Dist Management in Combination with Active Directory

Re-sorting/Synchronization of Users without Loss of History

The workaround described in this chapter is based on WinCC OA version 3.17 or higher. The projects must therefore be migrated to version 3.17 or higher!

Note:
To avoid this problem, use the config entries [auth] lowestUserId and [distsync] firstLoginEnabled. In that case, the workaround described below is not required.

Problem (with the aid of a simple example):

A distributed system consists of two WinCC OA projects that are connected to each other and to an Active Directory.

Active Directory Server, existing users:
UserA
UserB
UserC

Note:
The user must log in to the master system first. If there are many users, add them to WinCC OA in advance via the User Administration.

WinCC OA Dist System1

  1. Local login process with “UserA”
  2. “UserA” is created with ID 1 and synchronized with AD
  3. Local login process with “UserB” -> receives the ID 2
  4. Local login process with “UserC” -> receives the ID 3

WinCC OA Dist System2

  1. Local login process with “UserC”
  2. “UserC” is created with ID 1 and synchronized with AD
  3. Local login process with “UserA” -> receives the ID 2

Based on the logins, the following WinCC OA users are created on both systems:

| System1 (User name) | System1 (WinCC OA user ID) | System2 (User name) | System2 (WinCC OA user ID) |
|---|---|---|---|
| UserA | 1 | UserC | 1 |
| UserB | 2 | UserA | 2 |
| UserC | 3 | - | - |

When, for example, UserA logs into System2 with a user interface and sets a value (e.g. flow rate), the value is archived in System2 with the user ID 2.

If a historical query is executed from a user interface that is opened directly on System2, the query returns that the user with the ID 2 (meaning "UserA" on System2) set the value.

If you open a user interface directly on System1 and execute a historical query of the setpoint value of System2, the query returns that the user with the ID 2 set the value. For the display (e.g. analyze table), the ID 2 is interpreted on the basis of the local users on System1. UserB would therefore erroneously be shown as the user who set the setpoint value.

In order to avoid this behavior, the WinCC OA users must be identical (name, order/ID) on all distributed systems of a distributed group.

To achieve this, use the WinCC OA feature Dist-Management, which allows you to synchronize the WinCC OA users in a distributed group.

Specify one system of the group as the "Master" (like a master template). All other systems are synchronized with the data from this master system (one way, which means that everything is overwritten on the other systems).

In the example above, System1 would be specified as the "MASTER", since everything is correct on it and it is therefore used as the reference.

Before Synchronization:

| System1 (MASTER) (User name) | System1 (MASTER) (WinCC OA User ID) | System2 (User name) | System2 (WinCC OA User ID) |
|---|---|---|---|
| UserA | 1 | UserC | 1 |
| UserB | 2 | UserA | 2 |
| UserC | 3 | - | - |

After the Synchronization:

| System1 (MASTER) (User name) | System1 (MASTER) (WinCC OA User ID) | System2 (User name) | System2 (WinCC OA User ID) |
|---|---|---|---|
| UserA | 1 | UserA | 1 |
| UserB | 2 | UserB | 2 |
| UserC | 3 | UserC | 3 |

The users will be identical, and a historical query of the user ID 2 will always show UserB, independent of the user interface on which the query is executed.

For queries covering the time "before the synchronization" this would be incorrect, since the above query should associate UserA with the ID 2 for such historical queries.

UserB must be returned for the ID 2 only for queries covering the time "after the synchronization".

This problem with historical data can only be solved by separating, on all systems, the ID range of the users that existed before the synchronization from that of the users after the synchronization.

The solution (using the Dist management with System1 as Master) is:

Note:
At this point you must execute an ASCII export of the original values of the data points _Users, _Groups, _Areas of all systems involved. These exports should be saved for archiving purposes!

WinCC OA Dist System1 (MASTER)

  1. Delete UserA, UserB and UserC by using the "Delete" function of the WinCC OA User Administration. Open the User Administration via System Management -> Permission -> User Administration.
  2. Log in with UserA, UserB and UserC and assign each a higher ID. Assign the new user IDs above the number 500 manually!
  3. Trigger the user synchronization to all systems via the Dist management.
  4. "Date X": Note the synchronization as an important milestone.

WinCC OA Dist System2

  1. Delete UserC and UserA as described in step 1 for System1.

After this step, the following user structure can be found on the systems. The _DeletedUsers remain unmodified on all systems, since these were not synchronized through the Dist management.

| Data point type | System1 (MASTER) (User name) | System1 (MASTER) (WinCC OA User ID) | System2 (User name) | System2 (WinCC OA User ID) |
|---|---|---|---|---|
| _DeletedUsers | UserA | 1 | UserC | 1 |
| _DeletedUsers | UserB | 2 | UserA | 2 |
| _DeletedUsers | UserC | 3 | - | - |
| _Users | UserA | 500 | UserA | 500 |
| _Users | UserB | 501 | UserB | 501 |
| _Users | UserC | 502 | UserC | 502 |

Future queries of periods AFTER "Date X" will always return the same User/ID combination on all systems and will be shown correctly.

For historical queries, the old IDs (with low numbers) are saved in the “_DeletedUsers” per system, so errors are excluded. Determining the historically correct user name for the periods BEFORE "Date X" is technically possible: if the archived ID is not found in the active users, it can be queried from the _DeletedUsers.
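
The scenario above, modelled as an added example in Python (not part of the original documentation and not WinCC OA CTRL code). Dictionaries stand in for the _Users and _DeletedUsers data points and all function names are hypothetical; the example reproduces the ID conflict, the misattribution on System1, and the lookup order after the workaround.

```python
# Added illustration: plain-Python model of the page's example, all names constructed.

def assign_ids(login_order, first_id=1):
    """IDs are handed out in local first-login order, as in the example."""
    return {first_id + i: name for i, name in enumerate(login_order)}

def id_conflicts(users_a, users_b):
    """IDs present on both systems that name different users."""
    return {uid: (users_a[uid], users_b[uid])
            for uid in sorted(users_a.keys() & users_b.keys())
            if users_a[uid] != users_b[uid]}

def resolve(system, user_id):
    """Resolve an archived ID on the system that archived it:
    active users first, then that system's _DeletedUsers."""
    if user_id in system["users"]:
        return system["users"][user_id]
    return system["deleted"].get(user_id)

def migrate(systems, master, first_new_id=500):
    """Workaround: retire the old local IDs, recreate the users on the master
    with high IDs (500.. as in the table), then sync one way from the master."""
    names = list(systems[master]["users"].values())
    for s in systems.values():
        s["deleted"].update(s["users"])   # old IDs stay local, never synchronized
    new_users = assign_ids(names, first_new_id)
    for s in systems.values():
        s["users"] = dict(new_users)      # everything is overwritten by the master

def demo():
    systems = {
        "System1": {"users": assign_ids(["UserA", "UserB", "UserC"]), "deleted": {}},
        "System2": {"users": assign_ids(["UserC", "UserA"]), "deleted": {}},
    }
    s1, s2 = systems["System1"], systems["System2"]
    before = id_conflicts(s1["users"], s2["users"])
    # Value archived on System2 by UserA (ID 2), displayed with System1's local users:
    shown_on_system1 = resolve(s1, 2)
    migrate(systems, master="System1")
    return {
        "conflicts_before": before,
        "shown_on_system1": shown_on_system1,
        "conflicts_after": id_conflicts(s1["users"], s2["users"]),
        "system2_old_id_2": resolve(s2, 2),   # period before Date X
        "id_501": (resolve(s1, 501), resolve(s2, 501)),  # period after Date X
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The old ID must be resolved against the _DeletedUsers of the system that archived the value; resolving System2's old ID 2 against System1's _DeletedUsers would still return UserB.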