Controller Account Management and Mosaic 2.9
Description
Mosaic 2.9 adds a new level of security to controllers within a project. Controllers now have a redesigned account system, allowing a site to manage who has access to the controllers and what those users can do when interacting with them. Accounts are only available via the Network tab and are managed on a controller-by-controller basis (and are consequently NOT stored with the configuration). All web interface account management has been removed from the sub-Web Interface screen found within the Project parent tab. If no accounts are created, the controllers function as before and all security features are disabled.
Permissions
As in previous Designer versions, accounts can be assigned different permissions.
Admin level accounts have full permissions to edit, configure, and upload to a controller. Admin level permissions are required for uploading and downloading a configuration from a security enabled controller.
Guest accounts can be created to limit user interaction with a controller. These accounts can be given Status or Control permissions.
Status allows a user to view, but not interact with, any aspect of the controller. Status-permissioned users can still download logs, assign filters, change temporary verbosity, and change the log line level from a controller’s WebUI. These users cannot clear a controller’s log.
Control only allows a user to access the Control and File Manager tabs. Users permissioned at this level can play timelines or upload/download from the internal File Manager. They cannot upload or download configuration.
Account Creation
Accounts can be created by clicking the “Add” button, outlined in red in the image below.
Guest permissions (the permissions of users who are not logged in with a listed account) can be managed by clicking “Edit guest user permissions”, outlined in yellow. Accounts are not shared across controllers, so if multiple controllers exist within a configuration, each controller requires its own accounts.
After clicking “Add”, the user will see the “Create New User” screen. Start by entering a Username.
Next, enter a password. Passwords must be at least six characters in length but require no other complexities.
ETC does not have a backdoor password to any Mosaic controller. If a user forgets their password, the controller MUST be restored.
The first account created in this screen is automatically given Admin level privileges.
You can rescind account permissions by unchecking the appropriate box under Permissions. If only one account exists on a controller, you will be unable to uncheck the “Admin” checkbox. Admin accounts that are given neither Status nor Control permissions will be unable to access or change any information within the controller’s web interface.
Account Tracking
You can see what users have logged in and out of the controller by navigating to the controller’s log. Your log level must be set to a verbosity of “Normal” or higher to see this information. Any user who can see the log will be able to see any other user’s login and logout sessions regardless of their account permissions. No password information is ever printed in the log.
A controller will always display the currently logged-in user in the top right corner of the WebUI. To log out, click the username and choose “Log Out”.
If no user is logged in, the account field will be empty.
If no accounts exist on the controller, no symbol will appear.
Account Management
Accounts can be managed on the “Account Creation” screen. To edit an account’s permissions, select the username and choose “Edit”.
Choosing “Delete” will remove the selected account without confirmation. This action cannot be undone.
Editing an account does not allow a user to see the password that was set. Instead, the password field will appear empty to prevent brute-force attempts.
Passwords can be reset on an unlocked controller by entering a new password into the field and choosing “Commit”. An upload is not required for this change.
Note that the controller must be unlocked for this change to occur.
Interacting with a Locked Controller
A locked controller will be indicated in the Network tab with a closed green padlock in the status column.
Any unlocked controller will show with a yellow open padlock.
A controller’s Network, Clock, Log, Storage, and Watchdog settings can all be viewed via “Configure” regardless of a controller’s security settings.
These settings cannot be viewed via the WebUI of any locked controller.
Any changes to a controller’s information, including uploading and downloading, will require the controller’s Admin password.
Logging In
When a password is required to access or change a controller’s information via Mosaic Designer, the black prompt shown below is displayed; when accessing a locked controller via the web interface, the white prompt is displayed.
A controller will remain unlocked until the current Designer session is closed. If an unlocked controller is rebooted manually and the current Designer session stays active, the controller will not require credentials to be re-entered.
However, if an unlocked controller is rebooted via the web interface, credentials must be re-entered when accessing the controller again via the WebUI.
Legacy Security Features and 2.9 Software
Showfiles that contain legacy security features will warn users when those files are opened in MD 2.9 or above.
WebUI credentials from these controllers will be removed once firmware is reloaded to the controller.
Controllers that have a controller level password will have that password removed once firmware is reloaded to the controller.
In both instances, legacy security credentials may need to be entered to update a controller’s firmware. MD 2.9 does not provide any type of account migration.
Locked Controllers and Forgotten Passwords
As mentioned above, if a user forgets their password and locks themselves out of a controller, the controller will need to be restored to defaults to resolve this issue.
This is an involved process and should only be used when there is no hope of recovering the password.
Mosaic Designer and local (non-networked) access to the controller are required for this process.
Information on restoring defaults can be found here, titled “Restoring Defaults on an MTPC or MSC”.
Keep in mind that running this process requires a controller’s network settings to be restored too.