Windows User Administration
Choosing the "OS Auth." User Administration
If you change from WinCC OA user administration to OS Auth. user administration, all WinCC OA (except the user ROOT) users and local groups are deleted.
After the user logs in, the appropriate groups are created in WinCC OA on the server. To create all necessary groups in WinCC OA, we recommend that the user who switches to the OS Auth User Administration must possess Active Directory Administrator rights, meaning it is a user who has rights to enumerate users and groups in that domain.
Note also that the server must be started with Active Directory Administrator rights. This means that the user who logs on to the server must possess Active Directory Administrator rights.
A project cannot be run as a non-domain user, i.e. as a local user, on a computer, even if this computer is part of the domain. The local user does not have the rights to list the domain users/groups. If WinCC OA is run as a service, the account used must still be a domain account.
The authorization for the user groups , however, has to be defined in WinCC OA.
- The OS Auth. user administration is chosen via the OS Auth. user administration button of the User administration panel.
Note: The user root must be used to switch from the WinCC OA user administration to OS Auth User Administration!
- After selecting the OS Auth. user administration, confirmation prompts are displayed. Confirm that you want to use the OS Auth. User Administration:
Note: The user ROOT is not deleted!
- To configure the groups, click "Yes". You must import groups from the Windows Active Directory or Linux User Administration so that the users are able to log in. To import the groups, open the panel "Operating System Group Selection" via the Add button. See chapter Groups.
- Configure the authorizations for the adopted user groups by double-clicking on the group in the Group administration window. See figure below.
Note: You have to set the authorization bit number 1 (visualization) for the intended WinCC OA users group. This is very important since otherwise the WinCC OA users are not able to log in. You can find the user group in the Groups view of the group administration panel.Note: The users used for the WinCC OA login must have read access to the AD (every AD user has read access by default).Note: The active directory account options are not transferred to WinCC OA .
Login
- Log in to WinCC OA as a new user. Note that you can log in only after the administrator has imported the necessary user groups and assigned the necessary
permissions.
Note: Login attempts for new users take longer because no user groups exist yet.Note: When logging in for the first time, the internal structures are prepared.Note: A Windows must be a registered user in the domain (domain user) in order to log into WinCC OA.
- The user "JohnDoe" was created and is shown in the user administration panel. This means that the when the users logs in the first time on a WinCC OA host, the user is automatically created in the local configuration database as well as the assigned groups. Via the authorization bits, the members of the same group can possess different authorization bits for each WinCC OA host, for example, full rights on the system 1 and 2 and only acknowledgement rights on the system 3.