Authorization Management

You can use authorization management to define specifically which PCo services you want external callers to be able to access.

Use

Plant Connectivity provides a number of services that can be used by remote computers:

  • Management Services

    Using the management services, you can call PCo functions via Web services. You can configure, start, or stop agent instances and query configurations, status information, or protocols.

  • Remote Client

    The remote client enables you to monitor PCo from a remote computer, to start or stop agent instances, to export and import configurations, and to query protocols.

  • PCo Web Server

    The PCo Web server provides configurable methods in the form of Web service endpoints.

The services simply require that the user can log on to the Windows computer on which PCo is installed. If you want to control in a more restrictive way which PCo services can be accessed by external callers, you can use authorization management in PCo.

Procedure

You can call authorization management in the PCo Management Console under Tools > Authorization Management or by choosing the relevant icon in the taskbar.

The dialog provides you with a multilevel list of available PCo services. You can define the authorizations for the services at each level and thereby control access in a more detailed way as required.

PCo's authorization management uses Windows user groups to control access to PCo services. There are four options in the Access Mode column for configuring access to a specific service:

  • No Access

    External callers cannot access this service.

  • Unrestricted Access

    Each user who can log on to the Windows computer with the PCo installation has access to the service in question. This setting corresponds to the system behavior until now but is not recommended.

  • Access Depending on User Group

    Only users who are members of the specified Windows user group can use the service in question. You maintain user groups and the assignment of users in Computer Management under Local Users and Groups. You can also use the Active Directory for this task.

  • Access Inherited from Superordinate Service

    With this setting the access rights to a specific service are inherited from the superordinate level of the hierarchy. This is the standard setting for newly added agent instances or methods and you only need to change this setting if you want to maintain different access rights.

In the last column of the dialog (Effective Authorization), PCo displays for each service how the settings affect how the service is executed.

Standard Settings

After installing PCo, only users that belong to the Administrators user group have access to the services provided by the management services. The PCo Web server can be called by users that belong to the PCoWebServer user group provided this user group existed at the time of installation. Otherwise, and for all other services, the default setting is No Access for the topmost level and Access Inherited from Superordinate Service for the lower levels. After installation, you can revert at any time to these standard settings by choosing the relevant pushbutton.

Notes for the Configuration

If you have configured the endpoint of a PCo Web server so that no authentication is required when services stored there are called, no authorization check can take place when the services are called. Each caller who knows the URL of the service can use the service. The settings in authorization management are not effective for a Web server configured in this way and this is shown accordingly in the Effective Authorization column.

If you configure authorizations for the remote client, you need to bear in mind that authorization configuration only has an effect on the functions of the remote client of the current computer. If you are managing remote computers using the remote client, the authorization settings of the remote computer are also effective.

If you change the authorization settings for the management services, you must restart the main service after saving the configuration, in order for these changes to take effect. You can call the management services from the menu in the Management Console under Tools > Options > Global Settings > Main Service. The same applies to the authorization settings for the Remote Client and the Web server. To take account of the current authorization configuration, you have to exit these two applications and restart them.
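
The access modes and the note on Web server endpoints without authentication can be modelled as a small resolver for reviewing a planned configuration. This is an added example, not PCo code or a PCo API: the `Service` class, the `NOT_ENFORCED` label, the sample service names and the fail-closed handling of a top-level inherited entry are assumptions, as is applying the no-authentication rule to the methods below such an endpoint.

```python
from dataclasses import dataclass
from typing import Optional

NO_ACCESS = "No Access"
UNRESTRICTED = "Unrestricted Access"
BY_GROUP = "Access Depending on User Group"
INHERITED = "Access Inherited from Superordinate Service"
NOT_ENFORCED = "Not enforced (endpoint without authentication)"  # constructed label

@dataclass
class Service:
    name: str
    mode: str = INHERITED
    group: Optional[str] = None          # Windows user group, used with BY_GROUP
    parent: Optional["Service"] = None   # superordinate service, if any
    auth_required: bool = True           # False: endpoint accepts unauthenticated calls

def effective(svc: Service) -> tuple[str, Optional[str]]:
    """Resolve the setting that actually applies to svc."""
    node, resolved = svc, None
    while node is not None:
        if not node.auth_required:
            return (NOT_ENFORCED, None)  # no caller identity, so no check is possible
        if resolved is None and node.mode != INHERITED:
            resolved = (node.mode, node.group)
        node = node.parent
    # Assumption: an inherited entry with nothing above it fails closed.
    return resolved or (NO_ACCESS, None)

def is_allowed(svc: Service, user_groups: set[str]) -> bool:
    mode, group = effective(svc)
    if mode in (UNRESTRICTED, NOT_ENFORCED):
        return True
    return mode == BY_GROUP and group in user_groups

def audit(services: list[Service]) -> list[str]:
    """List services that are reachable without a user group check."""
    return [f"{s.name}: {effective(s)[0]}" for s in services
            if effective(s)[0] in (UNRESTRICTED, NOT_ENFORCED)]

# Constructed sample tree; only the two group names come from the page.
mgmt = Service("Management Services", BY_GROUP, "Administrators")
web = Service("PCo Web Server", BY_GROUP, "PCoWebServer")
method_a = Service("MethodA", parent=web)
legacy = Service("LegacyAgent", UNRESTRICTED, parent=mgmt)
open_web = Service("OpenEndpoint", BY_GROUP, "PCoWebServer", auth_required=False)
method_b = Service("MethodB", NO_ACCESS, parent=open_web)
remote = Service("Remote Client")
```

Running `audit` over the planned tree before saving the configuration surfaces every entry that would still be open to any Windows user or to any caller who knows the URL.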