In this blog post, let’s take a closer look at user accounts on the groov EPIC system, and how you can improve your system security by giving users and services fine-grained access to applications running on EPIC. In other words, make sure each person or service has only the access they really need and nothing more.
But before we get deep into user accounts, let’s first discuss user account credentials. Take a moment and ask yourself the following questions:
- Do you use the same password for multiple accounts?
- Do you use a mix of punctuation and capital letters in your passwords?
- Do you use long phrases as your passwords?
We all know what we should do, but then there is what we actually do. We have talked about passwords in a past blog post, but it bears repeating here: long passphrases are much more secure than shorter "tricky" passwords, whether they include symbols and capital letters or not.
In more cases than we’re willing to admit, the weakest link in the security of our systems comes down to security credentials, and more specifically, user account credentials. Even if we get everything else right, without a strong password, you’re vulnerable.
One of my favorite tools from that previous blog post is How Secure Is My Password? Try a few of your current passwords, and see how they fare. I think you’ll be surprised.
Okay, now that we agree long passphrases are important, we can continue.
Getting Started with EPIC and your first Admin User Account
When you power up your groov EPIC for the very first time, you’re prompted to create an Admin User Account. It is important to note that there is no default username or password in groov EPIC (that’s security by design), so the only way to access your EPIC is from an account only you create.
We designed it this way to prevent system access using any default credentials, which are easy to find on the Internet. Someone would have to know the username and password you created at setup to gain access. Along the same lines, if you forget your credentials, there is no way to recover them. We can’t help you. The only option is to straighten out a paper clip and push in the Reset button (which will reset the device back to factory defaults) and start all over again.
After you set up this first Admin user account, you can create more users and set their passwords and permissions from groov Manage, the built-in web application for managing all things EPIC. Remember that you can configure user accounts in groov Manage on the EPIC’s built-in high-resolution color touchscreen, or securely over the network from a computer or mobile device.
Having a controller/PLC with secure user accounts is a big deal. Very few systems like this on the market offer this functionality, and it’s an essential part of system security.
Now it might be tempting to just make everyone an admin user and “be done with it,” but very few people who will be using the device need to have full, unfettered access to your EPIC. Put bluntly, the fewer people who have access to the device, the more secure it will be. So, stop and think about your user access levels before creating accounts.
Of course, it goes without saying (so I’ll say it): Make sure each user has a unique username AND a unique password, never the same as another user. Making strong, unique passwords is highly recommended as noted above, and there's no limit on your password length, capitalization, punctuation, language, etc.
This is what the Add User dialog box looks like in groov Manage, in your Account settings page.
Note that by default, the new user does not have any permissions. It is up to you to assign them as required. Once you enter the user’s username and password, you also set permissions for access to the software services on your EPIC. It’s best to start out by assigning only the permissions you know this user needs now; you can always edit the user and add more later if needs change. Also note that only Admin accounts can edit these permissions.
Also note that user accounts can be for people or software. If you have a programmer whose application needs to access EPIC, you can set up a user account for that application, different from human user accounts. We recommend that you have your programmers utilize this “user account” feature and use the automatically generated, unique API keys for their applications. groov EPIC makes it easy for each application to have its own API Key.
If you’d like to permanently display an HMI screen on groov EPIC's color touchscreen display using groov View, consider creating a new user account with only groov View rights, and set those rights as “Kiosk.” With the Kiosk limited permissions, someone who walks up to EPIC can view any HMI screens allowed for that user account but cannot log out, edit the project, or change the password. Use this Kiosk account for any computer, tablet, or other device that is left logged into groov View for an extended period of time.
Day-to-day use of groov EPIC is just like doing your banking: treat it with respect and always log out of any admin accounts when you are done.
In conclusion, User Accounts help make your groov EPIC secure by limiting access to software and services to only those who need it. By setting them up thoughtfully and making full use of this feature, you can completely control all access to your system.
What other controller can do that?
Till next time. Cheers, Mate.