Dist Management in Combination with Active Directory

Re-sorting/Synchronization of Users without Lost of History

The workaround described in this chapter is based on the WinCC OA version 3.17 or higher. Therefore, the projects must be migrated to version 3.17 or higher!
Note:

To avoid this problem, use the config entries "lowestUserId in the [auth] section and firstLoginEnabled in the [distsync]

section. Therefore, the workaround described below is not required.

Problem (with the aid of a simple example):

A distributed system consists of two WinCC OA projects that are connected to each other and to a an Active Directory.

Active Directory Server Existing User:
Testuser1
Testuser2
Testuser3

WinCC OA Dist System1

  1. Local Login process with “Testuser1”
  2. “Testuser1” is created with ID 1 and synchronized with AD
  1. Local Login process with Testuser2“ -> receives the ID 2
  2. Local Login process with „Testuser3“ -> receives the ID 3

WinCC OA Dist System2

  1. Local Login process with “Testuser3”
  2. “Testuser3” is created with ID 1 and synchronized with AD
  1. Local Login process with „Testuser1“ -> receives the ID 2

Based on the logins, the following WinCC OA users are created on both systems:

System1

(User name)

System1

(WinCC OA user ID)

System2

(User name)

System2

(WinCC OA user ID)

Testuser1 1 Testuser3 1
Testuser2 2 Testuser1 2
Testuser3 3 - -

When, for example, the Testuser1 logs in to the System2 with a user interface, sets a value (e.g. flow rate), the value is archived in the System2 with the user ID 2.

If a historical query is executed from a user interface that is opened directly on System2, the query returns that the user with the ID 2 (meaning "Testuser1" on the system 2) set the value.

If you open a user interface directly on System1, that executes a historical query of the setpoint value of System2, the query returns that the user with the ID 2 set the value. The ID 2 is interpreted for the display (e.g. analyze table) on the basis of the local users on the System1. Therefore, the Testuser2 would erroneously be shown as the user who set the setpoint value.

In order to avoid this behavior, the WinCC OA users must be identical (name, order/ID) on all distributed systems of a distributed group.

Therefore, use the WinCC OA feature Dist-Management that allows you to synchronize the WinCC OA users in a distributed group.

Therefore, specify one system of the group as a "Master" (like a master template). All other systems are synchronized with the data from this master system (one way, this means everything is overwritten on the other systems).

In the example above, the System1 would be specified as a "MASTER" since everything is correct on the master and is therefore used as a reference.

Before Synchronization:

System1

(MASTER)

(User name)

System1

(MASTER)

(WinCC OA User ID)

System2

(User name)

System2

(WinCC OA User ID)

Testuser1 1 Testuser3 1
Testuser2 2 Testuser1 2
Testuser3 3 - -

After the Synchronization:

System1

(MASTER)

(User name)

System1

(MASTER)

(WinCC OA User ID)

System2

(User name)

System2

(WinCC OA User ID)

Testuser1 1 Testuser1 1
Testuser2 2 Testuser2 2
Testuser3 3 Testuser3 3

The users would be identical and a historical query of the user ID 2 would always show the Testuser2 independent of the user interface the query is executed on.

For queries "before the synchronization" this would be incorrect since the above query should associate the Testuser1 with the ID 2 for such historical queries.

Only for queries for the time "after the synchronization" the Testuser2 must be returned for the ID 2.

This problem with historical data can only be solved by separating the ID range of the created users available before the synchronization from the users after the synchronization, on all systems.

The solution is (by using the Dist management and System1 as Master):

At this point you must execute an ASCII export of the original values of the data points _Users, _Groups, _Areas of all systems involved. These exports should be saved for archiving purposes!

WinCC OA Dist System1 (MASTER)

  1. Delete Testuser1, Testuser2, Testuser3 (By using the "Delete" function of the WinCC OA User Administration. Open the User Administration via the System Management-> Permission- > User Administration).
  1. Login with Testuser1, Testuser2 and Testuser3 and assign a higher ID. Assign new user IDs as of the number 500 manually!
  2. Trigger the user synchronization to all systems via the Dist management.
  3. "Date X“ Note the synchronization as an important milestone.

WinCC OA Dist System2

  1. Delete the Testuser3, Testuser1 as described in step 1.

After this step the following user structure can be found on the systems. The _DeletedUsers remain unmodified on all systems since these were not synchronized through the Dist management.

Data point type

System1

(MASTER)

(User name)

System1

(MASTER)

(WinCC OA User ID)

System2

(User name)

System2

(WinCC OA User ID)

_DeletedUsers Testuser1 1 Testuser3 1
_DeletedUsers Testuser2 2 Testuser1 2
_DeletedUsers Testuser3 3 - -
_Users Testuser1 500 Testuser1 500
_Users Testuser2 501 Testuser2 501
_Users Testuser3 502 Testuser3 502

Future queries of periods AFTER "Date X" will always return the same User/ID combination on all systems and will be shown correctly.

For historical queries the old IDs (with low numbers) are saved in the „_DeletedUsers“ per system and mistakes are impossible. The conclusion of the historically correct user name for the periods "BEFORE Date X" is technically possible. If the archived ID is not found in the active users, it can be queried from the _DeletedUsers.