Basic platform authentication

In , a Windows-based platform can use either digest or basic (native Windows OS user based) authentication for Niagara platform access.
  • Digest platform authentication provides good protection against password eavesdropping. However, there is only one level of platform login access, using a single platform user account.
  • Basic platform authentication provides integration with existing Windows installations, and provides two levels of platform access. However, it does not protect against password eavesdropping.

For any Windows-based host, when you update platform authentication a dialog asks you to select one of the two methods, as shown.

Figure 49.   Authentication dialog for Windows Niagara host
  • If you select digest authentication, upon clicking Next you go to the authentication dialog to set the single platform login account. There is no linkage between Windows OS user accounts and the platform administrator.
  • If you select basic authentication, a dialog opens where you can assign one existing Windows user group to each of the two possible levels of platform access.
 
NOTE: If the host platform is currently configured for digest authentication, and you change to basic authentication, you first see a login dialog, as shown here. If already configured for basic authentication, you go directly to the basic authentication dialog.
 
Figure 50.   Login dialog when changing from digest to basic authentication

Use your standard Windows login credentials. If the host is on a Windows domain, log in using the credentials you use when logging into that domain. This is necessary to limit the number of possible domain groups to only those groups in which you are a member. Such groups will be selectable in the next dialog for Basic Platform Authentication, shown below.

Figure 51.   Basic platform authentication dialog, group selection

This basic authentication dialog lets you select one Windows group for each of the two levels of platform access. In addition, the "Stations" checkbox determines whether certain platform writes from a station are allowed.

Stations access

A "Stations" checkbox in the basic authentication dialog lets you prevent any station user from changing TCP/IP settings or system time, or rebooting the host, through the station's PlatformServices.

 
NOTE: In general, on a Windows-based JACE, you should leave the Stations checkbox enabled. However, on a Supervisor (PC) platform, you may wish to clear this checkbox, particularly if the local IT department has host access concerns.
 

Levels of platform access

Basic platform authentication provides two levels of platform access, which are determined by a user's group membership(s). The levels of platform access are:

  • User - Platform access at this level allows full use of most Workbench platform views. This includes the ability to change the platform daemon HTTP port; install or delete licenses and stations (including the one running); install, re-install, or upgrade the platform dist file and/or modules; and start, re-start, or stop a station.
  • Admin - Full access. This includes all user-level platform operations, plus the ability to configure host TCP/IP settings and dialup configuration, change platform authentication, change host date/time settings, use the File Transfer Client, and reboot the host.

 
NOTE: When platform-connected at the user level (vs. admin), some platform views are read only. This includes views for TCP/IP Configuration and User Manager. In addition, some Platform Administration view buttons are unavailable, as shown.
 
Figure 52.   Platform Administration view if user-level platform login

Platform access to a remote Windows-based host also provides a User Manager view in which you can manage Windows users and groups local to that host.

Privileged group selections

For platform admin level access, you can select from a list of user groups known to Windows on that host, as shown here.

Figure 53.   Group selections include Windows built-in user groups

Groups include Windows "built-in" user groups (those with a "BUILTIN" or "NT AUTHORITY" prefix), as well as any locally-defined user groups. If the remote host has been added to a Windows domain, groups defined in that domain are also listed and available.

 
NOTE: Domain groups are limited to only those in which the login user is a member.
 

If a user has membership in both assigned Windows user groups, upon successful platform login they have admin-level platform access.

 
NOTE: Default group selections for a Niagara Windows installation (either Workbench/Supervisor installation or a factory-shipped JACE-NXS) are as follows:
  • User Group -- BUILTIN/Users
  • Admin Group -- BUILTIN/Administrators
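
Because the default mapping grants admin-level platform access to every member of BUILTIN/Administrators, it is worth reviewing who actually sits in the two assigned groups. The following PowerShell script is an added example, not part of the Niagara documentation or tooling: it lists the direct members of both groups on the host and the platform level each would receive, applying the rule above that membership in both groups yields admin. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run locally on the Niagara host; the function names are hypothetical, and the group names default to those listed on this page.

```powershell
# Added example: report which accounts receive user- or admin-level platform
# access under basic platform authentication. Adjust the group names to the
# groups actually assigned in the basic authentication dialog.
param(
    [string]$UserGroup  = 'Users',           # default per this page: BUILTIN/Users
    [string]$AdminGroup = 'Administrators'   # default per this page: BUILTIN/Administrators
)

function Get-DirectGroupMembers {
    param([string]$Group)
    # Direct members only. A nested domain group appears as one entry with
    # ObjectClass 'Group'; its members are not expanded here and must be
    # reviewed in the domain.
    Get-LocalGroupMember -Group $Group -ErrorAction Stop
}

function Get-PlatformAccessReport {
    param([string]$UserGroup, [string]$AdminGroup)

    $level = @{}   # principal name -> effective platform level
    $info  = @{}   # principal name -> member object

    foreach ($m in Get-DirectGroupMembers $UserGroup) {
        $level[$m.Name] = 'User'
        $info[$m.Name]  = $m
    }
    # Applied second on purpose: a principal in both groups ends up as Admin.
    foreach ($m in Get-DirectGroupMembers $AdminGroup) {
        $level[$m.Name] = 'Admin'
        $info[$m.Name]  = $m
    }

    foreach ($name in ($level.Keys | Sort-Object)) {
        [pscustomobject]@{
            Principal     = $name
            PlatformLevel = $level[$name]
            ObjectClass   = $info[$name].ObjectClass      # User or Group
            Source        = $info[$name].PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

Get-PlatformAccessReport -UserGroup $UserGroup -AdminGroup $AdminGroup |
    Format-Table -AutoSize
```

Rows with ObjectClass "Group" or a non-local Source are the ones to follow up on, since their effective membership is defined outside the host.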