Technical Bulletin
Issue Date February 10, 2003

© 2003 Johnson Controls, Inc. www.johnsoncontrols.com
Code No. LIT-1201616
Software Release 5.2

M-Password for M5 SAES or SAOS

M-Password for M5 SAES or SAOS .......... 3

Introduction .......... 3

Key Concepts .......... 4
  M-Password .......... 4
  Password *.sec File Tips .......... 5
  Secured Items .......... 5
  Security System Administrator .......... 6
  Basic and Advanced Mode .......... 6
  Users and Groups .......... 7
  Global Settings .......... 10
  Critical Operational Data (COD) .......... 11
  Integrated NT Security .......... 14
  Default Group .......... 15
  User and Group Properties .......... 17
  M-Password Login Utility .......... 19
  Login Utility Preferences .......... 21
  Wildcards and Pattern Matching .......... 21
  Application Actions .......... 23
  Security Login Reminder .......... 24
  Auto Login to Security Server from the Windows NT Logon .......... 25
  M-Password Worksheet Example .......... 25
  Default Group Analysis .......... 27

Detailed Procedures .......... 28
  Logging in as Administrator .......... 28
  Creating a New Security File .......... 29
  Adding a User or Group .......... 30
  Editing a User or Group .......... 43

M-Password for M5 SAES or SAOS Technical Bulletin 2

  Deleting a User or Group .......... 43
  Editing the Default Group .......... 43
  Associating Users and Groups .......... 44
  Removing Associations .......... 44
  Assigning Application Actions .......... 44
  Removing Application Actions .......... 45
  Logging In as a User .......... 45
  Changing a Password as a User .......... 46
  Editing the Default Group to Allow Auto NT Login .......... 47
  Enabling a User for Auto NT Login .......... 48
  Logging Out .......... 49


M-Password for M5 SAES or SAOS

Introduction

M-Password for M5 Secure Architecture Engineering Station or Operator Station (SAES or SAOS) provides restricted access to application functions based on the concept of a logged-in user. A security system administrator configures the system by adding users and assigning them specific privileges within Metasys® for Validated Environments (MVE). In addition, administrators may associate users with certain groups that also have assigned privileges. Thus, users have the effective rights of all the groups to which they belong, plus their own private rights. This document describes how to:

• log in as administrator

• create a new security file

• add a user or group

• edit a user or group

• delete a user or group

• edit the Default Group

• associate users and groups

• remove associations

• assign application actions

• remove application actions

• log in as a user

• change a password as a user

• edit the Default Group to allow Auto NT Login

• enable a user for Auto NT Login

• log out


Key Concepts

M-Password

M-Password controls the user capabilities on an M-Series Workstation. There are two components to M-Password:

• Configuration application–used by administrators to set up the users' rights and privileges

• Login application–used by the user to log into the system with the assigned user name and password

The Password Administrator determines the access for all users. Figure 1 is an example of the usage sequence.

Figure 1: M-Password Flow Chart (the steps shown in the flowchart):

1. Use the M-Password Worksheet found in this document.

2. Identify all users of the M-Series Workstation. Define which users need similar user privileges.

3. Create the Groups and User identifications.

4. Assign Applications and Privileges to the Groups and Users.

5. Delete unwanted actions from the Default Group. Remember that actions in the Default Group supersede all other Group actions.


Password *.sec File Tips

The following list describes helpful tips when using M-Password:

• M-Series Workstations use the last *.sec file saved.

• M-Password configuration prompts the user to create a password file the first time M-Password is run with the M-Series Workstation. The default file name is untitled.sec and is located in the M-Password program files folder. We recommend changing the location and file name when saving. If this security file is deleted and a request is made to create the file again, the new file is created with no access given to the Default Group. The system administrator must manually add access rights for all users.

• Since the security system is file based, we recommend the following:

- When you launch M-Password the first time, save the default file (change the default name) and make a copy of the file. This process retains a copy of the original security file in case passwords are compromised.

- Start with the default file and save all changes.

- Ensure the *.sec files are backed up away from the M-Series Workstation.

• All passwords and security levels are stored in the *.sec file. If more than one M-Series Workstation uses M-Password, make sure the *.sec file is copied to all other M-Series Workstations or is accessible by all workstations from a common network drive.

• When you OK the windows in the M-Password feature, the changes are automatically saved in the *.sec file.

Secured Items

M-Password can control access to point (OLE for Process Control [OPC] tags) names and file names for other applications. To confirm access for the logged-in user, the application passes the point name or file name to M-Password for confirmation. The application controls access to points, alarms, and files depending on the M-Password response. For example, the M-Graphics application uses this information to determine read/write access restrictions.


M-Password can protect access to the following items within the Johnson Controls® workstation system:

• Application Actions - Each application supplies a list of functions to be secured (for example, saving a file).

• Files - Single files or groups of files may be protected from access via the applications. For example, M-Graphics restricts access to these files at Runtime mode from both the File > Open menu and any Pick action that loads a new display.

• Alarms - Single alarms may be protected from being acknowledged by unauthorized users.

• Points (OPC tags) - Access to individual OPC tags may be protected, based on wildcards. In general, this protects write access.

Security System Administrator

The Security System Administrator defines group and user access. When logging in as the administrator with a blank user name and the default password, full access rights are granted. Once the Security System Administrator box is checked on the Properties for User dialog box (Figure 18) and the new administrator is added, the default password is disabled. The default password remains disabled until all designated Security System Administrators are deleted.

Basic and Advanced Mode

M-Password is available in two modes: Basic and Advanced. As the administrator, you can create a security file in Basic mode and convert it to Advanced mode, but you cannot convert Advanced to Basic. The default security file is in Advanced mode.

Note: Once you convert to Advanced mode, you cannot revert to Basic.

The Basic mode, which was added to the M-Password security system as of Release 5.x, allows you to restrict the configuration capabilities to a basic set of features and does not provide access to some advanced security system configuration features. In Basic mode, you cannot:

• edit the default group

• access the default group at runtime

• assign rights to users. In Basic mode you can only assign rights to groups.

• assign a user to more than one group. You must use the user properties dialog box to define which group the user belongs to.

Advanced mode allows you to access all features of M-Password.


Users and Groups

The main window for the M-Password configuration application consists of two panes: the left side is the group view and the right side is the user view.

Note: The first time you run the program, both sides are empty.

Figure 2: M-Password Configuration Screen


Table 1: M-Password Toolbar Buttons
(The button icons are not reproduced here; the descriptions are listed in toolbar order.)

• Creates a new document.

• Opens a document.

• Saves a document.

• Adds a new user.

• Adds a new group.

• Associates selected user and group.

• Synchronizes users and groups with the Windows NT® security database.

• Configures the default group and default policy.

• Associates application actions with users and groups.

• Not available

• Displays the about dialog box.


Table 2: M-Password Menus

File menu
• New: Creates a new document.
• Open: Opens a document.
• Save As: Saves the current document.
• Recent File List: Lists recently opened documents.
• Exit: Closes M-Password.

Edit menu
• Edit: Edits selected user or group.
• Rename: Renames selected user or group.
• Delete: Deletes selected user or group.
• Duplicate: Makes a copy of the selected user or group.
• Global Settings: Configures the settings that define the behavior of the security system for all users and the Critical Operational Data (COD) points.
• Default Group: Configures Default Group options.
• Application Actions: Associates application actions with users and groups.

Insert menu
• New User: Adds a new user.
• New Group: Adds a new group.
• Associate User & Group: Associates selected user and group.

View menu
• Toolbar: Shows or hides toolbar.
• Status Bar: Shows or hides status bar.
• Synchronize with NT: Synchronizes users and groups with the Windows NT security database.
• Basic Mode*: Indicates that the configuration file is in the Basic configuration mode.
• Advanced Mode*: Indicates that the configuration file is in the Advanced configuration mode. If the file is in Basic mode, you can select this option to convert it to Advanced mode.

Help menu
• Help Topics: Opens online help.
• About Security: Lists program version information.

* A bullet beside the menu item indicates the mode of your security file.


Global Settings

The Global Settings define the behavior of the security system for all users. The Global Settings consist of three tabs: the Policy tab (Figure 3), the Critical Points tab (Figure 5), and the Critical Alarms tab (Figure 6).

Table 3 describes the features of the Policy tab. The Critical Points and Critical Alarms tabs are described in the Critical Operational Data (COD) section.

Figure 3: Global Settings – Policy Tab


Table 3: Global Settings Fields

• Allow Auto NT Login: Enables users with matching user names and domain names to be automatically logged in to the security server when the login application is run. This feature eliminates the need for users who have already logged in to a Windows NT domain to enter a user name and password a second time to gain access to M-Password.

• Allow User Lists: Allows the Login Dialog in the Login Application to display a list of all users. This feature allows users to log in by selecting their user name from a list instead of typing it in. This is useful for touch screen systems.

• Display Last User: Allows the Login dialog to display the name of the last user who successfully logged in.

• Include User's Full Name in Events: Records the user's full name (Full Name field) in the Alarm and Event database.

• Simultaneous Logins: Allows multiple users to be logged in at the same time from the same node. The rights granted are the sum of the rights of all the logged in users. If this feature is not selected, when a new user logs in while another user is already logged in, the original user is logged out. This option is unavailable.

• NT Domain*: Indicates the Domain with which M-Password synchronizes users and Groups.

• NT Synchronization Period*: Indicates how often M-Password synchronizes the names of users and groups with the Windows® Operating System (OS). A value of 0 disables the automatic synchronization with NT.

• Critical Points Login Period: Indicates the length of time that the user is permitted to modify the COD value. After this COD modification time expires, the user has to log in again to modify the point.

• Auto Logout Recovery: The number of minutes after all security related requests from a node have ceased (in the event that a client node crashes) that users from that node are logged out. Range is 0 to 99 minutes, default is 2. A value of 0 disables this feature.

* These fields are only available if the Integrated NT Security feature is active.

Critical Operational Data (COD)

M-Password provides an additional level of security for selected points called COD that requires the users to log in again to verify their identity using the M-Password Login dialog box (Figure 27).


The COD feature is a part of the Global Settings on the Edit menu. Using the Critical Points and Critical Alarms tabs, you can create a list of points and alarms that require the user to log in again. Even if the user (with permission to access the COD) is already logged in, he or she is forced to log in again. The first dialog box (Figure 4) informs the user that he or she needs to log in to M-Password. After selecting Yes or No, the M-Password login dialog box appears (Figure 27). If you click No, the initial dialog box does not appear again.

Figure 4: COD Dialog Box

The Critical Points tab (Figure 5) and the Critical Alarms tab (Figure 6) allow you to define COD points and alarms in your system. The two property pages are divided into two sections: Include and Exclude. Each section contains an edit field and a list box. Press Enter with the cursor in the edit field or click the Add button to add text to the list box. Use the Browse button to scan OPC data points.

Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.

Type a specific point in the test string field to see whether the point is treated as COD. If the point is considered critical, a check mark appears in the Considered Critical field. If it is not considered critical, the field remains empty.

The COD feature affects users trying to access COD points in the following software:

• M-Graphics–you cannot command a COD point without logging in to M-Password.

• M-Alarm–you cannot acknowledge a COD point without logging in to M-Password.

• N1 Schedule–you cannot enter the edit mode of the schedule of a COD point without logging in to M-Password. If the time it takes you to edit the schedule exceeds the COD login period, you must log in to M-Password again to save your changes.
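As an added illustration (not code from this bulletin or from Johnson Controls), the following Python models the COD re-login rule described above together with the Critical Points Login Period from Table 3: being logged in to M-Password is not enough for a COD point, and a re-login only covers modifications made within the configured period. The class and method names, the constructed point names and timestamp, and the use of exact point names in place of the product's wildcard lists are all assumptions of this example.

```python
from datetime import datetime, timedelta


class CodGate:
    """Re-login gate for Critical Operational Data points.

    Added example: class and method names are this example's own. The include
    and exclude lists here are exact names; the product's lists take wildcards
    (see Wildcards and Pattern Matching), left out so the timing rule stands out.
    """

    def __init__(self, critical_include, critical_exclude, login_period_minutes):
        self.include = set(critical_include)
        self.exclude = set(critical_exclude)
        # Critical Points Login Period from Global Settings > Policy (Table 3)
        self.period = timedelta(minutes=login_period_minutes)
        self._last_cod_login = {}  # user name -> time of the last re-login

    def is_critical(self, point):
        """What the Considered Critical test field reports: included and not excluded."""
        return point in self.include and point not in self.exclude

    def cod_login(self, user, now):
        """Record that the user re-entered credentials in the M-Password Login dialog."""
        self._last_cod_login[user] = now

    def may_modify(self, user, point, now):
        """True if the user may command, acknowledge or save the point right now.

        For a COD point an ordinary M-Password session does not count; only a
        re-login within the login period does, measured from that re-login.
        """
        if not self.is_critical(point):
            return True
        last = self._last_cod_login.get(user)
        return last is not None and now - last <= self.period


def schedule_edit_example():
    """Walk through the N1 Schedule case with constructed data.

    Returns (modify_before_relogin, modify_after_relogin, save_after_period_expired).
    """
    gate = CodGate(
        critical_include=["AHU1.SUPPLY_SETPOINT", "CHILLER.ENABLE"],  # constructed names
        critical_exclude=["CHILLER.ENABLE"],  # listed under Exclude too, so not critical
        login_period_minutes=5,
    )
    t0 = datetime(2003, 2, 10, 9, 0, 0)  # constructed timestamp
    before = gate.may_modify("will", "AHU1.SUPPLY_SETPOINT", t0)  # no re-login yet
    gate.cod_login("will", t0)  # the user answers the Figure 4 prompt and logs in
    editing = gate.may_modify("will", "AHU1.SUPPLY_SETPOINT", t0 + timedelta(minutes=1))
    # The schedule edit drags on past the login period: the save is refused
    # until Will logs in to M-Password again.
    save = gate.may_modify("will", "AHU1.SUPPLY_SETPOINT", t0 + timedelta(minutes=6))
    return before, editing, save


if __name__ == "__main__":
    print(schedule_edit_example())  # (False, True, False)
```

The excluded CHILLER.ENABLE entry shows why the Exclude section matters: a point that appears in both lists is not critical, so it is commanded without the extra prompt.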


Figure 5: Global Settings – Critical Points Tab


Figure 6: Global Settings – Critical Alarms Tab

Integrated NT Security

The M5 SAES or SAOS allows you to synchronize users and password policies between a Windows 2000 computer or domain and the M5 SAES or SAOS. This feature provides central password management and saves you time.

When you create a new security configuration in Advanced mode, an Integrated NT Security dialog box (Figure 16) prompts you to choose the computer or Domain with which to synchronize.

If you choose to synchronize M-Password with the Windows OS users and groups, you cannot add or remove users and groups from within M-Password. Since the operating system controls the user policy, most of the account policy settings are hidden in this mode (Figure 7).

M-Password queries the Windows OS and keeps the users and groups up to date. You can manually synchronize users and groups by selecting Synchronize with NT from the View menu or by clicking the Refresh button on the toolbar.


Figure 7: Account Policy Tab with Integration with NT Security Feature

Default Group

The system Default Group is used to assign access rights that are granted whether any users are logged in or not. When M-Password is first installed, the Default Group has full access to everything (all points, alarms, files, and application actions). The first step in configuring M-Password is to remove most, if not all, access rights assigned to the Default Group.

IMPORTANT: You must configure the Default Group with minimal access rights. All users and groups are granted all rights available in the Default Group, plus the set of rights defined for an individual user.

The rights of the Default Group supersede all other rights (the rights of the user and the user's group). For example, if you exclude a point in Will's properties, Will can still access the point if the Default Group has access to it.


When assigning access rights, consider the following:

• Exclude definitions override include definitions within an individual assignment for any group or user.

Example: If a point is both included and excluded within a single group or individual user's rights, it is excluded.

• Access rights for defined groups apply only in those areas not assigned by the Default Group. Access rights for users apply only in those areas not assigned by the Default Group or groups to which the users belong. In other words, the rights granted by the Default Group cannot be taken away by any other group or user. The rights granted by a group cannot be taken away by a user.

Example: If access to all points in Building 1 is included in the Default Group, access to Building 1 cannot be excluded by a user-defined group or an individual user's rights.

• If a user belongs to multiple groups, the user's rights are the union of the assignments of the groups, plus the individual assignments in areas outside those defined in the groups.

Example: No rights are assigned in the Default Group. The rights for Group 1 include Building 1 and exclude Building 3. The rights for Group 2 include Building 2 and exclude Building 4. User A belongs to both Group 1 and Group 2. User A's rights include Building 1, Building 2, and any other individual assignments, but not Building 3 or Building 4.
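The precedence rules above, worked through in Python as an added example (not the product's code). The class and method names are this example's own; the Building 5 individual assignment and User A's attempted exclusion of Building 1 are constructed additions to the bulletin's example. It uses exact item names rather than the wildcard patterns M-Password accepts, and two points the bulletin does not spell out are assumptions here: an item that nothing assigns is denied, and when two groups both assign the same item a grant by one wins over an exclusion by the other.

```python
from dataclasses import dataclass, field


@dataclass
class Assignment:
    """Include/exclude lists as entered on a Points, Alarms or Files tab.

    Added example with exact item names; the product's lists take wildcards
    (see Wildcards and Pattern Matching), omitted here so the precedence rules
    stand out.
    """
    include: set = field(default_factory=set)
    exclude: set = field(default_factory=set)

    def assigns(self, item):
        """True if this assignment mentions the item at all (its 'area')."""
        return item in self.include or item in self.exclude

    def grants(self, item):
        """Within one assignment an exclude overrides an include."""
        return item in self.include and item not in self.exclude


@dataclass
class SecurityFile:
    default_group: Assignment = field(default_factory=Assignment)
    groups: dict = field(default_factory=dict)      # group name -> Assignment
    users: dict = field(default_factory=dict)       # user name  -> Assignment
    membership: dict = field(default_factory=dict)  # user name  -> set of group names

    def has_access(self, item, user=None):
        """Resolve access to one item for a logged-in user, or for nobody (user=None)."""
        # 1. Default Group rights apply whether anyone is logged in or not and
        #    cannot be taken away by any group or user.
        if self.default_group.assigns(item):
            return self.default_group.grants(item)
        if user is None:
            return False  # assumption: an item the Default Group leaves alone is denied
        # 2. Group rights apply only in areas the Default Group left unassigned;
        #    a grant by a group cannot be taken away by the user.
        deciding = [self.groups[g] for g in self.membership.get(user, ())
                    if self.groups[g].assigns(item)]
        if deciding:
            # "union of the assignments of the groups": assumption that a grant
            # by one group wins if another group excludes the same item
            return any(g.grants(item) for g in deciding)
        # 3. Individual rights apply only outside the areas the groups assign.
        own = self.users.get(user)
        return own is not None and own.grants(item)


def building_example():
    """The Group 1 / Group 2 / User A example from the bulletin, plus a constructed
    individual grant (Building 5) and a constructed attempt by User A's own
    rights to exclude Building 1, which Group 1 grants."""
    sf = SecurityFile(
        groups={
            "Group 1": Assignment(include={"Building 1"}, exclude={"Building 3"}),
            "Group 2": Assignment(include={"Building 2"}, exclude={"Building 4"}),
        },
        users={"User A": Assignment(include={"Building 5"}, exclude={"Building 1"})},
        membership={"User A": {"Group 1", "Group 2"}},
    )
    return {b: sf.has_access(b, "User A")
            for b in ("Building 1", "Building 2", "Building 3", "Building 4", "Building 5")}


def wills_example():
    """Will's properties exclude a point the Default Group includes: Default wins,
    and the same point is open even when nobody is logged in (constructed name)."""
    point = "Building 1.AHU1.SETPOINT"
    sf = SecurityFile(
        default_group=Assignment(include={point}),
        users={"Will": Assignment(exclude={point})},
    )
    return sf.has_access(point, "Will"), sf.has_access(point)


if __name__ == "__main__":
    print(building_example())  # Buildings 1, 2 and 5 True; 3 and 4 False
    print(wills_example())     # (True, True)
```

The second value returned by wills_example is the reason the bulletin insists on a minimal Default Group: whatever it grants is reachable from a node with no user logged in at all.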


User and Group Properties

When the system administrator defines a group or user, the fields in each tab listed in Table 4 must be configured in either the Properties for User dialog box (Figure 8) or the Properties for Group dialog box (Figure 9).

Figure 8: Example of User Property Dialog Box


Figure 9: Example of Group Property Dialog Box


Table 4: User and/or Group Property Dialog Box Tabs

• User Properties: The User Properties tab contains information about the user name, password changes, and if this user is a security system administrator.

• Group Properties: The Group Properties tab contains the group name and description.

• Points: Before a client outputs a process value to an OPC Server, the unique string that identifies the OPC output point is sent to M-Password to determine if the action should be allowed, based on the currently logged in users and/or the groups to which they belong. This action could be read or write, based on how the application using M-Password interprets the Points tab.

• Alarms: Before a client outputs a process value to an OPC Server, the unique string that identifies the OPC Alarm is sent to M-Password to determine if the action should be allowed, based on the currently logged in users and/or the groups to which they belong.

• Files: The Files tab controls access to files users may open. Currently, only M-Graphics and Screen Manager files can be protected. For example, entries here would typically be used to restrict certain users and/or groups from picking certain graphic displays from M-Graphics.

• Time Sheet: The Time Sheet tab allows time-of-day restrictions on an hourly basis for users and groups. For selected hours, access is allowed. For non-selected hours, users can log in, but access is denied for protected objects.

• Account Policy: The Account Policy tab defines how passwords are used by all user accounts, if user accounts are automatically locked out after a series of incorrect logon attempts, and if Auto Login to M-Password through NT Login is enabled. (The system administrator must unlock a user after a lockout.) The base policy for the system is set in the Default Group. For users and groups other than the Default Group, each policy can selectively be enabled and set for that user or group. If more than one policy setting is in effect, the least restrictive is used. For this reason, the policy set in the Default Group must be the most restrictive. Individual users and groups can be made less restrictive than the Default but never more restrictive.

Note: Currently Custom and Stations tabs are not used.

M-Password Login Utility

The Johnson Controls M-Password window (Advanced View) is divided into two panes. The upper pane contains the status of the Security Server to which the Login Utility is connected. The lower pane contains a list of currently logged in users.


Figure 10: Johnson Controls M-Password Window (Advanced View)

Table 5 describes the display-only fields in the upper pane of the Johnson Controls M-Password Window. The Logging in as a User procedure shows the M-Password Basic view window (Figure 27).

Table 5: Johnson Controls M-Password Window

• Security Server Location: The name of the workstation where the security server is running and to which the Login Utility is connected. It is <local> if the security server is running on the same workstation as the Login Utility.

• Server Start Time: Date and time the security server was started. Time is converted to the local time of the user workstation if the security server is in a different time zone.

• Server Current Time: Current date and time as reported by the security server on the last update. Time is converted to the local time of the user workstation if the security server is in a different time zone.

• Server Configuration File: Name and path of the configuration file currently being used by the security server.


Login Utility Preferences

The Preferences dialog box allows the user to configure login options. Refer to Table 6 for field descriptions.

Figure 11: Preferences Dialog Box

Table 6: Preferences

• Primary: Enter the name of the primary workstation to which the Login Utility should connect in order to run the security server. The default is <local>.

• Backup: Enter the name of the backup workstation to which the Login Utility should connect in order to run the security server. The default is <local>.
  Note: Expanding the drop-down list causes a search of all nodes on the network for installed security servers. This may be time consuming. If known, it is faster to enter the name of the workstation.

• Auto Logout Reminder: The number of minutes prior to a security server auto logout that a user is reminded to log in again. The range is 0 to 60 minutes. Enter 0 for no pop-up reminder window.

• Status Update Period: The period between updates of the Server Status in the main window. The range is 1 to 60 seconds.

• Splash Screen: Suppresses the initial M-Password screen that shows company logos and trademarks.

Wildcards and Pattern Matching

The entries in the Points and Files include and exclude lists allow pattern matching. Pattern matching allows the use of wildcard characters, character lists, or character ranges, in any combination.

Table 7 shows the characters allowed in patterns and what they match:


Table 7: Wildcards and Pattern Matching

Characters in Pattern: Matches
• ?: Any single character
• *: Zero or more characters
• #: Any single digit (0-9)
• [charlist]: Any single character in charlist
• [!charlist]: Any single character not in charlist

Type a specific point or file in the test string field (Figure 21) to see if the selected user has access. If the user has access, a check mark appears in the Access Granted field. If the user does not have access, the field remains empty.

A group of one or more characters (charlist) enclosed in brackets ([ ]) is used to match any single character in string and includes almost any character code, including digits.

Note: The special characters left bracket ([), question mark (?), number sign (#), and asterisk (*) can be used to match themselves directly only by enclosing them in brackets. The right bracket (]) cannot be used within a group to match itself, but it can be used outside a group as an individual character.

In addition to a simple list of characters enclosed in brackets, charlist can specify a range of characters by using a hyphen (-) to separate the lower and upper bounds of the range. For example, [A-Z] in pattern results in a match if the character at that position in the string is any of the uppercase letters in the range A through Z. Multiple ranges are included within the brackets without any delimiters.

Other important rules for pattern matching include the following:

• An exclamation point (!) at the beginning of charlist means that a match is made if any character except the ones in charlist is found in the string. When used outside brackets, the exclamation point matches itself.

• The hyphen (-) can appear either at the beginning (after an exclamation point if one is used) or at the end of charlist to match itself. In any other location, the hyphen identifies a range of characters.

• When a range of characters is specified, the bounds must appear in ascending sort order (from lowest to highest). [A-Z] is a valid pattern, but [Z-A] is not.

• The character sequence [] is ignored.


Application Actions

M-Password allows system administrators to grant or deny access to specific applications and application functions.

Figure 12 is an example of the Actions/Users Association dialog box. The items in the left tree control are the Johnson Controls application names. The child items of the application names are the application functions that can be protected. The items in the tree control on the right are the users and groups defined in the M-Password database. The child items of the users and groups are the application names and actions enabled for that user or group.

IMPORTANT: The system Default Group assigns access rights that are granted whether any users are logged on or not. When M-Password is first installed, the Default Group has full access to everything. The first step in configuring M-Password is to remove most, if not all, of the access rights assigned to the Default Group.

You must configure the Default Group with minimal access rights. All users and groups are granted all rights available in the Default Group, plus the set of rights defined for the individual user or group, so anything left in the Default Group cannot be taken away from anyone.

Figure 12: Actions/Users Association Dialog Box

Note: Each Johnson Controls client provides a list of application functions that can be protected through M-Password. Refer to the M-Password Application Actions Technical Bulletin (LIT-1153175) for the specific application actions that are protected.


Security Login Reminder

The Johnson Controls M-Password Reminder dialog box (Figure 13) indicates the amount of time remaining before auto logout occurs. The dialog box appears at a time after login determined by subtracting the number of minutes entered in the Auto Logout Reminder field of the Login Utility Preferences dialog box (Figure 11) from the time entered in the Logout In ... minutes field of the Properties for User dialog box, Account Policy tab (Figure 25). For example, if 20 is entered in the Logout In ... minutes field and 12 is entered in the Auto Logout Reminder field, the reminder appears 8 minutes after login, that is, 12 minutes before Auto Logout occurs.

Figure 13: M-Password Reminder Dialog Box

Table 8: M-Password Reminder Dialog Box

  Dismiss: Closes the dialog box; the user is not reminded again.
  Postpone: Postpones the reminder by the number of minutes the user enters ("Click Postpone to be reminded again in x minutes"; enter the number of minutes until the reminder reappears).
  Login Now: Allows a system login, which resets the auto logout timer.


Auto Login to Security Server from the Windows NT Logon

Note: This feature is based on the Windows NT security model and is supported for MVE running on the Windows 2000 platform.

M-Password supports auto login to M-Password from the Windows NT Logon. To use this feature, the Windows NT Workstation must be a member of a Windows NT Domain. Verify that the M-Password user name is synchronized with the user name in the Windows NT Security Account Manager (SAM) database. The administrators are responsible for making sure the user names in both M-Password and the Windows NT SAM are the same. It is not necessary for the passwords to match.

When a Windows NT domain user is logged on to a Windows NT workstation and a matching user name and domain name exist in the M-Password database for that user, the user is automatically logged on to M-Password when launching the Login application.

IMPORTANT: Once a user is granted the Allow Auto NT Logon option, they must log out using the Windows NT Logout. If the M-Password logout is used, the Auto Logon is not disabled. This leaves the workstation unsecured: anyone at the still logged-on Windows session is logged on to M-Password simply by launching the Login application.

M-Password Worksheet Example

The following example of an M-Password worksheet is used to record and manage user access.

Security File Name

  *.SEC File Name: ______________.SEC

Name Analysis

  Person's Name      User Name      Password*      Group Name
  Administrator:     ________       ________       ________

*Note: Passwords are case sensitive and spaces are not allowed. M-Password has no association to the passwords in the N30/N31 Supervisory Controller or in the Network Control Module (NCM) Supervisory Controller.


Access and Privileges Analysis

Account policy tips:

• Follow your Information Technology department's login account standards.

• Keep options the same for all users and groups.

• Keep in mind that M-Password uses the least restrictive of all options in effect when a user logs in. Set groups as the most restrictive and then set users as less restrictive; a user setting stricter than the group or Default Group setting has no effect.

Worksheet columns: User Name and Group; Application Associations; User Properties; Points, Alarms, Files, Time Sheet; Account Policy (blank indicates unchecked). One block per user or group:

User Name and Group: ____________________

Application Associations:
  BACnet_OPC = ________
  CF-Connect = ________
  M3HCI = ________
  M-Authorize = ________
  M-Collector = ________
  M-Explorer = ________
  M-Graphics = ________
  M-Terminal = ________
  M-Trend = ________

User Properties:
  Change P/W on Login [ ]
  User can not change P/W [ ]
  Security Administrator [ ]

Points / Alarms / Files / Time Sheet: ____________________

Account Policy (blank indicates unchecked):
  Max P/W Age = __ Days
  Min P/W Age = __ Days
  P/W Length = __ Characters
  P/W Uniqueness = __ Unique P/Ws
  Account Lockout = _3_ Bad Attempts
  Auto Logout = __ Minutes


Default Group Analysis

M-Password uses the least restrictive (group or user) option when users log in. We recommend setting groups with more restrictions and users with fewer restrictions.

Applications:
  BACnet_OPC = ________
  CF-Connect = ________
  M3HCI = ________
  M-Authorize = ________
  M-Collector = ________
  M-Explorer = ________
  M-Graphics = ________
  M-Terminal = ________
  M-Trend = ________

Properties / Points / Alarms / Files: ____________________

Account Policy:
  Max P/W Age = __ Days
  Min P/W Age = __ Days
  P/W Length = __ Characters
  P/W Uniqueness = __ Unique P/Ws
  Account Lockout = _3_ Bad Attempts
  Auto Logout = __ Minutes
  Simultaneous Logins = [ ] yes/no


Detailed Procedures

When configuring M-Password options, the security system administrator must log in first. We recommend: adding users and groups, editing the Default Group so that it has minimum access rights, and selecting at least one new user as the security system administrator.

Logging in as Administrator

To log in as administrator:

1. Select Start > Programs > Johnson Controls > M-Password > Configuration. The Johnson Controls M-Password Administrator Login dialog box appears (Figure 14).

Figure 14: Johnson Controls M-Password Administrator Login Dialog Box

2. Leave the User Name blank and enter JCI, which is the default administrator password. Currently the Challenge field is not used.

3. Click OK.

IMPORTANT: Once a new administrator is defined, the default password is disabled. Define one as soon as the security file is created; until then, anyone who knows the published default can open the configuration.

Note: Passwords are case sensitive.

The first time you log in, you are prompted to specify a file name and location for the M-Password configuration file, which has an .sec file extension. We recommend picking a new name for the file. Future sessions automatically load this file on startup.


Creating a New Security File

To create a new security file:

1. On the File menu, click New. The Security Server dialog box appears (Figure 15).

Figure 15: Security Server Dialog Box

2. Click Yes to create the security file in Basic mode or No to create it in Advanced mode.

If you clicked Yes, the Save As dialog box appears (Figure 17). Go to Step 4.

If you clicked No, the Integrated NT Security dialog box appears (Figure 16). Go to the next step.

Figure 16: Integrated NT Security Dialog Box

3. Complete the dialog box by performing one of the options in Table 9. The Save As dialog box appears (Figure 17).


Table 9: Integrated NT Security Options

  Click Cancel: Creates a new security file without synchronizing users and groups between M-Password and the Windows OS.
  Select Local Computer: Synchronizes the users and groups between M-Password and the Windows OS.
  Select Domain and type the domain name: Synchronizes the users and groups between M-Password and the network domain you type.

Figure 17: Save As Dialog Box

4. Type a name for the file and click Save.

Adding a User or Group

To add a user or group:

1. Select Insert > New User or Insert > New Group. A new entry appears in M-Password with the name New User or New Group. The Properties dialog box appears for a new user (Figure 18) or group (Figure 20).


Figure 18: Properties for User Dialog Box: User Properties Tab

2. Click Preferences. The User Preference Properties dialog box appears (Figure 19).


Figure 19: User Preference Properties Dialog Box

Note: The Screen Manager tab is used only by the M5 Workstation software.

3. On the M5 Workstation only, select a default layout for Screen Manager. M5 Workstation software loads this default layout when this user logs in to the system.

Notes: This is the default layout used when a user logs in to the workstation and is different from the default layout or slide show used when no user is logged in.

On all M-Series Workstations, if you are using a language other than English, select the Language tab and choose the language preference from the drop-down list.

4. Fill in the fields in each of the tabs. Refer to the User Properties Tab, Group Properties Tab, Points Tab, Alarms Tab, Files Tab, Time Sheet Tab, and Account Policy Tab sections for detailed descriptions of the fields in each tab.

Note: M-Password does not support the Custom and Stations tabs.

5. Click OK.


User Properties Tab

Figure 18 shows an example of the User Properties tab. Refer to Table 10 for details.

Table 10: User Properties

  User Name: Short name (no spaces) the user types when logging on to the system.
  Full Name: User's full name; not required.
  Description: For information only; not required.
  Password: Password the user must type to log on. The default is blank.
  Note: This field is case sensitive; no spaces allowed.
  Verify Password: If you change the Password field, you must retype the exact password in this field.
  NT Domain: If the security system supports the Auto Login to the Security Server from NT Login feature, use this field to identify the NT Domain the user belongs to.
  User Must Change Password at Next Logon: When checked, the user must change his or her password at the time of the next logon. This is often used when a new user is created: the administrator enters a default password for the new user and checks this field to require a "real" password to be entered on first logon.
  User Cannot Change Password: When checked, the user's password can only be changed by the M-Password administrator from this dialog box.
  Account Disabled: Checking this field has the same effect as deleting the user without the permanence of an actual delete. It can be used to temporarily disable a user during a holiday or extended leave of absence.
  Account Locked Out: This field is normally unchecked and disabled. Should the account become locked out, the field is enabled and checked. From here, the administrator can uncheck the field to re-enable the user logon.
  Security System Administrator: When checked, this user is allowed to log on as a security system administrator to configure all aspects of the security system. Once an administrator is defined, the default administrator password is disabled.
  Preferences Button: Opens the User Preference Properties dialog box, where default layouts and language can be chosen for the user.


Group Properties Tab

Figure 20 shows an example of the Group Properties tab. Refer to Table 11 for details.

Figure 20: Properties for Group Dialog Box: Group Properties Tab

Table 11: Group Properties Tab

  Group Name: Short name (no spaces) that uniquely identifies this group within the system.
  Full Name: Full name for this group. For information only; not required.
  Description: For information only; not required.


Points Tab

The Points property page is divided into two sections: Include and Exclude (Figure 21). Each section contains an edit field and a list box. Pressing Enter with the cursor in the edit field or clicking the Add button adds the text to the list box. Use the Browse button to scan OPC data points.

IMPORTANT: If you leave the fields blank, no access is granted. Typing * and clicking Add grants access to everything.

Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.

When an application sends an OPC point string to M-Password for access testing (granted or denied), the point string is compared against the include/exclude lists of each active user and group, in turn, until access is granted:

Compare the OPC point string with each string in the include list until a match is found. If no match is found in any include list, access is denied.

Note: Exclude list entries can only remove rights that an include list grants; they never grant anything themselves. For example, if user Glenn belongs to group operators and operators grants access to OPC point xyz, adding point xyz to Glenn's exclude list takes away all access rights to the point for Glenn.

Excluding points has the following effects:

• In M-Graphics, the Exclude command removes only write access to those points. Read access is not excluded, so the excluded point remains visible to the user.

• M-Explorer cannot launch M-Inspector for a restricted OPC point.

Type a specific point in the test string field to see if the current user has access. If the user has access, a check mark appears in the Access Granted field. If the user does not have access, the field remains empty.

IMPORTANT: The rights of the Default Group supersede the rights of users and groups.


Figure 21: Properties for User Dialog Box: Points Tab


Alarms Tab

The Alarms property sheet (Figure 22) is used to control which users can acknowledge alarms.

IMPORTANT: If you leave the fields blank, no access is granted. Typing *.* and clicking Add grants access to everything.

Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards.

IMPORTANT: The rights of the Default Group supersede the rights of users and groups.

Figure 22: Properties for User Dialog Box: Alarms Tab


Files Tab

The Files property sheet (Figure 23) is used to control access to files.

Note: M-Graphics and Screen Manager restrict access to these files in Runtime mode from both the File > Open menu and any Pick action that loads a new display. No other M-Series Workstation applications currently support the file option.

IMPORTANT: If you leave the fields blank, no access is granted. Typing *.* and clicking Add grants access to everything.

Refer to the Wildcards and Pattern Matching section in this document for details on using wildcards. The wildcard pattern matching applies to files with the following differences:

• The pattern matching is done on the file extension separately from the file name, to match the DOS wildcard semantics. For example, the wildcard string *.* indicates all files.

• File names entered without a path are considered a match regardless of the directory in which they are located.

IMPORTANT: The rights of the Default Group supersede the rights of users and groups.
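The Python below is an added illustration and is not part of this bulletin or of the Johnson Controls software. It implements the pattern rules of Table 7 and the Wildcards and Pattern Matching section, the include/exclude evaluation described under the Points Tab (including the Glenn/operators case and the precedence of the Default Group), and the DOS-style name/extension matching of the Files Tab. Case-sensitive comparison, the treatment of a Files entry that carries a directory, and the order in which excludes are applied are assumptions where the bulletin is silent; the point names, file names and principals are constructed sample data.

```python
"""M-Password style wildcard matching (Table 7) plus the include/exclude
evaluation of the Points and Files tabs. Added example code, not Johnson
Controls software; choices the bulletin leaves open are marked as assumptions."""


def _bracket(pattern, i):
    """Parse the group starting at pattern[i] == '['. Returns (test, j) with
    j just past the closing ']'; for the ignored sequence '[]' test is None."""
    j = i + 1
    if pattern[j:j + 1] == "]":
        return None, j + 1
    negate = pattern[j:j + 1] == "!"
    if negate:
        j += 1
    chars, ranges = set(), []
    while j < len(pattern) and pattern[j] != "]":
        lo = pattern[j]
        # x-y is a range unless the hyphen is first or last in the list
        if pattern[j + 1:j + 2] == "-" and pattern[j + 2:j + 3] not in ("", "]"):
            hi = pattern[j + 2]
            if lo > hi:
                raise ValueError(f"range {lo}-{hi} is not in ascending order")
            ranges.append((lo, hi))
            j += 3
        else:
            chars.add(lo)  # '[', '?', '#', '*', '!' and '-' are literal here
            j += 1
    if j >= len(pattern):
        raise ValueError("unterminated bracket group")

    def test(ch):
        hit = ch in chars or any(lo <= ch <= hi for lo, hi in ranges)
        return hit != negate

    return test, j + 1


def match(pattern, text):
    """True when text matches pattern under the Table 7 rules (case-sensitive,
    an assumption: the bulletin does not state case handling)."""
    return _match(pattern, 0, text, 0)


def _match(p, i, s, k):
    while i < len(p):
        c = p[i]
        if c == "*":  # zero or more characters: try every remaining split
            return any(_match(p, i + 1, s, n) for n in range(k, len(s) + 1))
        if c == "[":
            test, i = _bracket(p, i)
            if test is None:  # '[]' consumes nothing
                continue
            if k == len(s) or not test(s[k]):
                return False
            k += 1
            continue
        if k == len(s):
            return False
        if c == "#":
            if not "0" <= s[k] <= "9":
                return False
        elif c != "?" and c != s[k]:  # ']' and '!' outside a group match themselves
            return False
        i, k = i + 1, k + 1
    return k == len(s)


def _hit(patterns, text):
    return any(match(p, text) for p in patterns)


def point_access(point, default_group, principals):
    """Name of the principal granting access to an OPC point string, or None.

    default_group is (include, exclude) for the Default Group: its rights apply
    whether or not anyone is logged on and supersede those of users and groups,
    so no user or group exclude can remove them. principals is
    [(name, include, exclude), ...] for the logged-in user and its groups;
    following the Glenn/operators example, a matching exclude on any of them
    removes the right even if another include grants it (assumed reading).
    Blank lists grant nothing; ['*'] grants everything."""
    inc, exc = default_group
    if _hit(inc, point) and not _hit(exc, point):
        return "Default Group"
    if any(_hit(exc, point) for _, _, exc in principals):
        return None
    for name, inc, _ in principals:
        if _hit(inc, point):
            return name
    return None


def _split(path):
    """Directory, name and extension, DOS style (no dot means no extension)."""
    head, _, tail = path.replace("\\", "/").rpartition("/")
    name, dot, ext = tail.rpartition(".")
    return (head, name, ext) if dot else (head, tail, "")


def match_file(pattern, path):
    """Files tab semantics: name and extension are matched separately, so
    '*.*' is every file, and an entry without a path matches in any directory
    (assumption: an entry with a path must also match that directory)."""
    pdir, pname, pext = _split(pattern)
    cdir, cname, cext = _split(path)
    if pdir and pdir.lower() != cdir.lower():
        return False
    return match(pname, cname) and match(pext, cext)


# Constructed sample configuration for the demo (not from a real site)
OPERATORS = ("operators", ["AHU#.*"], [])
GLENN = ("glenn", ["Chiller1.*"], ["AHU2.*"])


def demo():
    """Same user and group, before and after the Default Group is hardened."""
    points = ("AHU1.ZN-T", "AHU2.ZN-T", "Chiller1.CHW-T", "Boiler1.HW-T")
    shipped = (["*"], [])  # as installed: everyone, logged in or not, gets everything
    hardened = ([], [])    # blank lists grant nothing
    return {label: {pt: point_access(pt, dg, [GLENN, OPERATORS]) for pt in points}
            for label, dg in (("shipped", shipped), ("hardened", hardened))}
```

Running demo() shows the point of the IMPORTANT notes above: with the shipped Default Group every point is granted by "Default Group" no matter what Glenn's exclude list says, while after hardening Glenn reaches Chiller1 through his own include, AHU1 through the operators group, nothing for AHU2 (his exclude wins over the group include) and nothing for the boiler.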


Figure 23: Properties for User Dialog Box: Files Tab


Time Sheet Tab

The Time Sheet tab allows time-of-day restrictions on an hourly basis for users and groups. For selected (highlighted) hours, access is allowed. For non-selected hours, access is denied. Figure 24 depicts a configuration that allows access from 7 A.M. to 5 P.M., Monday through Friday.

Notes: Click an hour to select it and deselect all other hours. Then hold down the Ctrl key and click other hours to select or deselect them individually.

The user is allowed to log in during the selected hours, and M-Password controls access to restricted objects during those hours. The Default Group has no Time Sheet, so its rights apply at all hours.

Figure 24: Properties for User Dialog Box: Time Sheet Tab


Account Policy Tab

The Account Policy tab fields control how passwords are used by all user accounts, and whether user accounts are automatically locked out after a series of incorrect login attempts (Figure 25). Table 12 describes the Account Policy tab fields.

The base policy (that is, the most restrictive) for the system is set in the Default Group. For users and groups other than the Default Group, each policy can be selectively enabled and set for that user or group.

IMPORTANT: If more than one policy setting is in effect, the least restrictive is used. For this reason, the policy set in the Default Group must be the most restrictive. Individual users and groups can be made less restrictive than the Default Group, but never more restrictive: a stricter setting on a user or group is silently overridden by the laxer Default Group value.
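As an added illustration (not from this bulletin or the Johnson Controls software), the Python below computes the effective policy under this rule for a Default Group, a group and a user, and reports which user or group settings relax the Default Group and which are ignored because they are stricter than it. The field names, the direction of "less restrictive" for each field and the sample values are assumptions chosen to mirror the fields of the Account Policy tab.

```python
"""Effective account policy under M-Password's precedence rule: when more
than one setting is in effect, the least restrictive wins. Added example
code, not Johnson Controls software; field names and samples are assumed."""

INF = float("inf")  # stands for "No Account Lockout", "Forever" and "no auto logout"

# For each field, the function that returns the LESS restrictive of two values.
LAXER = {
    "max_password_age_days": max,   # a longer lifetime is laxer
    "min_password_age_days": min,   # a shorter hold before a change is laxer
    "min_password_length": min,
    "password_uniqueness": min,
    "lockout_after_attempts": max,  # INF means no lockout at all
    "lockout_duration_min": min,    # INF means Forever, the strictest
    "auto_logout_min": max,         # INF means no auto logout
    "password_complexity": lambda a, b: a and b,  # False (test off) is laxer
}


def effective_policy(policies):
    """policies: {principal name: {field: value}} for the Default Group, the
    user's groups and the user. A field a principal leaves unset takes no part."""
    result = {}
    for field, laxer in LAXER.items():
        values = [p[field] for p in policies.values() if p.get(field) is not None]
        if values:
            winner = values[0]
            for other in values[1:]:
                winner = laxer(winner, other)
            result[field] = winner
    return result


def audit_overrides(policies):
    """Classify every user or group setting against the Default Group:
    'relaxes' if it is laxer (it wins), 'ignored' if it is stricter (the
    Default Group wins), 'same' if equal. Returns [(principal, field, status)]."""
    default = policies["Default Group"]
    report = []
    for name, policy in policies.items():
        if name == "Default Group":
            continue
        for field, value in policy.items():
            if value is None or default.get(field) is None:
                continue
            if value == default[field]:
                status = "same"
            elif LAXER[field](value, default[field]) == value:
                status = "relaxes"
            else:
                status = "ignored"
            report.append((name, field, status))
    return report


# Constructed sample, not a real site configuration
SAMPLE = {
    "Default Group": {"min_password_length": 6, "max_password_age_days": 90,
                      "lockout_after_attempts": 3, "lockout_duration_min": INF,
                      "auto_logout_min": 30, "password_complexity": True},
    "operators": {"min_password_length": 8, "auto_logout_min": 15},
    "glenn": {"max_password_age_days": 365, "lockout_after_attempts": INF},
}
```

In the sample, the operators group's 8-character minimum and 15-minute auto logout are both ignored because the Default Group allows 6 characters and 30 minutes, while Glenn's 365-day password age and "No Account Lockout" both take effect: a single user entry is enough to switch lockout off for that user. The worksheet advice above (groups strict, users less strict) only works if the Default Group is the strictest of all.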

Figure 25: Properties for User Dialog Box: Account Policy Tab


Table 12: Account Policy Tab Fields

  Maximum Password Age: The time limit for a password, after which the user must change to a new password. The range is 1 to 999 days.

  Minimum Password Age: The period of time a password must be in effect before the user can change it. The range is 1 to 999 days.
  Note: Do not allow immediate changes if a Password Uniqueness value is entered.

  Minimum Password Length: The fewest number of characters a password can contain. The range is 1 to 14 characters.

  Password Uniqueness: The number of new passwords a user account must use before an old password can be reused. The range is 1 to 24 passwords.
  Note: For uniqueness to be effective, specify an age value for Minimum Password Age (do not select Allow Immediate Changes).

  Account Lockout: If selected and too many incorrect login attempts are made on a user account, the account is locked out. A locked account cannot log in. If you select Account Lockout, do the following:
  • In Lockout After, enter the number of incorrect login attempts that cause the account to be locked. The range is 1 to 999.
  • In Reset Count After, enter the number of minutes that must pass between any two login attempts to ensure that a lockout does not occur. The range is 1 to 99999.

  No Account Lockout: When selected, user accounts are never locked out, no matter how many incorrect login attempts are made on a user account.

  Lockout Duration:
  • Click Duration and enter the number of minutes locked accounts remain locked before automatically becoming unlocked. The range is 1 to 99999.
  or
  • Select Forever to keep locked accounts locked out until an administrator unlocks them.

  Auto Logout: If selected, the number of minutes from the time of user login before the system automatically logs the user off. The range is 1 to 999 minutes. Note that this is measured from the time the user logs in, not from user inactivity at the workstation.

  Password Complexity: Allows M-Password to mimic the Windows NT password complexity test. If you select Password Complexity, the user's or group's password must:
  • not contain all or part of the user's name
  • be at least 6 characters long
  • contain at least one character from 3 of the following 4 categories, at the user's discretion:
    1. Alphabetic uppercase (A through Z)
    2. Alphabetic lowercase (a through z)
    3. Base 10 digits (0 through 9)
    4. Non-alphanumeric characters (for example, !, $, #, %)

  Logout Password: If selected, the user must enter a password to log out.
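Added example, not from this bulletin or the Johnson Controls software: the Python below enforces the Lockout After, Reset Count After and Lockout Duration fields of Table 12 as a small state machine, and applies the Password Complexity test. Times are minutes on a constructed clock, "No Account Lockout" is represented by a threshold of None, and the reading of "part of the user's name" as the account name or any word of three or more characters in the full name is an assumption.

```python
"""Account lockout and password complexity as described in Table 12.
Added example code, not Johnson Controls software. Clock values are
minutes on a constructed timeline; the name-part rule is an assumption."""

FOREVER = float("inf")


class LockoutPolicy:
    def __init__(self, lockout_after, reset_count_after, duration):
        self.lockout_after = lockout_after          # None = No Account Lockout
        self.reset_count_after = reset_count_after  # minutes of quiet that clear the count
        self.duration = duration                    # minutes, or FOREVER


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_attempt = None
        self.locked_until = None  # None, a clock value, or FOREVER

    def locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now, password_ok):
        """Returns 'ok', 'bad' or 'locked'. A locked account refuses even the
        correct password until the duration passes or an administrator unlocks it."""
        if self.locked(now):
            return "locked"
        if self.locked_until is not None:  # the lockout duration has elapsed
            self.locked_until = None
            self.bad_count = 0
        # Reset Count After: a gap of at least this many minutes clears the count
        if (self.last_attempt is not None and self.policy.reset_count_after is not None
                and now - self.last_attempt >= self.policy.reset_count_after):
            self.bad_count = 0
        self.last_attempt = now
        if password_ok:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        if (self.policy.lockout_after is not None
                and self.bad_count >= self.policy.lockout_after):
            self.locked_until = now + self.policy.duration  # FOREVER stays inf
            return "locked"
        return "bad"

    def admin_unlock(self):
        """The administrator clears Account Locked Out on the User Properties tab."""
        self.locked_until = None
        self.bad_count = 0


def complexity_ok(password, user_name, full_name=""):
    """Password Complexity test of Table 12. Assumption: 'part of the user's
    name' means the account name or any full-name word of 3+ characters."""
    low = password.lower()
    parts = [user_name] + [w for w in full_name.split() if len(w) >= 3]
    if any(part and part.lower() in low for part in parts):
        return False
    if len(password) < 6:
        return False
    categories = [
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(categories) >= 3
```

Two details the table states but a quick reading can miss are visible in the code: a correct password presented while the account is locked is still refused, and with Forever the account stays unusable until admin_unlock() is called, whereas a Reset Count After gap between bad attempts starts the count over.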


Editing a User or Group

To edit a user or group:

1. Select a user or group.

2. Either press Enter, double-click the user, right-click and select Edit, or select Edit > Edit. The Properties dialog box appears for the selected user (Figure 18).

3. Fill in the fields in each of the tabs. Refer to the User Properties Tab, Points Tab, Alarms Tab, Files Tab, Time Sheet Tab, and Account Policy Tab sections for detailed descriptions of the fields in each tab.

4. Click OK.

Note: Currently M-Password does not use the Custom or Stations tabs.

Deleting a User or Group

To delete a user or a group:

1. Select a user or group.

2. Either press the Delete key, right-click and select Delete, or select Edit > Delete.

Note: If you delete a user in the group tree or a group in the user tree, you disassociate the group from the user but do not actually delete it.

Editing the Default Group

IMPORTANT: The system Default Group assigns access rights that are granted whether any users are logged on or not. When M-Password is first installed, the Default Group has full access to everything. The first step in configuring M-Password is to remove most, if not all, of the access rights assigned to the Default Group.

You must configure the Default Group with minimal access rights. All users and groups are granted all rights available in the Default Group, plus the set of rights defined for the individual user or group.

To edit the Default Group:

Select Edit > Default Group. The same property sheets used to edit ordinary groups are used for the Default Group, with the following differences:

• There is no Time Sheet tab. Default access is valid for all hours.

• Account Policy must be set in the Default Group, and there is one additional field: Simultaneous Logins. Currently simultaneous logins are not supported in M-Password.


Associating Users and Groups

To associate users and groups:

1. Select a group in the left pane of the main window. Select a user in the right pane of the main window.

2. Select Insert > Associate User and Group, or right-click and select Associate User and Group.

When a user and group are associated, the user appears as an item under the group in the left pane and the group appears under the user in the right pane.

Removing Associations

Note: This operation never deletes the user or group. Only their association is removed.

To remove associations:

1. Select the user under the desired group in the left pane, or select the group under the desired user in the right pane.

2. Press the Delete key.

Assigning Application Actions

To assign application actions:

1. Select Edit > Application Actions. The Actions/Users Associationdialog box appears (Figure 26).

Figure 26: Actions/Users Association Dialog Box


Note: Each Johnson Controls application provides a list of application functions that can be protected through M-Password. Refer to the M-Password Application Actions Technical Bulletin (LIT-1153175) for the specific application actions that are protected.

2. From the list of applications on the left, select a specific function or an entire application. Click the + sign to expand the details of each application.

3. From the list on the right, select the user or group that should have access. Click the + sign to show all allowed actions currently assigned to the user or group.

4. Click the Move button to assign the selected applications.

Note: To add all application actions, right-click the user or group name and select Add All Actions from the pop-up menu.

5. Click OK.

Removing Application Actions

To remove application actions:

1. In M-Password, select Edit > Application Actions.

2. Select a user or group name, or select the application name or function, and press the Delete key.

Notes: To remove all application actions, right-click the user or group name and select Remove All Actions from the pop-up menu.

This operation never deletes the user, group, or application function. Only their association is removed.

Logging In as a User

To log in as a user:

1. Select Start > Programs > Johnson Controls > M-Password > Login. The Johnson Controls M-Password Login dialog box appears (Figure 27).

Figure 27: Johnson Controls M-Password Security Login Dialog Box (Basic View)

2. Enter the User Name and Password.


Notes: Passwords are case sensitive; no spaces allowed.

Click Keypad to display a keypad that can be used to enter the user name and password.

To see who is currently logged in, click the Advanced button.

3. Click OK. After a successful login, this dialog box is hidden.

Changing a Password as a User

Note: This procedure is for users. Security system administrators change passwords in the User Properties dialog box.

To change a password as a user:

1. Select Start > Programs > Johnson Controls > M-Password > Login. The Johnson Controls M-Password Login dialog box appears (Figure 27).

2. Click Change Password. The Change Password dialog box appears (Figure 28).

Figure 28: Change Password Dialog Box

3. Enter the old password, the new password, and the confirmation of the new password.

4. Click OK.


Editing the Default Group to Allow Auto NT Login

To edit the Default Group to allow Auto NT Login:

1. Verify that the Windows NT workstation is a member of a domain. On the Start menu, click Control Panel. Open the Network property sheet and click the Change button. The Identification Changes dialog box (Figure 29) appears. If the workstation is a member of a domain, the domain name appears in the Member of Domain field.

Figure 29: Identification Changes Dialog Box

2. On the Edit menu, select Global Settings. The Global Settings dialog box appears (Figure 3).

3. On the Policy tab, select Allow Auto NT Login.

4. Click Apply.


Enabling a User for Auto NT Login

To enable a user for Auto NT Login:

1. Add a user following the instructions in the Adding a User or Group section of this document.

2. On the User Properties tab, enter the NT Domain name in the NT Domain field. The domain name must match the domain shown in the Identification Changes dialog box (Figure 29).

Figure 30: Properties for User Dialog Box: User Properties Tab

3. Enter the User Name. This name must match the Windows NT user name exactly.

4. Continue with the instructions in the Adding a User or Group section of this document.


Logging Out

To log out:

Note: You can also log out from the M-Password Login dialog box in the Basic view (Figure 27).

1. On the User menu of the Johnson Controls M-Password window in the Advanced view (Figure 10), click Logout. The M-Password window remains open.

2. To exit M-Password, on the User menu, click Exit.

Controls Group
507 E. Michigan Street
P.O. Box 423
Milwaukee, WI 53201
www.johnsoncontrols.com
Published in U.S.A.