An end user's browser connects to the Plant Optimizer client through the HTTPS protocol. The HTTPS protocol encrypts password data in transit using TLS 1.2. Passwords at rest are not stored in Plant Optimizer. User accounts and their passwords are stored either in the Metasys Extended Application and Data Server with or without Active Directory (AD) integration, or in the CUPO Network Automation Engine at plants that use an alternative automation system. Each user has their own unique logon credentials and identifiers. An administrator adds Plant Optimizer users and each individual user is assigned roles based on their needs.
Two authentication services are available for Plant Optimizer software that runs on an on-premise server:
- Use the existing Metasys local system authentication database for a Metasys building automation system network. All Plant Optimizer users must first be set up as users in the Metasys system. Use the same local system credentials to log on to Metasys and Plant Optimizer.
- Integrate with AD through Metasys components. This option is only available if Metasys is part of the AD domain. AD users are configured on the Metasys system before they access Plant Optimizer. Plant Optimizer does not currently support sites that use AD alternate UPN authentication for single sign on. To confirm that the authentication works, enter your credentials in the Metasys Launcher dialog box when you log on or log off.
- The password must include a minimum of 8 characters and a maximum of 50 characters.
- The password cannot include spaces or a word or phrase that is in the Blocked Words list.
- The password and the username cannot share the same three consecutive characters.
- The password must meet the four following conditions:
  - Include at least one number.
  - Include at least one special character (-, ., @, #, !, ?, $, %).
    Note: Only the special characters in the above list can be used; all other special characters are invalid.
  - Include at least one uppercase character.
  - Include at least one lowercase character.
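
The password rules above, written as a validator that reports every rule a candidate password breaks. This is an added example, not code from the product or its documentation. The function names, the sample blocked-word list, and the case-insensitive matching of blocked words and username fragments are assumptions.

```python
# Added example: checks a candidate password against the rules listed above.
ALLOWED_SPECIALS = set("-.@#!?$%")
# Constructed stand-in; the product's actual Blocked Words list is not reproduced here.
SAMPLE_BLOCKED_WORDS = ["password", "metasys"]


def shares_three_consecutive(password, username):
    """True if any 3-character run of the username appears in the password."""
    p, u = password.lower(), username.lower()  # assumption: case-insensitive
    return any(u[i:i + 3] in p for i in range(len(u) - 2))


def check_password(password, username, blocked_words=SAMPLE_BLOCKED_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 50:
        problems.append("length must be 8 to 50 characters")
    if " " in password:
        problems.append("spaces are not allowed")
    lowered = password.lower()
    if any(w.lower() in lowered for w in blocked_words):
        problems.append("contains a blocked word")
    if shares_three_consecutive(password, username):
        problems.append("shares three consecutive characters with the username")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("needs at least one allowed special character")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one uppercase character")
    if not any(c.islower() for c in password):
        problems.append("needs at least one lowercase character")
    # Anything that is not a letter, digit, space or listed special is invalid.
    bad = sorted({c for c in password
                  if not c.isalnum() and c != " " and c not in ALLOWED_SPECIALS})
    if bad:
        problems.append("invalid special characters: " + "".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample usernames and passwords.
    for user, pw in [("jsmith", "Chiller#Plant42"), ("jsmith", "Smi_th1a")]:
        print(user, pw, check_password(pw, user) or "OK")
```
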
In Metasys ADX or CPO-NAE, the password for all user accounts is set to expire in 60 days by default. The maximum password age, password uniqueness, and account lockout properties are not configurable for systems where the ADX is integrated with AD and RADIUS users. You can configure the account policy parameters in either the ADX for Metasys sites, or in the CPO-NAE for plants that use other automation systems.
Field | Description | Default Value |
---|---|---|
Password never expires | The password never expires. | Unselected |
Expires in days | You must enter the number of days until the password expires. | 60 days for users selected |
Do not keep password history | The system does not remember the password history. | Unselected |
Remember passwords | The system remembers the number of passwords indicated. The system does not allow the user to repeat the same password. | 10 previous passwords selected |
Never terminate | The session does not terminate as long as the operating system that hosts the Metasys system is not suspended or terminated to shut down, sleep, or hibernate. Make sure the options to suspend the operating system are disabled. | Unselected |
Terminate in minutes | The amount of time the system allows the user to remain inactive before the session terminates and automatically logs the user off from the Metasys system. | 30 minutes selected |
No account lockout | The account does not lock out. | Unselected |
Lockout after bad attempts | The account locks out after the designated number of sequential failed logon attempts. | 3 failed login attempts for users selected |
Lockout in minutes | The account locks out after the designated number of sequential failed logon attempts within the designated time frame. Users are presented with the opportunity to re-enter their password once every five minutes thereafter. | 15 minutes selected |
Do not check user account for dormancy | The account never becomes dormant. The user has access to the account regardless of the number of days after the last logon. | Unselected |
Dormant after days | The account becomes dormant after the designated number of days after the last logon. | 365 days selected |
Create dormant user account event | An event message displays to alert the administrator that the dormant user account has not been accessed in the designated number of Dormant After (Days). Note: For a report of all accounts, dormancy settings, and status, click Query and select Dormant User Account Report in SMP. Dormant user account events are also included in the Audit Viewer and the Event Viewer. | Selected |
Lock out user account when dormant | The account is locked out after the designated number of dormant days. | Unselected |