Access Control

The PICS Access Control package was created to allow limited access to plant data from an external network. It is currently implemented as a pair of programs, one running on the access point (ACB) and one on the client (ACC).

Access Control Bridge (ACB)

The current implementation of ACB has ACB performing both the bridge and server roles, in that it is not only responsible for providing things like a localized PICS task directory, but it also validates user credentials. ACB is capable of using either a plain ASCII file for a user database, or utilizing the built-in Windows NT user database to validate accounts and indicate permissions.

The Access Control Bridge (ACB) application is now capable of using the NT security system to validate PICS user accounts. The previous security system (now referred to as ACB security) is still available, and is the default mode of operation. ACB may be switched between using the NT and ACB security systems while running — no software restart is required to change modes. This is possible because ACB only accesses the security system during the short period of time it takes to validate a user account.

When using NT security, the ACB node may be a member of either a workgroup or a domain. When a member of a workgroup, all user accounts are validated using the ACB node's local security data base. When a member of (and logged in to) a domain, user accounts are validated using the domain controller's security database. Therefore, a domain is desirable any time there is to be more than one ACB node configured into a system, in order to allow a single point of management for user accounts. Also, a domain controller should allow some sort of standard access method (in addition to that provided by ABC/ACC) for users to change their own passwords, without help from the PICS system administrator (as is necessary in both workgroup and ACB security mode).

PicsRPG NOTE

The PICS Report Generator (PicsRPG) program does not currently provide any means of user authorization. Therefore, users accessing PICS data through their web browsers are currently unrestricted by PICS. However, a customer may interpose their own security through use of a firewall/gateway machine that may be placed between the PicsRPG machine and the general user population. Using this method, the firewall/gateway's security control mechanisms could be used to determine if access should be granted to PicsRPG. Alternately, an intelligent proxy could potentially be used to restrict access on at a folder-by-folder or possibly even page-by-page level of granularity, depending on the capabilities of the software used.

Requirements

1. The user account that is executing ACB (typically the PICS automated account) must be given the advanced user right, "Act as part of the operating system." This right is assigned by using the standard NT User Manager application, under the Policies | User Rights menu.


2. The PICS security groups must be created. These groups are used by ACB to assign the PICS access rights that are used by PICS applications to determine what services and/or data to provide to a user. The following groups must be created (the names must match exactly, including case and spaces):
   
   

   Group Name	Typical Members
   PICS User	General users
   PICS Technician
   PICS Operator	Plant Operators
   PICS Administrator
   PICS Developer

   
   
3. The entries from the ACB security database (PICSUser.dat) must be [manually] imported into the NT security system. If the NT security provider is an NT Server system, then all of the functionality found in the ACB security database is available, on NT Workstations account expiration is not supported.

Operation

Uusage of the NT security system by ACB is enabled (or disabled) from the ACB Properties dialog. There is a checkbox labelled, "Use NT Security." When checked, ACB will validate all subsequent logins using the NT security functions. When unchecked, ACB will validate logins using its own [ASCII file] database.

Other New Features

• The active users dialog now includes a new button when NT security is enabled. The new button brings up information about the global account policy settings, including maximum password age, lockout detection parameters, etc.


• Double-clicking on an active user's name brings up a new dialog listing specific information about the user's account from the NT security database, including password age, last logon date, etc.

Notes about using NT Security

There are still some questions about how to correctly access an NT domain security system. At the current time, it appears that the machine running ACB must be logged in to the domain in order to validate a user in that domain. The simplest way to acheive this is to make the NT server machines (the ones that are running the PDC/BDC roles) into PICS Bridge nodes, where ACB runs. When this is done, no other PICS nodes are required to be members of the domain (although they may be, if desired). Some potential benefits to this configuration are that the RAS modem banks could also be hung on the PDC/BDC and access through the NTS machines from the WAN to the PICS LAN should be more protected and controllable than with NTW running the bridges. It is also possible that we might be able to configure NTS to route some information (at a low IP level) between the LAN and WAN.

File Formats (link)

Screen Shots

Access Control Client (ACC)

PICS III

Basic Operating Sequence

The following operating sequence shows the normal steps taken when using ACC. Possible errors and exceptions are not mentioned in the basic sequence in order to provide a clearer picture of normal operations.

• Read ACC.INI file for saved logon and config settings.
   
• If NOT auto-logon, display the PICS Logon dialog:
  
   
• Start PICS logon procedure:
  • Connect to the selected ACB
  • Receive config data
  • Run the PICS Verification Client (may require a reboot and restart of this sequence)
  • Start the Task Monitor
  • Load the AccTask.INI configuration
     
• Display the main ACC program window:
  

Once logged in to PICS, ACC, TaskMon and necessary core applications (typically SDClient and RTClient) will be running. If any tasks are defined to autostart in the AccTask.INI file, they will also be running. Double-clicking on an application icon will execute the application using the default command line. Right-clicking on an application icon will display a menu allowing the app to be started (or stopped, as appropriate) and access to the app's properties.

Application icons may include a small overlay on the lower right quadrant of the icon.  The overlay indicates the status of the application:

	busy	the only allowed instance is currently running. Double-clicking on a busy app icon will activate the existing instance of the application.
	running	at least one instance is currently running. Double-clicking on a busy app icon will execute the next defined command for the application. If no defined command exists, then the user is prompted to enter a command line (or to select the components of a command line using a 3rd party DLL).
	starting	an instance of the application is currently starting. Double-clicks on this icon will be ignored.
	stopping	the only allowed instance is currently stopping. Double-clicks on this icon will be ignored.
	undefined	the task is probably configured incirrectly in the INI or PCF file. Contact the system administrator to resolve this.