
Technical Bulletin

Issue Date February 28, 2006



M-Password

M-Password ........................................................................................... 3
Introduction......................................................................................................... 3
Key Concepts...................................................................................................... 4
M-Password......................................................................................................................4
Password *.sec File Tips...................................................................................................5
Secured Items...................................................................................................................5
Security System Administrator..........................................................................................6
Advanced Mode................................................................................................................6
Users and Groups.............................................................................................................7
Global Settings................................................................................................................10
Critical Operational Data (COD)......................................................................................11
Integrated NT Security....................................................................................................14
Default Group..................................................................................................................15
User and Group Properties .............................................................................................17
M-Password Login Utility.................................................................................................19
Login Utility Preferences .................................................................................................21
Wildcards and Pattern Matching.....................................................................................21
Application Actions..........................................................................................................23
Security Login Reminder.................................................................................................24
Auto Login to Security Server from the Windows NT/Windows 2000 Operating
System Logon.................................................................................................................25
M-Password Worksheet Example...................................................................................25
Default Group Analysis ...................................................................................................26
Detailed Procedures......................................................................................... 27
Logging in as Administrator.............................................................................................27
Editing the Default Security File......................................................................................28
Adding a User or Group..................................................................................................30
Editing a User or Group..................................................................................................43
2006 Johnson Controls, Inc. www.johnsoncontrols.com
Code No. LIT-1153150 Software Release 5.4
M-Password Technical Bulletin 2
Deleting a User or Group................................................................................................43
Editing the Default Group................................................................................................43
Associating Users and Groups........................................................................................43
Removing Associations...................................................................................................44
Assigning Application Actions .........................................................................................44
Removing Application Actions.........................................................................................45
Logging In as a User.......................................................................................................45
Changing a Password as a User.....................................................................................46
Editing the Default Group to Allow Auto NT Login..........................................................47
Enabling a User for Auto NT Login .................................................................................48
Logging Out.....................................................................................................................49
M-Password
Introduction
M-Password provides restricted access to application functions based
on the concept of a logged-in user. A security system administrator
configures the system by adding users and assigning them specific
privileges. In addition, administrators may associate users with certain
groups that also have assigned privileges. Thus, users have the
effective rights of all the groups to which they belong, plus their own
private rights. This document describes how to:
log in as administrator
edit the default security file
add a user or group
edit a user or group
delete a user or group
edit the Default Group
associate users and groups
remove associations
assign application actions
remove application actions
log in as a user
change a password as a user
edit the Default Group to allow Auto NT Login
enable a user for Auto NT Login
log out

Key Concepts
M-Password
M-Password controls the user capabilities on an M-Series
Workstation. There are two components to M-Password:
Configuration application: used by administrators to set up the
users' rights and privileges
Login application: used by the user to log into the system with the
assigned user name and password
The Password Administrator determines the access for all users.
Figure 1 is an example of the usage sequence. The steps shown in the
flowchart are:
Use the M-Password Worksheet found in this document.
Identify all users of the M-Series Workstation.
Define which Users need similar user privileges.
Create the Groups and User identifications.
Assign Applications and Privileges to the Groups and Users.
Delete unwanted actions from the Default Group.
Remember actions in the Default Group supersede all other Group
actions.

Figure 1: M-Password Flow Chart
Password *.sec File Tips
The following list contains helpful tips for using M-Password:
M-Series Workstations use the last *.sec file saved.
M-Password configuration prompts the user to create a password
file when making a change to the configuration, such as adding a
user or a group, when M-Password is run with the M-Series
Workstation. The default file name is untitled.sec, and it is located
in the M-Data folder. We recommend changing the location and
file name when saving. If this security file is deleted and a request
is made to create the file again, the new file is created with no
access given to the Default Group. The system administrator must
manually add access rights for all users.
Since the security system is file based, we recommend the
following:
When you launch M-Password the first time, save the default
file (change the default name) and make a copy of the file. This
process retains a copy of the original security file in case
passwords are compromised.
Start with the default file and save all changes.
Ensure the *.sec files are backed up away from the
M-Series Workstation.
All passwords and security levels are stored in the *.sec file.
If more than one M-Series Workstation uses M-Password, make
sure the *.sec file is copied to all other M-Series Workstations or
is accessible by all workstations from a common network drive.
When you OK the windows in the M-Password feature, the
changes are automatically saved in the *.sec file.
Secured Items
M-Password can control access to point (OLE for Process Control
[OPC] tags) names and file names for enabled applications. To
confirm access for the logged-in user, the application passes the point
name or file name to the password for confirmation. The application
controls access to points, alarms, and files depending on the
M-Password response. For example, the M-Graphics application uses
this information to determine read/write access restrictions.
The M-Password Application Actions Technical Bulletin
(LIT-1153175) lists all applications that are secured from within
M-Password. The M-Password Default Security File Application Note
(LIT-1201442) lists the users, groups, and application actions that are
configured for the default security file.

M-Password can protect access to the following items within the
Johnson Controls workstation system:
Application Actions - Each application supplies a list of functions
to be secured (for example, saving a file).
Files - Single files or groups of files may be protected from access
via the applications. For example, M-Graphics restricts access to
these files at Runtime mode from both the File > Open menu and
any Pick action that loads a new display.
Alarms - Single alarms may be protected from being
acknowledged by unauthorized users.
Points (OPC tags) - Access to individual OPC tags may be
protected, based on wildcards. In general, this protects write access.
Security System Administrator
The Security System Administrator defines group and user access.
When logging in as the administrator with a blank user name and the
default password, full access rights are granted. Once the Security
System Administrator box is checked on the Properties for User dialog
box (Figure 18) and the new administrator is added, the default
password is disabled. The default password remains disabled until all
designated Security System Administrators are deleted.
Advanced Mode
M-Password is available in two modes: Basic and Advanced. As the
administrator, you can create a security file in Basic mode and convert
it to Advanced mode, but you cannot convert Advanced to Basic. The
default security file is in Advanced mode. We recommend that you
always try to apply the default security file for your application.
Note: Use Advanced mode. If you choose Basic mode, you can
convert it to Advanced.
The Basic mode allows you to restrict the configuration capabilities to
a basic set of features and does not provide access to some advanced
security system configuration features. In Basic mode, you cannot:
edit the default group
access the default group at runtime
assign rights to users. In Basic mode you can only assign rights to
groups.
assign a user to more than one group. You must use the user
properties dialog box to define which group the user belongs to.
Advanced mode allows you to access all features of M-Password.
To convert from Basic mode to Advanced mode, on the View menu,
click Advanced Mode. Once you convert to Advanced mode, you
cannot revert to Basic.
Users and Groups
The main window for the M-Password configuration application
consists of two panes: the left side is the group view and the right side
is the user view.
Note: The first time you run the program, both sides are empty.

Figure 2: M-Password Configuration Screen

Table 1: M-Password Toolbar Buttons
Toolbar Button Description
Creates a new document.
Opens a document.
Saves a document.
Adds a new user.
Adds a new group.
Associates selected user and group.
* Synchronizes users and groups with the Windows NT operating system
security database.
Configures the default group and default policy.
Associates application actions with users and groups.
Not available
Displays the about dialog box.
* Supported for Metasys system for Validated Environments (MVE)
installations only.

Table 2: M-Password Menus
Menu Option Description
File
New Creates a new document.
Open Opens a document.
Save As Saves the current document.
Recent File List Lists recently opened documents.
Exit Closes M-Password.
Edit
Edit Edits selected user or group.
Rename Renames selected user or group.
Delete Deletes selected user or group.
Duplicate Makes a copy of the selected user or group.
Global Settings Configures the settings that define the behavior of the
security system for all users and the Critical Operational Data (COD)
points.
Default Group Configures Default Group options.
Application Actions Associates application actions with users and groups.
Insert
New User Adds a new user.
New Group Adds a new group.
Associate User & Group Associates selected user and group.
View
Toolbar Shows or hides toolbar.
Status Bar Shows or hides status bar.
Synchronize with NT Synchronizes users and groups with the Windows NT
operating system security database.
Basic Mode* Indicates that the configuration file is in the Basic
configuration mode. (We do not support Basic mode.)
Advanced Mode* Indicates that the configuration file is in the Advanced
configuration mode. If the file is in Basic mode, you can select this
option to convert it to Advanced mode.
Help
Help Topics Opens online help.
About Security Lists program version information.
* A bullet beside the menu item indicates the mode of your security file.


Global Settings
The Global Settings define the behavior of the security system for all
users. The Global Settings consist of three tabs: the Policy tab
(Figure 3), the Critical Points tab (Figure 5), and the Critical Alarms
tab (Figure 6).
Table 3 describes the features of the Policy tab. The Critical Points and
Critical Alarms tabs are described in the Critical Operational Data
(COD) section. COD is only supported for Metasys system for
Validated Environments (MVE) applications.

Figure 3: Global Settings Policy Tab
Table 3: Global Settings Fields
Field Description
Allow Auto NT Login* Enables users with matching user names and domain
names to be automatically logged in to the security server when the
login application is run. This feature eliminates the need for users
who have already logged in to a Windows NT Operating System (OS) domain
to enter a user name and password a second time to gain access to
M-Password.
Allow User Lists Allows the Login Dialog in the Login Application to
display a list of all users. This feature allows users to log in by
selecting the user name from a list instead of typing it in. This is
useful for touch screen systems.
Display Last User Allows the Login dialog to display the name of the
last user who successfully logged in.
Include Users Full Name in Events Records the user's full name (Full
Name field) in the Alarm and Event database.
Simultaneous Logins Allows multiple users to be logged in at the same
time from the same node. The rights granted are the sum of the rights
of all the logged in users. If this feature is not selected, when a new
user logs in while another user is already logged in, the original user
is logged out. This option is not currently supported.
NT Domain* Indicates the Domain with which M-Password synchronizes users
and Groups.
NT Synchronization Period* Indicates how often M-Password synchronizes
the names of users and groups with the Windows Operating System (OS). A
value of 0 disables the automatic synchronization with Windows NT.
Critical Points Login Period Indicates the length of time that the user
is permitted to modify the COD value. After this COD modification time
expires, the user has to log in again to modify the point.
Auto Logout Recovery The number of minutes after all security related
requests from a node have ceased (in the event that a client node
crashes) that users from that node are logged out. Range is 0 to 99
minutes, default is 2. A value of 0 disables this feature.
* These fields are only available if the Integrated NT Security feature
is active. The Integrated NT Security feature is supported for MVE
installations only.

Critical Operational Data (COD)
Note: The COD feature is supported for MVE installations only.
M-Password provides an additional level of security for selected points
called COD that requires the users to log in again to verify their
identity using the M-Password Login dialog box (Figure 27).

The COD feature is a part of the Global Settings on the Edit menu.
Using the Critical Points and Critical Alarms tabs, you can create a list
of points and alarms that require the user to log in again. Even if the
user (with permission to access the COD) is already logged in, he or
she is forced to log in again. The first dialog box (Figure 4) informs
the user that he or she needs to log in to M-Password. After selecting
Yes or No, the M-Password login dialog box appears (Figure 27). If
you click No, the initial dialog box does not appear again.

Figure 4: COD Dialog Box
The Critical Points tab (Figure 5) and the Critical Alarms tab
(Figure 6) allow you to define COD points and alarms in your system.
The two property pages are divided into two sections: Include and
Exclude. Each section contains an edit field and a list box. Press Enter
with the cursor in the edit field or click the Add button to add text to
the list box. Use the Browse button to scan OPC data points.
Refer to the Wildcards and Pattern Matching section in this document
for details on using wildcards.
Type a specific point in the test string field to see if the current user
has access. If the user has access, a check mark appears in the
Considered Critical field. If it is not considered critical, the field
remains empty.
The COD feature affects users trying to access COD points in the
following software:
M-Graphics: you cannot command a COD point without logging in
to M-Password.
M-Alarm: you cannot acknowledge a COD point without logging
in to M-Password.
N1 Schedule: you cannot enter the edit mode of the schedule of a
COD point without logging in to M-Password. If the time it takes
you to edit the schedule exceeds the COD login period, you must
log in to M-Password again to save your changes.

Figure 5: Global Settings Critical Points Tab


Figure 6: Global Settings Critical Alarms Tab
Integrated NT Security
Note: The Integrated NT Security feature is supported for MVE
installations only.
M-Password allows you to synchronize users and password policies
with a Windows 2000 computer or domain and the M-Series
Workstation. This feature provides central password management and
saves you time.
When you create a new security configuration in Advanced mode, an
Integrated NT Security dialog box (Figure 16) prompts you to choose
the computer or Domain with which to synchronize.
If you choose to synchronize M-Password with the Windows OS users
and groups, you cannot add or remove users and groups from within
M-Password. Since the operating system controls the user policy, most
of the account policy settings are hidden in this mode (Figure 7).
M-Password queries the Windows OS and keeps the users and groups
up to date. You can manually synchronize users and groups by
selecting Synchronize with NT from the View menu or by clicking the
Refresh button on the toolbar.

Figure 7: Account Policy Tab
Default Group
The system Default Group is used to assign access rights that are
granted whether any users are logged in or not. When M-Password is
first installed, the Default Group has full access to everything (all
points, alarms, files, and application actions). The first step in
configuring M-Password is to remove most, if not all, access rights
assigned to the Default Group.
Note: Configure the Default Group with minimal access rights. All
users and groups are granted all rights available in the Default Group,
plus the set of rights defined for an individual user and the set of rights
defined for any groups with which the user is associated. This is true
even when no one is logged into the system.

For example, if you exclude a point in Will's properties, but the
Default group has access to that point, Will can still access that point.
When defining a user, if the user's group has higher access rights than
that user and the default group, the access rights of the user's group
take priority over all other access rights. Similarly, if the access rights
of the user's group and default group are lower than the access rights
defined for the user, the user's access rights take priority.
When assigning access rights, consider the following:
Once you have defined users and groups, the group or user with
the highest access rights takes priority. Compare the user's access
rights to the group access rights and the default group access
rights; whichever has the highest access rights takes priority.
Exclude definitions override include definitions within an
individual assignment for any group or user.
Example: If a point is both included and excluded within a single
group's or individual user's rights, it is excluded. Points included in
the group cannot be excluded for individual users within the group.
Only points included for the individual user can be excluded in the
exclude list for that user.
Access rights for defined groups apply only in those areas not
assigned by the Default Group. Access rights for users apply only
in those areas not assigned by the Default Group or groups to
which the users belong. In other words, the rights granted by the
Default Group cannot be taken away by any other group or user.
The rights granted by a group cannot be taken away by a user.
Example: If access to all points in Building 1 is included in the
Default Group, access to Building 1 cannot be excluded by a
user-defined group or an individual user's rights.
If a user belongs to multiple groups, the user's rights are the union
of the assignments of the groups, plus the individual assignments
in areas outside those defined in the groups.
Example: No rights are assigned in the Default Group. The rights
for the Blue Group include all points but exclude Building 2, 3,
and 4. The rights for the Red Group include all points but exclude
Buildings 1, 3, and 4. If User A belongs to the Blue and the Red
Groups, the total rights for User A include individual assignments
and Buildings 1 and 2.
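The precedence rules in this section, worked as an added Python model (not Johnson Controls code): it evaluates the Blue/Red example and the "Will" example above. The point names, the Building 3 lab assignment for User A, and the use of Python's fnmatchcase in place of M-Password's own wildcard matching are constructed assumptions.

```python
"""Constructed model of how M-Password resolves access rights.

Rules taken from the Default Group section:
  * within one assignment, an Exclude entry overrides an Include entry;
  * rights granted by the Default Group cannot be taken away by any group
    or user, and rights granted by a group cannot be taken away by a user;
  * a user in several groups gets the union of those groups' rights plus
    the user's own assignments.
Python's fnmatchcase stands in for M-Password's own wildcard matching
(assumption); it agrees for the '*' patterns used below.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Assignment:
    """One Points/Alarms/Files tab: an Include list and an Exclude list."""
    name: str
    include: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)

    def grants(self, item: str) -> bool:
        included = any(fnmatchcase(item, p) for p in self.include)
        excluded = any(fnmatchcase(item, p) for p in self.exclude)
        return included and not excluded  # Exclude overrides Include


@dataclass
class SecurityFile:
    """Minimal stand-in for a *.sec file: Default Group, groups, users."""
    default_group: Assignment
    groups: Dict[str, Assignment] = field(default_factory=dict)
    users: Dict[str, Assignment] = field(default_factory=dict)
    membership: Dict[str, List[str]] = field(default_factory=dict)

    def access_granted(self, user: Optional[str], item: str) -> bool:
        """Mirror of the 'Access Granted' test-string check. user=None models
        nobody being logged in, when only the Default Group's rights apply."""
        if self.default_group.grants(item):
            return True  # nothing below can take a Default Group right away
        if user is None:
            return False
        if any(self.groups[g].grants(item) for g in self.membership.get(user, [])):
            return True  # a user-level Exclude cannot remove a group right
        return self.users[user].grants(item)


def blue_red_example() -> Dict[str, bool]:
    """The Blue/Red example: Default Group empty, User A in both groups,
    plus a constructed individual assignment for Building 3 lab points."""
    sf = SecurityFile(default_group=Assignment("Default Group"))
    sf.groups["Blue"] = Assignment("Blue", include=["*"],
                                   exclude=["Building2.*", "Building3.*", "Building4.*"])
    sf.groups["Red"] = Assignment("Red", include=["*"],
                                  exclude=["Building1.*", "Building3.*", "Building4.*"])
    sf.users["UserA"] = Assignment("UserA", include=["Building3.Lab.*"],
                                   exclude=["Building3.Lab.Hood2"])
    sf.membership["UserA"] = ["Blue", "Red"]
    # Constructed OPC-style point names, not taken from any real site.
    points = ["Building1.AHU1.Temp", "Building2.AHU1.Temp", "Building3.AHU1.Temp",
              "Building4.AHU1.Temp", "Building3.Lab.Hood1", "Building3.Lab.Hood2"]
    return {p: sf.access_granted("UserA", p) for p in points}


def will_example() -> Tuple[bool, bool, bool]:
    """The 'Will' example: a user-level Exclude cannot remove a right the
    Default Group grants. Returns (as installed, Default Group stripped,
    nobody logged in after stripping)."""
    point = "Building1.Boiler.Setpoint"  # constructed point name
    sf = SecurityFile(default_group=Assignment("Default Group", include=["*"]))
    sf.users["Will"] = Assignment("Will", include=["*"], exclude=[point])
    as_installed = sf.access_granted("Will", point)
    sf.default_group = Assignment("Default Group")  # administrator removes all rights
    stripped = sf.access_granted("Will", point)
    nobody = sf.access_granted(None, point)
    return as_installed, stripped, nobody
```

User A ends up with Buildings 1 and 2 through the two groups and only the individually included Building 3 lab points, while Will's exclusion takes effect only once the Default Group no longer grants everything.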
User and Group Properties
When the system administrator defines a group or user, the fields in
each tab listed in Table 4 must be configured in either the Properties
for User dialog box (Figure 8) or the Properties for Group dialog box
(Figure 9).

Figure 8: Example of Properties for User Dialog Box


Figure 9: Example of Properties for Group Dialog Box
Table 4: User and/or Group Property Dialog Box Tabs
Tab Description
User Properties The User Properties tab contains information about the user name, password changes,
and if this user is a security system administrator.
Group Properties The Group Properties tab contains the group name and description.
Points The Points Tab controls access to points (OPC tags) users may want to monitor and
command. Before an M-Series Workstation software application outputs a value to a
networked supervisory controller via OPC DA Server, the string that identifies the OPC
point is sent to M-Password to determine if the intended action should be allowed, based
on the current logged in users and/or the groups to which they belong.
Alarms The Alarm Tab controls whether users can acknowledge particular alarms and
messages. Before a user can acknowledge an alarm message that is displayed in the
M-Alarm Viewer, the string that identifies the alarm message is sent to the M-Password
security server to determine if this action should be allowed, based on the current logged
in users and/or the groups to which they belong.
Files The Files tab controls access to files users may open. Currently, only M-Graphics and
Screen Manager files can be protected. For example, entries here would typically be
used to restrict certain users and/or groups from picking certain graphic displays from
M-Graphics.
Time Sheet The Time Sheet tab allows time-of-day restrictions on an hourly basis for users and
groups. For selected hours, access is allowed. For non-selected hours, users can log in,
but access is denied for protected objects.
Account Policy The Account Policy tab defines how passwords are used by all user accounts, if user
accounts are automatically locked out after a series of incorrect login attempts, and if
Auto Login to M-Password through NT Login is enabled. (The system administrator must
unlock a user after a lockout.)
The base policy for the system is set in the Default Group. For users and groups other
than the Default Group, each policy can selectively be enabled and set for that user or
group. If more than one policy setting is in effect, the least restrictive is used. For this
reason, the policy set in the Default Group must be the most restrictive. Individual users
and groups can be made less restrictive than the Default but never more restrictive.
Note: Currently, Custom and Stations tabs are not used.

M-Password Login Utility
The Johnson Controls M-Password window (Advanced View) is
divided into two panes. The upper pane contains the status of the
Security Server to which the Login Utility is connected. The lower
pane contains a list of currently logged in users.


Figure 10: Johnson Controls M-Password Login Utility Window (Advanced View)
Table 5 describes the display-only fields in the upper pane of the
Johnson Controls M-Password Login Utility Window. The Logging in
as a User procedure shows the M-Password Basic view window
(Figure 27).
Table 5: Johnson Controls M-Password Window
Field Description
Security Server Location The name of the workstation where the security
server is running and to which the Login Utility is
connected. It is <local> if the security server is
running on the same workstation as the Login
Utility.
Server Start Time Date and time the security server was started.
Time is converted to the local time of the user
workstation if the security server is in a different
time zone.
Server Current Time Current date and time as reported by the security
server on the last update. Time is converted to the
local time of the user workstation if the security
server is in a different time zone.
Server Configuration File Name and path of the configuration file currently
being used by the security server.

Login Utility Preferences
The Preferences dialog box allows the user to configure login options.
Refer to Table 6 for field descriptions.

Figure 11: Preferences Dialog Box
Table 6: Preferences
Field Description
Primary Enter the name of the primary workstation to which the
Login Utility should connect in order to run the security
server. The default is <local>.
Backup Enter the name of the backup workstations to which the
Login Utility should connect in order to run the security
server. The default is <local>.
Note: Expanding the drop-down list causes a search of
all nodes on the network for installed security servers.
This may be time consuming. If known, it is faster to
enter the name of the workstation.
Auto Logout Reminder The number of minutes prior to a security server
auto logout that a user is reminded to log in again. The range is 0 to
60 minutes. Enter 0 for no pop-up reminder window.
Status Update Period The period between updates of the Server Status in the
main window. The range is 1 to 60 seconds.
Splash Screen Suppresses the initial M-Password screen that shows
company logos and trademarks.

Wildcards and Pattern Matching
The entries in the include and exclude lists on the Points, Alarms, and
Files tabs allow pattern matching. Pattern matching allows the use of
wildcard characters, character lists, or character ranges, in any
combination.

Table 7 shows the characters allowed in patterns and what they match:
Table 7: Wildcards and Pattern Matching
Characters in Pattern Matches:
? Any single character
* Zero or more characters
# Any single digit (0-9)
[charlist] Any single character in charlist
[!charlist] Any single character not in charlist

Type a specific point or file in the test string field (Figure 21) to see if
the selected user has access. If the user has access, a check mark
appears in the Access Granted field. If the user does not have access,
the field remains empty.
A group of one or more characters (charlist) enclosed in brackets ([ ])
is used to match any single character in string and includes almost any
character code, including digits.
Note: The special characters left bracket ([), question mark (?),
number sign (#), and asterisk (*) can be used to match themselves
directly only by enclosing them in brackets. The right bracket (])
cannot be used within a group to match itself, but it can be used
outside a group as an individual character.
In addition to a simple list of characters enclosed in brackets, charlist
can specify a range of characters by using a hyphen (-) to separate the
upper and lower bounds of the range. For example, [A-Z] in pattern
results in a match if the string contains any of the uppercase letters in
the range A through Z. Multiple ranges are included within the
brackets without any delimiters.
Other important rules for pattern matching include the following:
An exclamation point (!) at the beginning of charlist means that a
match is made if any character except the ones in charlist is found
in string. When used outside brackets, the exclamation point
matches itself.
The hyphen (-) can appear either at the beginning (after an
exclamation point if one is used) or at the end of charlist to match
itself. In any other location, the hyphen is used to identify a range
of characters.
When a range of characters is specified, they must appear in
ascending sort order (from lowest to highest). [A-Z] is a valid
pattern, but [Z-A] is not.
The character sequence [] is ignored.
Pattern matching is done on the file extension, separate from the
file name, to match the Disk Operating System (DOS) wildcard
semantics. For example, the wildcard *.* indicates all files.
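An added Python implementation of the Table 7 rules (not Johnson Controls code), covering ?, *, #, [charlist], [!charlist], ranges, the hyphen and bracket special cases, and the separate name/extension match for file entries. Case-sensitive matching and the reading of the DOS file rule as "split at the last dot" are assumptions, as are the sample point and file names.

```python
"""Constructed implementation of the M-Password wildcard rules in Table 7.

Assumptions beyond the bulletin: matching is case-sensitive, and the
DOS-style file rule is read as "split pattern and file name at the last
dot and match name and extension separately".
"""
from typing import Set, Tuple


def _charlist_members(charlist: str) -> Tuple[bool, Set[str]]:
    """Expand the body of a [charlist] group into (negate, members).
    Ranges use '-' and must be ascending; a hyphen at the start (after a
    leading '!') or at the end matches itself."""
    negate = charlist.startswith("!") and len(charlist) > 1
    body = charlist[1:] if negate else charlist
    members: Set[str] = set()
    k = 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            lo, hi = body[k], body[k + 2]
            if lo > hi:
                raise ValueError(f"range [{lo}-{hi}] is not in ascending order")
            members.update(chr(o) for o in range(ord(lo), ord(hi) + 1))
            k += 3
        else:
            members.add(body[k])
            k += 1
    return negate, members


def match_pattern(pattern: str, text: str) -> bool:
    """True if text matches pattern under the Table 7 rules (points, alarms)."""
    if not pattern:
        return text == ""
    c = pattern[0]
    if c == "*":
        # Zero or more characters: try every split point; patterns are short.
        return any(match_pattern(pattern[1:], text[k:]) for k in range(len(text) + 1))
    if c == "[":
        if pattern.startswith("[]"):
            return match_pattern(pattern[2:], text)  # the sequence [] is ignored
        close = pattern.find("]", 1)                  # ']' cannot appear inside a group
        if close < 0:
            raise ValueError("unterminated [charlist] in pattern")
        negate, members = _charlist_members(pattern[1:close])
        if not text or (text[0] in members) == negate:
            return False
        return match_pattern(pattern[close + 1:], text[1:])
    if not text:
        return False
    if c == "?":
        ok = True
    elif c == "#":
        ok = "0" <= text[0] <= "9"
    else:
        ok = c == text[0]  # '!', ']' and '-' outside a group match themselves
    return ok and match_pattern(pattern[1:], text[1:])


def is_valid_pattern(pattern: str) -> bool:
    """Report whether every [charlist] in the pattern is well formed
    (terminated, ranges ascending) without matching any text."""
    i = 0
    try:
        while i < len(pattern):
            if pattern[i] == "[" and not pattern.startswith("[]", i):
                close = pattern.find("]", i + 1)
                if close < 0:
                    raise ValueError("unterminated [charlist] in pattern")
                _charlist_members(pattern[i + 1:close])
                i = close + 1
            else:
                i += 1
    except ValueError:
        return False
    return True


def _split_ext(name: str) -> Tuple[str, str]:
    head, sep, tail = name.rpartition(".")
    return (head, tail) if sep else (name, "")


def match_file(pattern: str, filename: str) -> bool:
    """File entries: name and extension are matched separately (DOS
    semantics), so '*.*' matches every file and '*.gdf' one extension."""
    pname, pext = _split_ext(pattern)
    fname, fext = _split_ext(filename)
    return match_pattern(pname, fname) and match_pattern(pext, fext)
```

Running a candidate entry through is_valid_pattern before adding it to an include or exclude list catches the [Z-A] case the text calls invalid.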
Application Actions
M-Password allows system administrators to grant or deny access to
specific applications and applications functions.
Figure 12 is an example of the Actions/Users Association dialog box.
The items on the left tree control are the Johnson Controls application
names. The child items of the application names are the application
functions that can be protected. The items in the tree control on the
right are the users and groups defined in the M-Password database.
The child items of the users and groups are the application names and
actions enabled for that user or group.
Note: When M-Password is first installed, the Default Group has
full access to everything. You must configure the Default Group with
minimal access rights. Remove most, if not all, access rights assigned
to the Default Group.
All users and groups are granted all rights available in the Default
Group, plus the set of rights defined for an individual user.

Figure 12: Actions/Users Association Dialog Box
Note: Each Johnson Controls client provides a list of application
functions that can be protected through M-Password. Refer to
M-Password Application Actions Technical Bulletin (LIT-1153175) for
specific application actions that are protected.

Security Login Reminder
The Johnson Controls M-Password Reminder dialog box (Figure 13)
indicates the amount of time remaining before auto logout occurs. The
dialog box appears after the interval obtained by subtracting the number
of minutes entered in the Auto Logout Reminder field of the Login
Utility Preferences dialog box (Figure 11) from the time entered in the
Logout In minutes field of the Properties for User Dialog Box: Account
Policy Tab (Figure 25). For example, if 20 is entered in the Logout In
minutes field and 12 is entered in the Auto Logout Reminder field, the
reminder appears 8 minutes before Auto Logout occurs.

Figure 13: M-Password Reminder Dialog Box
Table 8: M-Password Reminder Dialog Box
Field                      Description
Dismiss                    Closes the dialog box; the user is not reminded again.
Postpone                   Postpones the reminder by the number of minutes the user enters.
Login Now                  Allows a system login, which resets the auto logout timer.
Click Postpone to be       Enter the number of minutes until the reminder reappears.
reminded again in x
minutes

Auto Login to Security Server from the Windows NT/Windows 2000
Operating System Logon
M-Password supports automatic login to M-Password from the
Windows NT/Windows 2000 Operating System logon. To use this feature,
the Windows NT workstation must be a member of a Windows NT domain,
and the M-Password user name must match the user name in the
Windows NT Security Account Manager (SAM) database. Administrators are
responsible for keeping the user names in M-Password and in the
Windows NT SAM the same. The passwords do not have to match, because
the operating system logon is what is trusted.
When a Windows NT domain user is logged in to a Windows NT
workstation and a matching user name and domain name exist in the
M-Password database for that user, the user is logged in to M-Password
automatically when the Login application is launched.
Note: Once a user is granted the Allow Auto NT Logon option, he or
she must log out using the Windows NT logout. Logging out of M-Password
alone does not disable Auto Logon, so the workstation is left
unsecured: anyone who launches the Login application at that workstation
is logged in to M-Password as that user.
M-Password Worksheet Example
The following example of an M-Password worksheet is used to record
and manage user access.
Security File Name
*.SEC File Name: ____________.SEC

Name Analysis
Person's Name         User Name         Password*         Group Name
Administrator:        ________          ________          ________
* Passwords are case sensitive and spaces are not allowed. M-Password has no association with the
passwords in the N30 Supervisory Controller or in the Network Control Module (NCM) Supervisory Controller.
Access and Privileges Analysis
Account policy tips:
Follow your Information Technology department's login account
standards.
Keep options the same for all users and groups.
Keep in mind that M-Password uses the least restrictive of all
options when users log in. Set the Default Group and groups as the most
restrictive and then relax individual users as needed; a user can only
be made less restrictive than the Default Group, never more.

Worksheet columns: User Name and Group; Application Associations; User
Properties; Points; Alarms; Files; Time Sheet; Account Policy (blank
indicates unchecked). Complete one entry per user or group.

User Name and Group: ____________________
Application Associations:
    BACnet_OPC = ______
    CF-Connect = ______
    M3HCI = ______
    M-Authorize = ______
    M-Collector = ______
    M-Explorer = ______
    M-Graphics = ______
    M-Terminal = ______
    M-Trend = ______
User Properties:
    Change P/W on Login [ ]
    User cannot change P/W [ ]
    Security Administrator [ ]
Points: ______    Alarms: ______    Files: ______    Time Sheet: ______
Account Policy:
    Max P/W Age = __ Days
    Min P/W Age = __ Days
    P/W Length = __ Characters
    P/W Uniqueness = __ Unique P/Ws
    Account Lockout = _3_ Bad Attempts
    Auto Logout = __ Minutes


Default Group Analysis
M-Password uses the least restrictive (group or user) option when
users log in. We recommend setting groups with more restrictions
and setting users with fewer restrictions.
Columns: Applications; Properties; Points; Alarms; Files; Account Policy.
Applications:
    BACnet_OPC = ______
    CF-Connect = ______
    M3HCI = ______
    M-Authorize = ______
    M-Collector = ______
    M-Explorer = ______
    M-Graphics = ______
    M-Terminal = ______
    M-Trend = ______
Properties: ______    Points: ______    Alarms: ______    Files: ______
Account Policy:
    Max P/W Age = __ Days
    Min P/W Age = __ Days
    P/W Length = __ Characters
    P/W Uniqueness = __ Unique P/Ws
    Account Lockout = _3_ Bad Attempts
    Auto Logout = __ Minutes
    Simultaneous Logins = [ ] yes/no

Detailed Procedures
When configuring M-Password options, the security system
administrator must log in first. We recommend adding users and
groups, editing the Default Group so that it has minimum access rights,
and selecting at least one new user as the security system administrator.
Logging in as Administrator
To log in as administrator:
1. Select Start > Programs > Johnson Controls > M-Password >
Configuration. The Johnson Controls M-Password Administrator
Login dialog box appears (Figure 14).

Figure 14: Johnson Controls M-Password Administrator Login
Dialog Box
2. Leave the user name blank, and enter JCI as the password
(passwords are case sensitive). This is the default administrator
password. Currently the Challenge field is not used.
3. Click OK.
Notes: Passwords are case sensitive.
Once a new administrator is defined, the default password is
disabled. Define one as soon as the security file is created: the
default password is published in this bulletin, so any security file
that still accepts it can be opened and edited by anyone who can run
the Configuration program.

When you save changes to the M-Password configuration file (.sec),
we recommend choosing a new name for the file. Future sessions
automatically load this file on startup.

Editing the Default Security File
Note: For standard M-Series Workstation applications (M3, M5, and
Metasys system Web Access [MWA]), we recommend that you use the
default security file that is provided with the M-Series Workstation
software to set up the security system for your application.
Table 9: Default Security File Names
Application                  Default Security File Name
MVE                          default.sec
M5 SAES or SAOS              default.sec
M3 or M5 Workstation         mseries.sec
MWA                          mseries.sec

To edit the default security file:
1. On the Start menu, click Programs > Johnson Controls >
M-Password > Configuration. The Johnson Controls M-Password
Administrator Login dialog box appears.
2. Enter user name and password. The Configurator program appears.
3. Edit the Users and Groups as necessary as described in this
document.
4. On the File menu, click Save As. The Save As dialog box appears.
5. Type the desired file name, and click Save.
If you cannot edit the default security file, create a new file using the
steps in the next section.
Creating a New Security File
Note: Use the default file, unless it is necessary to create a new file.
To create a new security file:
1. On the File menu, click New. The Security Server dialog box
appears (Figure 15).

Figure 15: Security Server Dialog Box
2. Click No to create it in Advanced mode. The Integrated NT Security
dialog box appears (Figure 16).
Note: Use Advanced mode. If you choose Basic mode, you can
convert it to Advanced.

Figure 16: Integrated NT Security Dialog Box
3. Click Cancel. The Save As dialog box appears (Figure 17).
Note: If you are creating a new security file for an MVE
installation, complete the dialog box by performing one of the options
according to Table 10.
Table 10: Integrate NT Security Options
Option                            Results
Click Cancel                      Creates a new security file without
                                  synchronizing users and groups between
                                  M-Password and the Windows OS.
Select Local Computer             Synchronizes the users and groups between
                                  M-Password and the Windows OS.
                                  Note: Auto login with an NT user ID can only
                                  be done with domain user accounts.
Select Domain and type the        Synchronizes the users and groups between
domain name                       M-Password and the network domain you type.



Figure 17: Save As Dialog Box
4. Type a name for the file and click Save.
Adding a User or Group
To add a user or group:
1. Select Insert > New User or Insert > New Group. A new entry
appears in M-Password with the name New User or New Group.
The Properties dialog box appears for a new user (Figure 18) or
group (Figure 20).

Figure 18: Properties for User Dialog Box: User Properties Tab
2. Click Preferences. The User Preference Properties dialog box
appears (Figure 19).


Figure 19: User Preference Properties Dialog Box
Note: Only the M5 Workstation software uses the Screen Manager
tab.
3. On the M5 Workstation only, select a default layout for Screen
Manager. M5 Workstation software loads this default layout when
this user logs in to the system.
Notes: This is the default layout used when a user logs in to the
workstation and is different from the default layout or slide show used
when no user is logged in.
On all M-Series Workstations, if you are using a language other than
English, select the Language tab and choose the language preference from
the drop-down list. The Language Installation Program installs the
appropriate language files, and the drop-down list is populated with the
installed languages.
4. Fill in the fields in each of the tabs. Refer to the User Properties
Tab, Group Properties Tab, Points Tab, Alarms Tab, Files Tab,
Time Sheet Tab, and Account Policy Tab sections for detailed
descriptions of the fields in each tab.
M-Password does not support the Custom and Stations tabs.
5. Click OK.
User Properties Tab
Figure 18 shows an example of the User Properties Tab. Refer to
Table 11 for details.
Table 11: User Properties
Field                        Description
User Name                    Short name (no spaces) the user types when logging on to the system.
Full Name                    User's full name; optional.
Description                  For information only; optional.
Password                     Password the user must type to log in. The default is blank.
                             Note: This field is case sensitive. Use caution when typing the
                             password. The software accepts spaces when you type them, but
                             spaces are not allowed in a password.
Verify Password              If you change the Password field, you must retype the exact
                             password in this field.
NT Domain                    If the security system supports the Auto Login to the Security
                             Server from NT Login feature, use this field to identify the NT
                             domain the user belongs to.
User Must Change Password    When checked, the user must change his or her password at the
at Next Logon                next logon. This is often used when a new user is created: the
                             administrator enters a default password for the new user and
                             checks this field so that a real password must be entered on
                             first logon.
User Cannot Change           When checked, only the M-Password administrator can change the
Password                     user's password, from this dialog box.
Account Disabled             Checking this field has the same effect as deleting the user
                             without the permanence of an actual delete. This can be used to
                             disable a user temporarily, for example during a holiday or an
                             extended leave of absence.
Account Locked Out           This field is normally unchecked and disabled. Should the account
                             become locked out, the field is enabled and checked. From here,
                             the administrator can uncheck the field to re-enable the user
                             login.
Security System              When checked, this user is allowed to log in as a security system
Administrator                administrator and configure all aspects of the security system.
                             Once an administrator is defined, the default administrator
                             password is disabled.
Preferences Button           Opens the User Preference Properties dialog box, in which default
                             layouts and the language can be chosen.


Group Properties Tab
Figure 20 shows an example of the Group Properties tab. Refer to
Table 12 for details.

Figure 20: Properties for Group Dialog Box: Group Properties Tab
Table 12: Group Properties Tab
Field Description
Group Name Short name (no spaces) that uniquely identifies this group within
the system.
Full Name Full name for this group. For information only, optional.
Description For information only, optional.

Points Tab
The Points property page is divided into two sections: Include and
Exclude (Figure 21). Each section contains an edit field and a list box.
Pressing Enter with the cursor in the edit field or clicking the Add
button adds text to the list box. Use the Browse button to scan OPC
data points.
Note: If you leave the fields blank, no access is granted. Typing *
and clicking Add grants access to everything.
Refer to the Wildcards and Pattern Matching section in this document
for details on using wildcards.
When an application sends an OPC point string to M-Password for
access testing (granted or denied), the include/exclude lists are
evaluated as follows for each active user and group (the Default Group,
the user, and each group the user belongs to) until one of them grants
access. The OPC point string is compared with each string in the
include list until a match is found; if no include entry matches, that
user or group does not grant access. If an include entry matches, the
point string is compared with the exclude list of the same user or
group, and a match there removes the grant from that user or group
only. If no user or group grants access, access is denied.
Exclude list entries can therefore only remove rights granted in their
own include list; they cannot remove a right granted by another user
or group. For example, if user Glenn belongs to group operators and
operators grants access to OPC point xy*, adding point xyz to Glenn's
exclude list does not take away Glenn's access to the point, because
operators still grants it. For the exclusion to work, Glenn's own
include list must contain xy* and xyz must be added to Glenn's exclude
list (and no group Glenn belongs to may still grant xy*).
If you wish to restrict access to specific points, enter *.* in
the Include list and enter the restricted points in the Exclude list. But,
if you have *.* in the Include list, and enter the Metasys software and
M-Explorer executable files in the Exclude list, you will not be able to
access these software programs from the M5 Screen Manager
command bar. If you have *.* in the Include list and enter nothing in
the Exclude list, you will have access to all points and software
programs.
Excluding points has the following effects:
In M-Graphics, the Exclude command removes only write access
to those points. Read access is not excluded.
M-Explorer cannot launch M-Inspector for a restricted OPC point.
Type a specific point in the test string field to see if the current user
has access. If the user has access, a check mark appears in the Access
Granted field. If the user does not have access, the field remains
empty.

Note: All users and groups, including system users that are not
logged in, are granted all rights available in the Default Group, plus
the set of rights defined for an individual user. The highest access
rights, either of the user or group, supersede all other rights.

Figure 21: Properties for User Dialog Box: Points Tab
Alarms Tab
The Properties for Users dialog box: Alarms Tab (Figure 22) is used to
control access to which alarms users or groups can acknowledge.
Notes: If you leave the fields blank, no access is granted. Typing *
and clicking Add grants access to everything.
All users and groups, including system users that are not
logged in, are granted all rights available in the Default Group, plus
the set of rights defined for an individual user. The highest access
rights, either of the user or group, supersede all other rights.
Refer to the Wildcards and Pattern Matching section in this document
for details on using wildcards.

Figure 22: Properties for User Dialog Box: Alarms Tab
Files Tab
The Properties for Users dialog box: Files Tab (Figure 23) is used to
control access to files.
Notes: M-Graphics and Screen Manager restrict access to these files
in Runtime mode from both the File > Open menu and any Pick action
that loads a new display. No other M-Series Workstation applications
currently support the file option.
If you leave the fields blank, no access is granted. Typing
*.* and clicking Add grants access to everything.

Note: If you wish to restrict access to specific files, enter *.* in the
Include list and enter the restricted points in the Exclude list. But, if
you have *.* in the Include list, and enter the Metasys software and
M-Explorer executable files in the Exclude list, you will not be able to
access these software programs from the M5 Screen Manager
command bar. If you have *.* in the Include list and enter nothing in
the Exclude list, you will have access to all files and software
programs.
Refer to the Wildcards and Pattern Matching section in this document
for details on using wildcards. The wildcard pattern matching applies
to files with the following differences:
The pattern matching is done on the file extension, separate from
the file name to match the DOS wildcard semantics. For example,
the wildcard *.* indicates all files.
File names entered without a path are considered a match,
regardless of the directory in which they are located.
Note: All users and groups, including system users that are not
logged in, are granted all rights available in the Default Group, plus
the set of rights defined for an individual user. The highest access
rights, either of the user or group, supersede all other rights.
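The following Python program is an added example written for this bulletin; it is not Johnson Controls code. It implements the include/exclude evaluation described in the Points tab and Files tab sections together with the wildcard grammar from the Wildcards and Pattern Matching section, and runs the Glenn/operators/xy* case to show why an exclude entry on one user or group cannot undo a grant coming from another. Two details are assumptions rather than statements of the bulletin: comparisons are case-insensitive, and ? matches any single character (VB Like semantics). The point strings, file names, and every name other than Glenn, operators and Default Group are constructed.

```python
"""Include/exclude evaluation for OPC point names and file names, following
the Points tab and Files tab text. Added example, not Johnson Controls code."""
import re
from dataclasses import dataclass, field
from typing import Callable, List


def like_to_regex(pattern: str) -> str:
    """Translate one wildcard pattern into an anchored regular expression.
    Handles '*' (any run), '?' (one character; assumed, VB Like style),
    '[abc]' / '[a-z]' sets, '[!abc]' negated sets, a literal '-' at the
    start or end of a set, and '[]', which the bulletin says is ignored."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:                      # no closing bracket: literal '['
                out.append(re.escape(c))
            elif j == i + 1:                 # '[]' is ignored
                i = j
            else:
                body = pattern[i + 1:j]
                negate = body.startswith("!")
                body = body[1:] if negate else body
                # keep '-' unescaped so ranges such as A-Z survive
                body = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
                out.append("[" + ("^" if negate else "") + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def match_point(pattern: str, point: str) -> bool:
    """Match an OPC point string against one include/exclude entry
    (case-insensitive comparison is an assumption)."""
    return re.match(like_to_regex(pattern), point, re.IGNORECASE) is not None


def _split_ext(name: str):
    base, dot, ext = name.rpartition(".")
    if not dot or re.search(r"[\\/]", ext):  # a dot inside a directory name
        return name, ""
    return base, ext


def match_file(pattern: str, path: str) -> bool:
    """Files tab rules: name and extension are matched separately, as in DOS
    ('*.*' matches every file, a bare '*' only extensionless files), and a
    pattern without a directory part ignores the file's directory."""
    subject = path if re.search(r"[\\/]", pattern) else re.split(r"[\\/]", path)[-1]
    pat_base, pat_ext = _split_ext(pattern)
    sub_base, sub_ext = _split_ext(subject)
    return match_point(pat_base, sub_base) and match_point(pat_ext, sub_ext)


@dataclass
class Principal:
    """A user, a group, or the Default Group; blank lists grant nothing."""
    name: str
    include: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)


def principal_grants(p: Principal, subject: str,
                     match: Callable[[str, str], bool]) -> bool:
    """One principal grants access if an include entry matches and no entry
    in that same principal's exclude list matches."""
    if not any(match(pat, subject) for pat in p.include):
        return False
    return not any(match(pat, subject) for pat in p.exclude)


def access_granted(subject: str, principals: List[Principal],
                   match: Callable[[str, str], bool] = match_point) -> bool:
    """Default Group, user and groups are checked in turn; the first one that
    grants wins, so an exclude never overrides another principal's grant."""
    return any(principal_grants(p, subject, match) for p in principals)


def glenn_example() -> dict:
    """The Glenn / operators / xy* case from the Points tab text."""
    default_group = Principal("Default Group")            # stripped to nothing
    operators = Principal("operators", include=["xy*"])
    glenn = Principal("Glenn", exclude=["xyz"])
    chain = [default_group, glenn, operators]
    ineffective = access_granted("xyz", chain)            # operators still grants
    # The grant and the exclusion must sit on the same principal, and no
    # other principal may still grant the point.
    operators.include = []
    glenn.include = ["xy*"]
    return {
        "exclude_on_other_principal": ineffective,                   # True
        "exclude_on_same_principal": access_granted("xyz", chain),   # False
        "other_xy_points_kept": access_granted("xyq", chain),        # True
    }
```

Running glenn_example() shows the trap the text warns about: the first evaluation still returns True because rights are a union across principals. The same union is why a Default Group that was never stripped of its rights defeats every per-user exclusion.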

Figure 23: Properties for User Dialog Box: Files Tab

Time Sheet Tab
The Time Sheet tab allows time-of-day restrictions on an hourly basis
for users and groups. For hours selected (highlighted), access is
allowed. For deselected hours, access is denied. Figure 24 depicts a
configuration that allows access from 7 A.M. to 5 P.M., Monday
through Friday.
Notes: Clicking an hour selects that hour and deselects all others.
Hold down the Ctrl key while clicking to select or deselect further
hours one at a time without changing the rest.
The user is allowed to log in only during the selected hours, and
M-Password controls access to restricted objects during this time.

Figure 24: Properties for User Dialog Box: Time Sheet Tab
Account Policy Tab
The Account Policy tab fields control how passwords are used by user
accounts, and whether user accounts are automatically locked out after
a series of incorrect login attempts (Figure 25). Table 13 describes the
Account Policy tab fields.
The base policy (that is, the most restrictive) for the system is set in
the Default Group. For users and groups other than the Default Group,
each policy can be selectively enabled and set for that user or group.
Note: Each user has at least two policy settings, the Default Group
and the User, and the least restrictive policy setting is used. For this
reason, the policy set in the Default Group must be the most
restrictive. You can make individual users and groups less restrictive
than the Default Group, but never more restrictive.

Figure 25: Properties for User Dialog Box: Account Policy Tab

Table 13: Account Policy Tab Fields
Field                      Description
Maximum Password Age       The time limit for a password, after which the user must change to
                           a new password. The range is 1 to 999 days.
Minimum Password Age       The period of time a password must be in effect before the user can
                           change it. The range is 1 to 999 days.
                           Note: Do not allow immediate changes if a Password Uniqueness value
                           is entered; otherwise a user can cycle through new passwords in one
                           sitting and return to the old one.
Minimum Password Length    The fewest characters a password can contain. The range is 5 to
                           14 characters.
Password Uniqueness        The number of new passwords a user account must use before an old
                           password can be reused. The range is 1 to 24 passwords.
                           Note: For uniqueness to be effective, specify a Minimum Password
                           Age (do not select Allow Immediate Changes).
Account Lockout            If selected, the account is locked out when too many incorrect
                           login attempts are made on it. A locked account cannot log in.
                           If you select Account Lockout, do the following:
                           In Lockout After, enter the number of incorrect login attempts
                           that cause the account to be locked. The range is 1 to 999.
                           In Reset Count After, enter the number of minutes that must pass
                           between any two login attempts for the attempt count to be reset,
                           so that a lockout does not occur. The range is 1 to 99999.
No Account Lockout         When selected, user accounts are never locked out, no matter how
                           many incorrect login attempts are made.
Lockout Duration           Click Duration and enter the number of minutes locked accounts
                           remain locked before automatically becoming unlocked. The range
                           is 1 to 99999.
                           or
                           Select Forever to keep locked accounts locked out until an
                           administrator unlocks them.
Auto Logout                If selected, the number of minutes from the time of user login
                           before the system automatically logs the user off. The range is
                           1 to 999 minutes. Note that this is measured from the time the
                           user logs in, not from user inactivity at the workstation.
                           Note: Make sure the Auto Logout time period set for the Default
                           Group is less than the Auto Logout time period set for the users.
Password Complexity        Allows M-Password to mimic the Windows NT operating system's test
                           for password complexity. If you select Password Complexity, the
                           user's or group's password must:
                           not contain all or part of the user's name
                           be at least 6 characters long
                           contain at least one character from three of the following four
                           categories, at the user's discretion:
                           1. Alphabetic uppercase (A through Z)
                           2. Alphabetic lowercase (a through z)
                           3. Base 10 digits (0 through 9)
                           4. Non-alphanumeric characters (for example, !, $, #, %)
Logout Password            If selected, the user must enter a password to log out.
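The following Python code is an added example, not Johnson Controls code; it shows how the rules of Table 13 combine when a password is changed and when logins fail. The bulletin gives ranges and rules but no algorithm, so three details are assumptions: "part of the user's name" is read as any run of three or more letters or digits from the user name, compared case-insensitively (the way Windows applies the same rule); the Reset Count After window is measured from the previous failed attempt; and old passwords are kept as SHA-256 digests for the uniqueness check. The user names and passwords in the code are constructed.

```python
"""Account policy enforcement in the style of Table 13. Added example, not
Johnson Controls code; the bulletin gives ranges and rules, not an algorithm."""
import hashlib
import math
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccountPolicy:
    min_length: int = 5                  # Minimum Password Length (5 to 14)
    complexity: bool = True              # Password Complexity (NT-style test)
    uniqueness: int = 0                  # Password Uniqueness (1 to 24); 0 = off
    lockout_after: int = 3               # Lockout After n bad attempts; 0 = No Account Lockout
    reset_count_after: int = 30          # Reset Count After, minutes
    lockout_duration: Optional[int] = 30 # minutes; None = Forever (administrator unlocks)


@dataclass
class Account:
    user_name: str
    history: List[str] = field(default_factory=list)  # digests of old passwords, newest last
    bad_attempts: int = 0
    last_failure: Optional[float] = None              # minute of the last failed login
    locked_until: Optional[float] = None              # minute; math.inf means Forever


def _digest(password: str) -> str:
    # Enough to recognise reuse in an example; a real store salts and stretches.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password: str, user_name: str, policy: AccountPolicy) -> List[str]:
    """Return every rule the candidate password breaks (empty list means OK)."""
    problems = []
    if " " in password:
        problems.append("spaces are not allowed")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity:
        if len(password) < 6:
            problems.append("complexity requires at least 6 characters")
        # "all or part of the user's name": assumed to mean any run of three or
        # more letters/digits from the user name, case-insensitively.
        for token in re.findall(r"[a-z0-9]{3,}", user_name.lower()):
            if token in password.lower():
                problems.append(f"contains part of the user name ({token!r})")
                break
        categories = (
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        )
        if sum(categories) < 3:
            problems.append("needs characters from three of the four categories")
    return problems


def change_password(acct: Account, policy: AccountPolicy, new_password: str) -> List[str]:
    """Apply the complexity and uniqueness rules; record the password on success."""
    problems = password_problems(new_password, acct.user_name, policy)
    recent = acct.history[-policy.uniqueness:] if policy.uniqueness else []
    if _digest(new_password) in recent:
        problems.append(f"reuses one of the last {policy.uniqueness} passwords")
    if not problems:
        acct.history.append(_digest(new_password))
    return problems


def record_failed_login(acct: Account, policy: AccountPolicy, now: float) -> bool:
    """Count a bad attempt; return True if the account is now locked out.
    The count restarts once Reset Count After minutes have passed since the
    previous failure (assumption about where the window is anchored)."""
    if policy.lockout_after == 0:                       # No Account Lockout
        return False
    if acct.last_failure is not None and now - acct.last_failure >= policy.reset_count_after:
        acct.bad_attempts = 0
    acct.bad_attempts += 1
    acct.last_failure = now
    if acct.bad_attempts >= policy.lockout_after:
        acct.locked_until = (math.inf if policy.lockout_duration is None
                             else now + policy.lockout_duration)
        return True
    return False


def is_locked(acct: Account, now: float) -> bool:
    """Lockout Duration: locked until the minute passes, or forever."""
    return acct.locked_until is not None and now < acct.locked_until
```

Note what the lockout counter does with Reset Count After: an attacker who spaces guesses wider than that window never trips the lockout, so the value should be chosen together with Lockout After rather than left at a default, and with Forever the recovery path is an administrator unchecking Account Locked Out in the User Properties tab.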

Editing a User or Group
To edit a user or group:
1. Select a user or group.
2. Either press Enter, double-click on the user, right-click and select
Edit, or select Edit >Edit. The Properties dialog box appears for
the selected user (Figure 18).
3. Fill in the fields in each of the tabs. Refer to the User Properties
Tab, Points Tab, Alarms Tab, Files Tab, Time Sheet Tab, and
Account Policy Tab sections for detailed descriptions of the fields
in each tab.
4. Click OK.
Note: Currently M-Password does not use the Custom or
Stations tabs.
Deleting a User or Group
To delete a user or a group:
1. Select a user or group.
2. Either press the Delete key, right-click and select Delete, or select
Edit >Delete.
Note: If you delete a user in the group tree or a group in the user
tree, you disassociate the group from the user but do not actually
delete it.
Editing the Default Group
When M-Password is first installed, the Default Group has
full access to everything. You must configure the Default Group with
minimal access rights. Remove all, if not most, access rights assigned
to the Default Group.
To edit the Default Group:
Select Edit >Default Group. The same property sheets to edit ordinary
groups are used for the Default Group with the following differences:
There is no Time Sheet tab. Default access is valid for all hours.
Account Policy must be set in the Default Group, and there is
one additional field: Simultaneous Logins. Currently simultaneous
logins are not supported in M-Password.
Associating Users and Groups
To associate users and groups:

1. Select a Group in the left pane of the main window. Select a User
in the right pane of the main window.
2. Select Insert >Associate User and Group, or right-click and select
Associate User and Group.
When a user and group are associated, the user appears as an item
under the group in the left pane and the group appears under the user
in the right pane.
Removing Associations
Note: This operation never deletes the user or group. Only the
association is removed.
To remove associations:
1. Select the user under the desired group in the left pane or select a
group under the desired user in the right pane.
2. Press the Delete key.
Assigning Application Actions
To assign application actions:
1. Select Edit >Application Actions. The Actions/Users Association
dialog box appears (Figure 26).

Figure 26: Actions/Users Association Dialog Box
Note: Each Johnson Controls application provides a list of
application functions that can be protected through M-Password. Refer
to the M-Password Application Actions Technical Bulletin (LIT-1153175)
for the specific application actions that are protected. This list may
display applications that are not installed on your system. Adding or
removing actions that belong to uninstalled applications does not
affect your system.
2. From the list of applications on the left, select a specific function
or entire application. Click on the +sign to expand the details of
each application.
3. From the list on the right, select the user or group that should have
access. Click on the +sign to show all allowed actions currently
assigned to the user or group.
4. Click the Move button to assign the selected applications.
Note: To add all application actions, right-click on the user or
group name, and select add all actions from the pop-up menu.
5. Click OK.
Removing Application Actions
To remove application actions:
1. In M-Password, select Edit >Application Actions.
2. Select a user or group name or select the application name or
function and press the Delete key.
To remove all application actions, right-click on the user or
group name and select remove all actions from the pop-up menu.
This operation never deletes the User, Group, or application function.
Only the association is removed.
Logging In as a User
To log in as a user:
1. Select Start > Programs > Johnson Controls > M-Password >
Login. The Johnson Controls M-Password Login dialog box
appears (Figure 27).

Figure 27: Johnson Controls M-Password Security Login Dialog Box
(Basic View)
2. Enter the User Name and Password.
Notes: Passwords are case sensitive; no spaces are allowed.
Click Keypad to display a keypad that can be used to enter the user
name and password.
To see who is currently logged in, click the Advanced button.
The Advanced button can be enabled or disabled from the
Application Actions option by adding or removing the Login action.
If the currently logged in user has access to the Login application, it
takes a few seconds to enable the Advanced button when launching the
Login utility.
3. Click OK. After a successful login, this dialog box is hidden.
Changing a Password as a User
This procedure is for users. Security system administrators
change passwords in the User Properties dialog box.
To change a password as a user:
1. Select Start > Programs > Johnson Controls > M-Password >
Login. The Johnson Controls M-Password Login dialog box
appears (Figure 27).
2. Click Change Password. The Change Password dialog box appears
(Figure 28).

Figure 28: Change Password Dialog Box
3. Enter the old password, new password, and confirmation of the
new password.
4. Click OK.
Editing the Default Group to Allow Auto NT Login
To edit the Default Group to allow Autologin:
1. Verify that the Windows NT workstation is a member of a domain.
On the Start menu, click Control Panel. Open the Network
property sheet, click the Change button. The Identification
Changes dialog box (Figure 29) appears. If the workstation is a
member of a domain, the domain name appears in the Member of
Domain field.

Figure 29: Identification Changes Dialog Box
2. On the Edit menu, select Global Settings. The Global Settings
dialog box appears (Figure 3).
3. On the Policy tab, select Allow Auto NT Login.
4. Click Apply.

Enabling a User for Auto NT Login
To enable a user for Auto NT Login:
1. Add a User following the instructions in the Adding a User or
Group section of this document.
2. On the User Properties tab, the NT Domain name appears in the
NT Domain field. The Domain name must match the Domain in
the Identification Changes dialog box (Figure 29).

Figure 30: Properties for User Dialog Box: User Properties Tab
3. Enter the User Name. This name must match the Windows NT
User Name.
4. Continue the instructions in the Adding a User or Group section of
this document.
Logging Out
To log out:
Note: You can also log out from the M-Password Login dialog box
in the Basic view (Figure 27).
1. On the User menu of the Johnson Controls M-Password window in
the advanced view (Figure 10), click Logout. The M-Password
window remains open.
2. To exit M-Password, on the User Menu, click Exit.



Controls Group
507 E. Michigan Street
P.O. Box 423 www.johnsoncontrols.com
Milwaukee, WI 53201 Published in U.S.A.
Metasys is a registered trademark of Johnson Controls, Inc.
All other marks herein are the marks of their respective owners.
2006 Johnson Controls, Inc.
