
Security#

🔒 Administration.Security

The Security page in the Administration page group provides access to the Critical Manufacturing security configuration.

security_landing_page

Security Levels#

Critical Manufacturing comes with three independent security levels which can be turned on and off individually. The exact configuration depends on the security requirements of the customer organization, but note that the more sophisticated the security mechanism, the more effort it takes to maintain the security configuration.

The three security levels available in Critical Manufacturing are:

  • GUI Feature Level - functionality is protected at the GUI level. If the user does not have permissions on a particular GUI feature, the feature will not be available to the user. Across this guide, the names of the features associated with a particular functionality are indicated with a remark that starts with the key icon.
  • Object Level - each object instance can be assigned a Data Group. More information on the Data Group page.
  • Service Level - each individual service (API level) is protected. At the Service Level some services are generic, so additional context needs to be supplied to qualify the exact object that needs to be protected at the API level.

Enabling and Disabling the Security Levels#

The security levels are configured in the application configuration, specifically in the following configuration paths:

| Security Level | Configuration entry |
|---|---|
| GUI Feature Level | /Cmf/System/Configuration/SecurityLevel/FunctionalityLevel/ |
| Object Level | /Cmf/System/Configuration/SecurityLevel/ObjectLevel/ |
| Service Level | /Cmf/System/Configuration/SecurityLevel/ServiceLevel/ |

Table: Security levels

A value of True means that the level is active, and a value of False means that the level is inactive.

It's always possible to check the currently active security levels by going to the Security page in Administration and looking at the bottom-left corner of the page, as shown in the next picture. A red light indicates that the level is inactive, whereas a green light indicates that the security level is active. The current security levels can be changed by selecting the Set Levels button in the top ribbon and setting the appropriate flags.

Info

If the Security level configuration changes during a session, the GUI will only see the correct levels the next time it's restarted.

security_set_levels

Users and Roles#

The security feature is used to manage users, roles and service permissions. Permissions are always defined at the role level. A user can belong to multiple roles. A role consists of a set of users and other roles. A role can be copied and synchronized from Active Directory.

```mermaid
graph LR
    A1[Employee] -.- Main2[User] --- Main[Role] --- L1[Service]
    N1[Active Directory Group] -.- Main
    Main --- L2[Data Group]
    Main --- L3[Feature]
    Main --- |Sub-Role| Main
```


Some important information:

  • A User always has the broadest set of permissions from all the Roles it belongs to. For example, if User U1 belongs to Role R1 and Role R2, Role R1 has no permission on Track-In and no access to object Material M1, and Role R2 has permission on Track-In and write access on object Material M1, then the user will be able to Track-In Material M1.
  • It's possible to define an Administration Role that will always have permissions to do everything in the system. Such a role is defined by name in the /Cmf/System/Configuration/AdministrationRole/ configuration path of the application.
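The "broadest permission wins" rule above is worth seeing end to end, because it means a single permissive Role overrides every restrictive one a user also holds. The following is an added illustration, not Critical Manufacturing code; the role, user, feature and object names are constructed, and the three-step access ordering (none, read, write) is an assumption used only for the example.

```python
# Added illustration (not Critical Manufacturing code): how the "broadest
# permission wins" rule across a user's Roles plays out, with an audit helper
# that names the Role responsible for a grant. All names are constructed.
from enum import IntEnum


class Access(IntEnum):
    """Object-level access, ordered so that max() picks the broadest (assumed scale)."""
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed Role definitions: feature permissions and object access per Role.
ROLES = {
    "R1": {"features": set(),         "objects": {"M1": Access.NONE}},
    "R2": {"features": {"Track-In"},  "objects": {"M1": Access.WRITE}},
    "R3": {"features": {"Track-Out"}, "objects": {"M1": Access.READ}},
}

# Constructed User-to-Role membership.
USER_ROLES = {"U1": {"R1", "R2"}, "U2": {"R1"}, "U3": {"R1", "R3"}}


def effective_features(user: str) -> set[str]:
    """Union of feature permissions over all Roles of the user."""
    return set().union(*(ROLES[r]["features"] for r in USER_ROLES.get(user, ())))


def effective_access(user: str, obj: str) -> Access:
    """Broadest object access over all Roles; NONE if no Role grants anything."""
    return max((ROLES[r]["objects"].get(obj, Access.NONE)
                for r in USER_ROLES.get(user, ())), default=Access.NONE)


def can_track_in(user: str, material: str) -> bool:
    """Track-In on a material needs the feature plus write access to the object."""
    return ("Track-In" in effective_features(user)
            and effective_access(user, material) >= Access.WRITE)


def roles_granting(user: str, obj: str, at_least: Access) -> set[str]:
    """Audit helper: which of the user's Roles supply at least this access."""
    return {r for r in USER_ROLES.get(user, ())
            if ROLES[r]["objects"].get(obj, Access.NONE) >= at_least}
```

With these definitions, U1 can Track-In M1 purely because of R2; R1's "no access" entry never restricts anything, which is why reviewing each Role's grants matters more than reviewing its denials.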

Synchronization with Active Directory#

🔒 Role.SynchronizeWithActiveDirectory

The system allows Active Directory Groups to be used as Roles in the system. Those roles must match the Active Directory group name and they must be marked with the Active Directory property. The system also allows synchronization of users from Active Directory to Critical Manufacturing Roles so that the relationship between users and groups is maintained only in Active Directory.

Info

Changes in Active Directory are not automatically reflected in Critical Manufacturing, since synchronization always has to be manually triggered in Critical Manufacturing.

To synchronize an Active Directory Role, go to the Security page in Administration and then select Roles. Active Directory Roles are visually identifiable by a distinct icon. Choose the Active Directory Roles you want to synchronize and then select the Synchronize with AD button to synchronize the currently selected Roles. For each Role, all users belonging to the corresponding Active Directory group will be added. If the Role contains users that are not members of the corresponding Active Directory group, they will not be removed from the Role in Critical Manufacturing.

It is also possible to perform a full synchronization of a Role with Active Directory. In this case, all users which are not a member of the corresponding Active Directory group will be unassigned from the Role in Critical Manufacturing. After a full synchronization, the Role in Critical Manufacturing should have the same members as the corresponding Active Directory group. To perform a full synchronization, select the Synchronize completely with AD button in the Roles page, as shown below:

security_role_sync_ad

Warning

The PrimaryGroup defined for each user in Active Directory is not taken into account when synchronizing Roles. Critical Manufacturing only considers standard group membership in Active Directory.
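The difference between the two synchronization modes, and the PrimaryGroup caveat, is easiest to see as a membership calculation. The block below is an added illustration, not Critical Manufacturing code; the group and user names are constructed, and the `AdGroup` class is a stand-in for an Active Directory group, not a real API.

```python
# Added illustration (not Critical Manufacturing code) of the two Role
# synchronization modes described on this page, plus a drift check an
# administrator would run before choosing between them. Names are constructed.
from dataclasses import dataclass, field


@dataclass
class AdGroup:
    """Constructed stand-in for an Active Directory group (not a real API)."""
    name: str
    members: set[str] = field(default_factory=set)
    # Users whose PrimaryGroup is this group without a standard membership
    # entry; the page states synchronization ignores PrimaryGroup.
    primary_only: set[str] = field(default_factory=set)


def synchronize(role_members: set[str], group: AdGroup, full: bool = False) -> set[str]:
    """Return the Role membership after a sync.

    full=False models "Synchronize with AD": AD members are added, nobody removed.
    full=True models "Synchronize completely with AD": membership becomes exactly
    the AD group. PrimaryGroup-only users are never considered in either mode.
    """
    return set(group.members) if full else role_members | group.members


def stale_members(role_members: set[str], group: AdGroup) -> set[str]:
    """Users still in the Role whom AD no longer places in the group.

    These survive every incremental sync; only a full sync removes them.
    """
    return role_members - group.members


def missing_primary_group_users(group: AdGroup) -> set[str]:
    """Users relying solely on PrimaryGroup, who will not be imported."""
    return group.primary_only - group.members
```

Running `stale_members` after each incremental sync surfaces leavers who keep their Role in Critical Manufacturing until someone performs a full synchronization.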

Cache Invalidation#

🔒 Security.InvalidateCache

Security information is cached for performance reasons. If a client gets disconnected from the network and needs to synchronize the security information, the user should select the Invalidate Cache button.

security_invalidate_cache
