properties requires these permissions:
Historical Usage
How do I open Historical Usage?
1. Open FactoryTalk Administration Console.
2. Select Tools > View Historical Usage.
FactoryTalk Services Platform provides Historical Usage to make FactoryTalk
users, Windows-linked users, and computers in the FactoryTalk system easier
to manage. To use Historical Usage, you must configure Feature Security of
FactoryTalk Administration Console to grant the required permissions on
page 60. Historical Usage has two tabs:
• Users tab
• Computers tab
IMPORTANT • Historical Usage will not display information for Windows users that are members of
Windows-linked groups that have been added to the FactoryTalk Directory.
• You can only use Historical Usage to delete a Windows-linked user from the FactoryTalk
Directory. It is not available to disable and enable a Windows-linked user using
Historical Usage.
• You must have the List Children and Read permission for the Computers and Users
folder.
Configure feature security
Use Feature Security to manage user access to viewing the historical usage.
5. Select OK.
Users tab
The Users tab shows by default when Historical Usage is opened. Use the
Users tab to:
• View the historical usage of users
• Disable a user
• Enable a user
• Delete a user
• Filter the historical usage of users
• Sort the historical usage of users
Items on the Users tab
The items on the Users tab and their meanings:
• Refresh: Refreshes the historical usage of users as found in the
FactoryTalk system.
• Enable: Enables a FactoryTalk user account when it is disabled.
• Disable: Disables a FactoryTalk user account to prevent a user from
logging on.
• Delete: Deletes a user account from the FactoryTalk Directory.
• Clear All Filters: Reverts to the original state.
• Help: Opens Help.
• Rows 0 of 0: Shows the filter results among the total users. For example,
when the filter results' number is 2 and the total users' number is 5, it
shows Rows 2 of 5.
Meanings of the column headings on the Users tab
The column headings on the Users tab and their meanings:
• User name: Shows the user account name.
• Full name: Shows the full name of a user account.
Disable a user account with Historical Usage
Use Historical Usage to disable a FactoryTalk user account to prevent a user
from logging on.
Computers tab
The Computers tab shows the historical usage of computers in the FactoryTalk
system. Use the Computers tab to:
• View the historical usage of computers
• Delete a computer
• Filter the historical usage of computers
• Sort the historical usage of computers
Items on the Computers tab
The items on the Computers tab and their meanings:
• Refresh: Refreshes computers' historical usage as found in the
FactoryTalk system.
• Delete: Deletes a computer from the FactoryTalk network directory
to remove its access to the FactoryTalk system.
• Clear All Filters: Reverts to the original state.
• Help: Opens Help.
• Rows 0 of 0: Shows the filter results among the total computers. For
example, when the filter results' number is 2 and the total computers'
number is 5, it shows Rows 2 of 5.
• Connected: Shows the connected computers among the total computers.
Meanings of the column headings on the Computers tab
The following table shows the meanings of the column headings on the
Computers tab.
Delete a computer with Historical Usage
Use Historical Usage to delete a computer from the FactoryTalk network
directory.
To delete a computer
1. On the Computers tab, select the computers that you want to delete.
2. Select Delete.
When the warning message prompts, select OK.
Filter records in Historical Usage
Use filters to search for a record associated with a user or a computer, such as
the last logon time, the user name, and the status.
To filter records
1. On the Users tab or the Computers tab, hover over a column heading.
The Filter button appears.
2. Select the Filter button, and then configure the filter conditions.
3. Select OK.
Meanings of the filter conditions in Historical Usage
The following table shows the meanings of the filter conditions in Historical
Usage.
Sort records in Historical Usage
Use Historical Usage to sort records in ascending or descending order for
each column.
To sort records
• On the Users tab or the Computers tab, click a column heading.
The Sort icon appears.
Add and remove user-computer pairs
Security for FactoryTalk resources is always tied to users or groups of users,
the actions the users perform (for example, read, write, and so on), and the
computers or groups of computers where the users work.
This ensures that only authorized personnel can perform actions on the
equipment and resources in the system from appropriate locations, for
example, computers located within line of sight of equipment.
Available options are:
• Add a user-computer pair on page 65
• Remove a user-computer pair on page 66
See also
Add a user-computer pair on page 65
Remove a user-computer pair on page 66
Prerequisites
• Obtain the appropriate permissions to specify security settings on the
selected resource.
Prerequisites
• Obtain the appropriate permissions to specify security settings on the
selected resource.
Prerequisites
Obtain these permissions in the Users folder in FactoryTalk Administration
Console Explorer:
• Common > List Children
• Common > Read
• Common > Write
Add and remove action groups
To avoid setting permissions for individual actions, group actions together to
grant or deny permissions for a set of actions in one step.
When adding an action group, decide:
• The name of the action group
• What actions belong to that group
Use action groups to assign permissions based on any convenient grouping.
For example:
• A person's role or job (operator, supervisor, maintenance engineer, and
so on)
• The equipment a person has access to (hoppers, mixers, ovens, and so
on)
When setting security using action groups:
• Add an action group on page 69
• Add actions to an action group on page 70
• Remove actions from an action group on page 71
• Delete an action group on page 70
Add an action group Group actions together to grant or deny permissions for a set of actions in
one step rather than having to set permissions for each action separately.
When adding an action group, decide:
• The name of the action group
• What actions belong to that group
Prerequisites
Obtain these security permissions for the Action Groups folder in Explorer:
• Common > Read
• Common > List Children
• Common > Create Children
• Common > Write
Prerequisites
1. Before deleting an action group, back up the FactoryTalk Directory on
page 141.
2. Deleting an action group requires these security permissions for the
Action Groups folder:
• Common > Read
• Common > List Children
• Common > Delete
Prerequisites
Adding an action on page 190 to an action group requires these permissions
for the Action Groups folder in FactoryTalk Administration Console Explorer:
• Common > Read
• Common > List Children
• Common > Create Children
• Common > Write
Prerequisites
Removing an action on page 190 from an action group requires these security
permissions for the Action Groups folder in FactoryTalk Administration
Console Explorer:
• Common > Read
• Common > List Children
• Common > Create Children
• Common > Write
Set system policies to manage settings that apply across the entire FactoryTalk
system. Policy settings are separate in the network directory and the local
directory.
Navigate to System > Policies > System Policies to view and edit the
following:
• Application Authorization
Determines whether applications can access the FactoryTalk Directory.
• User Rights Assignment
Determines which users can perform system-wide actions, such as
backing up and restoring the contents of the FactoryTalk Directory,
changing the directory server computer, performing a manual
switchover to a redundant server, and modifying the security authority
identifier.
• Live Data Policy
Determines the default communications protocol for a distributed
FactoryTalk system.
• Health Monitoring Policy
Defines the parameters that the health monitoring service uses when
determining if a network error occurred and how long to wait before
switching to a standby server.
• Audit Policy
Defines which activities generate an audit message.
• Security Policy
Defines the security policies applied to FactoryTalk account, divided
into these categories: account policy, computer policy, directory
protection policy, password policy, and single sign-on policy. These
policies do not apply to Windows-linked accounts. Define policies for
Windows-linked accounts in Windows.
See also
Authorize an application to access the FactoryTalk Directory on page
74
FactoryTalk Service Application Authorization settings
Use FactoryTalk Service Application Authorization settings to authorize the
applications that have access to FactoryTalk Directory on page 74.
If the Verify Publisher Info option is selected, applications that are not signed
by Rockwell Automation or Microsoft are not allowed access to FactoryTalk
Directory.
The Application Authorization policy controls access by monitoring the
information of each application that is requesting a service token from
FactoryTalk. To configure the Application Authorization policy, log into
FactoryTalk with an account that is a member of the FactoryTalk
Administrators group.
To sort the application list by process name, version number, computer name,
publisher, or access allowed status, select the corresponding column header.
The columns in the application list:
• Process: Shows the process name of the application that is requesting a
service token. Some applications are required by FactoryTalk and cannot
be removed or denied. These entries appear with gray text in the list.
• Version: Shows the version number of the application that is requesting a
service token.
• Computer: Shows the computer name where the application runs.
• Publisher Info: Shows the publisher name of the application. If no
certificate exists, the cell displays None. To view the detailed publisher
certificate information on page 77, select the desired cell in this column.
Use these settings to specify how FactoryTalk allows access to the FactoryTalk
Directory.
• Enable Default Access: Determines whether new applications are
automatically allowed access to FactoryTalk Directory. Default: Enabled.
To disable the default access, clear the check box; all new applications
are then automatically denied access. If the default access of a
FactoryTalk Directory server is disabled, you can still configure your local
computer to join the directory server.
• Verify Publisher Info: Determines whether to verify the publisher
certificate information of FactoryTalk applications. If enabled,
FactoryTalk Services Platform verifies whether the application requesting
a service token is signed by Rockwell Automation or Microsoft; any
application not signed by them fails to receive a service token. Default:
Disabled. When the check box is cleared, FactoryTalk Services Platform
does not verify the publisher information and applications are controlled
only by their Access Allowed settings. Some earlier versions of Microsoft
applications (for example, msiexec.exe) and FactoryTalk products were
not signed when released; the publisher information on these
applications may fail verification.
• Remove: Removes one or more applications from the list; select the
entries and select Remove. Some applications are required by
FactoryTalk and cannot be removed or denied. These entries appear with
gray text in the list. When removing one or more of these required
entries, a warning message indicates that the required entries were not
removed.
• Refresh: Refreshes the list to show the latest applications. When
refreshing the list, if a newer version of an existing application from the
same computer is found, the entry is updated to reflect the new version
or certificate information. Save your changes before refreshing; unsaved
changes are lost when the list is refreshed.
• Check All: Selects all applications to grant them access to the
FactoryTalk Directory.
• Uncheck All: Clears all applications to revoke access to the FactoryTalk
Directory. Some applications are required by FactoryTalk and cannot be
cleared. These entries appear with gray text in the list.
Publisher Certificate Information
Use Publisher Certificate Information to view digital signature details on
page 77 and verify the identity and authenticity of software.
• Issued to: Shows the publisher name (or a portion of the name) of the entity to which the certificate is issued.
• Issued by: Shows the name (or a portion of the name) of the issuer.
• Status: Shows the status of the certificate, for example, valid, revoked, or expired.
• Serial #: Shows the unique serial number (or a portion of the serial number) of the certificate.
• Date signed: Shows the date when the binary was signed.
• Valid from: Shows the beginning date of the period for which the certificate is valid.
• Valid to: Shows the ending date of the period for which the certificate is valid.
Digitally signed FactoryTalk products
FactoryTalk Services Platform 2.51 or later can verify whether an application
requesting a service token is signed by Rockwell Automation. Access to
FactoryTalk Directory on page 74 is denied if the application is not signed by
Rockwell Automation.
Some earlier versions of FactoryTalk products were not signed when released.
These products may fail to verify the publisher information on page 77.
This list shows the version since which each FactoryTalk product is signed:
• FactoryTalk Administration Console: 2.10.01
• FactoryTalk Administration Console: 2.31.00
• FactoryTalk Batch: 11.00
• eProcedure®: 11.00
• FactoryTalk Linx: 5.20
• FactoryTalk Linx Gateway: 3.02
• FactoryTalk Historian SE: 3.0
• FactoryTalk Metrics: 9.10
• FactoryTalk Transaction Manager: 9.10
• FactoryTalk View ME: 5.10
• FactoryTalk View SE: 5.10
• Logix Designer: 21.00
• RSLinx Classic: 2.54
• RSLogix 5: 7.40
• RSLogix 500: 8.10
• RSLogix 5000: 18.00
Authorize a service to use FactoryTalk Badge Logon
Use FactoryTalk Badge Authorization to authorize services to use the
FactoryTalk Badge Logon function.
The service that requests access to use the FactoryTalk Badge Logon function
must be trusted by Rockwell Automation. Be aware that selecting Badge Only
as the system Login method allows access to the system without
authenticating the native FactoryTalk user: the system grants access solely on
the identity of the badge, so possession of the badge alone is sufficient to log
on. To maintain a strong security posture, we recommend requiring a
password in addition to the badge, that is, select Password and Badge as the
system Login method. Note that the Badge Only system Login method cannot
be used with Windows-linked users.
Note: To configure the Badge Authorization policy, log on to FactoryTalk with an account that is a
member of the FactoryTalk Administrators group.
FactoryTalk Badge Authorization settings
To sort the service list by process name, select the column header.
• Process: Shows the process name of the service that is requesting access
to use the FactoryTalk Badge Logon function. The FactoryTalk services
themselves are not displayed in the list.
Use these settings to specify how FactoryTalk allows access to the services
that request to use the FactoryTalk Badge Logon function:
• Add. Opens the Select Application dialog box to select a service that is
requesting the FactoryTalk Badge Logon function.
• Remove. Removes one or more services that are using the FactoryTalk
Badge Logon function.
Assign user rights to make system policy changes
In User Rights Assignment Policy Properties, specify which users are
permitted to:
• Back up or restore FactoryTalk Directory, the System folder, or
applications
• Change the FactoryTalk Directory server computer
• Switch between primary and secondary servers in a redundant pair
(for example, HMI servers, or data servers)
• Modify the security authority identifier
Policy settings are completely separate in the network directory and local
directory. The network directory and local directory also have different default
policy settings.
User Rights Assignment
How do I open User Rights Assignment Policy Properties?
Select a user or group
Use Select User or Group to select a user account or FactoryTalk user group
account. You can then specify security settings for the user or group.
Use the options under Filters to show only users, only user groups, or all
accounts you may add to the group.
See also
Manage user groups on page 51
Accounts and groups on page 18
Account types on page 19
Change the default communications protocol
To change the default communications protocol for a distributed FactoryTalk
system, use Live Data Policy Properties.
Change this setting only if necessary, for example if the system experiences
communications problems and troubleshooting requires switching to DCOM.
Live Data Policy Properties
How do I open Live Data Policy Properties?
1. In FactoryTalk Administration Console Explorer, expand System >
Policies > System Policies.
2. Right-click Live Data Policy and select Properties.
Use the Policy Settings tab of Live Data Policy Properties to select a default
communications protocol for a distributed FactoryTalk system on page 82.
This setting on page 83 affects communications between client and server
services and between the FactoryTalk Directory and servers on the network.
This setting is considered a "default". If the FactoryTalk Live Data service
detects that some components on the network are not compatible with the
selected policy setting, the service overrides the policy and uses whichever
setting is most likely to ensure uninterrupted communications. For example,
for third-party servers and RSLinx Classic, FactoryTalk Live Data does not
attempt a TCP/IP connection and always uses DCOM.
Change this setting only if necessary, such as if the system is experiencing
communications problems and it is necessary to switch to DCOM for
troubleshooting purposes. Thoroughly test communications before deploying
this change to a running production system. Many factors affect
communications, including firewalls, closed ports, and differences in network
architectures and configurations.
IMPORTANT Changing this policy setting can have unexpected results. Do not change this setting in a
running production system. For changes to take effect, shut down and restart all
computers on the network.
Set network health monitoring policies
Use Health Monitoring Policy Properties to fine-tune the parameters that the
system uses when determining whether a network failure is occurring and
how long to wait before switching to a Standby server.
A network failure occurs when a server is temporarily unable to communicate
with other computers because of network traffic and fluctuations. During a
network failure, even though the computers in the redundant server pair
cannot communicate, the active server remains active and the standby server
remains on standby.
Tip: Changing health monitoring policy settings can have unexpected results. The preset default settings
typically provide optimal efficiency for most networks.
Set audit policies
Use Audit Policy Properties to specify what security-related information is
recorded while the system is being used. Audit policies on page 87 include
whether access checks are audited, whether access grants, denies, or both are
audited, and so on. Audit messages are sent to FactoryTalk Diagnostics, and
are viewed using the FactoryTalk Diagnostics Viewer.
See also
Set audit policies on page 86
Audit trails and regulatory compliance on page 38
Audit policies on page 87
Monitor security-related events
Monitor security-related events to find out if changes are made to security
policies or other objects, who made the changes, and when they were made.
Monitor security-related events by setting up audit policies.
In a FactoryTalk automation system, Rockwell Automation software products
monitor system activity and generate detailed diagnostic messages.
Meanwhile, FactoryTalk Diagnostics collects these activity, warning, error,
and audit messages from all participating products throughout a distributed
system and routes them to Local Logs on each computer. Depending on the
products installed and the configuration options set, FactoryTalk Diagnostics
can also route these messages to other centralized logging destinations, such
as an ODBC database or FactoryTalk® AssetCentre Audit Log.
See also
Set audit policies on page 86
Example: Audit messages
If the setting Audit changes to configuration and control system is enabled in
Audit Policy, audit messages are generated when any configuration and
control system changes occur across the FactoryTalk system.
Examples of messages for adding and removing control system components:
• Added area [Line2] to application [Network/Paper Mill]
• Removed area [Line1b] from application [Network/PaperMill]
• Added graphic display [Overview] to area [Network/Paper Mill/Line2]
• Removed user [BBilly] from directory [Network/System]
• Downloaded project [PASTEURIZE] to processor
[/NetworkPath/Line1]
• Inserted rung [XIC B3/0 OTE B3/0] in processor [XYZ/File 2/Rung 10]
Examples of messages for modifying control system values:
• Modified properties of user [JSmith] in directory [Network/System]
See also
Audit policies on page 87
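As an added example that is not part of this guide, the following Python parses audit messages in the shape quoted above and groups them so that account and controller changes stand out when reviewing a FactoryTalk Diagnostics export. The sample lines are constructed, and the triage categories are this example's own, not a FactoryTalk concept.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the shape of the audit messages quoted above;
# they are not captured from a real FactoryTalk Diagnostics log.
SAMPLE_AUDIT_MESSAGES = [
    "Added area [Line2] to application [Network/Paper Mill]",
    "Removed area [Line1b] from application [Network/PaperMill]",
    "Added graphic display [Overview] to area [Network/Paper Mill/Line2]",
    "Removed user [BBilly] from directory [Network/System]",
    "Downloaded project [PASTEURIZE] to processor [/NetworkPath/Line1]",
    "Inserted rung [XIC B3/0 OTE B3/0] in processor [XYZ/File 2/Rung 10]",
    "Modified properties of user [JSmith] in directory [Network/System]",
]

# Message shape: <verb> [properties of] <object type> [<name>] to|from|in <container type> [<container>]
_AUDIT_RE = re.compile(
    r"^(?P<verb>Added|Removed|Modified|Downloaded|Inserted)\s+"
    r"(?:properties of\s+)?"
    r"(?P<obj_type>[a-z][a-z ]*?)\s+\[(?P<obj_name>[^\]]*)\]\s+"
    r"(?:to|from|in)\s+"
    r"(?P<container_type>[a-z][a-z ]*?)\s+\[(?P<container>[^\]]*)\]$"
)


@dataclass
class AuditEvent:
    verb: str
    obj_type: str
    obj_name: str
    container_type: str
    container: str


def parse_audit_message(line: str) -> Optional[AuditEvent]:
    """Return the structured event, or None if the line is not in the expected shape."""
    m = _AUDIT_RE.match(line.strip())
    if m is None:
        return None
    return AuditEvent(m["verb"], m["obj_type"], m["obj_name"],
                      m["container_type"], m["container"])


def classify(event: AuditEvent) -> str:
    """Triage category (assumed for this example, not a FactoryTalk concept)."""
    if event.obj_type == "user":
        return "account-change"       # who can log on, or their properties, changed
    if event.container_type == "processor":
        return "controller-change"    # project download or logic edit in a controller
    if event.obj_type in ("area", "application", "graphic display"):
        return "structure-change"     # directory/application layout changed
    return "other"


def triage(lines: List[str]) -> Tuple[List[Tuple[str, AuditEvent]], List[str]]:
    """Parse every line; return (classified events, lines that did not parse)."""
    events: List[Tuple[str, AuditEvent]] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_audit_message(line)
        if ev is None:
            unparsed.append(line)      # keep malformed lines for review, never drop them
        else:
            events.append((classify(ev), ev))
    return events, unparsed


def count_by_category(lines: List[str]) -> Dict[str, int]:
    """Number of parsed events per triage category."""
    counts: Dict[str, int] = {}
    for category, _ in triage(lines)[0]:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, ev in triage(SAMPLE_AUDIT_MESSAGES)[0]:
        print(f"{category:17} {ev.verb} {ev.obj_type} [{ev.obj_name}] -> {ev.container}")
```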
Set system security policies
Use Security Policy Properties to define general rules for implementing
security across all FactoryTalk products in the system. To modify security
policies, obtain the appropriate permissions for the System Policies folder in
the Explorer.
• Account Policy Settings: Specifies how FactoryTalk manages policies
for user, computer, and group accounts.
• Badge Policy Settings: Specifies how FactoryTalk user accounts can log
on using a Radio-Frequency-Identification (RFID) badge.
• Computer Policy Settings: Specifies how computer accounts in the
FactoryTalk network directory can use remote access.
• Directory Protection Policy Settings: Specifies client computer
accounts usage of the FactoryTalk network directory.
• DNS Alias Name: Specifies a DNS alias name associated with a
computer hosting the FactoryTalk Directory server.
• Event System Settings: Specifies the communication settings in the
FactoryTalk event system.
• Password Policy Settings: Specifies password requirements for
FactoryTalk user accounts.
• Single Sign-On Policy Settings: Specifies whether users can log on
once to the FactoryTalk system or must log on to each FactoryTalk
product separately.
• Web Authentication/Authorization Server: Specifies security settings
for FactoryTalk-enabled software web applications.
See also
Modify Account Policy Settings on page 92
Modify Computer Policy Settings on page 94
Modify Account Policy Settings
Use Account Policy Settings to change these security policy properties:
See also
Account Policy Settings on page 105
Audit trails and regulatory compliance on page 38
Enable single sign-on on page 101
Modify Badge login policies
Use Badge Login Policy Settings to specify how FactoryTalk user accounts
can log in using an RFID badge. Badge login policies include whether login
using a badge is enabled, whether facility codes are required, the badge
provider, and the data format used by the badge. After this policy is enabled
and configured, login options are available in FactoryTalk user account
properties and Badge IDs can be added to the FactoryTalk user account.
See also
Badge Login Policy Settings on page 106
Modify Computer Policy Settings
Use Computer Policy Settings to change these security policy properties:
• Whether or not a user can connect to the FactoryTalk Directory from a
client computer that does not have a computer account in the network
directory
• How client computers connect to the FactoryTalk Directory through
Remote Desktop Services, and how the computer name appears in the
FactoryTalk Diagnostics log of actions.
These settings apply only to computers in the FactoryTalk network directory
because the FactoryTalk local directory does not permit remote access.
See also
Computer Policy Settings on page 107
Enable single sign-on on page 101
Modify Directory Protection Policy Settings
Use Directory Protection Policy Settings to change the security policy
properties that determine:
• If computers with FactoryTalk versions less than 2.50, which are
considered non-secure, can access a directory server with FactoryTalk
CPR 9 SR5 or later, and if so, whether or not an audit message is
generated
• How long cache files remain available after a client computer
disconnects from the server, and if a warning message displays
These settings apply only to computers in the FactoryTalk network directory.
See also
Computer Policy Settings on page 107
Enable single sign-on on page 101
Configure a FactoryTalk Directory using a DNS alias name
Beginning with FactoryTalk Services Platform version 6.30.00, you can use a
DNS alias name, or CNAME, to specify the FactoryTalk Directory server on
each client computer. By altering the computer name associated with the
DNS alias name, the FactoryTalk Directory server association can be changed
without reconfiguring the FactoryTalk Directory association of each client
computer. The DNS alias name is created and maintained in the DNS server.
This capability allows you to switch from an old to a new FactoryTalk
Directory server with minimal effort and impact to the system.
IMPORTANT This function requires FactoryTalk Linx version 6.30.00 or later.
Prerequisites
• Ensure that an existing DNS alias name is associated with the
computer hosting the FactoryTalk Directory server in the DNS server.
Switch a computer hosting the FactoryTalk Directory server
This capability allows you to provision a new FactoryTalk Directory server in
parallel with an existing server. If you specify the FactoryTalk Directory server
on each client computer using a DNS alias name, you don't have to
reconfigure each FactoryTalk Directory client computer after switching over
from the existing FactoryTalk Directory server to the new one.
Prerequisites
• Ensure that the existing FactoryTalk Directory server is associated
with a DNS alias name.
Assign a client computer to a new FactoryTalk Directory server
Using a DNS alias name to switch to a new FactoryTalk Directory server can
reduce the effort and impact to the system in the future.
To assign a client computer to a new FactoryTalk Directory server
1. On the client computer, open FactoryTalk Administration Console.
2. On the menu bar, select Tools > FactoryTalk Directory Server
Options....
3. In FactoryTalk Directory Server Location Utility, select Browse.
4. In FactoryTalk Directory Server Configuration, select Remote
computer, and then enter the DNS alias name associated with the
computer hosting the FactoryTalk Directory server.
5. Select OK.
Modify Event System Settings
Use Event System Settings to specify the communication settings on page 112
between the FactoryTalk Web Event Server and the Rockwell Event Server
and the Rockwell Event Multiplexer.
Modify Password Policy Settings
Use Password Policy Settings to set security policy properties that control the
conditions for a valid FactoryTalk password, such as minimum and maximum
password length, password encryption method, password complexity
requirements, and when a password expiration warning is given.
These policies do not apply to Windows-linked user accounts. Backing up the
FactoryTalk system folder before making changes to Password Policy Settings
is recommended.
IMPORTANT Be aware of these items before modifying Password Policy Settings:
• Previous releases used the MD5 cryptographic hashing algorithm to encode passwords.
If compatibility with FactoryTalk Services Platform version 3.00 or earlier is required,
the MD5 password encryption method must be selected.
MD5 is an older algorithm that has known security vulnerabilities. Using the SHA-256
encryption method is recommended.
• If Passwords must meet complexity requirements is set to Enabled, the minimum
password length is 6 characters and cannot be decreased using the Minimum
password length setting. Setting Minimum password length to a value greater than
6 is enforced.
See also
Password Policy Settings on page 112
Add a FactoryTalk user account on page 45
Back up a System folder on page 144
Enable single sign-on
Use Single Sign-On Policy Settings to configure security policy properties to
enable single sign-on capability. When single sign-on is enabled, only one
logon per directory, on a given computer is allowed. Once logged on, all
participating FactoryTalk products that run in that directory on that
computer automatically use those same security credentials.
See also
Disable single sign-on on page 102
Disable single sign-on
To require users to log into each FactoryTalk product separately, configure
Single Sign-On Policy Settings to disable single sign-on capability.
See also
Enable single sign-on on page 101
Modify Web Authentication/Authorization Server
Use Web Authentication/Authorization Server to set security policies for
FactoryTalk-enabled software web applications.
To modify Web Authentication/Authorization Server
1. In FactoryTalk Administration Console Explorer, go to localhost >
System > Policies > System Policies.
2. Double-click Security Policy.
3. In FactoryTalk Web Authentication port, enter a port number for the
FactoryTalk-enabled software web applications.
The default port is 7110.
4. In FactoryTalk Web Support Service port, enter a port number for the
FactoryTalk Web Support Service.
The default port is 7111.
5. In Reverse Proxy port, enter the website port number for computers
using the FactoryTalk Reverse Proxy Server.
If you are using HTTPS, the default port is 443.
If you are using HTTP, the default port is 80.
6. In Reverse Proxy protocol, select HTTPS or HTTP.
If Reverse Proxy port or Reverse Proxy protocol is changed, the
system will make changes to Site Bindings in the Internet Information
Services (IIS) Default Web Site. If you use TLS to secure the
communication, you may need to reconfigure the TLS certificate.
7. In Access token expiration, enter a value from 1 through 52,600 minutes
to change the amount of time before the access token expires.
8. In Authorization code expiration, enter a value from 1 through 1,440
minutes to change the amount of time before the authorization code expires.
9. In Refresh token expiration, enter a value from 1 through 1,440 minutes
to change the amount of time before the refresh token expires.
10. Select Apply, and then select OK.
Restart the computer to apply the configuration changes.
FactoryTalk Reverse Proxy
A reverse proxy retrieves resources on behalf of a client from one or more
servers. These resources are then returned to the client, appearing as if they
originated from the reverse proxy server itself. Beginning with FactoryTalk
Services Platform version 6.30.00, FactoryTalk Reverse Proxy is available for
FactoryTalk software, such as FactoryTalk AssetCentre or FactoryTalk
ViewPoint. You can use FactoryTalk Reverse Proxy to:
• Prevent a Cross-Origin Resource Sharing (CORS) behavior that affects
FactoryTalk-enabled software web applications.
Defaults:
• For the Network Directory, 3 invalid logon attempts.
• For the Local Directory, 3 invalid logon attempts.
Account lockout auto reset Specifies the amount of time that must expire before a locked account is
reset, allowing the user to attempt access again. Type a value between 0
and 999 minutes to specify the amount of time a user must wait before using
the account again to gain access to the system.
If set to 0, locked accounts are not reset automatically. A FactoryTalk
administrator must unlock the account manually.
Minimum: 0 minutes
Maximum: 999 minutes
Default: 15 minutes
See also
Modify Account Policy Settings on page 92
Audit trails and regulatory compliance on page 38
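As an added illustration that is not the guide's own code, the following Python models how the Account lockout auto reset value behaves, including the 0 (manual unlock only) case. The three-attempt threshold and the 15-minute default come from the settings above; the timeline is constructed, and the assumption that a successful logon clears the failure count is this example's own.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple


class AccountLockoutPolicy:
    """Lockout settings as documented above: 3 invalid attempts, auto reset 0..999 minutes."""

    def __init__(self, invalid_logon_attempts: int = 3, auto_reset_minutes: int = 15):
        if not 0 <= auto_reset_minutes <= 999:
            raise ValueError("Account lockout auto reset must be between 0 and 999 minutes")
        if invalid_logon_attempts < 1:
            raise ValueError("invalid logon attempt threshold must be at least 1")
        self.invalid_logon_attempts = invalid_logon_attempts
        self.auto_reset_minutes = auto_reset_minutes   # 0 = never reset automatically


class Account:
    def __init__(self, name: str, policy: AccountLockoutPolicy):
        self.name = name
        self.policy = policy
        self.failed_attempts = 0
        self.locked_at: Optional[datetime] = None

    def _reset(self) -> None:
        self.failed_attempts = 0
        self.locked_at = None

    def is_locked(self, now: datetime) -> bool:
        """True while the lock is in force; a 0-minute policy never expires on its own."""
        if self.locked_at is None:
            return False
        if self.policy.auto_reset_minutes == 0:
            return True                       # only admin_unlock() clears this
        reset_at = self.locked_at + timedelta(minutes=self.policy.auto_reset_minutes)
        if now >= reset_at:
            self._reset()                     # the wait has elapsed: lock lifts automatically
            return False
        return True

    def record_logon(self, credentials_valid: bool, now: datetime) -> bool:
        """Apply one logon attempt; return True if the logon is granted."""
        if self.is_locked(now):
            return False                      # rejected even with the right password
        if credentials_valid:
            self._reset()                     # ASSUMPTION: success clears the failure count
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.invalid_logon_attempts:
            self.locked_at = now
        return False

    def admin_unlock(self) -> None:
        """The manual unlock a FactoryTalk administrator performs."""
        self._reset()


def simulate(auto_reset_minutes: int) -> Tuple[bool, bool, bool]:
    """Constructed timeline: three bad passwords at t0, then correct ones at +10 and +20 min.

    Returns (locked right after the third failure, granted at +10 min, granted at +20 min).
    """
    t0 = datetime(2024, 1, 1, 8, 0, 0)        # constructed timestamp
    acct = Account("JSmith", AccountLockoutPolicy(3, auto_reset_minutes))
    for i in range(3):
        acct.record_logon(False, t0 + timedelta(seconds=i))
    locked = acct.is_locked(t0 + timedelta(seconds=3))
    granted_10 = acct.record_logon(True, t0 + timedelta(minutes=10))
    granted_20 = acct.record_logon(True, t0 + timedelta(minutes=20))
    return locked, granted_10, granted_20


if __name__ == "__main__":
    print("auto reset 15 min:", simulate(15))   # lock lifts before the +20 min attempt
    print("auto reset 0 min: ", simulate(0))    # stays locked until an administrator acts
```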
See also
Modify badge login policies on page 93
Computer Policy Settings
Computer Policy Settings control how computer accounts can access the
FactoryTalk Directory remotely. These settings apply only to computer
accounts in the FactoryTalk network directory because the FactoryTalk local
directory does not permit remote access.
Setting Description
See also
Modify Computer Policy Settings on page 94
Directory Protection Policy Settings
The Directory Protection Policy Settings specify client computer accounts
usage of the FactoryTalk network directory.
Setting Description
Support non-secure clients Determines whether client computers with FactoryTalk versions earlier than 2.50
can access a directory server computer with FactoryTalk CPR 9 SR5 or later. The
policy is ignored if client computers are installed with FactoryTalk 2.50 or later.
Allow means client computers with FactoryTalk versions earlier than 2.50 can
connect to and retrieve information from a directory server computer with
FactoryTalk 2.50 or later.
Deny means only client computers with FactoryTalk 2.50 can connect to and
retrieve information from a directory server computer with FactoryTalk 2.50 or later.
Clients with FactoryTalk versions earlier than 2.50 are denied access and a
Protocol version mismatch error occurs.
Default: Allow
Disconnect the directory server from the network before changing this policy.
Reconnect to the network after applying the change. Otherwise, this policy is not
properly enforced.
Audit non-secure client connections Determines whether an audit message is created when client computers with
FactoryTalk versions earlier than 2.50 connect to a directory server computer with
FactoryTalk 2.50 or later.
Enabled means an audit message is created when a client computer with a
FactoryTalk version earlier than 2.50 connects to a directory server computer with
FactoryTalk 2.50 or later.
Disabled means an audit message is not created when a client computer with a
FactoryTalk version earlier than 2.50 connects to a directory server computer with
FactoryTalk 2.50 or later.
Default: Enabled
Directory cache expiration Determines how long the cache files remain available after the client computer is
disconnected from the server. Once this time elapses, reconnect to the directory
server to access the latest data files.
If set to 0, cache files never expire.
Minimum: 0 hours
Maximum: 9999 hours
Default: 0 hours
Directory cache expiration warning Determines when a warning notification displays in the notification area prior to the
directory cache expiring. Select FactoryTalk Directory in the notification area to
quickly view the time expiration information.
If set to 0, warnings do not appear prior to cache expiration. However, notifications
can be seen upon disconnection and cache expiration.
Minimum: 0 hours
Maximum: 24 hours
Default: 0 hours before expiration
See also
Modify Directory Protection Policy Settings on page 96
Cache expiration policies on page 110
Cache expiration policies
In FactoryTalk, rules for directory cache expiration are managed system-wide
by the Directory Protection Policy Settings security policy properties. These
policies determine:
• How long cache files remain available after the client computer
disconnects from the server
• If a warning displays before the directory cache expires
Directory cache expiration policies for a specific computer or group of
computers can be customized, for example to allow a group of laptop
computers to operate without a network connection for a longer time period,
or to let the cache never expire for one of the laptops. To override the
FactoryTalk network directory cache expiration policies, set directory cache
timeout policies for a computer group or an individual computer.
The directory cache timeout policies cannot be modified in a FactoryTalk local
directory.
Tip: The directory cache timeout policies are not supported if the client computer is installed with
FactoryTalk Services Platform version 2.40 or earlier.
See also
Modify Directory Protection Policy Settings on page 96
FactoryTalk Security on page 33
DNS Alias Name
Using DNS Alias Name to switch to a new FactoryTalk Directory server can
reduce the effort and impact to the system.
Setting Description
DNS alias name of the FactoryTalk Directory server Specifies the DNS alias name of a computer hosting the FactoryTalk Directory
server. By altering the alias name associated with another computer, the client
computer will be assigned to the new FactoryTalk Directory server automatically.
FactoryTalk Event Settings
Use FactoryTalk Event Settings to set how the FactoryTalk Web Event Server
communicates with the Rockwell Event Server and the Rockwell Event
Multiplexer. These settings only impact the Network directory. Changing this
setting can impact the ability of FactoryTalk Directory clients to communicate
with the FactoryTalk Directory Server.
Setting Description
Event communication type Specifies the communication type used in the FactoryTalk
event system.
• Auto: The FactoryTalk Directory event server accepts both
Socket.IO and DCOM connections from clients.
You must use Auto or DCOM when computers running
FactoryTalk Services Platform version 6.30 or earlier
communicate with the version 6.31 FactoryTalk Directory
Server.
• Socket.IO: The FactoryTalk Directory event server will
only accept Socket.IO connections. If all computers
hosting FactoryTalk-enabled software are running
FactoryTalk Services Platform version 6.31 or later, you
can use Socket.IO.
Note: When using this setting, computers running a
FactoryTalk Services Platform client that predates 6.31 will
not be able to communicate with the FactoryTalk Directory
Server.
• DCOM: The FactoryTalk Directory event server will only
accept DCOM connections. You must use Auto or DCOM
when computers running FactoryTalk Services Platform
version 6.30 or earlier communicate with the version
6.31 FactoryTalk Directory Server.
The default type is Auto. This default setting ensures that
both version 6.31 clients and previous version clients can
communicate with the version 6.31 FactoryTalk Directory
Server.
Event communication protocol Specifies the communication protocol used between the
computer hosting the FactoryTalk-enabled software client
and the computer hosting the FactoryTalk Web Event Server.
• WebSocket: A persistent TCP connection between a
client and a server, which provides a real-time full-duplex
communication channel.
• Polling: A discontinuous TCP connection between a
client and a server, which provides a near-real-time data
access pattern.
Note: When the network is not stable, we do not
recommend that you use WebSocket protocol.
This setting only affects the system when Event
communication type is set as Auto or Socket.IO.
The default protocol is Polling.
Event communication port Specifies the communication port for the computer hosting
the FactoryTalk Web Event Server.
This setting only affects the system when Event
communication type is set as Auto or Socket.IO.
The default port is 7113.
Password Policy Settings For FactoryTalk user accounts, use Password Policy Settings to configure
these security property settings:
• Password encryption method
• Password complexity
See also
Add a FactoryTalk user account on page 45
Add a Windows-linked user account on page 46
Web Authentication/Authorization Server
The following table shows the security settings for FactoryTalk-enabled
software web applications.
Setting Description
FactoryTalk Web Authentication port Specifies the communication port that FactoryTalk-enabled software web
applications can access. The default port is 7110.
FactoryTalk Web Support Service port Specifies the communication port that the FactoryTalk Web Support
Service can access. The default port is 7111.
Reverse Proxy port Specifies the website port for computers using the FactoryTalk Reverse
Proxy Server.
• If you are using HTTPS, the default port is 443.
• If you are using HTTP, the default port is 80.
Reverse Proxy protocol Specifies the communication protocol, HTTPS or HTTP, for computers
using the FactoryTalk Reverse Proxy Server.
Access token expiration Specifies the amount of time before the access token expires.
• Minimum: 1 minute
• Maximum: 52,600 minutes
• Default: 60 minutes
Authorization code expiration Specifies the amount of time before the authorization code expires.
• Minimum: 1 minute
• Maximum: 1,440 minutes
• Default: 10 minutes
Refresh token expiration Specifies the amount of time before the refresh token expires.
• Minimum: 1 minute
• Maximum: 1,440 minutes
• Default: 1,440 minutes
Single Sign-On Policy Settings
Use Single Sign-On Policy Settings in Security Policy Properties to set
whether users can log on once to the FactoryTalk system or must log on to
each FactoryTalk product separately.
Disable single sign-on if users will be connecting through Remote Desktop
Services using the name of the Remote Desktop Connection server computer.
This is determined through the computer policy setting Identify terminal
server clients using the name of. The computer name is saved as part of the
single sign-on user's credentials and might affect the level of access a user has
to the FactoryTalk system.
Setting Description
Enabled Requires users to log on to the FactoryTalk system only once. The system checks
the user's access rights as the user performs actions after logging on. If the user
has the required access rights, the action is allowed to proceed. If the user does
not have the required access rights, the action is prevented from taking place.
The user is not prompted repeatedly to log on with a user name and password.
See also
When to disable single sign-on on page 116
Modify Computer Policy Settings on page 94
When to disable single sign-on
If multiple users are sharing the same Windows user account, but have
different FactoryTalk user accounts, it might be necessary to disable single
sign-on. This is because with single sign-on enabled, the last user that logged
on to FactoryTalk is automatically logged on to all subsequent FactoryTalk
products. If the ability to distinguish the actions of individual users is
necessary, disable single sign-on to force all users to identify themselves to
each FactoryTalk product they use.
There is no way to log all users off all FactoryTalk products simultaneously.
This is because some products might need to run without interruption in the
background. To log all users off all FactoryTalk products simultaneously, log
off Windows. Logging off Windows also shuts down all FactoryTalk products
that were started in the Windows session, regardless of how many users were
logged on.
Also disable single sign-on when logging on to FactoryTalk through Remote
Desktop Services using the name of the Remote Desktop Connection server
computer. Alternatively, change the security policy Identify terminal server
clients using the name of to allow Remote Desktop Services users to connect
using the name of the Remote Desktop Connection client computer.
If single sign-on still does not seem to be working properly, the FactoryTalk
product in use may not support the single sign-on capability. Some
FactoryTalk products always require users to log on, even if single sign-on is
enabled.
See also
Enable single sign-on on page 101
Navigate the Policy Properties windows
All Product Policies and System Policies windows contain the same features
to navigate to the property setting.
See also
Assign user rights to make system policy changes on page 79
Set audit policies on page 86
Export policies to XML
Export policies to save current FactoryTalk Directory policy settings to an
XML file. Use an XML or text comparison tool to determine policy changes
between exported policy files.
The exported policies are limited to the policies accessible by the logged on
user. If the logged-on user does not have Read, Execute, or List Children
permissions for a policy or its parent folders, that policy is not exported.
Prerequisites
Obtain permissions for each policy to be exported:
• Common > Read
• Common > Execute
• Common > List Children
See also
Set system security policies on page 91
Export policies via command line
Beginning with FactoryTalk Services Platform version 6.30, users can export
policies with FTPolicyExport Tool. The policies can be exported from the
command line.
Prerequisites
• To successfully export policies, ensure the user has the permission to
export the current FactoryTalk Directory policy settings:
• In FactoryTalk Administration Console, select System > Policies >
FactoryTalk Administration Console > Feature Security >
Properties > Export Policies > Configure Security.
• To successfully export policies, ensure the user has the following
permissions to all areas of the FactoryTalk Directory:
• Common > Read
• Common > Execute
• Common > List Children
Command-line Parameters
When executing the export utility from the command line, use the following
syntax: "FTPolicyExportTool.exe -sso [-g | -l] -p"
Parameters Description
-sso Required.
Uses single sign-on for authentication.
-g/-l Required.
Specifies the FactoryTalk Directory you need to log in and export policies. "g" means
the Global (network) directory. "l" means the Local directory.
-p Required.
Specifies the location to save the exported XML file.
User account and password status in exported policies
In FactoryTalk Services Platform version 6.30, the exported FactoryTalk
Directory policies include the user account and password status information.
The information can be found in the exported XML file.
The values in the XML file represent different user account statuses.
Value Status
0 The account is in a normal status.
-1 The account is deleted.
-2 The account is disabled.
-3 The account is locked.
-4 The account is disabled and locked.
See also
Secure features of a single product on page 122
Secure multiple product features on page 122
Differences between securable actions and product features on page 125
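The guide suggests comparing exported policy files to find changes; as an added example (not the FTPolicyExport Tool's own code or schema), the following Python reads the account status values from two exports and reports which accounts changed state. The element and attribute names in the sample XML are an assumed layout constructed for illustration, so adapt load_account_status() to the real file; only the status values and their meanings come from the table above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Status values documented for the exported XML (value -> meaning).
ACCOUNT_STATUS = {
    0: "normal",
    -1: "deleted",
    -2: "disabled",
    -3: "locked",
    -4: "disabled and locked",
}

# Constructed sample exports. The element and attribute names are an ASSUMED
# layout for this example only; the real export schema is not described here.
EXPORT_BEFORE = """<FactoryTalkPolicies>
  <UserAccounts>
    <User name="JSmith" status="0"/>
    <User name="BBilly" status="0"/>
    <User name="Operator1" status="-3"/>
  </UserAccounts>
</FactoryTalkPolicies>"""

EXPORT_AFTER = """<FactoryTalkPolicies>
  <UserAccounts>
    <User name="JSmith" status="-2"/>
    <User name="Operator1" status="0"/>
    <User name="Contractor7" status="-4"/>
  </UserAccounts>
</FactoryTalkPolicies>"""


def describe_status(value: int) -> str:
    """Map a documented status value to its meaning; an unknown value is an error, not 'normal'."""
    try:
        return ACCOUNT_STATUS[value]
    except KeyError:
        raise ValueError(f"undocumented account status value {value}") from None


def load_account_status(xml_text: str) -> Dict[str, int]:
    """Collect account name -> status value from an export (assumed User/name/status layout)."""
    root = ET.fromstring(xml_text)
    accounts: Dict[str, int] = {}
    for user in root.iter("User"):
        name = user.get("name")
        status = user.get("status")
        if name is None or status is None:
            raise ValueError("User element without name/status attribute")
        accounts[name] = int(status)
    return accounts


def diff_account_status(before_xml: str, after_xml: str) -> List[Tuple[str, str, str]]:
    """Return (account, old, new) for every account whose status differs between exports.

    An account present in only one export is reported as 'absent', which is
    deliberately kept distinct from the documented -1 'deleted' status.
    """
    before = load_account_status(before_xml)
    after = load_account_status(after_xml)
    changes: List[Tuple[str, str, str]] = []
    for name in sorted(set(before) | set(after)):
        old = describe_status(before[name]) if name in before else "absent"
        new = describe_status(after[name]) if name in after else "absent"
        if old != new:
            changes.append((name, old, new))
    return changes


if __name__ == "__main__":
    for name, old, new in diff_account_status(EXPORT_BEFORE, EXPORT_AFTER):
        print(f"{name}: {old} -> {new}")
```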
Secure features of a single product
To restrict access to one or more features of a single FactoryTalk product, use
Feature Security Properties.
See also
Feature Security for Product Policies on page 123
Permissions on page 185
Secure multiple product features
Use Feature Security for Product Policies to secure features of multiple
FactoryTalk products at once. The term action in Feature Security for Product
Policies refers to a product feature. Each FactoryTalk product installed
provides different securable features (actions).
Select plus (+) next to each FactoryTalk product to view the features to secure.
See also
Secure features of a single product on page 122
Permissions on page 185
Differences between securable actions and product policies on page 125
Feature Security for Product Policies
How do I open Feature Security for Product Policies?
See also
Secure multiple product features on page 122
Permissions on page 185
Things you can secure on page 36
Differences between securable actions and product policies on page 125
See also
Secure features of a single product on page 122
See also
Secure features of a single product on page 122
Secure multiple product features on page 122
Secure resources on page 185
See also
Logical names on page 127
Add a logical name on page 129
Add a device to a logical name on page 130
Assign a control device to a logical name on page 130
Add a logical name to an area or application on page 131
Logical names
A logical name is an alias that identifies a control network or device. Use
logical names to provide a shorter or more intuitive name to identify a device
instead of using its network relative path. Logical names also change the way
devices inherit security permissions.
Consider these questions:
Question Answer
Add a logical name
Add a logical name on page 127 to Networks and Devices to create an alias
that identifies a control network or a device. Use a logical name to provide a
shorter or more intuitive name to identify a device, instead of using its
network relative path. Logical names also change the way devices inherit
security permissions. Control devices with identical logical names share
security permissions across different control networks and across different
computers, without requiring identical driver names or relying on identical
network paths.
Add logical names in FactoryTalk Administration Console before configuring
security for RSLogix 5000 controllers. For all other types of control hardware,
choose whether to associate security settings with logical names or with
network relative paths.
Logical names can be added and configured in advance of creating areas or
applications.
Delete a logical name Delete a logical name on page 127 from Networks and Devices when not
needed as an alias for a control device or network. After deleting a logical
name, the security permissions for the devices associated with it revert to the
permissions of the device or network.
IMPORTANT Because RSLogix 5000 controllers do not use network relative paths, deleting a logical
name associated with a RSLogix 5000 controller can cause unexpected results.
Add a device to a logical name
Use Logical Name Properties to add control devices or networks to a logical
name so that they inherit the security permissions of the logical name.

Add a logical name to an area or application
Devices with identical logical names on page 127 share security permissions
across different control networks and across different computers, even if
those devices are configured with different driver names or network paths.
Add logical names before configuring security for RSLogix 5000 controllers.
For all other types of control hardware, choose whether to associate security
settings with logical names or with network relative paths.
Add a logical name to an area or application when the permissions associated
with the logical name are to be inherited from that area or application. For
how to delete the logical name, see Delete a logical name from an area or
application on page 131.
Prerequisites
Adding a logical name requires these permissions for the area or application:
• Common > Create Children
• Common > List Children
• Common > Read
Prerequisites
Deleting a logical name requires these permissions for the application or area:
After creating a new logical name, type a descriptive name to identify it.
• If New Logical Name is opened from an application or area in
FactoryTalk Administration Console Explorer, the new logical name is
assigned to the application or area.
• If New Logical Name is opened from Select Resources, use Logical
Name Properties to assign the new logical name to an application or
area.
How to add or delete a logical name
• Add a logical name to an area or application on page 131
• Delete a logical name from an area or application on page 131
Logical Name Properties
How do I open Logical Name Properties?
Device Properties
For control hardware displayed in the Networks and Devices tree, use Device
Properties to:
• View network relative paths
• Add a device to a new logical name
• Assign a control device to an existing logical name on page 130
• Change the logical name associated with the device
• Remove a device from a logical name on page 130
• Remove the control device from a resource grouping on page 137
IMPORTANT Do not remove RSLogix 5000 controllers from a logical name. Because RSLogix
5000 controllers do not use network relative paths, removing the device from a
logical name can cause unexpected results.
Device path: Displays the network relative path of the device. This setting is read-only.
Resource grouping
See also
Group hardware resources in an application or area on page 136
Move a resource between areas on page 137
Remove a device from a resource grouping on page 137
Resource groupings on page 135
Resource groupings
A resource grouping is a collection of hardware resources from the Networks
and Devices tree that is associated with an application or area. A resource
grouping is not a separate account type.
Grouping resources under an application or area allows granting or denying
security permissions for a set of control hardware in one step, rather than
setting permissions for each device separately.
Create a resource grouping in any application or area in the FactoryTalk
Directory by selecting resources to associate with the area in the Resources
Editor. A resource grouping automatically inherits the security settings of the
application or area where the resource group is located.
These security permissions on page 185 might be explicit permissions defined
specifically for the area, or they might be inherited from the application in
which the area is located, or from the FactoryTalk Directory in which the
application is located. If needed, set explicit permissions for a device that
override the security permissions set for its resource group by browsing for
the network or device in the Networks and Devices tree.
Prerequisites
Grouping hardware resources together requires these permissions for the
application or area:
• Common > Read
• Common > List Children
• Common > Configure Security
Move a resource between areas
Use the Resources Editor to move a hardware resource from one application
or area to another. The device or control network that is moved inherits the
security permissions of its new area or application.
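As an added example that is not part of this guide or of any Rockwell software, the following Python model shows the inheritance rules stated above for logical names, resource groupings and moved resources: a device's effective permission is the nearest explicit setting on the path from the device up through its resource grouping or logical name, area and application to the FactoryTalk Directory; an explicit setting on the device itself overrides what the grouping inherits; devices added to one logical name share its permissions whatever their path or computer; and a moved resource inherits from its new parent. Every node, principal and path name is made up, the action names are the ones used on this page, and default-deny when no node in the chain has an explicit setting is an assumption of the model, not a statement about the product.

```python
# Added example (not Rockwell code): a small model of the permission
# inheritance described on this page. Chain, from the text:
#   FactoryTalk Directory -> application -> area -> resource grouping -> device
# Rules taken from the text: an explicit permission set on a device overrides
# the value its resource grouping inherits; devices added to the same logical
# name share that logical name's permissions whatever their driver name or
# network path; a moved resource inherits from its new area. Assumptions made
# here: all node, principal and path names; default-deny when no node in the
# chain has an explicit setting; one explicit value per (principal, action).

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW = "Allow"
DENY = "Deny"
NO_EXPLICIT = "<no explicit permission in chain>"


@dataclass
class Node:
    """A securable object: directory, application, area, resource grouping,
    logical name, or device. `explicit` holds the permissions set directly
    on this node, keyed by (principal, action)."""
    name: str
    parent: Optional["Node"] = None
    explicit: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set_permission(self, principal: str, action: str, value: str) -> None:
        if value not in (ALLOW, DENY):
            raise ValueError("value must be Allow or Deny")
        self.explicit[(principal, action)] = value

    def effective(self, principal: str, action: str) -> Tuple[str, str]:
        """Walk from this node toward the directory root and return the nearest
        explicit setting plus the name of the node that supplied it."""
        node: Optional[Node] = self
        while node is not None:
            value = node.explicit.get((principal, action))
            if value is not None:
                return value, node.name
            node = node.parent
        return DENY, NO_EXPLICIT  # default-deny assumption

    def move_to(self, new_parent: "Node") -> None:
        """Re-parent the resource (move between areas, or take a device out of
        a logical name); inherited permissions now come from the new parent."""
        self.parent = new_parent


def build_demo_directory() -> Dict[str, Node]:
    """Construct a sample Network Directory. Every name below is made up."""
    directory = Node("Network Directory")
    app = Node("WaterTreatment", directory)
    area = Node("Filtration", app)
    other_area = Node("Chlorination", app)
    grouping = Node("Filtration resource grouping", area)
    # A device referenced by network relative path, placed in the grouping.
    plc_by_path = Node(r"AB_ETH-1\192.0.2.10\Backplane\0", grouping)
    # A logical name attached to the area; two devices that have different
    # paths on two different computers are added to it.
    logical = Node("FiltrationPLC (logical name)", area)
    plc_on_pc1 = Node(r"PC1 AB_ETHIP-1\192.0.2.20\Backplane\0", logical)
    plc_on_pc2 = Node(r"PC2 ETHIP_Plant\192.0.2.20\Backplane\0", logical)

    directory.set_permission("Operators", "Common > Read", ALLOW)
    directory.set_permission("Engineers", "Common > Configure Security", ALLOW)
    area.set_permission("Contractors", "Common > Read", ALLOW)
    # Explicit device setting that overrides what the grouping inherits.
    plc_by_path.set_permission("Contractors", "Common > Read", DENY)
    return {
        "directory": directory, "app": app, "area": area,
        "other_area": other_area, "grouping": grouping,
        "plc_by_path": plc_by_path, "logical": logical,
        "plc_on_pc1": plc_on_pc1, "plc_on_pc2": plc_on_pc2,
    }


if __name__ == "__main__":
    d = build_demo_directory()
    for dev in ("plc_by_path", "plc_on_pc1", "plc_on_pc2"):
        for who in ("Operators", "Contractors", "Engineers"):
            for action in ("Common > Read", "Common > Configure Security"):
                value, source = d[dev].effective(who, action)
                print(f"{d[dev].name:40} {who:12} {action:28} {value:5} from {source}")
```

Running the block prints, for each sample device, which node supplied each effective permission; the two devices under the logical name resolve identically even though their paths differ, and moving one of them to the Chlorination area drops the Contractors Read permission it inherited from Filtration.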
Prerequisites
Moving hardware resources between areas requires these permissions for the
application or area:
• Common > Read
• Common > List Children
• Common > Configure Security
Prerequisites
Removing a device from a resource group requires these permissions for the
application or area:
• Common > Configure Security
• Common > List Children
• Common > Read
Select Resources
Use Select Resources to associate resources with an application or area.
Reference the hardware devices on page 136 by logical name or by network
relative path. Use these settings to specify how resources are added to the
grouping.
Setting Description
Disaster Recovery
Back up a FactoryTalk system
For safekeeping and disaster recovery, or to move a FactoryTalk system from
one set of computers to another, back up and restore an archive containing
one of the following:
• An entire FactoryTalk Directory on page 141 with all of its applications
and its System folder.
• Only an individual application on page 145, with or without the System
folder. An application archive file typically contains areas (in a network
directory), resource grouping information, and references to data
servers, device servers, alarm servers, and HMI servers.
• Only a System folder on page 144. The System folder includes a list of
user, computer, and group accounts, passwords, system policy
settings, product policy settings, system security settings, action
groups, and alarm and event database definitions.
• FactoryTalk Linx configuration on page 148.
• FactoryTalk Linx Gateway configuration on page 150.
The backup process creates an archive file that contains only objects and
references to objects held within the FactoryTalk Directory. The archive file
does not contain project files that are specific to individual products.
FactoryTalk Services Platform 6.10 applies a new encryption algorithm to the
backup file for enhanced security. Backups created using FactoryTalk Services
Platform 6.10 can only be restored to host computers that are also running
FactoryTalk Services Platform 6.10 or later. Backups created using FactoryTalk
Services Platform 2.90 or later can be restored onto host computers that are
running FactoryTalk Services Platform 6.10.
IMPORTANT Take care to choose the correct backup options when creating a backup archive.
Restoring from the wrong type of backup archive can overwrite existing data that affects
all applications.
Prerequisites
• Obtain the security permissions needed to perform backup and
restore operations. Open System > Policies > System Policies, and
open User Rights Assignment. Under Backup and Restore > Backup
and restore directory contents select Configure Security and verify
access permissions have been granted.
IMPORTANT Remember the passphrase when choosing to encrypt the file contents. The
archive file cannot be restored without the correct passphrase.
6. Select OK.
Unless a different file name was specified, FactoryTalk Administration
Console creates a directory backup file with its current security
authority identifier in the default location or in the location specified.
If a backup file with the same name already exists in the location
selected, the system asks whether to overwrite the existing file.
7. After backing up a directory, perform backups of project files and
databases from individual software products that are participating in
the FactoryTalk system.
If the applications include:
• HMI servers: Back up FactoryTalk View files separately. See
FactoryTalk View documentation for help.
• RSLinx Classic data servers: Run the RSLinx Backup Restore utility
to back up the data server configuration. From the Windows Start
menu, select Rockwell Software > RSLinx > Backup Restore Utility.
• FactoryTalk Linx servers: The base configuration of the FactoryTalk
Linx server is included in the backup, including redundancy and
alarms and events configurations.
Note: If the FactoryTalk Linx configuration option is not selected, make a copy of the file
RSLinxNG.xml and keep it with your backup archive to retain device, driver, and
shortcut configurations. By default, the file is located in
C:\ProgramData\Rockwell\RSLinxEnterprise.
• FactoryTalk Linx Data Bridge: Open FactoryTalk Linx Data Bridge,
select File > Export configuration. Keep the exported file with your
backup archive.
• FactoryTalk Linx Gateway:
• For FactoryTalk Linx Gateway version 6.20 and earlier, make a
copy of the FTLinxGateway.xml file and keep it with your
backup archive. By default, the file is located in
C:\ProgramData\Rockwell\FactoryTalk Linx Gateway.
• For FactoryTalk Linx Gateway version 6.21, make a copy of the
FTLinxGateway.db file and keep it with your backup archive.
By default, the file is located in
C:\ProgramData\Rockwell\FactoryTalk Linx Gateway.
Note: If the folder C:\ProgramData\Rockwell\FactoryTalk Linx Gateway also
contains FTLinxGateway.db-shm and FTLinxGateway.db-wal, copy those two
files together with FTLinxGateway.db. They are the SQLite write-ahead log
and its shared-memory index; committed changes can remain in the -wal file
until a checkpoint, so a copy of FTLinxGateway.db alone can miss the most
recent configuration changes.
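The steps above for keeping product-specific files beside the archive, as an added example in Python that is not Rockwell code: it gathers RSLinxNG.xml and the FactoryTalk Linx Gateway file appropriate to the Gateway version, including the -wal and -shm files when they exist, copies them into a folder next to the archive, and writes a SHA-256 manifest so the copies can be checked before a restore. The file names and default folders are the ones quoted above; the source and destination folders are parameters so the function can be run against any directory. Treating Gateway versions later than 6.21 like 6.21, and the hash manifest itself, are this example's assumptions and additions.

```python
# Added example (not Rockwell code): gather the product-specific files that
# the steps above say to keep beside the archive when the FactoryTalk Linx and
# FactoryTalk Linx Gateway backup options are not selected. The file names and
# default folders are the ones quoted on the page; the source and destination
# folders are parameters so the function can be run against any directory.
# The SHA-256 manifest is an addition of this example, not a tool feature.

import hashlib
import shutil
from pathlib import Path
from typing import Dict, List, Tuple

LINX_DEFAULT_DIR = Path(r"C:\ProgramData\Rockwell\RSLinxEnterprise")
GATEWAY_DEFAULT_DIR = Path(r"C:\ProgramData\Rockwell\FactoryTalk Linx Gateway")


def parse_version(version: str) -> Tuple[int, int]:
    """'6.21' -> (6, 21); '6.20.00' -> (6, 20). Only major.minor matter here."""
    parts = [int(p) for p in version.split(".")]
    return (parts[0], parts[1] if len(parts) > 1 else 0)


def companion_files(linx_dir: Path, gateway_dir: Path,
                    gateway_version: str) -> List[Path]:
    """Files to copy next to the backup archive, following the page:
    - FactoryTalk Linx: RSLinxNG.xml (device, driver and shortcut configuration)
    - Gateway 6.20 and earlier: FTLinxGateway.xml
    - Gateway 6.21 (assumed here for later versions too): FTLinxGateway.db
      plus FTLinxGateway.db-wal and FTLinxGateway.db-shm when present. Those
      are SQLite write-ahead-log files; committed changes can sit in the -wal
      file until a checkpoint, so copying the .db alone can drop recent settings."""
    wanted = [linx_dir / "RSLinxNG.xml"]
    if parse_version(gateway_version) <= (6, 20):
        wanted.append(gateway_dir / "FTLinxGateway.xml")
    else:
        wanted.append(gateway_dir / "FTLinxGateway.db")
        for suffix in ("-wal", "-shm"):
            sidecar = gateway_dir / ("FTLinxGateway.db" + suffix)
            if sidecar.exists():
                wanted.append(sidecar)
    return wanted


def copy_companions(files: List[Path], dest: Path) -> Dict[str, str]:
    """Copy each existing file into dest and return {file name: sha256 hex}.
    A file that should exist but does not is reported as 'MISSING' instead of
    being silently skipped, so the operator can see the backup is incomplete."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for src in files:
        if not src.is_file():
            manifest[src.name] = "MISSING"
            continue
        target = dest / src.name
        shutil.copy2(src, target)
        manifest[src.name] = hashlib.sha256(target.read_bytes()).hexdigest()
    # sha256sum-compatible manifest for verifying the copies before a restore
    (dest / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()
                if digest != "MISSING")
    )
    return manifest


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "6.21"
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("backup-companions")
    files = companion_files(LINX_DEFAULT_DIR, GATEWAY_DEFAULT_DIR, version)
    for name, digest in copy_companions(files, out).items():
        print(f"{digest}  {name}")
```

Run it on the backup host with the Gateway version and an output folder next to the .bak file; a MISSING entry in the returned manifest means a file the page says to keep was not where it was expected, which should be resolved before the backup is considered complete.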
Back up a System folder
Back up a System folder to create a backup archive that contains:
• The list of user, computer, and group accounts
• Action groups
• Passwords
• Policy settings
• Security settings
• Alarm and event database definitions
Restoring a System folder archive to a FactoryTalk Directory overwrites the
contents of the existing System folder with the contents in the backup archive.
Prerequisites
• Obtain the security permissions needed to perform backup and restore
operations. Expand System > Policies > System Policies, and open User
Rights Assignment.
Back up an application
An application typically contains areas (in a network directory), resource
grouping information, and references to data servers, device servers, alarm
servers, and HMI servers.
Back up an application and create an archive file to:
• Restore the application to a FactoryTalk Directory on a different
computer
• Duplicate the application with a different name within the same
directory
Optionally, include the System folder in the archive. The System folder
includes a list of user, computer, and group accounts, passwords, system
policy settings, product policy settings, system security settings, action
groups, and alarm and event database definitions. Refer to Restore an
application on page 157 to find the steps to restore an application.
Prerequisites
• Obtain the security permissions needed to perform backup and restore
operations. Open System > Policies > System Policies, and double-click
User Rights Assignment.
To back up an application
1. In FactoryTalk Administration Console Explorer, right-click the
selected application, and select Backup.
2. Use the default name or enter another name for the backup file.
Back up a Security Authority identifier
Each FactoryTalk Directory has a unique Security Authority identifier
generated during installation. Back up a Security Authority identifier to save
the identifier in case of disaster.
Secure controller projects and controllers running secure projects can only be
accessed when the FactoryTalk Directory Security Authority identifier
matches the identifier saved in the project. This prevents unauthorized access
to a controller or controller project if it is moved or copied to a different
FactoryTalk Directory.
Prerequisites
• Obtain the following permissions from System > System Policies>
User Rights Assignment:
• Modify Security Authority Identifier on page 153
Backup FactoryTalk Linx configuration
FactoryTalk Services Platform provides an option to back up the FactoryTalk
Linx drivers and shortcuts configured on the same computer where the
backup operation is initiated. If the application utilizes distributed
FactoryTalk Linx data servers, you must perform a backup on each computer
to ensure all of the configuration settings are retained. Refer to Restore
Prerequisites
• Identify the FactoryTalk Linx data servers used by the application.
• Identify the host machines of the distributed FactoryTalk Linx servers.
• Identify if FactoryTalk Linx is configured to utilize CIP Security.
Tip: To check the CIP security information, from the Communications tab of FactoryTalk
Administration Console, right-click the top element in the communication tree and select
Properties. In the Device Properties dialog box, select the CIP Security tab.
Back up FactoryTalk Linx Gateway configuration
FactoryTalk Services Platform provides an option to back up the FactoryTalk
Linx Gateway configuration on the same computer. Back up the current
settings so they can be restored later, especially when the application or
scope (Local or Network) of FactoryTalk Linx is changed.
The backup operation cannot include:
• Incoming and outgoing certificates of FactoryTalk Linx Gateway
• Trusted and rejected lists
• DA Access option
• The list of approved users that can manage certificates
Refer to Restore FactoryTalk Linx Gateway configuration on page 162 to find
steps to restore FactoryTalk Linx Gateway configuration on the local
computer and distributed data servers.
Prerequisites
• Identify the security permissions needed to perform the backup
operation. Backup is only available when you have the access in
FactoryTalk Security (System > Policies > System Policies > User
Rights Assignment > Backup and Restore).
Passphrase: Type a passphrase for the archive file you want to encrypt.
The passphrase must meet the following requirements:
• Any alphanumeric character or other characters
• Minimum length: 0
• Maximum length: 64
A minimum length of 0 means the dialog accepts an empty passphrase. An
empty or short passphrase gives the archive, which contains account
passwords and security settings, little or no protection; use a long
passphrase and store it with the same care as the archive itself.
Confirm passphrase: Type the same passphrase you typed in the Passphrase field.
IMPORTANT Remember the passphrase if you choose to encrypt your file contents. The archive file
cannot be restored without the correct passphrase.
FactoryTalk Services Platform 6.10 applies a new encryption algorithm to the backup file
for enhanced security. Backups created using FactoryTalk Services Platform 6.10 can only
be restored to host computers that are also running FactoryTalk Services Platform 6.10 or
later. Backups created using FactoryTalk Services Platform 2.90 or later can be restored
onto host computers that are running FactoryTalk Services Platform 6.10.
Backup and restore options
Use backup and restore options to select which data in the FactoryTalk
Directory should be backed up or restored.
Restore a FactoryTalk Directory
To move an entire FactoryTalk system from one computer to another, restore
a FactoryTalk Directory backup archive. As a safeguard, create a backup
archive of the directory before performing a restore operation.
IMPORTANT • Do not restore an archive file created under FactoryTalk Services Platform 2.10 (CPR 9)
or later into a FactoryTalk Directory that is currently running FactoryTalk Automation
Platform 2.00 (CPR 7). This restore scenario is not supported and may have unexpected
results.
• A FactoryTalk Directory archive file that is automatically created when you install or
upgrade FactoryTalk Services Platform 2.50 or later can only be restored on the same
computer.
• An archive file created using FactoryTalk Services Platform 6.10 cannot be restored on a
computer running an earlier version of FactoryTalk Services Platform.
• Archive files created using FactoryTalk Services Platform 2.90 or later can be restored
on a computer running FactoryTalk Services Platform 6.10.
Prerequisites
1. Obtain the security permissions needed to perform backup and restore
operations. Open System > Policies > System Policies, and then
double-click User Rights Assignment.
2. Shut down all FactoryTalk software products, components, and
services, except FactoryTalk Administration Console and FactoryTalk
Help.
3. Log on to the directory to restore into, and create a backup archive of
the existing directory on page 141.
Prerequisites
1. Obtain the security permissions needed to perform backup and restore
operations. Open System > Policies > System Policies, and then
double-click User Rights Assignment.
2. Create the system-only backup archive on page 144.
3. Shut down all FactoryTalk software products, components, and
services, except FactoryTalk Administration Console and FactoryTalk
Help.
4. Log on to the directory you want to restore into, and create a backup
archive of the existing directory.
IMPORTANT Do not restore an archive file created under FactoryTalk Services Platform 2.10
(CPR 9) or later into a FactoryTalk Directory that is currently running FactoryTalk
Services Platform 2.00 (CPR 7). This restore scenario is not supported and may
have unexpected results.
An archive file created using FactoryTalk Services Platform 6.10 cannot be
restored on a computer running an earlier version of FactoryTalk Services
Platform.
Archive files created using FactoryTalk Services Platform 2.90 or later can be
restored on a computer running FactoryTalk Services Platform 6.10.
Prerequisites
1. Obtain the security permissions needed to perform backup and restore
operations. Open System > Policies > System Policies, and then
double-click User Rights Assignment.
2. Create the application archive on page 145, with or without a System
folder.
3. Shut down all FactoryTalk software products, components, and
services, except FactoryTalk Administration Console and FactoryTalk
Help.
4. Log on to the directory you want to restore into, and create a backup
archive of the existing directory.
To restore an application
1. In FactoryTalk Administration Console Explorer, right-click Network
or Local, and select Restore.
2. In Restore, select Browse, and then select the backup archive file
(ApplicationName.bak) to restore. Select OK, then select Next.
3. If the backup file is encrypted, Restore Backup File opens. Type the
passphrase that was used during the backup operation.
IMPORTANT An error message opens if the passphrase entered is not correct. Enter the
passphrase again. If the wrong passphrase is entered three times, Restore
Backup File closes. Select the archive file and try again.
4. In Restore Contents:
• (optional) Select Restore System to overwrite user, computer, and
group accounts, passwords, policy settings, and security settings for
all applications in the FactoryTalk Directory with the contents of the
archive. Clear Restore System to restore only the application. When
restoring an application without its System folder to a different
directory or to a different computer, manually recreate security
permissions for FactoryTalk users and groups in the restored application.
• (optional) Select FactoryTalk Linx Gateway configuration to restore
server configuration, UA Server Endpoint settings, Advanced
Settings, and UA Tag List configuration in FactoryTalk Linx
Gateway.
Prerequisites
1. Obtain the following permissions from System > System Policies>
User Rights Assignment:
• Modify Security Authority Identifier on page 153
2. Back up the FactoryTalk Directory on page 141.
3. Use Logix Designer to remove security from any controllers and
controller projects in the FactoryTalk Directory.
4. Shut down all FactoryTalk software products, components, and
services except FactoryTalk Administration Console.
Prerequisites
1. Obtain the security permissions needed to perform backup and restore
operations. Open System > Policies > System Policies, and then
double-click User Rights Assignment.
2. Shut down all FactoryTalk software products, components, and
services, except FactoryTalk Administration Console and FactoryTalk
Help.
3. Log on to the directory to restore into, and create a backup archive of
the existing directory.
Restore FactoryTalk Linx Gateway configuration
The FactoryTalk Linx Gateway configuration can be restored when the
configuration has been backed up. This is helpful when a computer needs to
be replaced or refreshed after a significant hardware or operating system
failure.
Prerequisites
• Identify the security permissions needed to perform the restore
operation. Restore is only available when you have the access in
FactoryTalk Security (System > Policies > System Policies > User
Rights Assignment > Backup and Restore).
Recreate a Windows-linked user account
When using individual Windows-linked user accounts, recreate these
accounts when restoring your FactoryTalk Directory to a new FactoryTalk
system.
IMPORTANT Only Windows-linked user group accounts move to a new domain, individual
Windows-linked user accounts do not move. This allows you to retain all of the security
permissions for the group.
Prerequisites
• Restore the FactoryTalk Directory on page 154 on the run-time
network.
• Complete any follow-up tasks needed to recreate the development
FactoryTalk Directory on the run-time network.
Update security settings for Networks and Devices
After restoring an entire FactoryTalk Directory, update security settings for
Networks and Devices to secure them in the new domain.
The Networks and Devices tree displays information about the networks and
devices connected to the local computer. The contents of the Networks and
Devices tree are not included in the backup archive, however the backup
archive does include any security settings on page 163 defined for networks
and devices.
If an archive is restored on a computer connected to the same networks and
devices using the same drivers or logical names, the security settings restored
from the archive file take effect. Check to make sure security settings are
accurate for the resources in the new FactoryTalk system, and make edits as
needed.
Generate a Security Authority identifier
Each FactoryTalk Directory has a unique Security Authority identifier
generated during installation. Generate a Security Authority identifier to
change the Security Authority identifier assigned to the FactoryTalk
Directory.
Secure controller projects and controllers running secure projects can only be
accessed when the FactoryTalk Directory Security Authority identifier
matches the identifier saved in the project. This prevents unauthorized access
to a controller or controller project if moved or copied to a different
FactoryTalk Directory.
Prerequisites
1. Obtain the following permissions from System > System Policies>
User Rights Assignment:
• Modify Security Authority Identifier on page 153
2. Back up the FactoryTalk Directory on page 141.
3. Use Logix Designer to remove security from any controllers and
controller projects in the FactoryTalk Directory.
4. Shut down all FactoryTalk software products, components, and
services except FactoryTalk Administration Console.
1. In the Explorer window, verify that the applications located in the
directory that you are restoring into are not currently expanded or
being used by some other product or component.
2. Right-click Network or Local, and click Restore.
After selecting a FactoryTalk Directory archive to restore on page 154, verify
the restoration settings are correct to finish the restore operation. If this is
not the correct backup archive, select Cancel to exit or Back to select a
different archive file.
Backup files that are created automatically when upgrading to FactoryTalk
Services Platform 2.50 or later can only be restored on the same computer.
IMPORTANT • Do not restore an archive file created under FactoryTalk Services Platform 2.10 (CPR 9)
or later into a FactoryTalk Directory that is running FactoryTalk Automation Platform
2.00 (CPR 7). This restore scenario is not supported and may have unexpected results.
• An archive file created using FactoryTalk Services Platform 6.10 cannot be restored on a
computer running an earlier version of FactoryTalk Services Platform.
• Archive files created using FactoryTalk Services Platform 2.90 or later can be restored
on a computer running FactoryTalk Services Platform 6.10.
Archive name: The name of the backup archive file to restore.
Tip: After restoring from a backup archive, manually back up and restore project files and databases
from other software products participating in the FactoryTalk system, and check security settings and
computer accounts.
Archive name: The name of the backup archive file to be restored. By default, the archive name is
ApplicationName.bak.
Directory type: Identifies the type of information held within the backup archive file.
• Application and System - Identifies an archive file that contains both an application and a
System folder.
• Application - Identifies an archive file that contains only an application.
Application(s): The name of the application or applications held in the backup archive file.
System Directory configuration: Select or clear this option as needed:
• To restore the application and the System folder, select Restore System. Restoring the
System folder overwrites all user and computer accounts and groups, passwords, policy
settings, and security settings for all applications in the FactoryTalk Directory.
• To restore the application without restoring the System folder, clear Restore System.
When restoring an application without its associated System folder to a different directory or to
a different computer, security permissions for FactoryTalk users and groups need to be
manually recreated in the restored application.
FactoryTalk Linx configuration: Restores the FactoryTalk Linx shortcuts and drivers configuration.
Only FactoryTalk Linx configurations that exist on the local PC can be restored. Refer to Restore
FactoryTalk Linx configuration on page 161 to find how to restore a distributed system.
FactoryTalk Linx Gateway configuration: Restores server configuration, UA Server Endpoint settings,
Advanced Settings, and UA Tag List configuration in FactoryTalk Linx Gateway.
1. In the Explorer window, verify that the applications located in the
directory that you are restoring into are not currently expanded or
being used by some other product or component.
2. Right-click Network or Local, and click Restore.
Archive name: The name of the backup archive file to be restored. By default, the archive name is
ApplicationName.bak.
Directory type: Identifies the type of information held within the backup archive file.
• FactoryTalk Directory - Identifies an archive file that contains the contents of an entire
directory, including all applications and the System folder.
• Application and System - Identifies an archive file that contains both an application and a
System folder.
• Application - Identifies an archive file that contains only an application.
• System Only - Identifies an archive file that contains only a System folder. Restoring the
System folder overwrites all user and computer accounts and groups, passwords, policy
settings, and security settings for all applications in the FactoryTalk Directory.
Application(s): The name of the application or applications held in the backup archive file.
Restore directory contents only: Restores applications, users, computers, groups, passwords,
policies, and security settings. The security authority identifier is not restored.
Restore security authority identifier only: Only restores the security authority identifier.
Applications, users, computers, groups, passwords, policies, and security settings are not
restored. Back up your directory and remove the old bindings from all controllers and controller
projects before continuing. Back up the directory with the new identifier after the restore
process is completed.
FactoryTalk Directory configuration: Restores applications, users, computers, groups, passwords,
policies, and security settings. This option is only available when Restore directory contents is
selected.
FactoryTalk Linx configuration: Restores shortcut and driver configurations of FactoryTalk Linx.
Only FactoryTalk Linx configurations that exist on the local PC can be restored. Refer to Restore
FactoryTalk Linx configuration to find how to restore a distributed system.
FactoryTalk Linx Gateway configuration: Restores server configuration, UA Server Endpoint settings,
Advanced Settings, and UA Tag List configuration in FactoryTalk Linx Gateway.
Restore Backup File
Use Restore Backup File to enter the passphrase which was used during the
archive file backup operation. The archive file cannot be restored without the
correct passphrase.
Use commands to back up and restore
FactoryTalk Services Platform supports backing up and restoring directory,
system, and application via the user interface. From FactoryTalk Services
Platform version 6.21, the FTSysBackupRestore Tool provides an option to
use commands to back up and restore the directory, system, and applications.
-s (Required): Specifies the FactoryTalk Directory scope. Only "Global" and "Local" scopes are
supported.
-sso (Required): Uses single sign-on for authentication.
-b (Required, one of -b or -r): Backup command. Cannot be combined with -r.
-r (Required, one of -b or -r): Restore command. Cannot be combined with -b.
-bak (Required): Specifies where to write the backup file, or where the file to restore is located
(for example: -bak c:\aa.bak).
• For a backup, an existing file at that location is replaced.
• For a restore, the file must already exist.
-ftd (Optional): Backs up or restores the whole FactoryTalk Directory. -sys and -app are ignored
when -ftd is used.
-sys (Optional): The FactoryTalk System directory.
-app (Optional): Specifies the FactoryTalk application. Specific application names are needed
when using this parameter.
-ido (Optional): Restores the FactoryTalk Directory identifier. Only valid together with -r.
-prod (Optional): Specifies the product names (for example: -prod "FactoryTalk Linx", -prod
"FactoryTalk Linx Gateway").
-e (Optional): Encrypts the backup file.
-pp (Optional): The plain passphrase used to encrypt or decrypt the backup file. Ignored when
-ep is used or when -e is not used.
Note: If the passphrase contains a ", type it as "" on the command line. For example, if the
passphrase is ~!@#$%^&*()_+-={}[]|\:";'<>,.?/, type it as
"~!@#$%^&*()_+-={}[]|\:"";'<>,.?/" when encrypting or decrypting the backup file.
-f (Optional): Forces replacement of applications that are currently open, if needed.
-ow (Optional): Overwrites existing applications.
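The following Python helper is an added example, not part of the FTSysBackupRestore Tool or any Rockwell software: it assembles a command line from the parameters above and refuses combinations the table marks as invalid or silently ignored (-b with -r, -ido without -r, -sys or -app next to -ftd, -pp without -e), applies the documented rule for double quotes inside the passphrase, and checks the 64-character maximum. Assumed here: the tool is invoked as FTSysBackupRestore, a parameter's value follows it as the next token (as in the page's -bak c:\aa.bak), -app and -prod are repeated once per name, and -ep (mentioned above but not documented) is not modelled. Rejecting an empty passphrase is this example's own policy; the Passphrase dialog itself allows a minimum length of 0.

```python
# Added example (not Rockwell code): build and sanity-check an
# FTSysBackupRestore command line from the parameter table above. Assumed
# here: the tool is invoked as FTSysBackupRestore, a parameter's value follows
# it as the next token (as in the page's "-bak c:\aa.bak"), -app and -prod are
# repeated once per name, and -ep (mentioned but not documented above) is not
# modelled. The empty-passphrase rejection is this example's policy: the
# Passphrase dialog itself allows a minimum length of 0.

from typing import List, Optional, Sequence

MAX_PASSPHRASE = 64  # maximum length stated for the Passphrase dialog


def quote_passphrase(passphrase: str) -> str:
    """Apply the documented rule: surround with double quotes and type each
    embedded double quote as two double quotes."""
    return '"' + passphrase.replace('"', '""') + '"'


def build_command(
    scope: str,
    operation: str,
    bak: str,
    whole_directory: bool = False,
    system: bool = False,
    apps: Sequence[str] = (),
    products: Sequence[str] = (),
    restore_identifier: bool = False,
    encrypt: bool = False,
    passphrase: Optional[str] = None,
    force: bool = False,
    overwrite: bool = False,
) -> List[str]:
    """Return the argument list, or raise ValueError for a combination the
    parameter table says is invalid or that would be silently ignored."""
    if scope not in ("Global", "Local"):
        raise ValueError("-s accepts only Global or Local")
    if operation not in ("backup", "restore"):
        raise ValueError("operation must be backup (-b) or restore (-r)")
    if restore_identifier and operation != "restore":
        raise ValueError("-ido is only valid together with -r")
    if whole_directory and (system or apps):
        raise ValueError("-ftd makes -sys/-app ignored; remove them")
    if apps and not all(apps):
        raise ValueError("-app needs a specific application name")
    if passphrase is not None:
        if not encrypt:
            raise ValueError("-pp is ignored unless -e is also given")
        if passphrase == "":
            raise ValueError("an empty passphrase gives the archive no protection")
        if len(passphrase) > MAX_PASSPHRASE:
            raise ValueError(f"passphrase longer than {MAX_PASSPHRASE} characters")

    cmd = ["FTSysBackupRestore", "-s", scope, "-sso",
           "-b" if operation == "backup" else "-r", "-bak", bak]
    if whole_directory:
        cmd.append("-ftd")
    if system:
        cmd.append("-sys")
    for app in apps:
        cmd += ["-app", app]
    for product in products:
        cmd += ["-prod", product]
    if restore_identifier:
        cmd.append("-ido")
    if encrypt:
        cmd.append("-e")
    if passphrase is not None:
        cmd += ["-pp", quote_passphrase(passphrase)]
    if force:
        cmd.append("-f")
    if overwrite:
        cmd.append("-ow")
    return cmd


def to_command_line(cmd: List[str]) -> str:
    """Join tokens for pasting into a command prompt; tokens containing spaces
    are double-quoted unless already quoted (the passphrase token is)."""
    out = []
    for tok in cmd:
        if " " in tok and not tok.startswith('"'):
            tok = '"' + tok + '"'
        out.append(tok)
    return " ".join(out)


def rejects(**kwargs) -> bool:
    """True when build_command refuses the given combination."""
    try:
        build_command(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    demo = build_command("Global", "backup", r"C:\backups\dir.bak",
                         whole_directory=True, products=("FactoryTalk Linx",),
                         encrypt=True,
                         passphrase='~!@#$%^&*()_+-={}[]|\\:";\'<>,.?/')
    print(to_command_line(demo))
```

Note that -pp places the plain passphrase on the command line, where it is visible in process listings and may be recorded in command history on the backup host; run the tool from an interactive session and clear the history afterwards rather than scripting the passphrase into a scheduled job.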
FactoryTalk Directory Configuration Wizard
1. On the computer where FactoryTalk Services Platform is installed, log
on to Windows with a user account that is a member of the local
Windows Administrators group.
2. Click Start > All Programs > Rockwell Software > FactoryTalk Tools >
FactoryTalk Directory Configuration Wizard.
FactoryTalk Directory products share a common address book, finding and
providing access to plant floor resources, such as data tags and graphic
displays.
Configuration of the FactoryTalk Directory is automatic during installation of
FactoryTalk Services Platform. Use FactoryTalk Directory Configuration
Wizard when circumstances require a manual configuration of FactoryTalk
Directory. The FactoryTalk Directory Configuration Wizard is for use by
FactoryTalk administrators.
Run the FactoryTalk Directory Configuration Wizard if:
• An error occurs while installing the FactoryTalk Services Platform, or a
message displays instructing to run the wizard manually.
• A valid FactoryTalk Administrator account could not be found for the
directory during an upgrade of an existing FactoryTalk Directory from
FactoryTalk® Automation Platform version 2.0.
• FactoryTalk Services Platform was installed from a remote client (such as Remote Desktop Services). The FactoryTalk Directory cannot be configured from a remote client. The FactoryTalk Directory
See also
Select a FactoryTalk Directory to configure on page 176
Network directory and account access on page 176
Network directory and the FactoryTalk Directory Configuration
Wizard on page 177
Local directory and account access on page 178
Product support for network and local directories on page 179
Select a FactoryTalk Directory to configure
The first step in configuring a FactoryTalk Directory is to select which FactoryTalk directory to configure from the first page in the FactoryTalk Directory Configuration Wizard.
See also
Network directory and the FactoryTalk Directory Configuration
Wizard on page 177
Reset an expired password on page 181
Change Password (network) on page 182
Summary on page 183
Network directory and the FactoryTalk Directory Configuration Wizard
Running the FactoryTalk Directory Configuration Wizard to reconfigure the FactoryTalk network directory on page 176 performs these operations:
• Backs up the original directory.
The backup file is named NetworkInstall*.bak and is located in C:\ProgramData\Rockwell\RNAServer\Backups. The location of the backup files is also logged to FactoryTalk Diagnostics. View the diagnostic log files using the FactoryTalk Diagnostics Viewer.
• Adds the Windows Administrators group to the FactoryTalk Administrators group, if an error occurred while you were installing or
Local directory and the FactoryTalk Directory Configuration Wizard
Running the FactoryTalk Directory Configuration Wizard to reconfigure the FactoryTalk local directory on page 178 performs these operations:
• Backs up the original directory.
The backup file is named LocalInstall*.bak and is located in
C:\ProgramData\Rockwell\RNAServer\Backups. The location of the
backup files is also logged to FactoryTalk Diagnostics. Use FactoryTalk
Diagnostics Viewer to view the diagnostic log files.
• Adds the Windows Administrators group to the FactoryTalk
Administrators group if an error occurred while installing or
upgrading the FactoryTalk Services Platform on a computer for the
first time, or if a valid administrator account could not be found.
This means that any user account that is a member of the local
Windows Administrators group on the local computer has
administrative access to the directory.
• Adds the Windows Authenticated Users group to the local directory,
allowing any user who is logged on to Windows to access the local
directory.
Tip: The Windows Authenticated Users group includes all users and computers whose identities
have been authenticated. The Authenticated Users group is used to override security in the local
directory by granting access to all authenticated Windows user accounts. Authenticated Users
does not include Guest even if the Guest account has a password.
• Updates policies in the directory, and adds the $AnonymousLogon
account to the directory, if an error occurred while upgrading an
existing FactoryTalk Directory.
This account is given Common > Read and Common > List Children
access to the FactoryTalk Directory. This account is used when
FactoryTalk products require service access to the directory.
• Changes the password on page 181, if the password to a FactoryTalk
account that is a member of the FactoryTalk Administrators group
expires.
• Resets the account if a FactoryTalk administrator account becomes
locked.
Product support for network and local directories
FactoryTalk® Directory allows products to share a common address book, which finds and provides access to plant-floor resources, such as data tags and graphic displays.
The FactoryTalk® Services Platform includes two separate directories: a local
directory and a network directory.
• In a local directory, a Directory Server, all project information, and all
participating software products are located on a single computer. Local
applications cannot be shared across a network.
• A network directory organizes project information from multiple
FactoryTalk® products across multiple computers on a network.
Enter an administrator user name and password
Enter a Windows Administrator account user name and password. If the user name and password are accepted, the directory is configured, and the FactoryTalk Directory Configuration Wizard summary is displayed.
Prerequisites
1. If not already on the second page of the FactoryTalk Directory
Configuration Wizard, go to Rockwell Software > FactoryTalk Tools
> and open FactoryTalk Directory Configuration Wizard.
2. In FactoryTalk Directory Configuration Wizard, select the directory
you want to configure on page 176, and select Next.
IMPORTANT Keep a record of the administrator user name and password in a safe place. To enable
the administrator account, you must have both the original user name and password to
the account. If either is lost, the account cannot be enabled.
Change Password (network)
When running the Configuration Wizard, if your administrator account has
an expired password, Change Password appears automatically. There is no
way to make this window appear manually, if there is no administrator
account with an expired password in the directory.
To change the password to an account manually, use FactoryTalk
Administration Console or FactoryTalk View Studio instead of the FactoryTalk
Directory Configuration Wizard.
If no other user is available and you cannot remember the password to your
FactoryTalk administrator account, contact Rockwell Automation Technical
Support.
Use the following settings to reset the password in your FactoryTalk network
directory on page 176.
Setting                 | Description
Administrator user name | Displays the user name you typed for the expired administrator account in the previous step of the wizard.
Old password            | Displays asterisks (*) as a placeholder for the old password you typed for the expired account in the previous step of the wizard.
New password            | Type the new password for the account.
Secure resources
To secure the resources in the FactoryTalk system, select the resource, and use
Allow or Deny permissions to specify which users can perform what actions
on that resource from what computers. This helps ensure that only authorized
personnel can perform approved actions from appropriate locations.
Common actions include the ability to see the resource, to edit or delete it,
and to add additional items to the resource. Additional securable actions
might appear, depending on which FactoryTalk products are installed.
Set security permissions for:
• FactoryTalk local or network directory
• Applications
• Areas
• System folder
• Action groups
• Policies
• Computers and Computer Groups
• Users and User Groups
• Connections, including databases
• Networks and devices
Security for networks and devices follows special rules for inheriting security
permissions, and includes the use of logical names, permission sets, and
resource groupings. For this reason, security for networks and devices is
covered in its own section.
See also
Permissions on page 185
Set FactoryTalk Directory permissions on page 193
View effective permissions on page 205
Actions on page 190
Permissions
Permissions determine which users can perform which actions on specific
resources in the system from which computers.
Effective permissions
To find out what actions a user or group can perform on a resource, view the
permissions in effect (effective permissions) for the resource. The effective
permissions are shown in the Effective Permissions tab of the Security
Settings for the resource.
Effective Permissions shows the permissions that are granted to the selected
user, computer, or group. When calculating effective permissions, the system
takes into account the permissions in effect from group membership, as well
as any permissions inherited from the parent object.
If a check mark appears for an action, permission is allowed, whether
explicitly or by inheritance. If a check mark does not appear, permission is
denied, whether explicitly or by inheritance. If a category (for example,
Common) shows a gray check mark, one or more – but not all – of the actions
inside the category is allowed. Expand the category to see which permissions
within it are allowed or denied.
Breaking the chain of inheritance
By default, resources inherit permissions on page 185 automatically from their parent resources. For example, if assigning security to an area in an application, all of the items in the area inherit the security settings of the area, and the area inherits security settings from the application. The top of the hierarchy is the network directory or local directory.
Override inherited permissions in two ways:
• Set up explicit permissions for resources at a lower level of the
hierarchy. For example, if an area inherits permissions from an
application, override the inherited permissions by specifying
permissions explicitly for the area.
• Break the chain of inheritance at a level in the network directory or
local directory tree. For example, stop an area from inheriting
permissions from the application in which it is located by selecting Do
not inherit permissions when setting up security for the area. When
breaking the chain of inheritance, specify whether to remove all
permissions from resources below the break (which then implies Deny
permission), or whether to use the permissions that are inherited by
the resource at the break as explicit permissions.
Order of precedence
When the system evaluates the level of access a user, computer, or group has,
these rules apply:
• Deny permissions are implied. If no permissions are assigned to a
resource, Deny is implied. Use implied Deny permissions rather than
explicit Deny permissions wherever possible, because this simplifies
administration.
• Deny permissions are evaluated before Allow permissions. For
example, if the Operators group is explicitly denied access to a data
server, but an individual user account in the group (Jane) is explicitly
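The evaluation rules from Breaking the chain of inheritance and Order of precedence, as an added example (not FactoryTalk's own code): a small evaluator that walks from a resource up to the directory, lets the nearest level with an applicable explicit entry decide with Deny before Allow, treats nothing assigned as implied Deny, and models both ways of breaking the chain. The users, groups, computers and resources are constructed.

```python
"""Effective-permission evaluation as the rules above describe it. Added
example; every account, group and resource name here is constructed."""
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    inherit: bool = True  # False after "Do not inherit permissions"
    # explicit entries: (user or group, computer or group, action) -> ALLOW/DENY
    entries: dict = field(default_factory=dict)


def identities(name, groups):
    """An account matches entries for itself and for every group it belongs to."""
    return {name} | groups.get(name, set())


def decisions_at(res, users, computers, action):
    """All explicit decisions on one resource that apply to this user-computer pair."""
    return [v for (u, c, a), v in res.entries.items()
            if a == action and u in users and c in computers]


def effective(res, user, computer, action, user_groups, computer_groups):
    """Nearest level with an applicable explicit entry decides (an explicit
    entry on a lower level overrides inherited ones); at that level Deny is
    evaluated before Allow; no entry anywhere means implied Deny."""
    users = identities(user, user_groups)
    computers = identities(computer, computer_groups)
    node = res
    while node is not None:
        found = decisions_at(node, users, computers, action)
        if DENY in found:
            return DENY
        if ALLOW in found:
            return ALLOW
        if not node.inherit:  # chain broken here: parents are not consulted
            break
        node = node.parent
    return DENY


def break_inheritance(res, keep_inherited):
    """Select "Do not inherit permissions" on res. With keep_inherited the
    entries res currently inherits become its own explicit entries (nearest
    level wins on conflicts); otherwise res keeps none, which implies Deny."""
    if keep_inherited:
        node = res.parent
        while node is not None:
            for key, value in node.entries.items():
                res.entries.setdefault(key, value)
            if not node.inherit:
                break
            node = node.parent
    res.inherit = False


def sample_tree():
    """Constructed directory > application > area tree with a few entries."""
    user_groups = {"jane": {"Operators"}}
    computer_groups = {"HMI01": {"Workstations"}}
    directory = Resource("NetworkDirectory")
    directory.entries[("Operators", "Workstations", "Read")] = ALLOW
    app = Resource("Bakery", parent=directory)
    app.entries[("Operators", "Workstations", "Write")] = DENY
    app.entries[("jane", "Workstations", "Write")] = ALLOW  # loses to the group Deny
    area = Resource("Ingredients", parent=app)
    return directory, app, area, user_groups, computer_groups


if __name__ == "__main__":
    _, app, area, ug, cg = sample_tree()
    print("jane@HMI01 Read  Ingredients:", effective(area, "jane", "HMI01", "Read", ug, cg))
    print("jane@HMI01 Write Bakery     :", effective(app, "jane", "HMI01", "Write", ug, cg))
    print("jane@SRV01 Read  Ingredients:", effective(area, "jane", "SRV01", "Read", ug, cg))
```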
Read
Controls whether a user or group can see the resource in the Explorer from a
computer or group of computers.
Resource type | Result of denying "Read"
Network directory or local directory | Prevents users from seeing the directory or its contents.
Application | Prevents users from seeing the application or its contents. Denying Read does not prevent users from reading tag values from data servers in the application.
Area | Prevents users from seeing the area or its contents. Denying Read does not prevent users from reading tag values from data servers in the area.
System folder | Prevents users from seeing the System folder or its contents. Denying Read does not prevent users from reading tag values for devices in the Networks and Devices tree.
Networks and Devices tree | Prevents users from seeing the Networks and Devices tree and its contents. Denying Read does not prevent users from reading tag values for a particular device.
Write
Controls whether a user or group can write to the resource from a computer
or group of computers.
Resource type | Result of denying "Write"
Network directory or local directory | Prevents users from modifying the properties of any item in the directory. For example, denying Write prevents users from modifying the description of an application or area, or the properties of a data server. However, if Create Children is allowed, the user or group can create applications in the directory, add areas to an application, and add data servers to areas.
Application | Prevents users from modifying the properties of any item in the application. For example, denying Write prevents users from modifying the description of the application, the descriptions of areas within the application, or the properties of data servers within the application or its areas. However, if Create Children is allowed, the user or group can add areas or data servers to an application and can add data servers to areas.
Area | Prevents users from modifying the properties of any item in the area. For example, denying Write prevents users from modifying the description of the area, or the properties of data servers within the area. However, if Create Children is allowed, the user or group can add areas or data servers within the area.
System folder | Prevents users from modifying the properties of any item in the System folder. For example, denying Write prevents users from modifying policy settings and the properties of user accounts, such as an account's description or group memberships. Denying Write also prevents deleting user and group accounts if the accounts have group memberships associated with them, because group memberships are updated automatically when an account is deleted, and updating group memberships is controlled by the Write action.
Networks and Devices tree | Prevents users from defining, modifying, or removing logical names for networks or devices. Denying Write does not prevent users from writing tag values to devices.
Individual network or device in the Networks and Devices tree | Prevents users from defining, modifying, or removing logical names for the network or device. Denying Write does not prevent users from writing tag values to devices.
Configure Security
Controls whether a user or group can change the security permissions for the
resource, while working from a computer or group of computers, by using
FactoryTalk Administration Console and selecting Security for the resource.
Denying Configure Security has the same effect on all types of securable
resources. For example, if a user is denied Configure Security for an area, the
user cannot change the security settings of the area, such as allowing or
denying users permission to perform actions in the area, while working from
the specified computer or group of computers.
Similarly, denying Configure Security on the Users and Groups folder
prevents users from setting security permissions for the Users and Groups
folder. Denying Configure Security on the Users and Groups folder does not
limit the access users have to resources in the system.
Create Children
Controls whether a user or group can create a new, related resource beneath
an existing resource in the FactoryTalk Administration Console directory tree
while working from a computer or group of computers.
Resource type | Result of denying "Create Children"
Network directory or local directory | Prevents users from creating applications or areas.
Application | Prevents users from creating areas or data servers in the application.
Area | Prevents users from creating areas or data servers in the area.
System folder | Prevents users from creating user, computer, or group accounts. Denying Create Children has no effect on policies.
Networks and Devices tree | Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer.
Individual network or device in the Networks and Devices tree | Create Children is not available because users cannot add items to the Networks and Devices tree. Networks and Devices is populated automatically, based on the networks and devices that are available to your local computer.
List Children
Controls whether a user or group can list the children of the resource from a
computer or group of computers.
Denying List Children has the same effect on all types of securable resources.
For example, if List Children access is denied to an application, the user or
group can see the application, but not its contents while working from the
specified computer or group of computers.
Unlike the Read action, List Children does allow the user to see the resource
that contains other resources, for example, the application that contains areas
or data servers.
Execute
Controls whether a user or group can perform an executable action from a
computer or group of computers. The Execute action is used primarily for
Product Policy Feature Security settings.
Instead of using the Execute action, each FactoryTalk product can use its own
actions to secure its executable features. For details about what, if anything,
the Execute action does in a particular FactoryTalk product, see the
documentation for that product.
Delete
Resource type Result of Denying "Delete"
Set FactoryTalk Directory permissions
Set permissions on your FactoryTalk Directory folder to control whether a user or group can:
• See the directory or its contents (Read)
• Modify the properties of any item in the directory (Write)
• Add applications, areas, and data servers to the directory (Create
Children)
• Change the security settings of the directory (Configure Security)
• View child folders within the directory (List Children)
• Write tags in data servers (Write Value)
• Perform other product-specific actions
• Perform actions defined in user action groups
Prerequisites
Setting FactoryTalk Directory permissions requires these permissions:
• Common > Read
• Common > Configure Security
See also
Actions on page 190
Secure resources on page 185
Set application permissions
Set permissions on the application to control whether a user-computer pair can:
• See the application or its contents (Read)
• Modify the properties of any item in the application (Write)
• Add areas or data servers to the application (Create Children)
• Change the security settings of the application (Configure Security)
• View the contents of the application (List Children)
• Delete the application or any item within it (Delete)
• Write tags in data servers (Write Value)
• Perform other product-specific actions
• Perform actions defined in user action groups
If a resource grouping is associated with the application, the networks or
devices in the resource grouping inherit the security permissions of the
application.
Tip:
• Denying Read does not prevent users from reading tag values from data servers in the application.
• Denying Write prevents users from modifying the properties of any item in the application. However,
if Create Children is allowed, users can add areas or data servers to an application.
• The Write Value action does not prevent users from writing values to tags in specific hardware
devices.
Prerequisites
Setting application permissions requires these security permissions:
• Common > Read
• Common > Configure Security
See also
View effective permissions on page 205
Add a user-computer pair on page 65
Secure resources on page 185
Actions on page 190
Set area permissions
Set permissions on an area to control whether a user-computer pair can:
• See the area or its contents (Read)
• Modify the properties of any item in the area (Write)
• Add areas or data servers to the area (Create Children)
• Change the security settings of the area (Configure Security)
• View the contents of the area (List Children)
• Delete the area or any item within it (Delete)
• Write tags in data servers (Write Value)
• Perform other product-specific actions
• Perform actions defined in user action groups
For example, set Read and Write permissions to the Ingredients area within
an application to allow the operators of the Ingredients machinery to read and
write values to and from controllers in their own area, but only when using
computers located within sight of the equipment.
If a resource grouping is associated with the area, the networks or devices in
the resource grouping inherit the security permissions of the area.
Tip:
• Denying Read does not prevent users from reading tag values from data servers in the area.
• Denying Write prevents users from modifying the properties of any item in the area. However, if
Create Children is allowed, users can add areas or data servers within the area.
• The Write Value action does not prevent users from writing values to tags in specific hardware
devices.
Prerequisites
Setting area permissions requires these security permissions:
See also
View effective permissions on page 205
Add a user-computer pair on page 65
Actions on page 190
Secure resources on page 185
Set System folder permissions
Set permissions on the System folder to control whether a user-computer pair can:
• See the System folder or its contents (Read)
• Modify the properties of any item in the System folder (Write)
• Add user, user group, computer, or computer group accounts (Create
Children)
• Change the security settings of the System folder (Configure Security)
• View the contents of the System folder (List Children)
• Delete the System folder or any item within it (Delete)
Prerequisites
Obtain the following security permissions for the System folder:
• Common > Read
• Common > Configure Security
See also
View effective permissions on page 205
Add a user-computer pair on page 65
Actions on page 190
Secure resources on page 185
Set action group permissions
Set permissions on an action group to control whether a user-computer pair can:
• See the action group (Read)
• Modify the properties of the action group (Write)
• Change the security settings of the action group (Configure Security)
• Delete the action group (Delete)
• Perform actions defined in another user action group
Prerequisites
Setting action group permissions requires these security permissions:
• Common > Read
• Common > Configure Security
See also
View effective permissions on page 205
Add a user-computer pair on page 65
Add and remove action groups on page 69
Actions on page 190
Secure resources on page 185
Set database permissions
Set permissions on a database to specify which user-computer pairs can:
• See the database (Read)
• Modify the properties of the database (Write)
• Change the security settings of the database (Configure Security)
• Delete the database (Delete)
• Perform actions defined in a user action group
Prerequisites
Setting database permissions requires these security permissions:
• Common > Read
• Common > Configure Security
See also
View effective permissions on page 205
Add a user-computer pair on page 65
Actions on page 190
Secure resources on page 185
Configure a permission set
Starting from version 2.80, FactoryTalk Services Platform supports
Permission Sets. If you select Permission Sets to secure resources in Studio
5000 Logix Designer version 28.00 or later, you can associate sets of
permissions with users, user groups, and computers to limit access to specific
actions. You can create multiple Permission Sets using different users, user
groups, and computers.
Note: We recommend that you use Permission Sets to improve the efficiency of the FactoryTalk
Directory cache synchronization.
Prerequisites
Setting Permissions Sets requires these security permissions:
• Common > Read
• Common > Configure Security
Set logical name permissions
Starting from version 12.00, RSLogix 5000 supports Logical Names. You can use Logical Names to configure permissions for users and user groups to perform specific tasks in RSLogix 5000 and Studio 5000 Logix Designer software.
Note: We recommend that you use Permission Sets to improve the efficiency of the FactoryTalk
Directory cache synchronization in Studio 5000 Logix Designer version 28.00 or later.
RSLogix 5000 is known as Studio 5000 Logix Designer starting from version 21.00.
Prerequisites
Setting logical name permissions requires these security permissions:
• Common > Read
• Common > Configure Security
See also
Secure resources on page 185
Allow a resource to inherit permissions
Permissions determine which users can perform which actions on specific resources in the system from which computers. Set Allow and Deny permissions on resources.
Allow a resource to inherit permissions when the selected resource has the
same permissions as its parent resource. For example, if assigning security to
an area in an application, all of the items in the area inherit the security
settings of the area. By default, the area inherits security settings from the
application. The top of the hierarchy is the network directory or local
directory.
See also
Prevent a resource from inheriting permissions on page 204
Secure resources on page 185
Effective permission icons on page 206
Permissions on page 185
Prevent a resource from inheriting permissions
When the chain of inheritance is broken, the resource no longer inherits permissions from its parent resources. For example, when setting up security for an area, selecting Do not inherit permissions stops the area from inheriting permissions from the application in which it is located.
See also
Allow a resource to inherit permissions on page 203
View effective permissions
To determine what permissions are currently in effect for a resource, use the
Effective Permissions tab in Security Settings. View the permissions in effect
for:
• a user or group of users, and
• a computer or group of computers
For example, in Security Settings for an area, the Effective Permissions tab
can show whether the selected users and computers can read the contents of
the area.
To view the permissions in effect for a computer or group of computers, use a
FactoryTalk network directory, because a FactoryTalk local directory is
restricted to a single computer.
Prerequisites
Viewing effective permissions requires these security permissions for the
resource (for example, an application) or the container (for example, an area)
the resource is located in:
• Common > Read
• Common > Configure Security
See also
Permissions on page 185
Secure resources on page 185
Effective permission icons
Security Settings indicate which permissions are in effect for an action.
Icon Description
Cleared box beside an action means that no permissions are assigned. If both Allow and Deny are cleared beside an action, Deny is implied for the action.
A cleared option shown beside the name of a group of actions, for example, All Actions or Common, means that some of the actions within that group do
not have permissions assigned. If collapsed, expand the group to see which actions do not have permissions assigned.
A black check mark means that Allow or Deny permissions were assigned explicitly.
A gray check mark means that Allow or Deny permissions were inherited.
These examples show how the Allow and Deny columns indicate what
permissions were set for the resource.
Inherited permissions
The gray check marks show that Allow permissions are inherited for all
actions.
Explicit permissions
If Allow is selected beside All Actions, black check marks appear. This means
the inherited values are overridden and Allow on All Actions is explicitly
granted. If the inherited permissions change later, the change does not affect
this security setting.
In this example, the resource does not inherit permissions from its parent
(this illustration shows configuring security for the FactoryTalk network
directory, which has no parent). If all actions are set to Allow, and then Deny
beside Read is selected:
• All Actions and Common are cleared. Because they represent groups of
actions, the cleared options beside All Actions and Common mean that
not all of the actions within those groups are selected in the Allow
column. Expand the group to see which actions do not have Allow
permissions.
• For the Read action, Allow is cleared.
In this example, the resource inherits permissions from its parent (for
example, an area might inherit permissions from an application). If all actions
are set to Allow, and Deny beside Read is selected:
See also
Allow a resource to inherit permissions on page 203
Prevent a resource from inheriting permissions on page 204
Secure resources on page 185
Upgrade FactoryTalk Services Platform
In a distributed FactoryTalk System, all computers must run the same FactoryTalk Services Platform major release, referred to as Coordinated Product Release (CPR). While not required, Rockwell Automation also
recommends that all computers run the same FactoryTalk Services Platform
minor release and patch levels. For the latest compatibility information, refer
to the Product Compatibility and Download Center.
During the upgrade, the installer automatically:
• Creates a backup file for any FactoryTalk Directory already configured
on the computer.
• Updates existing Local Directory and Network Directories with
support for new product policies, system policies, and features.
• Leaves existing settings unchanged, including user and group
accounts, security settings, and policy settings.
Prerequisites
• Obtain the installation disc of a FactoryTalk-enabled product
or
• Obtain the standalone FactoryTalk Services Platform installation file
downloaded from the Rockwell Automation Product Compatibility and
Download Center.
See also
Product Compatibility and Download Center
Back up a FactoryTalk Directory on page 141
Restore a FactoryTalk Directory on page 154
Identify the installed FactoryTalk Services Platform version
Identify the installed FactoryTalk Services Platform version to determine if an upgrade of FactoryTalk Services Platform is necessary.
To identify the installed FactoryTalk Services Platform version
1. Open the Windows Control Panel.
2. Open Add or Remove Programs.
3. In the list of installed programs, FactoryTalk Services Platform
appears, with the version number shown beside it.
See also
Install FactoryTalk Web Services on page 213
Add an HTTPS site binding for FactoryTalk Web Services on page 214
Install FactoryTalk Web Services
FactoryTalk Web Services is installed from any FactoryTalk-enabled product CD that includes FactoryTalk Services Platform, version 2.10.02 (CPR 9 Service Release 2) or later. It is an optional component and is not installed automatically with FactoryTalk Services Platform.
For most applications, install FactoryTalk Web Services on the computer that
is the FactoryTalk Network Directory server. Specific FactoryTalk-enabled
products using FactoryTalk Web Services might also have additional
installation requirements. For details, see the documentation supplied with
your FactoryTalk-enabled product.
See also
Add an HTTPS site binding for FactoryTalk Web Services on page 214
Add an HTTPS site binding for FactoryTalk Web Services
If deploying FactoryTalk Web Services in an environment where privacy of the network communications might be at risk, add an HTTPS site binding to encrypt all client connections to FactoryTalk Web Services.
Prerequisites
• Install FactoryTalk Web Services.
• Configure Internet Information Services (IIS) to use web server
security.
See also
Microsoft TechNet: Configure Web Server Security (IIS 7)
How to change the TCP port for IIS services
FactoryTalk Web Services
• User account does not have permission to log into FactoryTalk Web Services
1. On the FactoryTalk Web Services host computer, open a browser and connect to the login URL. Replace the port number with the port number configured in Internet Information Services (IIS) Manager:
HTTP: http://localhost:80/FactoryTalk/Security/WebService/200810.asmx
HTTPS: https://localhost:443/FactoryTalk/Security/WebService/200810.asmx
2. Select Login.
3. In userName, enter the user name for an account already
configured in the FactoryTalk Network Directory.
4. In password, enter the password for the account.
5. In encryptionAlgorithm, type ClearText then click the Invoke
button.
If the page returns an XML string, the user account is valid for use
with FactoryTalk Web Services.
• User account has been disabled or locked in FactoryTalk Directory.
Contact the FactoryTalk administrator to verify account status.
See also
Client computers unable to connect to FactoryTalk Web Services on
page 215
Literature Library: Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center (PCDC): Get help determining how products interact, check features and capabilities, and find associated firmware. rok.auto/pcdc