FT Security - Editing Multiple Applications


Managing FactoryTalk™ Security for Multiple FactoryTalk™ View Studio Applications
________________________________________________________________________

Relevant Products
- FactoryTalk View Machine Edition 5.0
- RSView Machine Edition 4.0
- FactoryTalk View Supervisory Edition 5.0 (Stand-alone only)
- RSView Supervisory Edition 4.0 (Stand-alone only)

About This Document

There are two main usage categories for FactoryTalk Security in a FactoryTalk
View Studio application: Runtime and Development. This document focuses on
how to maintain the security settings for both categories. It does not discuss how
to configure the actual security settings.

Runtime security relates to who can be authenticated to view a running
application and what actions/displays they are authorized for. Examples are
starting a FactoryTalk View application into runtime, or which displays an
operator has access to.

Development security relates to who can be authenticated to edit an application
and what actions they are authorized to do. An example action would be
archiving or restoring a FactoryTalk View application.

Issues Covered in this Document

When multiple applications are being configured on the same computer, great
care must be taken when dealing with the FactoryTalk Security directory.

The runtime security user list and settings are contained within each application
itself. However, the runtime user list actually references the users and groups
within the FactoryTalk directory. There can only be one active FactoryTalk
directory on a computer (development or runtime).

Issues occur when multiple applications exist on the same computer, and each
application has a different set of users (e.g. for different end customers).

This document covers the following issues:

- Issue: Editing different applications on the same computer
- Issue: Locked out of FactoryTalk Security after an Application Restore (or FTD
  restore)
- Issue: FactoryTalk Security for an Application was Lost (no backup)
- Issue: Administrator account is locked out

_________________________________________________________________________________________________

© Rockwell Automation, Inc. December 2006 2

White Paper – Managing FactoryTalk™ Security for Multiple FactoryTalk™ View Studio Applications
________________________________________________________________________

Introduction
In order to understand the obstacles with multiple applications on the
same computer, one must first understand how the FactoryTalk directory works
with the applications. This section describes the connection between the
FactoryTalk View application and the FactoryTalk directory.

1 - Application Backup
The FactoryTalk directory contains a list of users/groups. This is where the users
and groups are created, modified or deleted.

The FactoryTalk View application does not actually contain users or groups. It
simply contains a list of references to the FactoryTalk directory users/groups.
The FactoryTalk View application also holds the runtime security rights for the
referenced users/groups.

When an application backup is performed, the FactoryTalk View application files,
the user accounts' runtime access rights and the FactoryTalk directory are
compiled into the APA backup file.

Figure 1 Application Backup to an APA File



2 – Application Backup Files


Each APA backup file will contain a copy of the FactoryTalk directory, at the time
of backup. It is very common for different applications to have a different set of
users and groups for each application. This will result in a different FactoryTalk
directory for each APA backup file.

In Figure 2, several different APA backup files are shown.

The first application “Baggage” references the users Administrator, Alisha and
Allan. The FactoryTalk directory contains these users.

The second application “BizBikes” references the users Administrator, Bill and
Brenda. The FactoryTalk directory in this backup contains these users.

It is important to note that the FactoryTalk directories in these two
applications are quite different. For example, the “Baggage” application would
not allow a user login if the FactoryTalk directory from “BizBikes” was made
active on the computer.

It is important to ensure the correct FactoryTalk directory is active on the
computer when using an application in development or runtime.

Figure 2 - APA Backup Files
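
The relationship described above can be sketched as a small model. This is an added example, not Rockwell Automation code and not the APA file format: the dictionaries, GUID values, rights strings and function names are constructed for illustration, and it assumes both directories were derived from the same default directory so that Administrator keeps one GUID in each.

```python
import uuid

def make_directory(names, base=None):
    """Model a FactoryTalk directory as {guid: user name} (constructed model).

    `base` models starting from a common default directory backup, so an
    account that already exists there keeps its GUID in every derived directory.
    """
    directory = dict(base or {})
    for name in names:
        directory[str(uuid.uuid4())] = name
    return directory

def build_app(directory, rights_by_name):
    """Model an application: GUID references plus runtime rights, no names."""
    guid_by_name = {name: guid for guid, name in directory.items()}
    return {guid_by_name[name]: rights for name, rights in rights_by_name.items()}

def resolve(app_refs, active_directory):
    """Split an application's references by whether the active directory knows them."""
    resolved, unresolved = {}, {}
    for guid, rights in app_refs.items():
        if guid in active_directory:
            resolved[active_directory[guid]] = rights
        else:
            unresolved[guid] = rights  # shows up as a bare GUID, no user name
    return resolved, unresolved

def safe_to_back_up(app_refs, active_directory):
    """A backup stores the active directory with the application, so it is
    only a matched pair when every reference resolves."""
    _, unresolved = resolve(app_refs, active_directory)
    return not unresolved

# Constructed sample data mirroring the "Baggage" and "BizBikes" applications.
DEFAULT_DIR = make_directory(["Administrator"])
BAGGAGE_DIR = make_directory(["Alisha", "Allan"], base=DEFAULT_DIR)
BIZBIKES_DIR = make_directory(["Bill", "Brenda"], base=DEFAULT_DIR)
BAGGAGE_APP = build_app(BAGGAGE_DIR, {
    "Administrator": "all displays",
    "Alisha": "operator displays",
    "Allan": "maintenance displays",
})

if __name__ == "__main__":
    for label, directory in (("Baggage", BAGGAGE_DIR), ("BizBikes", BIZBIKES_DIR)):
        resolved, unresolved = resolve(BAGGAGE_APP, directory)
        print(f"{label} directory active: users={sorted(resolved)}, "
              f"unresolved GUIDs={len(unresolved)}, "
              f"safe to back up={safe_to_back_up(BAGGAGE_APP, directory)}")
```

With the “BizBikes” directory active, only the shared Administrator reference resolves; the other two “Baggage” references remain as GUIDs with no user behind them.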



3 – Application Restore

When you perform an application restore, the Application Manager provides you
with the option to restore the FactoryTalk directory from the APA file.

If you choose to restore the FactoryTalk directory, this will overwrite the currently
loaded directory on the local computer.

In Figure 3, the “Baggage” application is restored with the FactoryTalk directory.
This will ensure that the “Baggage” application can be used with its correct
directory. However, none of the other applications reference this newly loaded
directory. Before you edit the other applications, you will need to back up the
“Baggage” FactoryTalk directory and then restore the desired application.

Figure 3 - Application Restore with the FactoryTalk directory


Recommended Procedures
This section shows one methodology to avoid the issues listed in this
document. The recommended procedure shown here does not implement
development security beyond the installed defaults (i.e. no additional deny/permit
permissions are configured).

FactoryTalk Configuration Wizard (Install)

The configuration Overview window is intended to pre-configure FactoryTalk
Security settings before any user launches FactoryTalk View Studio 4.0.

If the FactoryTalk Directory is not configured before running FactoryTalk View
Studio, the user will be unable to log in to FactoryTalk View Studio. The
FactoryTalk Configuration must be completed in order to use the software.

Note: Select all defaults for the FactoryTalk Configuration Wizard.

1. Select FactoryTalk Local Directory and click Next.


2. Configure an Administrator Account. This account will be used to set up
and configure other accounts for FactoryTalk View Studio (development
and runtime).

Enter user name: Administrator
Enter a password: (leave blank)

3. Click “Next”

Note: It is not recommended to change the default administrator password. The
Administrator password cannot be reset if forgotten. For this reason, it is
recommended to use the default blank password here.


4. At the “Configure a local computer account” screen, click “Next”.

5. Select “All Users” on the “Set initial access permissions” screen.

This will allow any user to have full access to the FactoryTalk Security
setup. If you wish to limit the access of users, do this after you have completed
the install. It is highly recommended that you thoroughly read and understand the
security settings before making any changes.


6. Read the Finalized Summary and click “Next”

The FactoryTalk Directory has now been configured on this PC.

It is recommended that you create a 2nd account and add this new user to the
Administrators group of the Local FactoryTalk Directory. This will act as a backup
account, in the event the “Administrator” account is locked out or the password is
lost.


Required steps after using the FTD Configuration Wizard


(1) Open the FactoryTalk Administration Console, for the Local directory.
(2) Right-click the System Folder and select “Backup”.

(3) Save this backup as “Default” on the local computer.

(4) Use Windows Explorer to save a copy of the “Default.bak” file to another
location off the local computer (ex. CD, network PC, USB memory stick,
etc).

You will restore and use this default FactoryTalk Directory file each time you
create a new application. This will ensure that a known Administrator account
exists and that you start with a clean directory (no other users have been
added).


To Create a new application


(1) Use the “Application Manager” tool to back up the application associated
with the currently loaded FactoryTalk security directory.

(2) Open the FactoryTalk Administration Console, for the Local directory.
(3) Right-click on the Local text in the explorer window, and select Restore.

(4) Select the Default.bak you created just after using the FTD Configuration
Wizard.
(5) Press Next and Finish to complete the restore operation.
(6) Run FactoryTalk View Studio and configure the FactoryTalk security users
as needed. Do not change settings for the user “Administrator” or change
the access for the Administrators group.


To switch between applications for development


(1) Use the Application Manager to back up the application associated with the
currently loaded FactoryTalk security directory.

NOTE: It is highly recommended that you back up to a new filename each
time to create versions of your backups (ex. “Application_001.apa”,
“Application_002.apa”, etc.). This will allow you to go back to older versions if
needed.

(2) Use the Application Manager to restore the desired new application to
edit. Be sure to select “Restore... application and FactoryTalk Local
Directory”.

To edit an application on a different computer


Use the following steps when an application created on computer ‘A’ needs to be
edited on a different computer ‘B’.

(1) Use the Application Manager to back up the application on computer ‘A’.

NOTE: It is highly recommended that you back up to a new filename each
time to create versions of your backups (ex. “Application_001.apa”,
“Application_002.apa”, etc.). This will allow you to go back to older versions if
needed.

(2) Copy the application backup file *.APA from computer ‘A’ onto computer
‘B’.
(3) On computer ‘B’, follow the procedure in the above section “To switch
between applications for development”.


Issue: Editing different applications on the same computer

FactoryTalk View Machine Edition User Accounts with incorrect FactoryTalk directory

Scenario:
1) Backup created for an application when incorrect FactoryTalk Directory
was loaded.
2) Created runtime application when incorrect FactoryTalk Directory was
loaded (ME only)
3) Added/configured users to application with incorrect FactoryTalk
Directory loaded
4) Modified an application when the incorrect FactoryTalk Directory was
loaded.

Result:
1) a) Cannot identify the required administrator access to edit the FTD
      after a restore
   b) Cannot identify the required runtime users list, as all are GUIDs
2) Will have access to common user accounts, however access is not
possible with unique user accounts
3) User accounts are mismatched over multiple FTDs. Runtime access
will be limited.
4) Creating a backup of the application will result in a mismatched FTD
and application. A future restore will lead to issues 1-3.


Solution:
1) Restore a System Folder with known administrator access. Recreate
users in the FTD and application.
2) Restore the correct System Folder for the application. Recreate
runtime application.
3) Restore the correct System Folder for the application. Delete invalid
user accounts and recreate replacement accounts in FTD and
application.
4) Back up the application as is, to a temporary file name. Restore an
older and valid backup of the application along with its local FTD.
Finally, restore the newly saved temp backup, but do not restore its
FTD.

Incorrect FactoryTalk Directory backed up with the application


Issue: Locked out of FactoryTalk directory after an application restore (or FTD restore)

Password is unknown for restored FactoryTalk directory

Scenario:
1) After restoring an application or System Folder, the
username/password cannot be located for administrator access

Result:
1) Cannot edit applications or the current FTD. Not possible to revert out
of this scenario to a known FTD backup.

Solution:
1) Restore default FTD security (call Technical Support for this). Recreate
users in the FTD and the restored application.


Issue: FactoryTalk directory for an application was lost (no backup)

Incorrect FactoryTalk Directory for the FactoryTalk View Application

Incorrect FactoryTalk directory backed up with FactoryTalk View application

Scenario:
1) A backup of the Application or System Folder was not done before a
restore operation.

Result:
1) Runtime user accounts are lost for the original application. Not
possible to restore the configured user accounts. The FactoryTalk
View users are displayed in hexadecimal.

Solution:
1) Recreate users in the FTD and application

Issue: Administrator account is locked out


Scenario:
1) An administrator account is locked out due to the FactoryTalk
Security policy (e.g. too many failed login attempts).

Result:
1) a) The correct username and password are known for the account,
      but it is not possible to log in to the FactoryTalk Administration
      Console because of the lockout.
   b) The correct username or password is not known for an
      administrator account.

Solution:
1) a) Run the FactoryTalk Configuration Wizard for the Local directory.
      Use a known administrator username and password (even if it is
      locked out).
   b) Restore default FTD security (you will need to call Technical
      Support for this). Recreate users in the FTD and the restored
      application.

FactoryTalk Directory Wizard to reset an administrator account
