    Technical Bulletin Issue Date February 28, 2006

    M-Password

    Contents

    M-Password ..... 3
      Introduction ..... 3
      Key Concepts ..... 4
        M-Password ..... 4
        Password *.sec File Tips ..... 5
        Secured Items ..... 5
        Security System Administrator ..... 6
        Advanced Mode ..... 6
        Users and Groups ..... 7
        Global Settings ..... 10
        Critical Operational Data (COD) ..... 11
        Integrated NT Security ..... 14
        Default Group ..... 15
        User and Group Properties ..... 17
        M-Password Login Utility ..... 19
        Login Utility Preferences ..... 21
        Wildcards and Pattern Matching ..... 21
        Application Actions ..... 23
        Security Login Reminder ..... 24
        Auto Login to Security Server from the Windows NT/Windows 2000 Operating System Logon ..... 25
        M-Password Worksheet Example ..... 25
        Default Group Analysis ..... 26
      Detailed Procedures ..... 27
        Logging in as Administrator ..... 27
        Editing the Default Security File ..... 28
        Adding a User or Group ..... 30
        Editing a User or Group ..... 43
        Deleting a User or Group ..... 43
        Editing the Default Group ..... 43
        Associating Users and Groups ..... 43
        Removing Associations ..... 44
        Assigning Application Actions ..... 44
        Removing Application Actions ..... 45
        Logging In as a User ..... 45
        Changing a Password as a User ..... 46
        Editing the Default Group to Allow Auto NT Login ..... 47
        Enabling a User for Auto NT Login ..... 48
        Logging Out ..... 49

    2006 Johnson Controls, Inc. www.johnsoncontrols.com Code No. LIT-1153150 Software Release 5.4

    M-Password Technical Bulletin 2


    M-Password

    Introduction

    M-Password provides restricted access to application functions based on the concept of a logged-in user. A security system administrator configures the system by adding users and assigning them specific privileges. In addition, administrators may associate users with certain groups that also have assigned privileges. Thus, users have the effective rights of all the groups to which they belong, plus their own private rights. This document describes how to:

    - log in as administrator
    - edit the default security file
    - add a user or group
    - edit a user or group
    - delete a user or group
    - edit the Default Group
    - associate users and groups
    - remove associations
    - assign application actions
    - remove application actions
    - log in as a user
    - change a password as a user
    - edit the Default Group to allow Auto NT Login
    - enable a user for Auto NT Login
    - log out


    Key Concepts

    M-Password

    M-Password controls the user capabilities on an M-Series Workstation. There are two components to M-Password:

    - Configuration application - used by administrators to set up the users' rights and privileges
    - Login application - used by the user to log into the system with the assigned user name and password

    The Password Administrator determines the access for all users. Figure 1 is an example of the usage sequence:

    1. Use the M-Password Worksheet found in this document.
    2. Identify all users of the M-Series Workstation. Define which users need similar user privileges.
    3. Create the Groups and User identifications.
    4. Assign Applications and Privileges to the Groups and Users.
    5. Delete unwanted actions from the Default Group. Remember that actions in the Default Group supersede all other Group actions.

    Figure 1: M-Password Flow Chart


    Password *.sec File Tips

    The following list contains helpful tips for using M-Password:

    - M-Series Workstations use the last *.sec file saved. M-Password configuration prompts the user to create a password file when making a change to the configuration, such as adding a user or a group, when M-Password is run with the M-Series Workstation. The default file name is untitled.sec, and it is located in the M-Data folder. We recommend changing the location and file name when saving. If this security file is deleted and a request is made to create the file again, the new file is created with no access given to the Default Group. The system administrator must manually add access rights for all users.
    - Since the security system is file based, we recommend the following:
      - When you launch M-Password the first time, save the default file (change the default name) and make a copy of the file. This process retains a copy of the original security file in case passwords are compromised.
      - Start with the default file and save all changes.
      - Ensure the *.sec files are backed up away from the M-Series Workstation.
    - All passwords and security levels are stored in the *.sec file. If more than one M-Series Workstation uses M-Password, make sure the *.sec file is copied to all other M-Series Workstations or is accessible by all workstations from a common network drive.
    - When you OK the windows in the M-Password feature, the changes are automatically saved in the *.sec file.

    Secured Items

    M-Password can control access to point (OLE for Process Control [OPC] tag) names and file names for enabled applications. To confirm access for the logged-in user, the application passes the point name or file name to M-Password for confirmation. The application controls access to points, alarms, and files depending on the M-Password response. For example, the M-Graphics application uses this information to determine read/write access restrictions.

    The M-Password Application Actions Technical Bulletin (LIT-1153175) lists all applications that are secured from within M-Password. The M-Password Default Security File Application Note (LIT-1201442) lists the users, groups, and application actions that are configured for the default security file.


    M-Password can protect access to the following items within the Johnson Controls workstation system:

    Application Actions - Each application supplies a list of functions to be secured (for example, saving a file).

    Files - Single files or groups of files may be protected from access via the applications. For example, M-Graphics restricts access to these files at Runtime mode from both the File > Open menu and any Pick action that loads a new display.

    Alarms - Single alarms may be protected from being acknowledged by unauthorized users.

    Points (OPC tags) - Access to individual OPC tags may be protected, based on wildcards. In general, this protects write access.

    Security System Administrator

    The Security System Administrator defines group and user access. When logging in as the administrator with a blank user name and the default password, full access rights are granted. Once the Security System Administrator box is checked on the Properties for User dialog box (Figure 18) and the new administrator is added, the default password is disabled. The default password remains disabled until all designated Security System Administrators are deleted.

    Advanced Mode

    M-Password is available in two modes: Basic and Advanced. As the administrator, you can create a security file in Basic mode and convert it to Advanced mode, but you cannot convert Advanced to Basic. The default security file is in Advanced mode. We recommend that you always try to apply the default security file for your application.

    Note: Use Advanced mode. If you choose Basic mode, you can convert it to Advanced.

    Basic mode restricts the configuration capabilities to a basic set of features and does not provide access to some advanced security system configuration features. In Basic mode, you cannot:

    - edit the default group
    - access the default group at runtime
    - assign rights to users (in Basic mode you can only assign rights to groups)
    - assign a user to more than one group (you must use the user properties dialog box to define which group the user is part of)

    Advanced mode allows you to access all features of M-Password.


    To convert from Basic mode to Advanced mode, on the View menu, click Advanced Mode. Once you convert to Advanced mode, you cannot revert to Basic.

    Users and Groups

    The main window for the M-Password configuration application consists of two panes: the left side is the group view and the right side is the user view.

    Note: The first time you run the program, both sides are empty.

    Figure 2: M-Password Configuration Screen


    Table 1: M-Password Toolbar Buttons (descriptions in toolbar order; the button icons are not reproduced here)

    - Creates a new document.
    - Opens a document.
    - Saves a document.
    - Adds a new user.
    - Adds a new group.
    - Associates selected user and group.
    - Synchronizes users and groups with the Windows NT operating system security database.*
    - Configures the default group and default policy.
    - Associates application actions with users and groups.
    - Not available
    - Displays the about dialog box.

    * Supported for Metasys system for Validated Environments (MVE) installations only.


    Table 2: M-Password Menus

    File menu
    - New - Creates a new document.
    - Open - Opens a document.
    - Save As - Saves the current document.
    - Recent File List - Lists recently opened documents.
    - Exit - Closes M-Password.

    Edit menu
    - Edit - Edits selected user or group.
    - Rename - Renames selected user or group.
    - Delete - Deletes selected user or group.
    - Duplicate - Makes a copy of the selected user or group.
    - Global Settings - Configures the settings that define the behavior of the security system for all users and the Critical Operational Data (COD) points.
    - Default Group - Configures Default Group options.
    - Application Actions - Associates application actions with users and groups.

    Insert menu
    - New User - Adds a new user.
    - New Group - Adds a new group.
    - Associate User & Group - Associates selected user and group.

    View menu
    - Toolbar - Shows or hides toolbar.
    - Status Bar - Shows or hides status bar.
    - Synchronize with NT - Synchronizes users and groups with the Windows NT operating system security database.
    - Basic Mode* - Indicates that the configuration file is in the Basic configuration mode. (We do not support Basic mode.)
    - Advanced Mode* - Indicates that the configuration file is in the Advanced configuration mode. If the file is in Basic mode, you can select this option to convert it to Advanced mode.

    Help menu
    - Help Topics - Opens online help.
    - About Security - Lists program version information.

    * A bullet beside the menu item indicates the mode of your security file.


    Global Settings

    The Global Settings define the behavior of the security system for all users. The Global Settings consist of three tabs: the Policy tab (Figure 3), the Critical Points tab (Figure 5), and the Critical Alarms tab (Figure 6).

    Table 3 describes the features of the Policy tab. The Critical Points and Critical Alarms tabs are described in the Critical Operational Data (COD) section. COD is only supported for Metasys system for Validated Environments (MVE) applications.

    Figure 3: Global Settings Policy Tab


    Table 3: Global Settings Fields

    - Allow Auto NT Login* - Enables users with matching user names and domain names to be automatically logged in to the security server when the login application is run. This feature eliminates the need for users who have already logged in to a Windows NT Operating System (OS) domain to enter a user name and password a second time to gain access to M-Password.
    - Allow User Lists - Allows the Login dialog box in the Login Application to display a list of all users. This feature allows users to log in by selecting the user name from a list instead of typing it in. This is useful for touch screen systems.
    - Display Last User - Allows the Login dialog box to display the name of the last user who successfully logged in.
    - Include Users Full Name in Events - Records the user's full name (Full Name field) in the Alarm and Event database.
    - Simultaneous Logins - Allows multiple users to be logged in at the same time from the same node. The rights granted are the sum of the rights of all the logged in users. If this feature is not selected and a new user logs in while another user is already logged in, the original user is logged out. This option is not currently supported.
    - NT Domain* - Indicates the domain with which M-Password synchronizes users and groups.
    - NT Synchronization Period* - Indicates how often M-Password synchronizes the names of users and groups with the Windows Operating System (OS). A value of 0 disables the automatic synchronization with Windows NT.
    - Critical Points Login Period - Indicates the length of time that the user is permitted to modify the COD value. After this COD modification time expires, the user has to log in again to modify the point.
    - Auto Logout Recovery - The number of minutes after all security related requests from a node have ceased (in the event that a client node crashes) before users from that node are logged out. The range is 0 to 99 minutes; the default is 2. A value of 0 disables this feature.

    * These fields are only available if the Integrated NT Security feature is active. The Integrated NT Security feature is supported for MVE installations only.

    Critical Operational Data (COD)

    Note: The COD feature is supported for MVE installations only.

    M-Password provides an additional level of security for selected points, called COD, that requires users to log in again to verify their identity using the M-Password Login dialog box (Figure 27).


    The COD feature is a part of the Global Settings on the Edit menu. Using the Critical Points and Critical Alarms tabs, you can create a list of points and alarms that require the user to log in again. Even if the user (with permission to access the COD) is already logged in, he or she is forced to log in again. The first dialog box (Figure 4) informs the user that he or she needs to log in to M-Password. After selecting Yes or No, the M-Password login dialog box appears (Figure 27). If you click No, the initial dialog box does not appear again.

    Figure 4: COD Dialog Box

    The Critical Points tab (Figure 5) and the Critical Alarms tab (Figure 6) allow you to define COD points and alarms in your system. The two property pages are divided into two sections: Include and Exclude. Each section contains an edit field and a list box. Press Enter with the cursor in the edit field or click the Add button to add text to the list box. Use the Browse button to scan OPC data points.

    Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.

    Type a specific point in the test string field to see whether it is treated as critical for the current user. If it is, a check mark appears in the Considered Critical field. If it is not considered critical, the field remains empty.

    The COD feature affects users trying to access COD points in the following software:

    - M-Graphics - you cannot command a COD point without logging in to M-Password.
    - M-Alarm - you cannot acknowledge a COD point without logging in to M-Password.
    - N1 Schedule - you cannot enter the edit mode of the schedule of a COD point without logging in to M-Password. If the time it takes you to edit the schedule exceeds the COD login period, you must log in to M-Password again to save your changes.


    Figure 5: Global Settings Critical Points Tab


    Figure 6: Global Settings Critical Alarms Tab

    Integrated NT Security

    Note: The Integrated NT Security feature is supported for MVE installations only.

    M-Password allows you to synchronize users and password policies with a Windows 2000 computer or domain and the M-Series Workstation. This feature provides central password management and saves you time.

    When you create a new security configuration in Advanced mode, an Integrated NT Security dialog box (Figure 16) prompts you to choose the computer or Domain with which to synchronize.

    If you choose to synchronize M-Password with the Windows OS users and groups, you cannot add or remove users and groups from within M-Password. Since the operating system controls the user policy, most of the account policy settings are hidden in this mode (Figure 7).


    M-Password queries the Windows OS and keeps the users and groups up to date. You can manually synchronize users and groups by selecting Synchronize with NT from the View menu or by clicking the Refresh button on the toolbar.

    Figure 7: Account Policy Tab

    Default Group

    The system Default Group is used to assign access rights that are granted whether any users are logged in or not. When M-Password is first installed, the Default Group has full access to everything (all points, alarms, files, and application actions). The first step in configuring M-Password is to remove most, if not all, access rights assigned to the Default Group.

    Note: Configure the Default Group with minimal access rights. All users and groups are granted all rights available in the Default Group, plus the set of rights defined for an individual user and the set of rights defined for any groups with which the user is associated. This is true even when no one is logged into the system.


    For example, if you exclude a point in Will's properties, but the Default Group has access to that point, Will can still access that point. When defining a user, if the user's group has higher access rights than that user and the Default Group, the access rights of the user's group take priority over all other access rights. Similarly, if the access rights of the user's group and the Default Group are lower than the access rights defined for the user, the user's access rights take priority.

    When assigning access rights, consider the following:

    - Once you have defined users and groups, the group or user with the highest access rights takes priority. Compare the user's access rights to the group access rights and the Default Group access rights; whichever has the highest access rights takes priority.

    - Exclude definitions override include definitions within an individual assignment for any group or user.

      Example: If a point is both included and excluded within a single group's or individual user's rights, it is excluded. Points included in the group cannot be excluded for individual users within the group. Only points included for the individual user can be excluded in the exclude list for that user.

    - Access rights for defined groups apply only in those areas not assigned by the Default Group. Access rights for users apply only in those areas not assigned by the Default Group or the groups to which the users belong. In other words, the rights granted by the Default Group cannot be taken away by any other group or user. The rights granted by a group cannot be taken away by a user.

      Example: If access to all points in Building 1 is included in the Default Group, access to Building 1 cannot be excluded by a user-defined group or an individual user's rights.

    - If a user belongs to multiple groups, the user's rights are the union of the assignments of the groups, plus the individual assignments in areas outside those defined in the groups.

      Example: No rights are assigned in the Default Group. The rights for the Blue Group include all points but exclude Buildings 2, 3, and 4. The rights for the Red Group include all points but exclude Buildings 1, 3, and 4. If User A belongs to the Blue and the Red Groups, the total rights for User A include individual assignments and Buildings 1 and 2.


    User and Group Properties

    When the system administrator defines a group or user, the fields in each tab listed in Table 4 must be configured in either the Properties for User dialog box (Figure 8) or the Properties for Group dialog box (Figure 9).

    Figure 8: Example of Properties for User Dialog Box


    Figure 9: Example of Properties for Group Dialog Box


    Table 4: User and/or Group Property Dialog Box Tabs

    - User Properties - The User Properties tab contains information about the user name, password changes, and whether this user is a security system administrator.
    - Group Properties - The Group Properties tab contains the group name and description.
    - Points - The Points tab controls access to points (OPC tags) users may want to monitor and command. Before an M-Series Workstation software application outputs a value to a networked supervisory controller via OPC DA Server, the string that identifies the OPC point is sent to M-Password to determine if the intended action should be allowed, based on the currently logged in users and/or the groups to which they belong.
    - Alarms - The Alarms tab controls whether users can acknowledge particular alarms and messages. Before a user can acknowledge an alarm message that is displayed in the M-Alarm Viewer, the string that identifies the alarm message is sent to the M-Password security server to determine if this action should be allowed, based on the currently logged in users and/or the groups to which they belong.
    - Files - The Files tab controls access to files users may open. Currently, only M-Graphics and Screen Manager files can be protected. For example, entries here would typically be used to restrict certain users and/or groups from picking certain graphic displays from M-Graphics.
    - Time Sheet - The Time Sheet tab allows time-of-day restrictions on an hourly basis for users and groups. For selected hours, access is allowed. For non-selected hours, users can log in, but access is denied for protected objects.
    - Account Policy - The Account Policy tab defines how passwords are used by all user accounts, whether user accounts are automatically locked out after a series of incorrect login attempts, and whether Auto Login to M-Password through NT Login is enabled. (The system administrator must unlock a user after a lockout.) The base policy for the system is set in the Default Group. For users and groups other than the Default Group, each policy can selectively be enabled and set for that user or group. If more than one policy setting is in effect, the least restrictive is used. For this reason, the policy set in the Default Group must be the most restrictive. Individual users and groups can be made less restrictive than the Default Group but never more restrictive.

    Note: Currently, the Custom and Stations tabs are not used.
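    The "least restrictive setting wins" rule of the Account Policy tab is the one most often misread, so here is an added example (not code from the bulletin or from Johnson Controls) that models how policies enabled at the Default Group, group and user levels combine. The three settings modelled (lockout attempts, Logout In minutes, Auto Login through NT Login) are the ones this bulletin mentions; the numeric values, the convention that 0 means a limit is switched off, and all function and field names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccountPolicy:
    """Account Policy settings at one level (Default Group, a group, or a user).
    None means the setting is not enabled at this level and has no effect.
    Assumed convention for this illustration: 0 means the limit is switched off."""
    lockout_attempts: Optional[int] = None    # incorrect logins before lockout
    logout_in_minutes: Optional[int] = None   # minutes before auto logout
    auto_nt_login: Optional[bool] = None      # Auto Login to M-Password through NT Login


def _least_restrictive(values):
    """Among the limits in effect, pick the loosest: a switched-off limit (0)
    beats any number; otherwise the largest number wins."""
    vals = [v for v in values if v is not None]
    if not vals:
        return None
    return 0 if 0 in vals else max(vals)


def effective_policy(default, *others):
    """Combine the Default Group policy with the policies enabled for the user's groups
    and for the user. Wherever more than one setting is in effect, the least restrictive
    one is used, so a level can loosen the Default Group policy but never tighten it."""
    levels = [default, *others]
    flags = [p.auto_nt_login for p in levels if p.auto_nt_login is not None]
    return AccountPolicy(
        lockout_attempts=_least_restrictive(p.lockout_attempts for p in levels),
        logout_in_minutes=_least_restrictive(p.logout_in_minutes for p in levels),
        auto_nt_login=any(flags) if flags else None,
    )


def worked_example():
    """Two constructed configurations showing why the Default Group must be the
    most restrictive level. Returns (well_configured, mis_configured)."""
    # Well configured: a tight Default Group; the other levels only loosen it.
    tight_default = AccountPolicy(lockout_attempts=3, logout_in_minutes=10, auto_nt_login=False)
    operators = AccountPolicy(logout_in_minutes=30)     # operators may stay logged in longer
    night_shift = AccountPolicy(auto_nt_login=True)     # one user allowed NT auto login
    good = effective_policy(tight_default, operators, night_shift)

    # Mis-configured: lockout switched off in the Default Group. A group that asks for
    # lockout after 3 attempts cannot restore it, because the loosest setting wins.
    loose_default = AccountPolicy(lockout_attempts=0, logout_in_minutes=10)
    careful_group = AccountPolicy(lockout_attempts=3, logout_in_minutes=5)
    bad = effective_policy(loose_default, careful_group)
    return good, bad


if __name__ == "__main__":
    good, bad = worked_example()
    print("tight Default Group ->", good)
    print("loose Default Group ->", bad)
```

    The second configuration is the failure mode the bulletin warns about: once the Default Group grants a lax setting, no group or user policy can restore a stricter one, so the Default Group has to be configured first and tightest.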

    M-Password Login Utility

    The Johnson Controls M-Password window (Advanced View) is divided into two panes. The upper pane contains the status of the Security Server to which the Login Utility is connected. The lower pane contains a list of currently logged in users.


    Figure 10: Johnson Controls M-Password Login Utility Window (Advanced View)

    Table 5 describes the display-only fields in the upper pane of the Johnson Controls M-Password Login Utility Window. The Logging in as a User procedure shows the M-Password Basic view window (Figure 27).

    Table 5: Johnson Controls M-Password Window Fields

    - Security Server Location - The name of the workstation where the security server is running and to which the Login Utility is connected. It is if the security server is running on the same workstation as the Login Utility.
    - Server Start Time - Date and time the security server was started. Time is converted to the local time of the user workstation if the security server is in a different time zone.
    - Server Current Time - Current date and time as reported by the security server on the last update. Time is converted to the local time of the user workstation if the security server is in a different time zone.
    - Server Configuration File - Name and path of the configuration file currently being used by the security server.


    Login Utility Preferences

    The Preferences dialog box allows the user to configure login options. Refer to Table 6 for field descriptions.

    Figure 11: Preferences Dialog Box

    Table 6: Preferences

    - Primary - Enter the name of the primary workstation to which the Login Utility should connect in order to run the security server. The default is .
    - Backup - Enter the name of the backup workstations to which the Login Utility should connect in order to run the security server. The default is . Note: Expanding the drop-down list causes a search of all nodes on the network for installed security servers. This may be time consuming. If known, it is faster to enter the name of the workstation.
    - Auto Logout Reminder - The number of minutes prior to a security server auto logout that a user is reminded to log in again. The range is 0 to 60 minutes. Enter 0 for no pop-up reminder window.
    - Status Update Period - The period between updates of the Server Status in the main window. The range is 1 to 60 seconds.
    - Splash Screen - Suppresses the initial M-Password screen that shows company logos and trademarks.

    Wildcards and Pattern Matching

    The entries in the include and exclude lists on the Points, Alarms, and Files tabs allow pattern matching. Pattern matching allows the use of wildcard characters, character lists, or character ranges, in any combination.


    Table 7 shows the characters allowed in patterns and what they match:

    Table 7: Wildcards and Pattern Matching

    - ? - Any single character
    - * - Zero or more characters
    - # - Any single digit (0-9)
    - [charlist] - Any single character in charlist
    - [!charlist] - Any single character not in charlist

    Type a specific point or file in the test string field (Figure 21) to see if the selected user has access. If the user has access, a check mark appears in the Access Granted field. If the user does not have access, the field remains empty.

    A group of one or more characters (charlist) enclosed in brackets ([ ]) matches any single character in the string and can include almost any character code, including digits.

    Note: The special characters left bracket ([), question mark (?), number sign (#), and asterisk (*) can be used to match themselves directly only by enclosing them in brackets. The right bracket (]) cannot be used within a group to match itself, but it can be used outside a group as an individual character.

    In addition to a simple list of characters enclosed in brackets, charlist can specify a range of characters by using a hyphen (-) to separate the upper and lower bounds of the range. For example, [A-Z] in a pattern results in a match if the string contains any of the uppercase letters in the range A through Z. Multiple ranges are included within the brackets without any delimiters.

    Other important rules for pattern matching include the following:

    - An exclamation point (!) at the beginning of charlist means that a match is made if any character except the ones in charlist is found in the string. When used outside brackets, the exclamation point matches itself.
    - The hyphen (-) can appear either at the beginning (after an exclamation point if one is used) or at the end of charlist to match itself. In any other location, the hyphen is used to identify a range of characters.
    - When a range of characters is specified, the characters must appear in ascending sort order (from lowest to highest). [A-Z] is a valid pattern, but [Z-A] is not.
    - The character sequence [] is ignored.


    Pattern matching is done on the file extension, separate from the file name, to match the Disk Operating System (DOS) wildcard semantics. For example, the wildcard *.* indicates all files.
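    The following is an added example (not code from the bulletin or from Johnson Controls) that puts the two rule sets from this document together: the Table 7 wildcard semantics, including the bracket rules above and the DOS-style separate matching of file name and extension, and the Default Group / group / user precedence rules from the Default Group section (exclude overrides include within one assignment; rights are the union across levels; a narrower level can never take away what a broader level granted). It finishes with the bulletin's Blue Group / Red Group example. Point and file names are constructed, the comparison is assumed to be case-sensitive (the bulletin does not say), `os.path.splitext` is used to approximate the DOS name/extension split, and every class and function name is my own.

```python
import os
from dataclasses import dataclass, field

DIGITS = "0123456789"


def _parse_charlist(p, i):
    """Parse a '[charlist]' group starting at p[i] == '['.
    Returns (set of matching characters, negated flag, index just after ']')."""
    j, n, negated, chars = i + 1, len(p), False, set()
    if j < n and p[j] == "!":                    # leading '!' negates the list
        negated, j = True, j + 1
    while j < n and p[j] != "]":
        if j + 2 < n and p[j + 1] == "-" and p[j + 2] != "]":   # lo-hi range
            lo, hi = p[j], p[j + 2]
            if lo > hi:
                raise ValueError(f"range [{lo}-{hi}] must be in ascending order")
            chars.update(chr(k) for k in range(ord(lo), ord(hi) + 1))
            j += 3
        else:                                    # literal: also '-' at start/end, '[', '?', '#', '*'
            chars.add(p[j])
            j += 1
    if j >= n:
        raise ValueError("unterminated '[' in pattern")
    return chars, negated, j + 1


def _match(s, si, p, pi):
    n, m = len(s), len(p)
    while pi < m:
        c = p[pi]
        if c == "*":                             # collapse a run of '*', then try every split
            while pi < m and p[pi] == "*":
                pi += 1
            return pi == m or any(_match(s, k, p, pi) for k in range(si, n + 1))
        if c == "[":
            if p.startswith("[]", pi):           # the sequence '[]' is ignored
                pi += 2
                continue
            chars, negated, pi = _parse_charlist(p, pi)
            if si >= n or (s[si] in chars) == negated:
                return False
            si += 1
            continue
        if si >= n:
            return False
        if c == "#":
            if s[si] not in DIGITS:
                return False
        elif c != "?" and c != s[si]:            # ']' and '!' outside brackets match themselves
            return False
        si, pi = si + 1, pi + 1
    return si == n


def like(s, p):
    """True if the whole string s matches pattern p (case-sensitive: an assumption)."""
    return _match(s, 0, p, 0)


def like_file(filename, p):
    """DOS-style file matching: base name and extension are matched separately,
    so '*.*' covers every file and '*.gdf' only files with that extension."""
    name, ext = os.path.splitext(os.path.basename(filename))
    pname, pext = os.path.splitext(p)
    return like(name, pname) and like(ext[1:], pext[1:])


@dataclass
class Assignment:
    """One Include/Exclude list pair, as on the Points, Alarms or Files tab."""
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def allows(self, item):
        # Within a single assignment, exclude overrides include.
        if any(like(item, pat) for pat in self.exclude):
            return False
        return any(like(item, pat) for pat in self.include)


def effective_access(item, default, groups, user):
    """Union of Default Group, group and user rights: a narrower level can add
    access but can never take away what a broader level granted."""
    return default.allows(item) or any(g.allows(item) for g in groups) or user.allows(item)


def worked_example():
    """The bulletin's Blue/Red Group example, with constructed point names."""
    default = Assignment()                                       # nothing in the Default Group
    blue = Assignment(["*"], ["Building2*", "Building3*", "Building4*"])
    red = Assignment(["*"], ["Building1*", "Building3*", "Building4*"])
    user_a = Assignment(["Building3.Pump#.*"])                   # User A's individual assignment
    points = ["Building1.AHU1.SP", "Building2.AHU1.SP", "Building3.Pump1.CMD",
              "Building3.Fan1.CMD", "Building4.AHU1.SP"]
    return {pt: effective_access(pt, default, [blue, red], user_a) for pt in points}


if __name__ == "__main__":
    for pt, ok in worked_example().items():
        print(f"{pt:22} {'allowed' if ok else 'denied'}")
```

    Running it shows User A allowed on Buildings 1 and 2 (one group each), denied on Building 4 (excluded by both groups), and allowed only on the Building 3 pump point that the individual assignment includes. Swapping the empty Default Group for one that includes `Building1*` shows the other rule from the Default Group section: an exclude in a group or user assignment then has no effect on Building 1.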

    Application Actions M-Password allows system administrators to grant or deny access to specific applications and applications functions.

    Figure 12 is an example of the Actions/Users Association dialog box. The items on the left tree control are the Johnson Controls application names. The child items of the application names are the application functions that can be protected. The items in the tree control on the right are the users and groups defined in the M-Password database. The child items of the users and groups are the application names and actions enabled for that user or group.

    Note: When M-Password is first installed, the Default Group has full access to everything. You must configure the Default Group with minimal access rights. Remove all, if not most, access rights assigned to the Default Group.

    All users and groups are granted all rights available in the Default Group, plus the set of rights defined for an individual user.

    Figure 12: Actions/Users Association Dialog Box

    Note: Each Johnson Controls client provides a list of application functions that can be protected through M-Password. Refer to M-Password Application Actions Technical Bulletin (LIT-1153175) for specific application actions that are protected.


    Security Login Reminder

    The Johnson Controls M-Password Reminder dialog box (Figure 13) indicates the amount of time remaining before auto logout occurs. This dialog box appears at an interval determined by subtracting the time entered in the Logout In minutes field of the Properties for User Dialog Box: Account Policy Tab (Figure 25), from the number of minutes entered in the Auto Logout Reminder field in the Login Utility Preferences dialog box (Figure 11). For example, if 20 is entered in the Logout In minutes field and 12 is entered in the Auto Logout Reminder field, the reminder appears 8 minutes before Auto Logout occurs.

    Figure 13: M-Password Reminder Dialog Box

    Table 8: M-Password Reminder Dialog Box

    Field                                              Description
    Dismiss                                            Close dialog box; user is not reminded again.
    Postpone                                           Postpone reminder by the time entered by user.
    Login Now                                          Allow system login to reset the auto logout timer.
    Click Postpone to be reminded again in x minutes   Enter number of minutes until reminder reappears.


    Auto Login to Security Server from the Windows NT/Windows 2000 Operating System Logon

    M-Password supports auto login to M-Password from the Windows NT/Windows 2000 Operating System Logon. To use this feature, the Windows NT Workstation must be a member of a Windows NT Domain. Verify that the M-Password username is synchronized with the username in the Windows NT Security Account Manager (SAM) database. The administrators are responsible for making sure the usernames in both M-Password and the Windows NT SAM are the same. It is not necessary for the passwords to match.

    When a Windows NT domain user is logged in to a Windows NT workstation and a matching username and domain name exist in the M-Password database for that user, the user is automatically logged in to M-Password when launching the Login application.

    Note: Once a user is granted the Allow Auto NT Logon option, he/she must log out using Windows NT Logout. If the M-Password logout is used, the Auto Logon is not disabled, which leaves the workstation unsecured, and anyone can log in to M-Password when launching the Login application.

    M-Password Worksheet Example

    The following example of an M-Password worksheet is used to record and manage user access.

    Security File Name

    *.SEC File Name: ____________.SEC

    Name Analysis

    Person's Name        User Name        Password*        Group Name
    Administrator:

    * Passwords are case sensitive and spaces are not allowed. M-Password has no association to the passwords in the N30 Supervisory Controller or in the Network Control Module (NCM) Supervisory Controller.

    Access and Privileges Analysis

    Account policy tips:

    Follow your Information Technology department's login account standards.

    Keep options the same for all users and groups. Keep in mind that M-Password uses the least restrictive of all options when users log in. Set groups as most restrictive and then set users as least restrictive.


    User Name and Group: ____________________

    Application Associations: BACnet_OPC = ___  CF-Connect = ___  M3HCI = ___  M-Authorize = ___  M-Collector = ___  M-Explorer = ___  M-Graphics = ___  M-Terminal = ___  M-Trend = ___

    User Properties: Change P/W on Login [ ]  User can not change P/W [ ]  Security Administrator [ ]

    Points / Alarms / Files / Time Sheet: ____________________

    Account Policy (Blank indicates unchecked): Max P/W Age = __ Days  P/W Length = __ Characters  Account Lockout = __ Bad Attempts  Min P/W Age = __ Days  P/W Uniqueness = __ Unique P/Ws  Auto Logout = __ Minutes  Account Lockout = _3_ Bad Attempts

    User Name and Group: ____________________

    Application Associations: BACnet_OPC = ___  CF-Connect = ___  M3HCI = ___  M-Authorize = ___  M-Collector = ___  M-Explorer = ___  M-Graphics = ___  M-Terminal = ___  M-Trend = ___

    User Properties: Change P/W on Login [ ]  User can not change P/W [ ]  Security Administrator [ ]

    Points / Alarms / Files / Time Sheet: ____________________

    Account Policy (Blank indicates unchecked): Max P/W Age = __ Days  P/W Length = __ Characters  Account Lockout = __ Bad Attempts  Min P/W Age = __ Days  P/W Uniqueness = __ Unique P/Ws  Auto Logout = __ Minutes

    Default Group Analysis

    M-Password uses the least restrictive (group or user) option when users log in. We recommend setting groups with more restrictions and users with fewer restrictions.

    Applications: BACnet_OPC = ___  CF-Connect = ___  M3HCI = ___  M-Authorize = ___  M-Collector = ___  M-Explorer = ___  M-Graphics = ___  M-Terminal = ___  M-Trend = ___

    Properties / Points / Alarms / Files: ____________________

    Account Policy: Max P/W Age = __ Days  P/W Length = __ Characters  Account Lockout = __ Bad Attempts  Min P/W Age = __ Days  P/W Uniqueness = __ Unique P/Ws  Auto Logout = __ Minutes  Account Lockout = _3_ Bad Attempts  Simultaneous P/Ws = [ ] yes/no


    Detailed Procedures

    When configuring M-Password options, the security system administrator must log in first. We recommend adding users and groups, editing the Default Group so it has minimum access rights, and selecting at least one new user as the security system administrator.

    Logging in as Administrator

    To log in as administrator:

    1. Select Start > Programs > Johnson Controls > M-Password > Configuration. The Johnson Controls M-Password Administrator Login dialog box appears (Figure 14).

    Figure 14: Johnson Controls M-Password Administrator Login Dialog Box

    2. Leave the user name blank, and enter JCI as the password (password is case-sensitive), which is the default administrator password. Currently the Challenge field is not being used.

    3. Click OK.

    Notes: Passwords are case sensitive. Once a new administrator is defined, the default password is disabled.

    When you save changes into the M-Password configuration file (.sec), we recommend picking a new name for the file. Future sessions automatically load this file on startup.


    Editing the Default Security File

    Note: For standard M-Series Workstation applications (M3, M5, and Metasys system Web Access [MWA]), we recommend that you use the default security file that is provided with the M-Series Workstation software to set up the security system for your application.

    Table 9: Default Security File Names

    Application               Default Security File Name
    MVE                       default.sec
    M5 SAES or SAOS           default.sec
    M3 or M5 Workstation      mseries.sec
    MWA                       mseries.sec

    To edit the default security file:

    1. On the Start menu click Programs > Johnson Controls > M-Password > Configuration. The Johnson Controls M-Password Administrator Login dialog box appears.

    2. Enter user name and password. The Configurator program appears.

    3. Edit the Users and Groups as necessary as described in this document.

    4. On the File menu, click Save As. The Save As dialog box appears.

    5. Type the desired file name, and click Save. If you cannot edit the default security file, create a new file using the steps in the next section.

    Creating a New Security File

    Note: Use the default file, unless it is necessary to create a new file.

    To create a new security file:

    1. On the File menu, click New. The Security Server dialog box appears (Figure 15).

    Figure 15: Security Server Dialog Box


    2. Click No to create it in Advanced mode. The Integrated NT Security dialog box appears (Figure 16).

    Note: Use Advanced mode. If you choose Basic mode, you can convert it to Advanced.

    Figure 16: Integrated NT Security Dialog Box

    3. Click Cancel. The Save As dialog box appears (Figure 17). Note: If you are creating a new security file for an MVE installation, complete the dialog box by performing one of the options according to Table 10.

    Table 10: Integrated NT Security Options

    Option                                    Result
    Click Cancel                              Creates a new security file without synchronizing users and groups between M-Password and the Windows OS.
    Select Local Computer                     Synchronizes the users and groups between M-Password and the Windows OS. Note: Auto login with NT User ID can only be done with domain user accounts.
    Select Domain and Type the Domain Name    Synchronizes the users and groups between M-Password and the network domain you type.


    Figure 17: Save As Dialog Box

    4. Type a name for the file and click Save.

    Adding a User or Group

    To add a user or group:

    1. Select Insert > New User or Insert > New Group. A new entry appears in M-Password with the name New User or New Group. The Properties dialog box appears for a new user (Figure 18) or group (Figure 20).


    Figure 18: Properties for User Dialog Box: User Properties Tab

    2. Click Preferences. The User Preference Properties dialog box appears (Figure 19).


    Figure 19: User Preference Properties Dialog Box

    Note: Only the M5 Workstation software uses the Screen Manager tab.

    3. On the M5 Workstation only, select a default layout for Screen Manager. M5 Workstation software loads this default layout when this user logs in to the system.

    This is the default layout used when a user logs in to the workstation and is different from the default layout or slide show used when no user is logged in.

    On all M-Series Workstations, if you are using a language other than English, select the Language tab. Choose the language preference from the drop-down list.

    The Language Installation Program installs appropriate language files. The drop-down list is populated with the installed languages.

    4. Fill in the fields in each of the tabs. Refer to the User Properties Tab, Group Properties Tab, Points Tab, Alarms Tab, Files Tab, Time Sheet Tab, and Account Policy Tab sections for detailed descriptions of the fields in each tab.

    M-Password does not support the Custom and Stations tabs.

    5. Click OK.


    User Properties Tab

    Figure 18 shows an example of the User Properties tab. Refer to Table 11 for details.

    Table 11: User Properties

    Field                                     Description
    User Name                                 Short name (no spaces) the user types when logging on to the system
    Full Name                                 User's full name, optional
    Description                               For information only, optional
    Password                                  Password the user must type to log in. The default is blank. Note: This field is case sensitive. Use caution when typing the password. The software will allow the entry of spaces; however, no spaces are allowed.
    Verify password                           If you change the Password field, you must retype the exact password in this field.
    NT Domain                                 If the security system supports the Auto Login to the Security Server from NT Login feature, use this field to identify the NT Domain to which the user belongs.
    User Must Change Password at Next Logon   When checked, the user must change his/her password at the time of the next logon. This is often used when a new user is created: the administrator enters a default password for the new user and checks this field to require a real password to be entered on first logon.
    User Cannot Change Password               When checked, only the M-Password administrator can change the user's password, from this dialog box.
    Account Disabled                          Checking this field has the same effect as deleting the user without the permanence of an actual delete. This could be used to temporarily disable a user due to a holiday or extended leave of absence.
    Account Locked Out                        This field is normally unchecked and disabled. Should the account become locked out, the field is enabled and checked. From here, the administrator can uncheck the field to re-enable the user login.
    Security System Administrator             When checked, this user is allowed to log in as a security system administrator to configure all aspects of the security system. Once an administrator is defined, the default administrator password is disabled.
    Preferences Button                        Opens the User Preference Properties dialog box. Users can choose default layouts and language type.


    Group Properties Tab

    Figure 20 shows an example of the Group Properties tab. Refer to Table 12 for details.

    Figure 20: Properties for Group Dialog Box: Group Properties Tab

    Table 12: Group Properties Tab

    Field          Description
    Group Name     Short name (no spaces) that uniquely identifies this group within the system.
    Full Name      Full name for this group. For information only, optional.
    Description    For information only, optional.


    Points Tab

    The Points property page is divided into two sections: Include and Exclude (Figure 21). Each section contains an edit field and a list box. Pressing Enter with the cursor in the edit field or clicking the Add button adds text to the list box. Use the Browse button to scan OPC data points.

    Notes: If you leave the fields blank, no access is granted. Typing * and clicking Add grants access to everything.

    Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.

    When an application sends an OPC point string to M-Password for access testing (granted or denied), the include/exclude lists are compared as follows for each active user and group until access is granted:

    Compare the OPC point string with each string in the include list until a match is found. If no match is found, access is denied.

    The exclude list entries can only remove rights granted in their corresponding include list. For example, if user Glenn belongs to group operators and operators grants access to OPC point xy*, adding point xyz to Glenn's exclude list does not take away the access rights to the point for Glenn. Glenn's include list should have points xy*; then adding xyz to the exclude list takes away access rights to point xyz.

    If you wish to restrict access to specific points, enter *.* in the Include list and enter the restricted points in the Exclude list. But, if you have *.* in the Include list, and enter the Metasys software and M-Explorer executable files in the Exclude list, you will not be able to access these software programs from the M5 Screen Manager command bar. If you have *.* in the Include list and enter nothing in the Exclude list, you will have access to all points and software programs.

    Excluding points has the following effects:

    In M-Graphics, the Exclude command removes only write access to those points. Read access is not excluded.

    M-Explorer cannot launch M-Inspector for a restricted OPC point.

    Type a specific point in the Test String field to see if the current user has access. If the user has access, a check mark appears in the Access Granted field. If the user does not have access, the field remains empty.


    Note: All users and groups, including system users that are not logged in, are granted all rights available in the Default Group, plus the set of rights defined for an individual user. The highest access rights, either of the user or group, supersede all other rights.
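    The include/exclude comparison described above and the union-of-rights rule in this Note, as an added Python model (illustration code, not part of the bulletin or of M-Password). It uses fnmatchcase as a stand-in for M-Password's own wildcard matcher, and the Glenn/operators names from the text are constructed sample data.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, List, Optional

# Added example, not Johnson Controls code. Models the Points-tab access
# decision the bulletin describes. Assumption: fnmatchcase stands in for the
# product's matcher (it supports *, ? and [..] but not '#' or the ignored []).
Matcher = Callable[[str, str], bool]


@dataclass
class Principal:
    """A user, one of its groups, or the Default Group, with its Points-tab lists."""
    name: str
    include: List[str] = field(default_factory=list)  # blank list grants nothing
    exclude: List[str] = field(default_factory=list)


def principal_grants(p: Principal, point: str, match: Matcher = fnmatchcase) -> bool:
    """Decision for one user or group, as the bulletin states it:
    1. compare the point with each include entry until one matches; no match
       means no grant (a blank list grants nothing, '*' grants everything);
    2. an exclude entry can only remove what this same include list granted."""
    if not any(match(point, pat) for pat in p.include):
        return False
    return not any(match(point, pat) for pat in p.exclude)


def access_granted(point: str, default_group: Principal, user: Principal,
                   groups: List[Principal], match: Matcher = fnmatchcase) -> bool:
    """Rights are the union of the Default Group, the user, and each group the
    user belongs to: each is tested in turn until one grants, so an exclude on
    one principal never cancels a grant coming from another."""
    return any(principal_grants(p, point, match) for p in [default_group, user, *groups])


def granting_principal(point: str, default_group: Principal, user: Principal,
                       groups: List[Principal], match: Matcher = fnmatchcase) -> Optional[str]:
    """Name the first principal that grants access, or None if all deny
    (useful when auditing why a user can reach a point)."""
    for p in [default_group, user, *groups]:
        if principal_grants(p, point, match):
            return p.name
    return None


if __name__ == "__main__":
    # Constructed sample data following the bulletin's Glenn/operators example.
    default = Principal("Default Group")                # emptied, as recommended
    operators = Principal("operators", include=["xy*"])
    glenn = Principal("Glenn", exclude=["xyz"])         # exclude without own include
    print(granting_principal("xyz", default, glenn, [operators]))  # operators
    glenn.include = ["xy*"]                             # with his own include ...
    print(granting_principal("xyz", default, glenn, []))           # None: exclude applies
```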

    Figure 21: Properties for User Dialog Box: Points Tab

    Alarms Tab

    The Properties for Users dialog box: Alarms Tab (Figure 22) controls which alarms users or groups can acknowledge.

    Notes: If you leave the fields blank, no access is granted. Typing * and clicking Add grants access to everything.

    All users and groups, including system users that are not logged in, are granted all rights available in the Default Group, plus the set of rights defined for an individual user. The highest access rights, either of the user or group, supersede all other rights.

    Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.


    Figure 22: Properties for User Dialog Box: Alarms Tab

    Files Tab

    The Properties for Users dialog box: Files Tab (Figure 23) is used to control access to files.

    Note: M-Graphics and Screen Manager restrict access to these files at Runtime mode from both the File > Open menu and any Pick action that loads a new display. No other M-Series Workstation applications currently support the file option.

    If you leave the fields blank, no access is granted. Typing *.* and clicking Add grants access to everything.


    Note: If you wish to restrict access to specific files, enter *.* in the Include list and enter the restricted files in the Exclude list. But, if you have *.* in the Include list, and enter the Metasys software and M-Explorer executable files in the Exclude list, you will not be able to access these software programs from the M5 Screen Manager command bar. If you have *.* in the Include list and enter nothing in the Exclude list, you will have access to all files and software programs.

    Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards. The wildcard pattern matching applies to files with the following differences:

    The pattern matching is done on the file extension, separate from the file name to match the DOS wildcard semantics. For example, the wildcard *.* indicates all files.

    File names entered without a path are considered a match, regardless of the directory in which they are located.

    Note: All users and groups, including system users that are not logged in, are granted all rights available in the Default Group, plus the set of rights defined for an individual user. The highest access rights, either of the user or group, supersede all other rights.


    Figure 23: Properties for User Dialog Box: Files Tab


    Time Sheet Tab

    The Time Sheet tab allows time-of-day restrictions on an hourly basis for users and groups. For hours selected (highlighted), access is allowed. For deselected hours, access is denied. Figure 24 depicts a configuration that allows access from 7 A.M. to 5 P.M., Monday through Friday.

    Notes: Click on an hour to select or deselect all but that hour. Then hold down the Ctrl key and click on the remaining hour to deselect that hour.

    The user is allowed to log in during the specified time. M-Password controls access to restricted objects during this time.

    Figure 24: Properties for User Dialog Box: Time Sheet Tab


    Account Policy Tab

    The Account Policy tab fields control how passwords are used by user accounts, and whether user accounts are automatically locked out after a series of incorrect login attempts (Figure 25). Table 13 describes the Account Policy tab fields.

    The base policy (that is, the most restrictive) for the system is set in the Default Group. For users and groups other than the Default Group, each policy can be selectively enabled and set for that user or group.

    Note: Each user has at least two policy settings, the Default Group and the User, and the least restrictive policy setting is used. For this reason, the policy set in the Default Group must be the most restrictive. You can make individual users and groups less restrictive than the Default Group, but never more restrictive.

    Figure 25: Properties for User Dialog Box: Account Policy Tab


    Table 13: Account Policy Tab Fields

    Field                     Description
    Maximum Password Age      The time limit for a password, after which the user must change to a new password. The range is 1 to 999 days.
    Minimum Password Age      The period of time a password must be in effect before the user can change it. The range is 1 to 999 days. Note: Do not allow immediate changes if a Password Uniqueness value is entered.
    Minimum Password Length   The fewest number of characters a password can contain. The range is 5 to 14 characters.
    Password Uniqueness       The number of new passwords used by a user account before an old password can be reused. The range is 1 to 24 passwords. Note: For uniqueness to be effective, specify an age value for Minimum Password Age (do not select Allow Immediate Changes).
    Account Lockout           If selected and if too many incorrect login attempts are made on a user account, the account is locked out. A locked account cannot log in. If you select Account Lockout, do the following: In Lockout After, enter the number of incorrect login attempts that cause the account to be locked (range 1 to 999). In Reset Count After, enter the number of minutes that must pass between any two login attempts to ensure that a lockout does not occur (range 1 to 99999).
    No Account Lockout        When selected, never locks out user accounts, no matter how many incorrect login attempts are made on a user account.
    Lockout Duration          Click Duration and enter the number of minutes locked accounts remain locked before automatically becoming unlocked (range 1 to 99999), or select Forever in Lockout Duration to keep locked accounts locked out until an administrator unlocks them.
    Auto Logout               If selected, the number of minutes from the time of user login before the system automatically logs the user off. The range is 1 to 999 minutes. Note: this is based on when the user logs in, not on user inactivity at the workstation. Note: Make sure the Auto Logout time period set for the Default Group is less than the Auto Logout time period set for the users.
    Password Complexity       Allows M-Password to mimic the Windows NT OS's test for password complexity. If you select Password Complexity, the user's or group's password must: not contain all or part of the user's name; be at least 6 characters long; and contain at least one character from three of the following four categories, at the user's discretion: 1. Alphabetic uppercase (A through Z) 2. Alphabetic lowercase (a through z) 3. Base 10 digits (0 through 9) 4. Non-alphanumeric characters (for example, !, $, #, %)
    Logout Password           If selected, the user must enter a password to log out.
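    An added Python check (illustration code, not Johnson Controls code) for the Password Complexity rules in Table 13 together with the Password field's no-spaces rule. It assumes "part of the user's name" means the user name itself or any word of the full name of three or more characters, compared case-insensitively, since the bulletin does not define "part".

```python
import re

# Added example, not Johnson Controls code. Checks a candidate password against
# the Password Complexity rules in Table 13 plus the Password field's rule that
# no spaces are allowed. Assumption: "part of the user's name" is taken to be
# the user name or any word of the full name with 3 or more characters,
# matched case-insensitively; the bulletin does not define it.

CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}
MIN_COMPLEX_LENGTH = 6      # Table 13: at least 6 characters
REQUIRED_CATEGORIES = 3     # three of the four categories
NAME_PART_LENGTH = 3        # assumption, see above


def _name_parts(user_name, full_name):
    """Yield the user name and each word of the full name, lower-cased,
    skipping fragments shorter than NAME_PART_LENGTH."""
    for token in [user_name, *re.split(r"\W+", full_name)]:
        if len(token) >= NAME_PART_LENGTH:
            yield token.lower()


def complexity_failures(password, user_name, full_name=""):
    """Return the list of rules the password breaks; an empty list means it
    is acceptable under the Table 13 complexity test."""
    failures = []
    if " " in password:
        failures.append("contains a space; no spaces are allowed")
    if len(password) < MIN_COMPLEX_LENGTH:
        failures.append("shorter than %d characters" % MIN_COMPLEX_LENGTH)
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < REQUIRED_CATEGORIES:
        failures.append("uses only %d of the 4 character categories (%s)"
                        % (len(present), ", ".join(present) or "none"))
    lowered = password.lower()
    for part in _name_parts(user_name, full_name):
        if part in lowered:
            failures.append("contains part of the user's name (%r)" % part)
            break
    return failures


def meets_policy(password, user_name, full_name=""):
    """Convenience wrapper: True when no rule is broken."""
    return not complexity_failures(password, user_name, full_name)


if __name__ == "__main__":
    # Constructed sample checks (not data from the bulletin).
    for pw in ["Tr0ub4dor!", "glenn123", "Ab1", "Smith2024!"]:
        print(pw, complexity_failures(pw, "jsmith", "Jane Smith"))
```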


    Editing a User or Group

    To edit a user or group:

    1. Select a user or group.

    2. Either press Enter, double-click on the user, right-click and select Edit, or select Edit > Edit. The Properties dialog box appears for the selected user (Figure 18).

    3. Fill in the fields in each of the tabs. Refer to the User Properties Tab, Points Tab, Alarms Tab, Files Tab, Time Sheet Tab, and Account Policy Tab sections for detailed descriptions of the fields in each tab.

    4. Click OK.

    Note: Currently M-Password does not use the Custom or Stations tabs.

    Deleting a User or Group

    To delete a user or a group:

    1. Select a user or group.

    2. Either press the Delete key, right-click and select Delete, or select Edit > Delete.

    If you delete a user in the group tree or a group in the user tree, you disassociate the group from the user but do not actually delete it.

    Editing the Default Group

    When M-Password is first installed, the Default Group has full access to everything. You must configure the Default Group with minimal access rights. Remove all, if not most, access rights assigned to the Default Group.

    To edit the Default Group:

    Select Edit > Default Group. The same property sheets to edit ordinary groups are used for the Default Group with the following differences:

    There is no Time Sheet tab. Default access is valid for all hours.

    Account Policy must be set in the Default Group, and there is one additional field: Simultaneous Logins. Currently simultaneous logins are not supported in M-Password.

    Associating Users and Groups

    To associate users and groups:


    1. Select a Group in the left pane of the main window. Select a User in the right pane of the main window.

    2. Select Insert > Associate User and Group, or right-click and select Associate User and Group.

    When a user and group are associated, the user appears as an item under the group in the left pane and the group appears under the user in the right pane.

    Removing Associations

    Note: This operation never deletes the user or group. Only the association is removed.

    To remove associations:

    1. Select the user under the desired group in the left pane or select a group under the desired user in the right pane.

    2. Press the Delete key.

    Assigning Application Actions

    To assign application actions:

    1. Select Edit > Application Actions. The Actions/Users Association dialog box appears (Figure 26).

    Figure 26: Actions/Users Association Dialog Box

    Note: Each Johnson Controls application provides a list of application functions that can be protected through M-Password. Refer to M-Password Application Actions Technical Bulletin (LIT-1153175) for specific application actions that are protected. This list may display applications that are not installed on your system. Adding or removing actions that belong to uninstalled applications does not affect your system.

    2. From the list of applications on the left, select a specific function or entire application. Click on the + sign to expand the details of each application.

    3. From the list on the right, select the user or group that should have access. Click on the + sign to show all allowed actions currently assigned to the user or group.

    4. Click the Move button to assign the selected applications.

    Note: To add all application actions, right-click on the user or group name, and select add all actions from the pop-up menu.

    5. Click OK.

    Removing Application Actions

    To remove application actions:

    1. In M-Password, select Edit > Application Actions.

    2. Select a user or group name, or select the application name or function, and press the Delete key.

    To remove all application actions, right-click on the user or group name and select remove all actions from the pop-up menu.

    This operation never deletes the User, Group, or application function. Only the association is removed.

    Logging In as a User

    To log in as a user:

    1. Select Start > Programs > Johnson Controls > M-Password > Login. The Johnson Controls M-Password Login dialog box appears (Figure 27).

    Figure 27: Johnson Controls M-Password Security Login Dialog Box (Basic View)

    5. Enter the User Name and Password.


    Notes: Passwords are case sensitive; no spaces are allowed.

    Click Keypad to display a keypad that can be used to enter the user name and password.

    To see who is currently logged in, click the Advanced button.

    The Advanced button can be enabled/disabled from the Application Actions option by adding/removing the Login action.

    If the currently logged in user has access to the Login application, it takes a few seconds to enable the Advanced button when launching the Login utility.

    6. Click OK. After a successful login, this dialog box becomes hidden.

    Changing a Password as a User

    This procedure is for users. Security system administrators change passwords in the User Properties dialog box.

    To change a password as a user:

    1. Select Start > Programs > Johnson Controls > M-Password > Login. The Johnson Controls M-Password Login dialog box appears (Figure 27).

    2. Click Change Password. The Change Password dialog box appears (Figure 28).

    Figure 28: Change Password Dialog Box

    3. Enter the old password, new password, and confirmation of the new password.

    4. Click OK.


    Editing the Default Group to Allow Auto NT Login

    To edit the Default Group to allow Autologin:

    1. Verify that the Windows NT workstation is a member of a domain. On the Start menu, click Control Panel. Open the Network property sheet, click the Change button. The Identification Changes dialog box (Figure 29) appears. If the workstation is a member of a domain, the domain name appears in the Member of Domain field.

    Figure 29: Identification Changes Dialog Box

    2. On the Edit menu, select Global Settings. The Global Settings dialog box appears (Figure 3).

    3. On the Policy tab, select Allow Auto NT Login.

    4. Click Apply.


    Enabling a User for Auto NT Login

    To enable a user for Auto NT Login:

    1. Add a User following the instructions in the Adding a User or Group section of this document.

    2. On the User Properties tab, the NT Domain name appears in the NT Domain field. The Domain name must match the Domain in the Identification Changes dialog box (Figure 29).

    Figure 30: Properties for User Dialog Box: User Properties Tab

    3. Enter the User Name. This name must match the Windows NT User Name.

    4. Continue the instructions in the Adding a User or Group section of this document.


    Logging Out

    To log out:

    Note: You can also log out from the M-Password Login dialog box in the Basic view (Figure 27).

    1. On the User Menu of the Johnson Controls M-Password window in the advanced view (Figure 10), click Logout. The M-Password Window remains open.

    2. To exit M-Password, on the User Menu, click Exit.

    Controls Group, 507 E. Michigan Street, P.O. Box 423, Milwaukee, WI 53201
    www.johnsoncontrols.com
    Published in U.S.A.

    Metasys is a registered trademark of Johnson Controls, Inc. All other marks herein are the marks of their respective owners. 2006 Johnson Controls, Inc.
