You can enable Legacy Security, Granular Security, or both simultaneously. Access granted by these two sets of Security Groups is additive: if a user is granted certain access from Legacy and different access from Granular, that user has the combined set of rights. By default, or if you are migrating from a version of Monitoring prior to v23, only Legacy Security is enabled. You can enable Granular Security and set up all user access before disabling Legacy Security, so that none of your users are locked out of sections they need.
If you are considering managing your FactoryWiz user login usernames/passwords through your company's Microsoft Active Directory (AD) through the Lightweight Directory Access Protocol (LDAP) interface, you would enable the LDAP / Active Directory checkbox.
Please note that this is an advanced feature and requires a significant amount of configuration and maintenance of your corporate network systems outside of just the FactoryWiz application configuration.
Also note that, while it is possible to integrate FactoryWiz authentication/authorization with AD/LDAP over the default unencrypted port, an LDAP simple bind on that port sends the service account's password, and each user's password at login, across your network in cleartext. We therefore recommend that you enable SSL for LDAP (Secure LDAP, or LDAPS) in your AD environment and point FactoryWiz at that port.
Configuring your Active Directory environment for Secure LDAP is beyond the scope of this document and should be performed by your company's IT team.
If your IT team would like additional guidance on how to enable Secure LDAP, please have them reach out to support at FactoryWiz.com
Also, if not already done, we recommend giving the FactoryWiz monitoring website a DNS name and serving it over SSL with a valid certificate from a trusted Certificate Authority. Otherwise the user's credentials travel unencrypted from the browser to the FactoryWiz web server, regardless of how securely that server then communicates with the LDAP server for authentication and authorization.
When you check the LDAP/AD checkbox option, you will be presented with additional configuration fields
In the Server Name or IP configuration field, enter the address of your AD Domain Controller. If you use Secure LDAP, prefer the Domain Controller's DNS name over its IP address, so that the name FactoryWiz connects to matches the name on the server's certificate. If you have a second (backup) Domain Controller, you can put its address in the Alternate Server field.
For the FactoryWiz system to query your Active Directory's LDAP interface, it must first authenticate to AD as a "service account". You will therefore need to create a "service account" user in Active Directory. This account can be a standard, low-privilege domain user; it does not need any special access rights, only the default ability to read directory objects. Treat its password like any other credential (use a strong password, and rotate it if the server is ever compromised), because it is what FactoryWiz presents to the Domain Controller on every lookup.
The default unencrypted LDAP port is typically 389.
If you have enabled Secure LDAP on your AD server, that port is typically 636.
Once you have successfully configured FactoryWiz to communicate with AD, you can simply use AD for Authentication of FactoryWiz (FW) user names and passwords. If you only want to use AD for Authentication, and not security Authorization, you must add each username in the FactoryWiz Users section (the AD username and FW username must match identically).
You can then configure each FW user with the Legacy and/or Granular security groups.
If you want to take the FW LDAP configuration a step further and manage security rights in AD/LDAP, then you must configure all of the security groups in AD and add your users to those groups.
Then you would "map" those AD security group names to the FW group names in the Mappings sections.
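Before filling in the server, port, service account and group mappings above, your IT team will usually want to confirm from a domain-joined machine that each piece works: the Domain Controller accepts a simple bind over LDAPS on 636 with a certificate it trusts, the service account can look up a user by sAMAccountName, the user's own password authenticates, and the user's AD groups resolve to the FactoryWiz groups you intend to map. The PowerShell script below is an added example written for this page; it is not part of FactoryWiz or its documentation and does not use any FactoryWiz API. The server name dc01.corp.example, the base DN, and the FW-* AD group names and their FactoryWiz counterparts are placeholders for your own environment.

```powershell
# Pre-flight check for a FactoryWiz LDAP/AD configuration (added example, not FactoryWiz code).
# Uses the built-in System.DirectoryServices.Protocols client so nothing needs to be installed.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dc01.corp.example'   # placeholder; use the DC's DNS name so it matches the LDAPS certificate
$Port   = 636                   # 636 = Secure LDAP. 389 would send both bind passwords in cleartext.
$BaseDn = 'DC=corp,DC=example'  # placeholder search base

# Hypothetical AD group -> FactoryWiz group mapping, mirroring what you will enter in the Mappings section.
$GroupMap = @{
    'FW-Legacy-Operators' = 'Operator'         # a Legacy Security group
    'FW-Granular-Reports' = 'Reports Viewer'   # a Granular Security group
}

function New-LdapsConnection {
    param([string]$Server, [int]$Port, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    # AuthType Basic = an LDAP simple bind, which is what an LDAP username/password integration performs.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    # TLS from the first byte. Leave server certificate validation at its default; do not set
    # VerifyServerCertificate to a callback that always returns $true, or a rogue DC could capture the binds.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.Bind()    # throws LdapException on failure (result code 49 = invalid credentials, 52 = server unavailable/untrusted cert)
    return $conn
}

function Get-FirstRdnValue {
    # Extracts the CN from a group DN such as 'CN=FW-Legacy-Operators,OU=Groups,DC=corp,DC=example'.
    # The regex tolerates escaped commas (CN=Smith\, John) that a naive split on ',' would break on.
    param([string]$Dn)
    if ($Dn -match '^CN=((?:\\.|[^,])+)') { return $Matches[1] }
    return $null
}

# 1. Bind as the FactoryWiz service account (a standard domain user; no elevated rights needed).
$svcCred = (Get-Credential -Message 'FactoryWiz LDAP service account (DOMAIN\user)').GetNetworkCredential()
$svc = New-LdapsConnection -Server $Server -Port $Port -Credential $svcCred
Write-Host "Service account bind OK against ${Server}:${Port} over LDAPS"

# 2. Look the user up the way an LDAP integration does: by sAMAccountName, which must equal the FW username.
$userName = Read-Host 'AD username (sAMAccountName) to check'
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(sAMAccountName=$userName)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('distinguishedName', 'memberOf'))
$resp = [System.DirectoryServices.Protocols.SearchResponse]$svc.SendRequest($req)
if ($resp.Entries.Count -ne 1) { throw "Expected exactly one account named $userName, found $($resp.Entries.Count)" }
$entry = $resp.Entries[0]

# 3. Authentication: bind as the user, by DN, with the user's own password.
$userPassword = Read-Host -AsSecureString "Password for $userName"
$userCred = New-Object System.Net.NetworkCredential($entry.DistinguishedName, $userPassword)
$userConn = New-LdapsConnection -Server $Server -Port $Port -Credential $userCred
$userConn.Dispose()
Write-Host "User $userName authenticated OK"

# 4. Authorization: map the user's direct group memberships to FactoryWiz groups. Legacy and Granular
#    rights are additive, so every matching group contributes and the result is a union.
$fwGroups = @()
if ($entry.Attributes.Contains('memberOf')) {
    foreach ($dn in $entry.Attributes['memberOf'].GetValues([string])) {
        $cn = Get-FirstRdnValue $dn
        if ($cn -and $GroupMap.ContainsKey($cn)) { $fwGroups += $GroupMap[$cn] }
    }
}
if ($fwGroups.Count -eq 0) {
    Write-Warning "$userName is in no mapped AD group and would get no FactoryWiz access from AD"
} else {
    Write-Host "FactoryWiz groups for ${userName}: $($fwGroups -join ', ')"
}
$svc.Dispose()
```

Two caveats when reading the output. The memberOf attribute lists only direct memberships, not groups nested inside other groups and not the account's primary group, so a user who reaches a mapped group only through nesting shows up here as unmapped; if your FactoryWiz mappings are meant to work, add users directly to the mapped groups. And if step 1 fails with "server unavailable" while port 636 is reachable, the usual cause is that the machine running the script does not trust the Domain Controller's certificate; fix the trust rather than disabling validation, because FactoryWiz will face the same certificate.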
Note: configuring Active Directory users and security groups is beyond the scope of this document and is usually handled by your IT team at your company.
If your IT team requires additional guidance on how to set up AD users and security groups, please have them reach out to support at FactoryWiz.com