Active directory for user authentication in a historization system
Abstract
A user authentication system enables control of access to historian data through a historian application. The user authentication system creates a user authentication directory for storing user authentication information. The system populates the directory with user authentication information. The system links the directory to a historian application and receives credential data from a user. The system grants access to the historian application when it determines that the credential data from the user matches a portion of the user authentication information on the directory.
9 Claims
1. A user authentication system comprising:
- a processor;
- a memory device coupled to the processor;
- processor-executable instructions stored on the memory device and executed on the processor, said instructions comprising;
- instructions for registering a main directory within a historian application;
- instructions for creating a plurality of active directories and assigning a domain to each active directory, wherein each active directory and the domain assigned thereto are associated with a tenant having its own set of users and access rules, wherein each active directory stores user credentials for controlling access to the historian application by the users thereof, and wherein the active directories are separate from each other;
- instructions for populating a first active directory of the plurality with user authentication information for a user of the historian application upon the user being added to the domain assigned to the first active directory;
- instructions for assigning a tenant identifier to the first active directory, the tenant identifier identifying a group of users associated with the first active directory;
- instructions for linking the first active directory to the historian application through the main directory by adding an application identifier to the first active directory, wherein the application identifier identifies the historian application as having access thereto controlled by the first active directory, and wherein the historian application is associated with a process control system;
- instructions for redirecting a web browser to open a login page from the first active directory upon receiving a sign-in request for a historian storage associated with the first active directory, wherein one or more of the tenants are allowed access to the historian storage;
- instructions for receiving credential data for the first active directory from the user;
- instructions for generating a first token when the credential data matches a portion of the user authentication information, wherein the tenant identifier is included in the first token when the credential data received from the user includes the tenant identifier;
- instructions for returning the first token to the web browser to open a session between the web browser and the first active directory;
- instructions for converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system and includes the tenant identifier from the first token;
- instructions for validating the second token against the tenants allowed access to the historian storage; and
- instructions for granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token upon validation thereof and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
Dependent claims: 2, 3
4. A method for authenticating users accessing a historian application comprising:
- registering a main directory with the historian application;
- creating a plurality of active directories stored on a memory device, the active directories each storing user credentials for controlling access to the historian application, and the active directories each being separate from the other active directories;
- assigning a domain to each active directory, each active directory and the domain assigned thereto being associated with a tenant having its own set of users and access rules;
- populating a first active directory of the plurality with user authentication information for a user of the historian application in response to the user being added to the domain assigned to the first active directory;
- assigning a tenant identifier to the first active directory, the tenant identifier identifying a group of users associated with the first active directory;
- linking the first active directory to the historian application through the main directory by adding an application identifier to the first active directory, the application identifier identifying the historian application as having access thereto controlled by the first active directory, the historian application associated with a process control system;
- receiving credential data for the first active directory from the user;
- generating a first token when the credential data matches a portion of the user authentication information;
- including the tenant identifier in the first token when the credential data received from the user includes the tenant identifier;
- opening a session between a web browser and the first active directory upon validity confirmation of the first token;
- converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system;
- including the tenant identifier from the first token in the second token; and
- granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
Dependent claims: 5, 6
7. A tangible, non-transitory computer-readable storage media storing processor-executable instructions that, when executed by a processor, perform a method for implementing a user authentication system, the method comprising:
- creating a first directory stored on a memory device, the first directory storing user access credentials for controlling access to a historian application;
- assigning a domain to the first directory, wherein the first directory and the domain assigned thereto is associated with a tenant having a set of users and access rules;
- populating the first directory with user authentication information for a user of the historian application in response to the user being added to the domain assigned to the first directory;
- assigning a tenant identifier to the first directory, the tenant identifier identifying a group of users associated with the first directory;
- linking the first directory to the historian application by adding an application identifier to the first directory, wherein the application identifier identifies the historian application as having access thereto controlled by the first directory, and wherein the historian application is associated with a process control system;
- receiving credential data from a user;
- generating a first token when the credential data matches a portion of the user authentication information;
- including the tenant identifier in the first token when the credential data received from the user includes the tenant identifier;
- converting the first token into a second token, wherein the second token is a single-use token, and wherein the second token includes a role claim based on a role of the user within the process control system;
- including the tenant identifier from the first token in the second token; and
- granting the user access to the historian application for aspects of the process control system associated with the user by the role claim of the second token and to data stored in one or more storage accounts via the historian application when the second token includes the tenant identifier.
Dependent claims: 8, 9
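The token-exchange stage that claims 1, 4 and 7 describe, as an added Python example that is not part of the patent or any product: a first token issued by the tenant's directory is converted into a single-use second token carrying the role claim and the tenant identifier, and the second token is then validated against the tenants allowed on a given historian storage before access is granted. The HMAC signing scheme, the tenant and storage names, the role-to-scope mapping and the 60-second lifetime are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed policy data: which tenants may reach each historian storage,
# and which process-control aspects each role claim grants.
STORAGE_TENANTS = {
    "plant-a-storage": {"tenant-a"},
    "shared-storage": {"tenant-a", "tenant-b"},
}
ROLE_SCOPES = {"operator": {"read:tags"}, "engineer": {"read:tags", "write:config"}}
KEY = secrets.token_bytes(32)   # assumed: HMAC key held only by the historian application
_consumed = set()               # jti values of second tokens already presented (single use)


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def _verify(token: str) -> dict:
    body, _, mac = token.rpartition(".")   # MAC is hex, so the last '.' is the separator
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad signature")
    return json.loads(body)


def convert_token(first_token: dict, role: str) -> str:
    """Turn the directory's first token into a single-use second token with a
    role claim; the tenant identifier is carried over only if the first token had it."""
    claims = {"sub": first_token["sub"], "role": role,
              "jti": secrets.token_hex(8), "exp": time.time() + 60}
    if "tid" in first_token:
        claims["tid"] = first_token["tid"]
    return _sign(claims)


def grant_access(second_token: str, storage: str) -> set:
    """Validate the second token against the tenants allowed on `storage`, consume it,
    and return the scopes its role claim grants. Raises PermissionError otherwise."""
    claims = _verify(second_token)
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    if claims["jti"] in _consumed:
        raise PermissionError("token already used")        # replay of a single-use token
    if claims.get("tid") not in STORAGE_TENANTS.get(storage, set()):
        raise PermissionError("tenant not allowed on this storage")   # also covers missing tid
    _consumed.add(claims["jti"])
    return ROLE_SCOPES[claims["role"]]
```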
Specification