
Create User Management buttons

These buttons work for any user who can access them, except the DEFAULT user. The DEFAULT user cannot operate these User Management buttons.

HMI designers must be careful to use security to limit access to the User Management buttons in the application(s).

The administrator mentioned below is any user that has access to the display(s) containing the User Management buttons.

Click the links for more information.

Add User/Group button

  • The administrator can use the Add User/Group button to add a FactoryTalk security user, a Windows-linked user, or a Windows-linked group to the current running application.
  • A newly added user does not belong to any user group and has no run-time security code. The user cannot log in to the system until the user is moved to an existing group that is configured with run-time security code(s).
  • On PanelView Plus 6 and PanelView Plus 7 terminals, there is a five-minute threshold when adding a Windows-linked user or a Windows-linked user group.
    • When you add a Windows-linked user, or a Windows-linked user group for the first time, a window prompts you to enter an authorized user name and password.
    • Within five minutes after a Windows-linked user, or a Windows-linked user group is successfully added, you can add another Windows-linked user, or Windows-linked user group without entering an authorized user name and password.
    • Beyond five minutes after a Windows-linked user, or a Windows-linked user group is successfully added, a window will prompt you to enter an authorized user name and password again before you can add another Windows-linked user, or Windows-linked user group.

Delete User/Group button

  • The administrator can use the Delete User/Group button to delete a FactoryTalk security user, a Windows-linked user, or a Windows-linked group from the current running application.
  • The last FactoryTalk administrator and the currently logged-in user cannot be deleted.
  • If a Windows-linked user is deleted, the user will be removed from the current running application, but will not be removed from Windows.

Modify Group Membership button

  • The administrator can use the Modify Group Membership button to change a FactoryTalk user, a Windows-linked user, or a Windows-linked group membership in the current running application.
  • When a user is added to a group, the user will inherit the A-P security code(s) of the group.
  • When a user is deleted from a group, the user will not have the A-P security code(s) of the group.
  • If a user is a member of multiple groups:
    • The user will inherit the A-P security code(s) shared by the multiple groups. For example, if a user belongs to both Group One and Group Two; Group One has the security codes of A, B, C, and Group Two has the security codes of B, C, D; the user will only inherit the security codes of B, C.
    • When the user is removed from one group, the user is still a member of other groups.
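
The multiple-group rule above means that adding a user to a second group can reduce the user's codes. The following Python sketch is an added example, not Rockwell code or a FactoryTalk API; it models only the group-inheritance rule stated here, and the user names and the "Maintenance" group are hypothetical.

```python
ALL_CODES = frozenset("ABCDEFGHIJKLMNOP")  # run-time security codes A-P

# Constructed sample data: user names and the "Maintenance" group are hypothetical.
GROUP_CODES = {
    "Group One": frozenset("ABC"),
    "Group Two": frozenset("BCD"),
    "Maintenance": frozenset("P"),
}
MEMBERSHIP = {
    "operator1": ["Group One"],
    "operator2": ["Group One", "Group Two"],
    "newuser": [],  # just added with Add User/Group, not yet in any group
}


def effective_codes(groups, group_codes=GROUP_CODES):
    """Codes inherited from groups: only those shared by every group."""
    if not groups:
        return frozenset()  # no group membership, no run-time security code
    result = ALL_CODES
    for name in groups:
        if name not in group_codes:
            raise KeyError(f"unknown group: {name}")
        result &= group_codes[name]
    return result


def preview_add(user, new_group, membership=MEMBERSHIP, group_codes=GROUP_CODES):
    """Return (before, after, lost) codes if user joined new_group."""
    before = effective_codes(membership[user], group_codes)
    after = effective_codes(membership[user] + [new_group], group_codes)
    return before, after, before - after


def users_without_codes(membership=MEMBERSHIP, group_codes=GROUP_CODES):
    """Users whose group membership currently yields no security code."""
    return sorted(u for u, g in membership.items()
                  if not effective_codes(g, group_codes))


if __name__ == "__main__":
    for user in MEMBERSHIP:
        print(user, "".join(sorted(effective_codes(MEMBERSHIP[user]))) or "-")
    print("operator1 + Group Two loses:", sorted(preview_add("operator1", "Group Two")[2]))
    print("no codes:", users_without_codes())
```

Running a preview like this before using Modify Group Membership shows whether the change would leave an account with fewer codes than intended, or with none.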

Unlock User button

  • The administrator can use the Unlock User button to unlock a FactoryTalk user account that has been locked.
  • When a FactoryTalk user exceeds the allowed incorrect password login attempts, the user account will be locked. When the user account is locked, the user cannot log in to the system, even with the correct password, until the user account is unlocked.
  • You can adjust the account lockout threshold and account lockout auto reset settings in FactoryTalk Security Policy Settings. For more information on FactoryTalk Security Policy Settings, refer to "Setting up security policies" in FactoryTalk Help.
  • You cannot use this button to unlock a Windows-linked user. Only a Windows Domain administrator can unlock a Windows-linked user from a domain computer.

Enable User button

  • The administrator can use the Enable User button to enable a disabled FactoryTalk user account from the current running application.
  • When a disabled user is enabled, the user can log in to the system again.
  • You cannot use this button to enable a Windows-linked user. Only a Windows Domain administrator can enable a Windows-linked user from a domain computer.

Disable User button

  • The administrator can use the Disable User button to disable a FactoryTalk user account from the current running application.
  • When a user is disabled, the user cannot log in to the system.
  • You cannot use this button to disable a Windows-linked user. Only a Windows Domain administrator can disable a Windows-linked user from a domain computer.

Login button

  • When the operator presses the Login button at run time, the Login dialog box opens. To log in to the system, the operator must either be configured with run-time security code(s), or belong to a group that is configured with run-time security code(s). If security is set up, the operator must also have a password.
  • Only the users who are configured in ME run-time security, or belong to the group that is configured in ME run-time security can log in.
  • If a user account is disabled or locked, the user cannot successfully log in until the user account is enabled or unlocked.
  • If a PanelView Plus 6 or PanelView Plus 7 terminal's time is not synchronized with the domain controller, domain users cannot log in on the terminal until the terminal's time is synchronized with the domain controller.
  • If you only add a user’s default primary group, Domain Users, to Runtime Security, user authentication via Lightweight Directory Access Protocol (LDAP) fails on terminals, because the members attribute cannot be populated with the primary group.

    To log in a domain user successfully on terminals, do one of the following:

    • Add the domain user directly to Runtime Security at design time.
    • Create a domain group (non-primary), add the domain user to the group, and add the group directly to Runtime Security at design time.
    • Create a FactoryTalk group at design time. Add members, FactoryTalk users, domain users, or domain groups (non-primary) to the FactoryTalk group at design time and run time.
  • When a user logs in, the previous user is logged out.
  • If a user's password has expired and the user must change the password at first logon, or the user's password is going to expire, the change password dialog box opens when the user logs in and prompts the user to change the password.
  • If a Windows-linked user belongs to a Distribution type Windows-linked user group, the user cannot log in to the running application on desktops. To log in the user, change the group type of the Windows-linked user group to Security.
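
The primary-group limitation described above can be checked at design time. The following Python sketch is an added example, not Rockwell code: it is a simplified model in which a domain user is matched either directly or through a group's `member` attribute, it ignores nested groups, and every distinguished name in it is constructed.

```python
DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group

U = "CN=Users,DC=plant,DC=example"  # constructed, hypothetical directory
ALICE, BOB = f"CN=alice,{U}", f"CN=bob,{U}"
DOMAIN_USERS = f"CN=Domain Users,{U}"
HMI_OPERATORS = f"CN=HMI Operators,{U}"

USERS = {ALICE: {"primaryGroupID": DOMAIN_USERS_RID},
         BOB: {"primaryGroupID": DOMAIN_USERS_RID}}
GROUPS = {
    # Primary-group membership is not stored in `member`, so this list is empty.
    DOMAIN_USERS: {"rid": DOMAIN_USERS_RID, "member": []},
    HMI_OPERATORS: {"rid": 1105, "member": [BOB]},
}


def resolvable(user_dn, entries, groups=GROUPS):
    """True if the user is a Runtime Security entry or a listed group member."""
    return any(entry == user_dn
               or user_dn in groups.get(entry, {}).get("member", [])
               for entry in entries)


def primary_group_only(entries, users=USERS, groups=GROUPS):
    """Users whose only matching entry is their primary group."""
    flagged = []
    for dn, attrs in users.items():
        if resolvable(dn, entries, groups):
            continue
        rids = {groups[e]["rid"] for e in entries if e in groups}
        if attrs["primaryGroupID"] in rids:
            flagged.append(dn)
    return sorted(flagged)


if __name__ == "__main__":
    # Only Domain Users configured: both users depend on the primary group.
    print(primary_group_only([DOMAIN_USERS]))
    # Adding a non-primary group covers bob; alice is still flagged.
    print(primary_group_only([DOMAIN_USERS, HMI_OPERATORS]))
```

Any user the check returns needs one of the three remedies listed above before the application is deployed to a terminal.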

Logout button

  • When a logged-in user presses the Logout button, the user will log out of the system.
  • When a user logs out, the DEFAULT user is logged in.

Password button

  • At run time, the Password button allows the currently logged-in user to change the current password, or the logged-in administrator to change any FactoryTalk user password.
  • The passwords for Windows-linked users can only be changed in Windows.
  • The passwords for domain users can only be changed on domain servers.

Change User Properties button

Keywords: user management