Your comments and suggestions on the operation of this software are

welcome. Please address them to:

ICONICS
100 Foxborough Blvd.
Foxborough, MA 02035
Tel: 508-543-8600
FAX: 508-543-1503
E-MAIL: support@[Link]
WEB: [Link]

ICONICS 1
Introduction
The ICONICS GENESIS32 Security System provides restricted access to
GENESIS32 functions based on the concept of a logged-in user. A Security
System Administrator configures the system by adding users and assigning them
specific GENESIS32 privileges. In addition, administrators may associate users
with certain administrator-defined groups that also have assigned privileges.
Thus, a user has the effective rights of all the groups to which he or she belongs
plus his or her own private rights.
Note: The user/group concept for security assignment is well established in
computer operating systems (such as Windows NT) and computer
networks (such as Novell Netware). This document assumes that the
reader has an understanding of these concepts.

Secured Items
Security will be applied to the following items within the GENESIS32 system:
• Application Actions
• Files
• Process Output Points
• Custom Strings

Application Actions
Each GENESIS32 application may supply a static list of functions to be secured.
For example, functions such as adding trend pens in TrendWorX32 or entering
configuration mode in GraphWorX32 are commonly disallowed for operators via
the security system.

Files
Single files or groups of files may be protected. File names with or without
wildcards are placed in include or exclude lists for each user or group. (Include
and exclude lists are commonly used by file backup programs to specify a
backup set.)
A GENESIS32 application will query the Security Server for file access before
opening a file. Typical files that will be secured are GraphWorX32 display files.

Process Output Points

A GENESIS32 application that is configured to send outputs to points in OPC

servers will disable them if denied by the Security Server. As with the file names,

ICONICS 2
 OPC point names with or without wildcards are placed in include or exclude lists
for each user or group.

Custom Strings
VBA Scripts may use custom defined strings as security tokens that are
evaluated by the Security Server. As with the file names, custom strings with or
without wildcards are placed in include or exclude lists for each user or group.

System Components
The security system consists of a Security Server and several security clients.
The clients communicate with the server via Microsoft COM/DCOM and therefore
can optionally execute on network nodes other than the Security Server Node.
The security system provides two special purpose security clients: one for user
login and another for remote administration of the security configuration. The rest
of the security system clients are the other applications in the GENESIS32 family
(GraphWorX32, TrendWorX32, AlarmWorX32, etc.). Any stimulus (e.g. a user
login or logout) that causes a change in security status will be immediately
posted to the affected clients.

GWX32 TWX32 AWX32

Login Admin
OLEexpress OLEexpress OLEexpress

Clients
Server

COM / DCOM

POLICY
Security USERS / GROUPS
Configuration Server • Application Actions
File • Files
• OPC Output Points

Security System Components

ICONICS 3
Installation
The security system is installed as part of the GENESIS32 installation. The user
login client is also installed as part of the Security Server installation.
You must specify a default administrator password. This is part of the installation.
This password defaults to "ICONICS" (in uppercase). Refer to the Security
Password dialog box that appears during the installation, as shown below. You
will use this password to gain administrator access to the Security Server for the
first time.
Note: When a new user is added to the system with Administrator privileges, the
default password is disabled. The default password remains disabled as long as
there is at least one user with administrator privileges.

Default Administrator Password

Security Server Configuration

Configuration of the security system is accomplished by running the Security
Server ("[Link]") in interactive mode. The Security Server may be launched
in interactive mode from the GENESIS32 program group, or from other
GENESIS32 applications while they are in configuration mode.

Administration Login
To start the ICONICS Security Configurator from the Windows Programs menu,
select ICONICS GENESIS32 - Tools - Security Configurator, as shown below.

ICONICS 4
 Starting ICONICS Security Configurator

This opens the ICONICS Security Server Administrator Login dialog box,
shown below. You must enter one of the following to proceed to configuration:
1. A user name and password for a user that has previously been
configured as a Security Administrator.
2. The default administrator password that was set when the Security
Server was installed.
3. An emergency password you received from ICONICS based on the
challenge code shown in the login dialog box.

ICONICS Security Server Administrator Login

When you log in, the ICONICS Security Server screen will open, as shown
below. Both panes of the view will be empty.

ICONICS 5
 ICONICS Security Server Screen

The first time you log in, you will be asked to specify a file name and location for
your security configuration file. Future sessions will automatically load this file on
startup. To change the name and/or location, choose Save As from the File
menu.

Save As Dialog Box

ICONICS 6
 You must save the security configuration in a file. Specify a file name in the Save
As dialog box. This file is saved in your GENESIS32 installation folder.

Users and Groups

The main window for configuration consists of two panes with a slider bar
between them. Each pane has a tree control. The left tree is the Group view.
Here the root nodes are groups, and the child nodes are the users that belong to
the group. The right tree is the User tree. Here the root nodes are users, and the
child nodes are the groups that have been assigned to each user.

Security Server Configuration Screen

Adding Users and Groups

To add a new user or group, do one of the following:
• Press the Insert key. This adds a new user or group depending on which
of the two trees is "active." A single left click in the desired view will make
it active.
• From the Insert menu, choose New User or New Group. You can also
click the New User or New Group buttons on the toolbar.

A new entry is placed in the tree with the name New User or New Group. The
name is highlighted. It is suggested that you change the name at this point before
further editing.

ICONICS 7
Deleting Users and Groups
To delete a user or a group, select the desired group in the group tree, or the
desired user in the user tree, and do one of the following:
• Press the Delete key.
• Right-click on the item and select Delete from the popup context menu.
• From the Edit menu, choose Delete.
You will then be asked to confirm the deletion.
Note: If you select a child item in the tree instead of a root item (i.e. you
select a user in the group tree or a group in the user tree) and
perform a delete as described above, you will remove the child item
from the parent (dissociate the group from the user) but not actually
delete it.

Editing Users and Groups

To edit the properties assigned to a user or a group, select the desired group in
the group tree, or the desired user in the user tree, and do one of the following:
• Double-click the item.
• Right-click on the item and select Edit from the popup context menu.
• Press the Enter key.
• From the Edit menu, choose Edit.

This opens the Properties dialog box, which is used to configure a user or
group. The Properties dialog box contains the following tabs:
• Properties
• Points
• Files
• Custom
• Stations
• Time Sheet
• Account Policy

Properties
The properties for users and groups vary slightly. The group fields are a subset
of the user fields. The following fields are for users:

Field Description
User Name Short name (no spaces) that the user types
when logging on to the system.
Full Name The user's full name for reference only
( ti l)

ICONICS 8
 Field Description
(optional).
Description Optional.
Password The password the user must type to log in.
This field is case-sensitive, no spaces are
allowed.
Verify Password If you change the Password field, you must
type the exact same password into this
field.
NT Domain If the user is logging on to an NT domain,
the NT domain name will be entered in this
field.
User Must Change When checked, the user must change his or
Password at Next her password at the time of the next logon.
Logon This is often used when a new user created.
The administrator enters a default password
for the new user and checks this field to
require a "real" password to be entered on
first logon.
User Cannot Change When checked, the user's password can
Password only be changed from this dialog, and not
from the Login Client.
Account Disabled Checking this field has the same effect as
deleting the user without the permanence of
an actual delete.
Account Locked Out This field is normally unchecked and
disabled. Should the account become
locked out (see account lockout description
in the Account Policy Page), the field would
be enabled and checked. From here, the
administrator can uncheck the field to re-
enable the user logon.
Security System When checked, this user is allowed to logon
Administrator as a Security System Administrator to
configure all aspects of the security system.

ICONICS 9
 User Properties

The following fields are for groups:

Field Description
Group Name Short name (no spaces) that uniquely
identifies this group within the system.
Full Name The full name for this group (optional).
Description Optional.

ICONICS 10
 Group Properties
Points
Before a GENESIS32 client outputs a process value to an OPC server, the
unique string that identifies the OPC output point is sent to the Security Server to
determine if the write should be allowed based on the currently logged-in user(s)
and or the groups to which they belong. The Points tab of the Properties dialog
box, shown below, is used to configure which OPC output points are allowed to
be written to.
The Points property page is divided into two sections, Include and Exclude.
Each section contains an edit field and a list box. You can select strings by using
the Browse buttons. Pressing the Enter key with the cursor in the edit field or
clicking the Add button will add the edit field text to the list box. When an entry in
the list box is selected, pressing the Delete key or clicking the Delete button will
delete the selected entry.
If you type a string in the Test String field, the Access Granted check box will
indicate if access would be given to the user if the access to the "test string" was
requested. The test is made using only the include and exclude lists that are
visible.
During runtime, when a GENESIS32 client sends an OPC point string to the
Security Server for access testing (granted or denied), the include and exclude

ICONICS 11
 lists are string compared as follows for each active user and group until access is
granted:
1. Compare the OPC point string with each string in the include list until a
match is found. If no match is found, access is denied.
2. If a match is found in the include list, compare the OPC point string with
every string in the exclude list. If no match is found in the exclude list,
access to the point is granted, and no further testing of active groups and
users is performed.
Note: The exclude list entries can only remove rights granted in their
corresponding include list. For example if user Larry belongs to group
Operators, and Operators grants access to OPC point xyz, adding
point xyz to Larry's exclude list has no effect.

Points Configuration

Wildcards and Pattern Matching

The entries in the include and exclude lists allow pattern matching similar to the
Visual Basic LIKE operator. Built-in pattern matching provides a versatile tool for
string comparisons. The pattern-matching features allow you to use wildcard

ICONICS 12
 characters, character lists, or character ranges, in any combination, to match
strings.
Text results in string comparisons are based on a case-insensitive textual sort
order determined by your system's locale, for example:
(A=a) < (À=à) < (B=b) < (E=e) < (Ê=ê) < (Z=z) < (Ø=ø)
The following table shows the characters allowed in patterns and what they
match:

Character(s) in pattern Matches in string

? Any single character.
* Zero or more characters.
# Any single digit (0 - 9).
[charlist] Any single character in charlist.
[!charlist] Any single character not in charlist.

A group of one or more characters (charlist) enclosed in brackets ([ ]) can be

used to match any single character in string and can include almost any
character code, including digits.
Note: The special characters left bracket ([), question mark (?), pound sign
(#), and asterisk (*) can be used to match themselves directly only by
enclosing them in brackets. The right bracket (]) cannot be used within
a group to match itself, but it can be used outside a group as an
individual character.
In addition to a simple list of characters enclosed in brackets, charlist can specify
a range of characters by using a hyphen (-) to separate the upper and lower
bounds of the range. For example, [A-Z] in pattern results in a match if the
corresponding character position in string contains any of the uppercase letters in
the range A-Z. Multiple ranges are included within the brackets without any
delimiters.
The meaning of a specified range depends on the character ordering valid at run
time (as determined by the locale setting of the system the code is running on).
The range [A - E] matches A, a, À, à, B, b, E, e. Note that it does not match Ê or
ê because accented characters fall after unaccented characters in the sort order.
Other important rules for pattern matching include the following:
• An exclamation point (!) at the beginning of charlist means that a match
is made if any character except the ones in charlist is found in string.
When used outside brackets, the exclamation point matches itself.
• The hyphen (-) can appear either at the beginning (after an exclamation
point if one is used) or at the end of charlist to match itself. In any other
location, the hyphen is used to identify a range of characters.
• When a range of characters is specified, they must appear in ascending
sort order (from lowest to highest). [A-Z] is a valid pattern, but [Z-A] is
not.
• The character sequence [] is ignored; it is considered a zero-length
string.

ICONICS 13
Files
The Files property page is used to control access to files that GENESIS32
clients may open during runtime. For example, entries here would typically be
used to restrict certain users or groups from viewing specific GraphWorX32
displays.
The runtime processing and wildcard pattern matching for the Points property
page apply here as well with the following differences:
• The pattern matching is done on the file extension, separate from the file
name, to match the DOS wildcard semantics. For example, the wildcard
string to indicate all files is *.*
• File names entered without a path are considered a match no matter
what directory they are in.

File Configuration

Custom

ICONICS 14
 The Custom property page, shown below, is used to include or exclude strings
that will be tested at runtime by VBA scripts executing within GENESIS32 clients.
The meaning of these strings and the functionality they protect are controlled
entirely by the author of the VBA script.
The runtime processing and wildcard pattern matching apply here as well.
For example, from a GraphWorX32 VBA script, a custom security item is tested
by calling the method TestCustomSecurityItem(BSTR customString) in the
GwxDisplay object.

Custom Configuration

Stations
The Stations property page is used to grant or restrict access from specific
nodes on the network. Each node on a Microsoft network is identified by a unique
computer name.

ICONICS 15
 Station Configuration

The wildcard pattern matching described for the Points property page also
applies here, but the runtime processing is slightly different, and the processing
differs for users and groups. When a GENESIS32 client passes a Point, File, or
Custom string to the Security Server for access testing, the station name where
the client is running is also passed. For the currently logged-in user(s), the
station include and exclude lists are searched for access from the client's station.
If access from that station is denied for that user, the access request is instantly
denied. The Point, File, or Custom string is never tested, nor are any of the
groups to which the user belongs. This has the same effect as if the user had
never logged in!
Unlike the user case, testing for station restrictions in groups only affects the
current group (i.e. if access is denied for a group, then other active groups are
still tested).

Time Sheet

ICONICS 16
 The Time Sheet property page allows time-of-day restrictions on an hourly basis
for users and groups. For hours that are selected (highlighted) in the lists, access
is allowed. For hours that are not selected, access is denied. The figure depicts a
configuration that allows access from 8AM to 4PM, Monday through Friday.

Time Configuration

Account Policy
The Account Policy property page is used to show how passwords must be
used, and whether user accounts are automatically locked out after a series of
incorrect login attempts. The base policy (i.e. the most restrictive) for the system
is set in the default group (see the "Editing the Default Group" section). For users
and groups other than the default group, each policy can selectively be enabled
and set for that user or group.
During runtime, if more than one policy setting is in effect, the least restrictive is
used. For this reason, the policy set in the default group must be the most
restrictive. Individual users and groups can be made less restrictive than the
default, but never more restrictive.

ICONICS 17
 Account Policy Configuration

Field Description
Maximum Sets a time limit for a password, after which the user must
Password Age change to a new password. If this is selected, the value can
range from 1 to 999 days.
Minimum Sets the period of time a password must be in effect before
Password Age the user can change it. If this is selected, the value can
range from 1 to 999 days.
Note: Do not allow immediate changes if a Password
Uniqueness value is entered.
Minimum The fewest number of characters a password can contain. If
Password this is selected, the value can range from 1 to 14 characters.
Length

ICONICS 18
 Field Description
Password The number of new passwords that must be used by a user
Uniqueness account before an old password can be reused. If this is
selected, the value can range from 1 to 24 passwords.
Note: For uniqueness to be effective, an age value should
be specified for Minimum Password Age (Allow
Immediate Changes should not be selected).
No Account When selected, user accounts are never locked out, no
Lockout matter how many incorrect login attempts are made on a
user account.
Account If selected, all user accounts are subjected to lockout. If too
Lockout many incorrect login attempts are made on a user account,
no more than a specified amount of time between these, the
account is locked out.
If you select Account Lockout, you should also do the
following:
1. In Lockout After, type the number of incorrect
login attempts that will cause the account to be
locked. The range is 1 to 999.
2. In Reset Count After, type the number of minutes
that must pass between any two login attempts to
ensure that a lockout will not occur. The range is 1
to 999.
3. Click Duration and type a number of minutes that
locked accounts will remain locked before
automatically becoming unlocked. The range is 1 to
999.

Or, select Forever in Lockout Duration to keep

locked accounts locked out until an administrator
unlocks them.
Auto Logout If selected, sets the number of minutes from the time of user
login, before the system automatically logs the user off. The
range is 1 to 999 minutes.

Associating Users and Groups

To associate a user with a group, select the group to be associated in the left-
hand pane of the main window. Select the user to be associated in the right-hand
pane of the main window, then do one of the following:
• Select Associate User & Group from the Insert Menu.
• Right-click the user or group and choose Associate User & Group from
the popup context menu.
• Click the Associate Users With Groups button on the toolbar.

ICONICS 19
 When a user and group are associated, The user will appear as a child item
under the group in the left pane, and the group will appear as a child item under
the user in the right pane, as shown below

User and Group Associations

Removing Associations
To remove the association between a user and a group, select the user child
item under the desired group in the left pane, or select the group child item under
the desired user in the right pane, then do one of the following:
• Press the Delete key.
• Right-click and choose Delete from the popup context menu.
• Select Delete from the Edit menu.

When the association is removed, the child user under the group in the left pane
is removed, and the child group under the user in the left pane is removed.
Note: This operation never deletes the selected user or group. Only their
association is removed.

Assigning Application Actions

Each GENESIS32 client provides a list of application functions that can be
protected through the security system. To configure which users and groups

ICONICS 20
 have access to specific application actions, select Application Actions from the
Edit menu. This opens the Actions/User Association dialog box, shown below.

Assigning Application Actions

The dialog box has two tree controls. The parent items in the Actions (left) tree
control are the GENESIS32 application names. The child items of the application
names are the application functions that can be protected. The child items of the
application functions are the users and groups that are granted access to the
function.
The parent items in the Users/Groups tree control on the right are the users and
groups defined in the security system. The child items of the users and groups
are the GENESIS32 application names. The child items of the application names
are the application functions that are allowed for the parent user or group.
To grant access to a single application function to a user or group:
1. From the left tree control, select the application function to be assigned.
2. From the right tree control, select the user or group that should have
access to the application function selected in the left tree.
3. Click the Move button.
To grant access to all application functions of a GENESIS32 client:
1. From the left tree control, select the application name.
2. From the right tree control, select the user or group that should have
access to the all of application's functions selected in the left tree.
3. Click the Move button.
To remove access rights to an application action, select the user or group name
in the left tree or select the application name or function in the right tree, and then
press the Delete key.

ICONICS 21
 Note: This operation never deletes the user, group or application function.
Only their association is removed.

Editing the Default Group

The system default group is used to assign access rights that are granted
regardless of whether any users are logged in. When the Security Server is first
installed, the default group has full access to everything. The first step in
configuring the security system is to remove most if not all access rights
assigned to the default group.
Note: You must configure the default group to have minimum access
rights, because individual users and groups can only add access
rights but can never remove rights already granted in the default
group.
To edit the default group, select Default Group from the Edit menu. This opens
the Properties dialog box for the default group, as shown below.

Properties for Default Group

ICONICS 22
 The same property pages used to edit ordinary groups are used for the default
group, with the following differences:
• There is no Stations property page. Default access is valid for all
stations.
• There is no Time Sheet property page. Default access is valid for all
hours.
• Account Policy must be set in the default group. There are two
additional check boxes in the Account Policy property page:
Simultaneous Logins and Allow Auto NT Login, as shown below.
Checking the Simultaneous Logins check box allows more than one
user to be logged in to a single station at the same time. The effective
access rights on that station become the sum of all rights of all logged in
users. When the Allow Auto NT Login check box is checked (the
default is unchecked), the user name and the domain name will be
recognized by the Security server. Thus, a second login through the
ICONICS Security Login Utility will not be necessary.

Note: The user name and the domain name must match.

Account Policy Page for the Default Group

ICONICS 23
 Clicking the Default Preferences button on the Group Properties page opens
the Default Preference Properties dialog box, shown below. In the Screen
Manager tab, you can browse for a default layout (.pwf) file. For more
information, please refer to the Screen Manager Help documentation.

Default Preferences Properties: Screen Manager Tab

The Language tab, shown below, allows you to select the language for the
default group.

Default Preferences Properties: Language Tab

User Login Utility

ICONICS 24
 To log in to the security system, start the ICONICS Security Login application
from the Windows Programs menu, select ICONICS GENESIS32 - Security
Login, as shown below. You can also start the Security Login Utility from other
GENESIS32 applications during runtime mode.

Starting ICONICS Security Login

This opens the ICONICS Security Login dialog box, shown below. Enter the
User Name and Password. You can use the Keypad if necessary.
Note: Passwords are case sensitive.

ICONICS Security Login Dialog Box

If the login is successful, the dialog will close and the Security Login Utility will
now be running.

Main Window

ICONICS 25
 The main window of the Login Utility is divided into two panes. The upper pane
contains the status of the Security Server to which the Login Utility is connected.
The following display-only fields are shown and updated:

Field Description
Security Server Location The name of the workstation where the
Security Server is running and to which the
Login Utility is connected. It is "<local>" if
the Security Server is running on the same
workstation as the Login Utility.
Server Start Time Date and time the Security Server was
started. Time is converted to the local time
of the user workstation if the Security Server
is in a different time zone.
Server Current Time Current date and time as reported by the
Security Server on the last update. Time is
converted to the local time of the user
workstation if the Security Server is in a
different time zone.
Server Configuration File Name and path of the configuration file
currently being used by the Security Server.

Login Utility Main Window

ICONICS 26
 The lower pane contains a list of users that are currently logged in. The list
includes the following information:
• The user name.
• The time the user last logged in.
• The time at which the Security Server will automatically log the user out.
If this field is blank, the user will never be logged out automatically.

Logout
To logout from the security system, select Logout from the User menu. If a
single user is logged in, the user will be logged out. If more than one user is
logged in, the ICONICS Security Logout dialog will open as shown below,
allowing you to select the user to be logged out.

User Logout Dialog

Change Password
To change the password, by select Change Password from the User menu.
This opens the Change Password dialog box, shown below. Enter the user
name, the current password, and the new password. Then retype the password
to confirm it. Click OK.
Note: Users may be restricted from changing their passwords from the
Login Utility.

ICONICS 27
 Change Password Dialog Box

Login Utility Preferences

The Preferences on the User menu may vary. The preferences apply only if
applications that require configuration of preferences have registered property
preferences.
Choosing Preferences from the Options menu opens the Preferences dialog
box, shown below.

Preferences Dialog Box

Field Description
Security Server Location Enter the names of the primart and backup
workstations to which the Login Utility
should connect in order to run the Security
Server. This is "<local>" by default.
Note: Expanding the drop-down list will
cause all nodes on the network to be
searched for installed Security
Servers. This can take a long time. If
you know the name of the
workstation, it is much faster to type
it in.

Auto Logout Reminder The number of minutes prior to a Security

Server auto logout that a user should be
reminded to re-login. The range is 0 to 60
minutes. Enter 0 for no popup reminder
window.
Status Update Period The period between updates of the Server
Status in the main window. The range is 1
to 60 seconds.

ICONICS 28
 Field Description
Minimize Window When checked, the Login Utility window is
minimized after a user successfully logs in.
Hide Window When checked, the Login Utility window is
hidden after a user successfully logs in. To
see the Login Utility window again, the user
must restart the Login Utility.

ICONICS 29