InTouch for System Platform: Section 4.3.1: ArchestrA Security

Section 4.3.1: ArchestrA Security

ArchestrA-Based Security

The ArchestrA security system is a global function that applies to every object in the Galaxy database. It is a relationship-based security system between users and the objects and functions of the Galaxy. ArchestrA security is designed to allow system administrators to easily define users and assign the operations they are allowed to perform. The security permissions are defined in terms of the operations the users can perform using automation objects.
Key Points
- ArchestrA-based security is based on security roles (configuration, system administration, and run-time permissions) and security groups, which determine a particular security role’s run-time permissions on an object-level basis.
- When you configure a node to use ArchestrA security, the InTouch HMI uses methods and dialog boxes from Application Server for logon and logoff operations. Users are configured on the Application Server IDE.
- ArchestrA-based security includes advanced security mechanisms that also affect InTouch, such as:
  - Secured Write: writing data to a Galaxy attribute from InTouch requires operators to re- enter their passwords to complete the writeback.
  - Verified Write: writing data to a Galaxy attribute from InTouch requires operators to re- enter their passwords and also authorization of a second operator to complete the writeback.

System Tags in InTouch Related to Security
- The following system tags are available to deal with security.

Tagname	Type	Valid Values	Access
$AccessLevel	System Integer	0-9999	Read Only
$ChangePassword	System Discrete	1 or 0	Read Write
$InactivityTimeout	System Discrete	1 or 0	Read Only
$InactivityWarning	System Discrete	1 or 0	Read Only
$Operator	System Message	16-characters max	Read Only
$OperatorName	System Message	131-characters max	Read Only
$OperatorEntered	System Message	16-characters max	Write Only
$PasswordEntered	System Message	16-characters max	Write Only
$VerifiedUserName	System Message	16-characters max	Read Only

InTouch Script Functions
- The following InTouch functions are available to work with ArchestrA security from an InTouch script:
  - Logoff
  - AttemptInvisibleLogon
  - ChangePassword
  - InvisibleVerifyCredentials
  - LogonCurrentUser
  - PostLogonDialog
Logoff() Function
- Logs off the currently logged on user and sets the current user status to the default None operator.
AttemptInvisibleLogon() Function
- The AttemptInvisibleLogon() function can be used in a script to log on a user to InTouch using the supplied credentials. The user is not required to enter a password or user ID.
- If the logon attempt succeeds, then TRUE is returned and the, $OperatorName, $AccessLevel, and $Operator system tags are updated accordingly.
- If the log on attempt fails, then FALSE is returned, and the currently logged on user (if any) continues to be the current user.
- The Domain argument must be an empty string. If the ArchestrA security mode is using operating system-based security, the UserId argument should contain the fully qualified user name with domain name or computer name.
ChangePassword() Function
- Shows the Change Password dialog box, allowing the logged on operator to change his/her password.
Configuring ArchestrA Security for Symbols
- You can set ArchestrA security permissions so that at design time, the user cannot:
  - Import or export symbols.
  - Create, modify or delete symbols in the Graphic Toolbox.
  - Create, modify or delete symbols in any Automation object template.
  - Create, modify or delete symbols in any Automation object instance.
  - Create, modify or delete View Applications, such as the InTouch View Applications.
  - Deploy or undeploy View Applications, such as InTouch View Applications.
  - Edit the configuration of the Quality and Status Display.