proficy* workflow

Proficy* Workflow Powered by Proficy SOA

GETTING STARTED

Version 1.5 SP4 February 2012

All rights reserved. No part of this publication may be reproduced in any form or by any electronic or mechanical means, including photocopying and recording, without permission in writing from GE Intelligent Platforms, Inc.

Disclaimer of Warranties and Liability

The information contained in this manual is believed to be accurate and reliable. However, GE Intelligent Platforms, Inc. assumes no responsibilities for any errors, omissions or inaccuracies whatsoever. Without limiting the foregoing, GE Intelligent Platforms, Inc. disclaims any and all warranties, expressed or implied, including the warranty of merchantability and fitness for a particular purpose, with respect to the information contained in this manual and the equipment or software described herein. The entire risk as to the quality and performance of such information, equipment and software, is upon the buyer or user. GE Intelligent Platforms, Inc. shall not be liable for any damages, including special or consequential damages, arising out of the use of such information, equipment and software, even if GE Intelligent Platforms, Inc. has been advised in advance of the possibility of such damages. The use of the information contained in the manual and the software described herein is subject to GE Intelligent Platforms, Inc. standard license agreement, which must be executed by the buyer or user before the use of such information, equipment or software.

Trademarks

© 2012, GE Intelligent Platforms, Inc. All rights reserved. * Trademark of GE Intelligent Platforms, Inc. All other brands or names are property of their respective holders. Any other trademarks referenced herein are used solely for purposes of identifying compatibility with the products of GE Intelligent Platforms, Inc.

Notice

GE Intelligent Platforms, Inc. reserves the right to make improvements to the products described in this publication at any time and without notice. We want to hear from you. If you have any comments, questions, or suggestions about our documentation, send them to the following email address:

[email protected]

Table of Contents

i

Table of Contents Getting Started ____________________________________ 1 Installation Requirements ____________________________ 2

Hardware Requirements 2 Server 2 Client 3 Reporting Database 3

Software Requirements 4 Server Installation 4 Client-only Installation 7 Proficy Reporting Database Installation 8 Proficy Host Installation 8

Web Task List Software Requirements 9 Installation 9

The Hardware Key 9 Hardware Key Installation 10 License and Key Checking 11 Hardware Key Installation Troubleshooting 12

Troubleshooting the Aladdin HASP Key 12 Defective Hardware Key Replacement 12 Common Questions About Hardware Keys 13

Proficy Workflow Installations ________________________ 15 Install a Proficy SOA Server and Client 17 Install a legacy Proficy SOA Server and Client 21

Legacy Server Limitations 26 Firewall Ports 27 Install a remote Proficy Client 27 Install and run the Web Task List 29

ii Proficy* Workflow

Uninstall Proficy Workflow 29 Multiple Servers ___________________________________ 30

Install multiple servers 31 Modify server roles 33

Server Clustering and Failover _________________________ 35 Server Clustering and One-Click Deployment 36 Configure a Proficy SOA server to be clustered 36 Configure the failover Proficy SOA Server for a cluster 37

Post-installation Configuration ________________________ 38 Modify the server configuration 38 Modify the Microsoft Active Directory Services 39 Modify the SQL server 40 Modify security 41 Configure a server instance 42

Command Line Installation ___________________________ 44 Log Files _________________________________________ 46 GE Single Sign On (SSO) ____________________________ 47 Log in to Proficy Client ______________________________ 49 Running with a Standard Windows User Account __________ 52 Upgrading Proficy Workflow _________________________ 53

Upgrade to a newer version of Proficy Workflow 54 Upgrade custom forms 56

Proficy Real-Time Information Portal ___________________ 58 Install Proficy Real-Time Information Portal 59

Proficy Reporting Database ___________________________ 61 Install the reporting database 61 Configure Component Services 64

Table of Contents

iii

Uninstall the reporting database 66 Task Controls in Proficy HMIs ________________________ 67

Proficy Task List Configuration 67 Modify Task List installation configurations 69 Install task list controls 70

Key Concepts _____________________________________ 72 One-Click Deployment ______________________________ 85 Supported Regional Settings __________________________ 88 Daylight Saving Time _______________________________ 90 Special Keyboard Buttons ____________________________ 91 SQL Server Backup and Restore _______________________ 92 Proficy Workflow Security ___________________________ 93

Introducing Security 93 System Protection 93 Security Concepts 94 Security Status 95

Understanding Security 96 Users 98 Groups 99 Create Groups and Users 100 Modify Groups and Users 100 Delete Groups and Users 101 Design and Plan Security 101 Login to Individual Workstations 103 Using Security 104 Windows Security 105

Contact Information ________________________________ 110 General 110

iv Proficy* Workflow

Technical Support 110 Americas 110 Europe, Middle East, and Africa 111 Asia Pacific 111

Getting Started

1

Getting Started

Welcome to Proficy Workflow–Powered by Proficy SOA!

Before you begin installing our product, please take some time to review the Getting Started guide. This guide includes information about the following:

Installation Requirements (software, hardware, and the hardware key)

Installing the Proficy SOA Server and Client

Installing and configuring a failover cluster

Installing and configuring multiple servers

Installing the legacy Proficy SOA Server and Client, and Proficy Host.

Installing Proficy Real-Time Information Portal

Installing the Proficy Reporting Database

Installing the Proficy Host / Embeddable Proficy Host

Installing the Task List in HMIs

Proficy Workflow Security IMPORTANT: Please read the Important Product Information on your installation DVD for the latest information about Proficy Workflow, including new features, system requirements, and release notes.

2 Proficy* Workflow

Installation Requirements

This chapter provides general information you need in order to install Proficy Workflow, including:

Hardware requirements

Software requirements

Installing the hardware key and replacing defective keys

Before you begin installing your Proficy Workflow software, we highly recommend that you start by clicking Important Product Information on the installation DVD. This opens an online help file where you can read the latest release notes and the most current information about Proficy Workflow.

Hardware Requirements

This section describes the minimum hardware requirements to run Proficy Workflow and all products that work with it.

Server

NOTE: These requirements apply whether you are installing a multiple server configuration (that is, a core server and a Workflow server), a failover cluster, or a legacy server.

2.6 GHz Core Duo computer with 3 GB RAM (minimum)

50 GB hard disk space (minimum)

CD-ROM Drive

Network interface software for network communications. The TCP/IP network protocol is required.


3

XGA or better color monitor and a 100% IBM-compatible 24-bit graphics card capable of 1024x768 resolution and at least 65535 color

Two-button mouse with scroll wheel or compatible pointing device (such as a touch screen)

Client

2 GHz Pentium 4-based computer with 2 GB RAM (minimum)


CD-ROM Drive


SVGA or better color monitor and a 100% IBM-compatible 24-bit graphics card capable of 1024x768 resolution and at least 65535 colors


Reporting Database

2.6 GHz Core™ 2 Duo Processor with 3 GB RAM (minimum)


CD-ROM Drive


One free direct-connect USB port

4 Proficy* Workflow

XGA or better color monitor and a 100% IBM-compatible 24-bit graphics card capable of 1024x768 resolution and at least 65535 colors


Software Requirements

This section describes the minimum software requirements for your installation, including the recommended operating system and database.

Server Installation

The following list describes the software required to install and use Proficy Workflow and the Proficy SOA Server.

One of the following operating systems:

Windows 7 Professional (32 or 64-bit)

Windows Server 2008 SP2 (32-bit only)

Windows Server 2008 R2 (64-bit)

Windows Server 2003 SP2 or greater (32 or 64-bit)

Windows XP Professional SP2 or greater (32-bit only)

One of the following SQL Server systems:

Microsoft SQL Server 2008 Standard, Professional, or Enterprise Edition (32 or 64-bit)

Microsoft SQL Server 2008 R2

Microsoft SQL Server 2008 Express


5

Microsoft SQL Server 2005 Standard SP2, Professional SP2, or Enterprise Edition SP2 (32-bit only)

NOTE:

The SOA project is installed into this SQL Server database. SQL Server can be installed on a different computer that is also on the domain or workgroup; however, you must ensure that network configurations allow appropriate machine communication.

If you are using SQL Server Express with the Proficy SOA Server, you cannot use the Reporting Database.

Microsoft .NET Framework 4.0 (Full Framework)

Microsoft AD LDS (Active Directory Lightweight Directory Service) or ADAM (Active Directory Application Mode) with SP1 (available from http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en)

NOTE:

If you are using Windows XP or Windows Server 2003, ADAM is required. If you are using Windows 7 or Windows Server 2008, AD LDS is required. In Windows Server 2003, Windows 7, and Windows Server 2008, these can be added as Windows components or features in the Programs applet of the Control Panel.

For demo, evaluation, or pilot systems, you can use Simulated Directory mode rather than using ADAM or AD LDS. In this mode, the system functions the same way. However, you must use ADAM or AD LDS to run large systems that have hundreds of clients connecting simultaneously.

http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en)

http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en)

6 Proficy* Workflow

Microsoft Silverlight 4.0 and the Silverlight SDK

NOTE: Silverlight is required to access and develop forms and displays in the Silverlight Designer, and to view Silverlight forms and displays in the Global Viewer.

Microsoft Excel 2007 and its Primary Interop Assemblies (for Import/Export operations). For more information, see:

http://msdn.microsoft.com/en-us/library/kh3965hw.aspx

http://www.microsoft.com/downloads/details.aspx?familyid=59DAEBAA-BED4-4282-A28C-B864D8BFA513&displaylang=en

http://technet.microsoft.com/en-us/library/cc179091.aspx

Internet Explorer 7 or greater

Other software:

VMWare Server or VMWare ESX Server.

NOTE: VMWare servers are supported to use any of the supported operating systems.

IMPORTANT: Advanced features of ESX Server (that is, VMotion and Clustering support) are not supported.

Proficy Portal 3.0 with SP1 (included on the installation DVD) or greater.

Java Run-time plug-in v6.0 or greater (to view Proficy Portal displays)

Proficy Historian 3.5 or greater.


http://www.microsoft.com/downloads/details.aspx?familyid=59DAEBAA-BED4-4282-A28C-B864D8BFA513&displaylang=en%20






7

Client-only Installation

A client-only machine contains only the Proficy Client application and must connect to another machine that has the Proficy Server installed.








Microsoft Silverlight 4.0

NOTE: Silverlight is required to access and develop forms and displays in the Silverlight Designer, and to view Silverlight forms and displays in the Global Viewer.

Microsoft Excel 2007 and its Primary Interop Assemblies (for Import/Export operations). For more information, see:


http://www.microsoft.com/downloads/details.aspx?familyid=59DAEBAA-BED4-4282-A28C-B864D8BFA513&displaylang=en









8 Proficy* Workflow

Proficy Reporting Database Installation










NOTE:

SQL Server Integration Services must be installed with SQL Server.

If you are using SQL Server Express with the Proficy SOA Server, you cannot use the Reporting Database.


Proficy Host Installation






9





Web Task List Software Requirements

Installation

The following list describes the software required to install the task list.









Microsoft Silverlight 4

The Hardware Key

The hardware key supports USB port configurations. The hardware key you use to run the Proficy SOA Server:

Controls and enables software options available to your installation.

10 Proficy* Workflow

Uses a utility to electronically reprogram options you choose to upgrade or change (for HASP M4 keys only).

Proficy Workflow runs in demo mode, which limits you to two clients if the key is not installed or found.

Be sure to file your hardware key packing slip in a safe location. The codes on this slip are necessary for us to quickly duplicate the key in case it is damaged or misplaced. You can verify that your serial number matches the serial number on the hardware key packing slip by using the Proficy License Viewer utility to detect and display your hardware key settings. For more information, see the License and Key Checking section.

Hardware Key Installation

A hardware key is included with your Proficy Workflow software. You must install your hardware key in order to access all the components of the Proficy Workflow software you purchased.

Typically, you install your hardware key as you install the Proficy Workflow product. Refer to the Installing Proficy Workflow section for more details.

If you insert the key after you install Proficy Workflow, it should be detected automatically when the software starts. It is recommended that you shut down your computer before plugging in a new hardware key.

IMPORTANT: Do not remove the hardware key from your node while Proficy Workflow is running. If you do, some features will shut down and you will need to restart Proficy Workflow. You may also damage the hardware key if you remove it while the software is running.


11

We support the installation of the USB port hardware key only on systems running Windows 7 (32 and 64-bit), Windows Server 2008 (32 and 64-bit), Windows Server 2003 (32 and 64-bit), or Windows XP (32-bit only). At this time, we do not support USB keys connected through an external USB hub.

On new installs on Windows XP SP1, we recommend that you insert your USB key after you run the Proficy Workflow install.

License and Key Checking

Use the Proficy License Viewer to determine the enabled options

To use Proficy Workflow and other Proficy products, you must purchase the product with the desired options from us. Depending on the options you buy, you may need to replace your current key or run an update program on your existing key to enable the options.

If you want to determine the options that are enabled on the computer you are currently working on use the Proficy License Viewer to view the options enabled.

TIP: The Proficy License Viewer programs can be used to provide technical support personnel with information about your hardware key.

1. From the Start menu, point to Programs, Proficy Common, and then click License Viewer.

2. In the Proficy Products list, select the Proficy Workflow product. The License and Key Diagnostics area should display the available options. For information on upgrading your key to add other options, contact us. We will provide the steps for upgrading your Proficy license file when you purchase new options or products.


Hardware Key Installation Troubleshooting

If the hardware key does not install properly, you may see a message displayed on the Client at startup.

First, check to see that your hardware key is firmly attached. Next, uninstall and reinstall the driver for the hardware key. If this driver has been incorrectly uninstalled, it may behave unpredictably.

Troubleshooting the Aladdin HASP Key

If the Aladdin HASP USB key does not appear to be working, you can reinstall the licensing to recover from the improper install. When the Aladdin HASP key is not communicating correctly, you will notice that the indicator light at the end of the key is off.

To reinstall Proficy Licensing

1. Click the ProficyClientInstaller.exe file in the License folder on the Proficy Workflow product installation CD to reinstall the license.

2. Click Finish when the licensing install completes.

Defective Hardware Key Replacement

A defective hardware key causes your Proficy product to run in demo mode.

Be sure to check that the key is firmly attached to your USB or parallel port before assuming it is defective. Additionally, for USB keys, if the indicator light at the end of the key is off, then the key is not communicating correctly.


13

You can also use the License Viewer to determine if the hardware key is defective. If your hardware key is defective, the License Viewer does not display the proper enabled options. Or, an error message stating that a hardware key is required to view the enabled options may appear. For more information on using the License Viewer, refer to the License and Key Checking section.

We replace defective keys as quickly as possible. To obtain a replacement hardware key:

Call your local Technical Support representative. The support representative will instruct you to FAX a completed copy of a Merchandise Return Authorization form. On receipt of the form, we can program a new hardware key and send it to you overnight.

When you receive the hardware key, you must return the old one along with a copy of the form sent with the new hardware key. We reserve the right to invoice you for defective hardware keys that are not returned.

Common Questions About Hardware Keys

This section describes some frequently asked questions about Proficy hardware keys.

What does the light at the end of the USB key indicate?

For the Aladdin HASP USB key, the light indicates that the key and the software are communicating. If this light is off, it indicates a problem with the key.


If I move the USB key to another port, is it automatically detected?

Yes. The USB key is automatically detected when moved to another USB port. There are no additional screens requesting software to be installed for the Aladdin HASP USB key.

Proficy Workflow Installations

15


The procedures in this section outline the various installation options for Proficy Workflow, Proficy Host, and the Web Task List.

IMPORTANT:

Workgroups and Windows domains are both supported; however, users must ensure that network configurations allow appropriate machine communication. Also, Windows authentication for security is supported only on a domain.

Any resolvable computer name or IP address can be used when installing Proficy Workflow; however, the same name or IP address must be used consistently for a machine in all configurations on any server, client, or host machine.

Before you begin the Proficy Workflow installation, make sure that you have installed the following:


Microsoft AD LDS (Active Directory Lightweight Directory Service) or ADAM (Active Directory Application Mode) with SP1 (available from http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en)

NOTE:

If you are using Windows XP or Windows Server 2003, ADAM is required. If you are using Windows 7 or Windows Server 2008, AD LDS is required. In Windows Server 2003, Windows 7, and Windows Server 2008, these can be added as Windows components or features in the Programs applet of the Control Panel.


For demo, evaluation, or pilot systems, you can use Simulated Directory mode rather than using ADAM or AD LDS. In this mode, the system functions the same way. However, you must use ADAM or AD LDS to run large systems that have hundreds of clients connecting simultaneously.



Microsoft SQL Server 2008 R2

Microsoft SQL Server 2008 Express


NOTE:

The SOA project is installed into this SQL Server database. SQL Server can be installed on a different computer that is also on the domain or workgroup; however, you must ensure that network configurations allow appropriate machine communication.

The person whose user name is used for SQL authentication must have authority to create new databases.

For regular database use during run time, a user requires only db_owner privileges, not administrative privileges.

For more information, see Software Requirements.


17

Install a Proficy SOA Server and Client

The following information guides you through the Proficy SOA Server and Client installation process.

During this installation process, you are required to create an Administrator user. This Administrator user is automatically assigned all permissions, which will allow you to create and define your users, groups, and key sets, and to set up your production security.

1. Place the installation DVD in the DVD drive. If you have Autoplay enabled, the installation launcher splash screen appears.

NOTE: If it does not appear, run InstallFrontEnd.exe on the root directory of the Proficy Workflow DVD.

2. Click Install Proficy Workflow. The Proficy Workflow Setup wizard appears.

3. Click Proficy Server. The Proficy Server Installation Type page appears.

4. Select Single Server Installation, and then click Next. The License Agreement page appears.

5. Review the license agreement, and then click I Agree. The Choose Install Location page appears.

6. Accept the default destination folder or browse for a new location, and then click Next. The Configure AD LDS Integration page appears.

7. Do one of the following:


If Active Directory Lightweight Directory Services (AD LDS) is not installed, the Configure AD LDS Integration page displays a message regarding its use. If AD LDS is not required, click Next.

If Active Directory Lightweight Directory Services (AD LDS) is installed, but this installation is to be used in a test and/or development server environment, select the Do not use Microsoft Directory Services check box, and then click Next.

If this installation is to be used in a production environment, skip to the next step.

8. For a production environment, do the following:

a) Clear the Do not use AD LDS check box.

b) In the Directory Instance: Name field, enter an instance name for the ADAM directory.

c) In the Port (LDAP) and Port (SSL) fields, enter valid port numbers.

d) In the User Credentials: Name field, enter the name of a user that is a member of the local computer's Administrators Group.

e) In the User Credentials: Domain field, enter the name of your company's domain.

f) In the User Credentials: Password field, enter the password for the user you entered in the Name field.

9. If your SQL server is installed locally and uses Windows Authentication, select the Use a local SQL database with Windows Authentication check box.


19

10. If your SQL server is either local or remote and uses either Windows or SQL Authentication, clear the Use a local SQL database with Windows Authentication check box, and enter the following information:

IMPORTANT: You must install SQL Server 2008 or SQL Server 2005 SP2 before you install Proficy Workflow. For detailed information, see Software Requirements.

a) In the Server field, enter or select the name of the SQL server you want to connect to. If the SQL server is installed locally, you can enter localhost.

b) In the Database field, enter the name of the SQL database, or click the drop-down arrow to search for all databases located on the specified server. If the specified database does not exist it will be created for you.

c) From the Authentication list, select the type of authentication you want to use.

d) If you select Windows Authentication, click Next.

e) If you select SQL Authentication, enter the username and password configured for SQL Authentication on the SQL server you want to connect to.

11. Click Next. The Configure Security page appears.

12. Enter the following information:

a) In the Administrator Name field, accept the default name or enter a name for the Administrator user.

b) In the Administrator Password field, enter a password for the Administrator user.

c) In the Confirm Password field, re-enter the password for the Administrator user.


d) Optional: Select the Enable SSO check box if you want to use GE SSO authentication.

NOTE: Selecting this check box enables the SSO Authentication option on the Proficy Workflow Login dialog box.

e) In the SSO Server URL field, enter the address of your SSO server.

NOTE: You must obtain the SSO server URL from the GE SSO Security group.

f) In the Siteminder URL field, enter the address of the web server that has Siteminder installed on it.

NOTE: For important information on setting up and enabling SSO in your facility and for your users, see GE Single Sign On (SSO).

13. Click Next. If the computer you are installing on has an enabled firewall, the Firewall Detected page appears.

14. If required, make note of the port number to open on the firewall, and then click Next. IMPORTANT: If your system uses a firewall, you must follow the instructions on the Firewall Detected page and open ports 8012, 8112, 8111, 8020, 8201, 8202, 8203, and 8204 to incoming TCP traffic. For information on opening a port in your firewall, see the online help for your Windows operating system.

The Ready to Install page appears.

NOTE: At any time during the installation configuration process, you can click Back to go to a previous page to change your settings.

15. Click Install. The Installing Proficy Workflow page appears, displaying the status of each installation step.


21

16. If a Security Warning dialog box appears, click Run.

17. When the installation is complete, click Exit. NOTE: If the installation fails, or you want to change a configuration setting after installation completes, you can open the appropriate standalone component to configure the required information. For more information, see Post-Installation Configuration.

Install a legacy Proficy SOA Server and Client

The following information guides you through the legacy Proficy SOA Server and Client installation process. A legacy server installation includes the Proficy SOA server, the Workflow engine, and the Proficy Host.

IMPORTANT: If you use Proficy Host as part of your system configuration, you must use the Legacy Server and Host installation option.

During this installation process, you are required to create an Administrator user. This Administrator user is automatically assigned all permissions, which will allow you to create and define your users, groups, and key sets, and to set up your production security.




3. Click Legacy Server and Host. The Legacy Proficy Server Installation Type page appears.


4. Select either the Proficy Server or Proficy Host check box, and then click Next.

If you select Proficy Server, then skip steps 7 and 8.


6. Accept the default destination folder or browse for a new location, and then click Next.

7. In the Host Instance section:

a) In the Instance Name field, enter a name for this Proficy Host instance. A Proficy Project is also automatically created.

b) In the Computer Name field, enter the name or description of the computer that you are installing the Host instance on, or accept the default entry.

c) From the Instance Type drop-down list, select the type of Proficy Host you want to install.

NOTE: If you select Embedded, you must create a Windows service executable file and embed the Proficy Host in that file.

8. In the Proficy Workflow Server section:

In the Computer Name field, enter the name of the computer where the Proficy SOA Server is installed, or accept the default entry.

NOTE: Any resolvable computer name or IP address can be used when installing the Proficy Host.

9. In the Configure AD LDS Integration page, do one of the following:


23

If Active Directory Lightweight Directory Services (AD LDS) is not installed, the Configure AD LDS Integration page displays a message regarding its use. If AD LDS is not required, click Next.

If Active Directory Lightweight Directory Services (AD LDS) is installed, but this installation is to be used in a test and/or development server environment, select the Do not use Microsoft Directory Services check box, and then click Next.









11. Click Next. The Configure SQL Server page appears.

12. Optional: Select the Backup existing database check box to automatically create a backup of your SQL database.










15. Click Next. The Configure Security page appears.



b) In the Administrator Password field, enter a password for the Administrator user.


25

c) In the Confirm Password field, re-enter the password for the Administrator user.

d) Optional: Select the Enable SSO check box if you want to use GE SSO authentication.


e) In the SSO Server URL field, enter the address of your SSO server.


f) In the Siteminder URL field, enter the address of the web server that has Siteminder installed on it.










Legacy Server Limitations

The legacy server is used in environments where you use the Proficy Host, which allows the Plant Applications Service Provider to act as a connection between Proficy Workflow and Proficy Plant Applications. However, the legacy server has limitations.

The list describes the legacy server limitations.

The Silverlight designer is not supported.

Silverlight forms and displays created with external tools cannot be viewed in the Global Viewer.

Server clustering is not supported.

Multi-server architectures are not supported.

Web service endpoints are not supported.

IMPORTANT: If you are using service providers that were created prior to version 1.5 SP4, they are supported only in legacy server environments.


27

Firewall Ports

During server installations, the installation setup detects whether there is a firewall on the computer. You must either disable the firewall or configure it to allow communication with the server.

The following is a list of the inbound TCP ports you can open on the server computer to allow communication.

8012

8112

8111

8020

8201

8202

8203

8204

Install a remote Proficy Client

This information guides you through the process of installing a remote Proficy Client on a different machine than the Proficy Server.

You must have installed the Proficy SOA Server before you can install a client, because you require an available server to connect to.





3. Click Client Only. The License Agreement page appears.


5. Accept the default destination folder or browse for a new location, and then click Next. The Proficy Workflow Server Configuration page appears.


a) In the Server Computer Name field, enter the name of the computer where the server you want to connect to is installed.

NOTE: You can also use the IP address for the server if the server uses a static IP address.

b) In the Server Instance Name field, enter the name of the server instance you want to connect to.

c) In the Server HTTP Port field, enter the port number that the server is using.

d) Click Next.





29

8. When the installation is complete, click Exit.

Install and run the Web Task List

NOTE: The web task list is automatically installed with the Full Server installation of Proficy Workflow.

1. For information on installing Proficy Workflow, see To install Proficy SOA Server and Client.

2. To start the Web Task List, use the following URL in the address bar of Microsoft Internet Explorer: http://<server>:8020/Proficy/Workflow/WebTaskList.html

NOTE: To ensure that the Web Task List does not disconnect while running, update the timeout settings in the following key from 2710 to 30000:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeout

Uninstall Proficy Workflow

1. From Control Panel, go to your programs listing.

2. If applicable, select ADAM Instance SOAAdam, and then click Uninstall (depending on your operating system).

3. In the confirmation message box, click Yes.

4. Select Proficy Workflow (<installation type>), and then click Uninstall (depending on your operating system).



Multiple Servers

Proficy SOA provides the ability to install across multiple servers, each of which hosts a set of services. A multi-server environment is transparent and appears to be a single server to remote clients.

Each server in a multi-server environment must be configured to run the required services. To accomplish this objective, a shared server data model is used. Each Proficy SOA Server refers to a shared configuration data model to determine the specific service providers that they host. Client programs can then connect to any server, and be redirected to the server that is hosting the required service. Client programs, such as a form or custom client, communicates with service providers using service methods and events. As a result, neither the user nor the client program is aware of which server is hosting the service provider.

Deploying Service Providers Across Multiple Servers

After the initial installation of Proficy SOA on each server, setup the database and directory computers that contain service provider data, and then run the Configure Client tool one time from any server to deploy the service providers. All Proficy products, such as Proficy software, are built around service providers, which have defined interfaces, and the servers that are configured to run them. These products are installed to a single location, and then a one-time configuration of the Proficy site is performed to ensure that each Proficy SOA Server is hosting the required service providers. This Proficy SOA Server must connect to a Proficy System SQL Server database to access a site's database servers to perform this initial configuration.

Multiple Servers

31

Using Multiple Servers

In a multi-server Proficy site, roles must be assigned to each server. These roles include sets of service providers that always run on the same physical server. These service providers contain the product-related information of the Proficy software being used. After these roles have been assigned, the server data model can be updated by the Configure Client tool. Then, restart each server that has been configured to finalize this process.

Install multiple servers

Proficy Workflow provides multiple server capability, allowing you to install a core Proficy Server on one machine and a Workflow Server (containing the workflow engine) on another machine. You can also choose to install a User Server, which hosts custom service providers.

IMPORTANT: If you are installing a Workflow Server or a User Server, you must have already installed a core server on a separate machine. For more information, see Install Proficy SOA Server and Client.




3. Click Proficy Server. The Proficy Server Installation Type page appears.

4. Click Server Extension, select one of the following options, and then click Next.


To install a dedicated workflow server, click Workflow Server.

To install a server to host custom service providers, click Service Providers.

The License Agreement page appears.


6. Accept the default destination folder or browse for a new location, and then click Next. The Configure SQL Server page appears.

7. Configure the SQL Server page as follows.

NOTE: This configuration must be the same as the core server.







Multiple Servers

33







Modify server roles

If you want to alter the role of a server after installing Proficy Workflow, use the Configure Site utility to assign services to run on each server instance.

1. On the server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Site.

2. Select the role(s) for each server instance.


NOTE: Each role can be assigned to only one server instance, but a server instance can be assigned multiple roles.

3. Click Save, and then click Exit.

Server Clustering and Failover

35


Proficy Workflow provides the ability to implement Microsoft® Windows Clustering, which allows you to configure your server environment to be fault tolerant.

Microsoft SQL Server also supports Clustering. For complete information about installing, configuring, and maintaining SQL Server 2008 failover clustering, see Getting Started with SQL Server 2008 R2 Failover Clustering.

The following web site provides information about the high availability features supported by the standard edition of SQL Server 2008 R2.

http://msdn.microsoft.com/en-us/library/cc645993.aspx#High_availability

NOTE: Proficy Workflow server clustering and failover is supported only on Windows Server 2008 R2 Standard Edition.

A cluster is a group of independent computer systems working together as a unified computer resource. A cluster provides a single name for clients to use, a single administrative interface, and guarantees that data is consistent across nodes.

Proficy Workflow allows you to configure a failover cluster to maintain a consistent image of the cluster on all nodes. It also allows nodes to transfer resource ownership on demand.

Proficy Workflow server clustering and failover can be configured over two computers; one computer configured as the primary server, and the other as the failover backup server.

http://msdn.microsoft.com/en-us/library/cc645993.aspx%23High_availability

http://msdn.microsoft.com/en-us/library/cc645993.aspx%23High_availability


Custom services managed by failover clustering must maintain their state in shared persistent memory (typically a database), and the state must always be in a consistent state because failover can occur at any time.

IMPORTANT: Proficy Workflow server clustering provides support against hardware failures only.

Server Clustering and One-Click Deployment

If you have implemented a server cluster environment and you want to use one-click deployment in that environment, additional configuration is required to set up the one-click deployment.

There are two methods to choose from to configure one-click deployment in a server cluster environment.

Modify the userstartup.xml file on each client to use the cluster address.

Update the userstartup.xml.deploy file on the server, in the Proficy Workflow\Program\Deployment\1_5_0_0\Program\Data directory, and then regenerate the one-click deployment install.

Configure a Proficy SOA server to be clustered

The Configure Server Instance utility is used to configure the Proficy SOA Server to work in a cluster.

NOTE: You must have installed the Proficy SOA Server and configured server failover clustering using Microsoft clustering software before you can configure a Proficy SOA Server to work in a cluster.


37

1. On the primary server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Server Instance.

2. Select the Create a Proficy SOA Server Instance option.

3. Select the Make this machine a primary for a new failover cluster check box.

4. In the Cluster Name field, enter the name of the cluster you created in the Microsoft clustering software.


Configure the failover Proficy SOA Server for a cluster

The Configure Server Instance utility is used to configure the Proficy SOA Server to work in a cluster.

NOTE: You must have configured a Proficy SOA Server as a primary server for your cluster before you can configure a failover server.

1. On the backup server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Server Instance.

2. Select the Make this machine a failover backup of an existing Server Instance option.

3. From the Choose existing cluster drop-down list, select the cluster that you want this machine to be the failover backup for.



Post-installation Configuration

The procedures in this section outline the various installation options for Proficy Workflow, Proficy Host, and the web task list.

If the installation fails, or you want to change a configuration setting after installation completes, you can open each of the installation wizard configuration pages as a standalone utility and make the required changes.

CAUTION: Changes to your installation configuration should be performed only by advanced users. If you make changes on your own, unpredictable results and behavior may occur. Contact GE Intelligent Platforms for assistance.

Modify the server configuration

Use the Proficy Workflow Server Configuration utility to synchronize any changes you may have made to the Proficy SOA Server computer, instance name, or server port.

IMPORTANT: The Proficy Workflow Server Configuration utility is available only for Client-only installations.

1. On the client computer, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Client. The Proficy Workflow Server Configuration utility appears.

2. Optional: In the Server Computer Name field:

If you are configuring a legacy server or multi-server environment, enter the name of the computer that the server you want to connect to is installed on.

If you are configuring a server cluster environment, enter the cluster name used when you set up your cluster.


39

3. Optional: In the Server Instance Name field, enter the name of the server instance you want your Proficy Client to connect to.

4. Optional: In the Server HTTP Port field, enter the port number required to allow communication with the server.


Modify the Microsoft Active Directory Services

The Configure AD LDS Integration utility provides the ability to configure Active Directory Lightweight Directory Service for your production environment.

1. On the server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Directory Services. The Configure AD LDS Integration page appears.

2. In the Configure AD LDS Integration page, do one of the following:

If Active Directory Lightweight Directory Services (AD LDS) is not installed, the Configure AD LDS Integration page displays a message regarding its use. If AD LDS is not required, click Save.

If Active Directory Lightweight Directory Services (AD LDS) is installed, but this installation is to be used in a test and/or development server environment, select the Do not use Microsoft Directory Services check box, and then click Save.











Modify the SQL server

The Configure Database utility provides the ability to make changes to your SQL server database, as well as change the database you want to connect to.


1. Click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Database. The Configure SQL Server page appears.



41









Modify security

The Configure Security utility is used to make changes to your Administrator user or to enable or disable GE Single Sign On (SSO) capabilities.

1. On the server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Security. The Configure Security page appears.




a) In the Administrator Password field, enter a password for the Administrator user.

b) In the Confirm Password field, re-enter the password for the Administrator user.

c) Optional: Select the Enable SSO check box if you want to use GE SSO authentication.


d) In the SSO Server URL field, enter the address of your SSO server.


e) In the Siteminder URL field, enter the address of the web server that has Siteminder installed on it.



Configure a server instance

The Configure Server Instance utility is used to create a Proficy SOA Server instance, as well as to configure server clustering.


43

1. On the server machine, click Start > All Programs > Proficy > Proficy Workflow > Configuration > Configure Server Instance.

2. Select the Create a Proficy SOA Server Instance option.

3. In the Name field, enter a name for the server instance.

4. Optional: In the Description field, enter a description for the server instance.

5. Click the Advanced Configuration arrow.

6. Select or clear the Do not create Windows Service for this Server Instance check box, depending on whether you want this server instance to run as a Windows service.

7. In the Service Ports fields, enter the port numbers for each of the service port types.

8. In the IP Address field, enter the IP address of the server instance.

9. In the Port field, enter the port number for the server instance.



Command Line Installation

Proficy Workflow provides the ability to install the server, client, or hosts using command line parameters.

Using command lines to install the Proficy SOA Server allows you to install multiple servers, ensuring that the same configuration data is used in all instances.

The following table describes the command line parameters that can be used.

Command line parameter Description

/s Runs the installation setup (SetupWorflow.exe) in silent mode; that is, the installation occurs without displaying the user interface. You must use the /c parameter in conjunction with the /s parameter and provide a valid configuration file name.

/t filepath (where filepath is the user-defined file name)

Runs the installation setup (SetupWorkflow.exe), including the user interface, and creates a configuration file that contains all of the installation configuration data. NOTE: For security reasons, passwords are not included in the configuration data.

/c filepath (where filepath is the user-defined file name)

Runs the installation setup (SetupWorkflow.exe) and uses the configuration data found in the configuration file. When used with the /s parameter, the installation runs in silent mode.

Command Line Installation

45

NOTE: You can use the configuration file that was created using the /t command line parameter or you can use the sample configuration file provided in the install directory. If you use the configuration file created by using the /t parameter, you must add the passwords before using that file with the /c parameter.

/l filepath (where filepath is the logging directory)

Overrides the default logging location.


Log Files

Proficy SOA provides a number of log files that you can use to assist you in troubleshooting various aspects of your system.

On Windows XP, all log files, regardless of the type of installation you have (that is, server, client, and so on), are located in ..\Documents and Settings\All Users\Application Data\Proficy\Logs.

On all other supported operating systems (Windows Vista, Windows 7, and Windows Server 2008) the log files are located in: C:\Program Data\Proficy\Logs.

The log files for all installations are also accessible from the program group; that is, Start > All Programs > Proficy > Proficy Workflow > Logs.

GE Single Sign On (SSO)

47

GE Single Sign On (SSO)

You can configure Proficy SOA to use GE Single Sign On (SSO) authentication when your users log on to the Proficy Client.

NOTE: GE Single Sign On applies only to GE businesses.

Within GE, all employees are assigned an SSO ID that grants them access to internal GE web pages and resources. When Proficy SOA is installed within a GE business, you have the option to enable SSO authentication, so that users enter their SSO ID and password to access the system.

Configuration Settings

GE SSO authentication can be configured during the installation process, or at any time after installation using the Configure Security dialog box. For more information, see Post-Installation Server Configuration.

When setting up SSO authentication, you must configure the SSO server and Siteminder URLs. Each GE business has Siteminder installed to protect resources on its own web server. Siteminder provides authentication for all web-based applications. The Proficy Server must be able to access this web server in order to authenticate SSO credentials. User information is retrieved from the SSO Server.

A file named Headers.asp is included with the Proficy SOA installation. Its location is: C:\Program Files\Proficy\Proficy Workflow\Programs. This file must be hosted on the Siteminder Agent web server, and then the SSO security group must protect the file under Siteminder.

Proficy Server makes a request to Headers.asp to get information about the SSO user who is trying to log in. The following table lists and describes the returned header information.


Header Description

HTTP_SM_USER The SSO ID of the user

HTTP_GIVENNAME First name of the SSO User

HTTP_SN Last name of the SSO User

HTTP_GESSOSTATUS Status of the SSO account

HTTP_MAIL E-mail address of the SSO User

When the GE SSO security group sets up Headers.asp, they must make sure that these headers are included in the response.

User Account Setup

After you configure your system for SSO authentication, you can manually set up each user's account to link to their SSO account. The account login name must be the user’s SSO ID.

You can also use the SSO Authentication Failed event to schedule a workflow that will create a Proficy user account. That is, if a user with a valid SSO ID but no Proficy user account tries to log in to Proficy Client, the SSO Authentication Failed event is triggered and causes the Proficy user account to be created. The SSO Authentication Failed event contains the user’s SSO ID, full name, and e-mail address.

IMPORTANT: Make sure that each user belongs to the SSO Users group before creating their SSO user account. The SSO Users group is a default security group under the Personnel model.

Log in to Proficy Client

49


1. From the main screen, click the Login button. The Proficy Workflow Login dialog box appears.

2. In the Authentication Type section, select an authentication method. Your user name and password are verified in the selected system.

Select... If...

Proficy Authentication

Your user profile is part of the Proficy Workflow application.

Windows Authentication

Your user profile is part of the Windows domain. IMPORTANT: To log in using Windows Authentication, your server and client(s) must be on a domain.

SSO Authentication

Your user profile is part of SSO security. NOTE: SSO Authentication is not available if it has not been enabled.

NOTE: The following information applies to all regular logins but the Mobile-Sized Task List:

The computer you log on to stores the authentication type in the proficyclient.exe.config file. When you start a new client on that computer, the authentication type you selected during your previous logon is automatically selected. However, if another user successfully logged in on that computer since your last logon, using a different authentication type, that authentication type will be selected.


If you attempt to log in using a different authentication type but the authentication fails, the authentication type is not updated in the proficyclient.exe.config file.

3. Proceed as follows.

If you selected... Go to...

Proficy Authentication Step 6

Windows Authentication Step 4

SSO Authentication Step 5

4. If you are using Windows Authentication and need to create user(s) in Proficy Workflow, do the following:

a) Create a user account for each one with a user name and password.

b) Add the user(s) to the Windows User group.

5. If you are using SSO Authentication and need to create user(s) in Proficy Workflow, do the following:

a) Create a user account for each one, using their GE SSO ID for the user name, and a password.

IMPORTANT: This password is only a placeholder. When a user selects SSO Authentication on the Proficy Workflow Login dialog box, he must enter his existing SSO password or the login fails. When a user changes his SSO password on the SSO Server, the new password must be used to log in to Proficy Client with SSO authentication.

b) Add the user(s) to the SSO Users group.

6. In the User Name field, enter your user name.

7. In the Password field, enter your password.


51

8. If applicable, in the Domain field, enter the domain name.

NOTE: If you selected Windows Authentication, you must enter a Windows domain name in the Domain field.

The computer stores the domain name you enter in the proficyclient.exe.config file. When you start a new client, that domain name appears in the Domain field. However, if another user successfully logged in under a different domain since your last logon, that domain name will be displayed.

If you attempt to log in under a different domain but the authentication fails, the domain name is not updated in the proficyclient.exe.config file.

9. Click OK.


Running with a Standard Windows User Account

Users who are not Proficy Client administrators, must be given permission to access certain folders in order to view log files and to be able to load forms.

To provide the ability to load forms, ensure your users have permission to access C:\Program Data\Proficy\Logs.

To provide access to log files, ensure your users have permission to access C:\Users\<User>\My Documents\Proficy Workflow.

When a form is opened, it is retrieved from the database and copied to the client computer to be loaded into Proficy Client. If the My Documents folder is in a network storage location, that location is locked by user permissions, preventing the form from being created.

Upgrading Proficy Workflow

53


If you are working with versions of Proficy Workflow that are older than version 1.5, you must uninstall the previous version before installing a new version. However, as of version 1.5, you are not required to uninstall a previously installed version.

IMPORTANT: When you upgrade a Proficy server, you must also upgrade all of the remote Proficy Clients that connect to that server to use the same version of Proficy Workflow.

The following upgrade paths are supported:

Upgrade from Proficy Workflow 1.5x to a later version of Proficy Workflow 1.5x

Upgrade from Proficy Workflow 1.2 to Proficy Workflow 1.5



IMPORTANT: As of version 1.5 Service Pack 3, there are changes to the way you can upgrade your version of Proficy Workflow.

If Proficy Workflow is already installed and the new version to be installed is equal to or greater than the installed version, then the installed version is upgraded. For more information, see Upgrade to a newer version of Proficy Workflow.

If Proficy Workflow is already installed, but the new version to be installed is earlier than the installed version, you are alerted that a newer version of Proficy Workflow is already installed.

If Proficy Workflow is not installed, installing a newer version (1.5 SP3 or greater) will perform a full install.


Uninstalling Proficy Workflow does not remove the SQL Server database or the Active Directory Lightweight Directory Services (AD LDS) instance; all of your project data is preserved. When you install a new version and specify the same SQL Server database and AD LDS instance, then the previously configured project is automatically upgraded.

Data Item Links

If, in an earlier version of Proficy Workflow, you created data item links to Historian tag names that contain special characters, those data item links will not upgrade. You must recreate those links in the new version of Proficy Workflow. The special characters are: ', ~, !, @, #, and $. For example, if you have an equipment property, MyProperty1, linked to a Historian tag, HistTag#1, in Proficy Workflow version 1.01, that link will break when you upgrade to version 1.2 or 1.5.

The special character "-" is fully supported in the upgrade process; that is, data item links to Historian tags containing the "-" character will upgrade correctly. NOTE: Proficy Workflow 1.2 and greater support all of these special characters.

When you upgrade from Proficy Workflow 1.01, the display names of data item links from workflows or condition events to equipment properties will contain a GUID. You must reconfigure these data item links to remove the GUID. After reconfiguring the data item, the display name is updated correctly as <EquipmentOwnerName.PropertyName>.

Upgrade to a newer version of Proficy Workflow

This procedure describes how to upgrade your version of Proficy Workflow without uninstalling the previous version.


55



2. Click Install Proficy Workflow. The License Agreement page appears.

3. Review the license agreement, and then click I Agree. The Proficy Upgrade page appears.

4. Optional: Select one or more of the following install options:

Skip the SQL Server database backup. If you want a backup of your database and have not performed your own backup, select this option.

Set up the server to run in legacy mode. If you select this option, legacy host servers, such as Plant Applications and Proficy Host, can be configured to connect the existing server.





Upgrade custom forms

Before upgrading and starting the Proficy Workflow 1.2 or 1.5 server, ensure that all of your custom form DLLs are located in the following directory: ..\Data\AllUsers\Displays.

If you added forms or user displays using Proficy Workflow 1.0 or 1.01, and those forms had dependencies on any Proficy assemblies, there are additional steps for upgrading.

For each form or user display in the system, do the following:

1. Check for errors.

In the Navigator, select the form or user display, and then click Global Viewer. If additional upgrade steps are required, an error displays in the Feedback Zone, indicating that the existing item could not be loaded.

NOTE: If you are using GEFanuc.Platform.FormsLibrary.dll, skip to step 3 and use the new file, Proficy.Platform.FormsLibrary.dll, found in the Program folder in the install directory.

2. Update the project.

a) In Visual Studio, open the source code project you originally used to build the custom form.

NOTE: This source code should be found somewhere on your system; it is not persisted in the Proficy Workflow database.

b) Update references to GEFanuc assemblies. View the project’s references to see the list of assemblies it is dependent upon.


57

NOTE: Since Proficy Workflow version 1.01, the Proficy assemblies have been renamed from GEFanuc.*.dll to Proficy.*.dll; therefore, any references to assemblies named GEFanuc.* must be removed and re-added to point to the renamed assembly. For example, if the project previously referenced GEFanuc.Platform.Core.DisplayFramework.dll, then the project must be updated to reference Proficy.Platform.Core.DisplayFramework.dll.

a) Update references to GEFanuc namespaces.

The namespaces have also been changed from GEFanuc.* to Proficy.*. Therefore, any other references to GEFanuc in your project must also be changed to Proficy.

3. Build the project.

Build your project and continue fixing errors until you have a successful build.

4. Save your changes. In the Proficy Client, select the form or user display in the Navigator and open it in the Display Editor. An error may display indicating that the assembly or class is invalid. If the error displays, do the following:

a) In the .NET Assembly field, browse to the updated version of the assembly you want to use for the form.

b) In the Class Name field, select the appropriate class name to use.

c) Click Save to save your changes to the server and make the form available to other Clients.

5. Validate the form.

Open the form in the Global Viewer or run it in a workflow to ensure the form works as expected.


Proficy Real-Time Information Portal

The Proficy SOA Server provides the ability to connect to Proficy Real-Time Information Portal and view displays created there.

Most businesses use tools to help their decision-makers analyze sales, visualize financial data, and make process improvements that enhance the manufacture of their products. Analysis of business and process data is critical to knowing where to make investments and to learning how to improve a company's performance.

Proficy Portal provides superior data analysis tools in a personalized web environment. Using Proficy Portal and a web browser, you can make key decisions by analyzing and visualizing data from historians, SQL relational databases, process databases, or OPC servers. By combining and comparing historical, real time, and SQL data, you can see how the leading performance indicators for your company are progressing, allowing you to make sound business decisions.

Proficy Portal integrates well into your existing intranet or web site. You can create links between your web server and Proficy Portal displays, allowing you to create seamless navigation between the web pages on your site and the analysis displays on the Proficy Portal server.

Proficy Portal also integrates with the Proficy SOA Server. From Proficy SOA, you can connect directly to your Proficy Portal server to view and use your Portal displays and to retrieve data tags.

NOTE:

Proficy Workflow supports Proficy Portal v3.0 only, with SP1 or the SIMs that are included on the installation DVD.

To connect to and view Proficy Portal displays, you must install Java Run-time v6.0 or greater.

Proficy Real-Time Information Portal

59

For information on adding a Proficy Portal data source connection, see Proficy Portal Data Source.

Install Proficy Real-Time Information Portal

The Proficy Real-Time Information Portal installation files are included on the Proficy Workflow DVD.

IMPORTANT:

Proficy Workflow supports Proficy Portal v3.0 only, with SP1 or the SIMs that are included on the installation DVD.

You must install the Proficy Portal SIMs or SP1, which are included on the installation CD in order to use Proficy Portal with Proficy Workflow.

NOTE:

Proficy Portal can be installed on a different computer than the one Proficy Workflow is installed on.

To connect to and view Proficy Portal displays, you must install Java Run-time v6.0 or greater.

The Proficy Real-Time Information Portal Getting Started guide is included as a PDF in the Proficy Portal folder on the Proficy Workflow installation DVD.


NOTE: If it does not appear, double-click Setup.exe from the root directory on the installation DVD.


2. Click Browse the CD. Windows Explorer appears, displaying the folders contained on the installation DVD.

3. Locate the Proficy Portal folder. The installation files are located in this folder.

4. Double-click Setup.exe, and then follow the installation instructions in the Proficy Real-Time Information Portal Getting Started guide.

Proficy Reporting Database

61


Proficy SOA includes an option to install a reporting database. This database can be used with any valid reporting tool, and allows you to build reports on up-to-date data that you synchronize from your production database. For more information on the Proficy Reporting Database, see Reporting.

Install the reporting database

The reporting database allows you to use the data synchronized from your production database to build reports for your facility. You can use any reporting tool to extract the information from the reporting database and create your reports.

You must have installed a supported SQL Server version before you install the reporting database (see Software Requirements). In addition, you must select the SQL Server Integration Service (SSIS) component when you install SQL Server. Select the SQL Reporting Services component, as well, if you want to use SQL as your reporting tool.

NOTE: We recommend that you install the reporting database on a separate computer from the production database to prevent performance issues on the production database. In this scenario, additional configuration changes are required. Refer to Configure Component Services for more information. However, if the Proficy SOA Server computer meets the requirements for both databases, they can be installed on the same computer.



NOTE: If it does not appear, double-click SetupReporting.exe from the root directory on the installation DVD.

2. Click Install Proficy Reporting. The License Agreement page appears.

3. Review the license agreement, and then click I Agree.

4. Select an SSIS version, and then click Next. NOTE: This step is needed only if more than one version of SSIS installed. If only one version of SSIS is installed, then installation proceeds with the next step.

The Choose Install Location page appears.

5. Accept the default destination folder or browse for a new location, and then click Next.

6. In the Configure Reporting SQL Server area, enter the following information and then click Next.

a) In the Server field, accept the default value if the reporting database is on the local machine with the default instance. If the SQL Server named instance is used, enter the SQL Server name and instance name; for example, <servername>\<instance name>.

NOTE: The Reporting SQL Server must be local.

b) In the Database field, enter the name of the reporting database. This creates a new database; however, if a database of the same name already exists, this database will append to the existing one.


63

c) From the Authentication list, select the type of authentication you want to use. If you choose to use integrated security, select Windows Authentication; otherwise, select SQL Server Authentication, and then enter the user name and password for the SQL Server.

7. In the Configure SQL Server area, perform one of the following actions:

Leave the Use a local SQL database with Windows Authentication check box selected, and then click Next.

Clear the Use a local SQL database with Windows Authentication check box, then enter the following information, and then click Next.

a) In the SQL field, enter the name of the SQL Server where the SQL database is located.

b) In the Database field, enter the name of the production (SQL) database that you will connect to for synchronization.

c) From the Authentication list, select the type of authentication you want to use. If you choose to use integrated security, select Windows Authentication; otherwise, select SQL Server Authentication, and then enter the user name and password for the SQL Server.

8. In the Proficy Workflow Server Configuration area, enter the following information, and then click Next.

In the Server computer name field, enter the fully qualified name of the server computer.

9. In the Configure Security area, enter an Administrator user name and password. This can be the user name and password of any valid Proficy SOA user.


10. Click Install.

11. Click Exit.

Configure Component Services

If your production database is on a different computer than the Proficy Reporting Database, the following configuration changes are required.

IMPORTANT: You can perform these steps either before or after installing the Proficy Reporting Database; however, you must complete these configuration changes before you run your reporting data synchronization.

NOTE: For this procedure, your production database server is the “server”, while the reporting database server is the “client”.

1. Verify that the Distributed Transaction Coordinator service is running on both the Server and Client computers.

a) From the Start menu, point to Administrative Tools, and then click Services.

b) If the Distributed Transaction Coordinator service is not running, right-click it, and then click Start.

2. On the server computer, from the Start menu, point to Administrative Tools and click Component Services.

3. In the left navigation tree, click Component Services, and then expand Computers.

4. Right-click My Computer and select Properties. The My Computer Properties dialog box appears.

5. Click the MS DTC tab.


65

IMPORTANT: If you are using Windows 7 or Windows Server 2008, you must use the following path to retrieve these computer properties:

Component Services > Computers > My Computer > Distributed Transaction Coordinator >Local DTC

6. Click Security Configuration. The Security Configuration dialog box appears.

7. Select the following check boxes:

Network DTC Access

Allow Remote Clients

Allow Inbound/Outbound Administration

Enable Transaction Internet Protocol (TIP) Transactions

8. Click OK. A message appears telling you “MS DTC Service will be stopped and restarted. All dependent services will be stopped. Please press Yes to proceed.” Click Yes.

9. In the My Computer Properties dialog box, click OK.

10. If required, reboot your production database server.

NOTE: We recommend that you reboot your production database server.

11. On the Client computer, repeat steps 2 through 6.

12. Select the Network DTC Access and Allow Inbound/Outbound Administration check boxes.

13. The DTC Service is stopped and restarted.

14. Restart the Client computer.


15. Verify that the Distributed Transaction Coordinator service is running on both the Server and Client computers, and if required, repeat steps 1a and 1b.

Uninstall the reporting database

When you uninstall the reporting database, you can choose to remove it completely from the computer, or maintain the database but lose the ability to synchronize the data from your production database. Uninstalling the reporting database does not affect the production database or the data contained in it.

1. From Control Panel, double-click Add or Remove Programs. The Add or Remove Programs dialog box appears, displaying all of the programs installed on the computer.

2. Select Proficy Reporting, and then click Remove.


4. In the Uninstall Reporting message box, click Yes if you want to completely remove the reporting database from the computer. If you select No, the reporting database remains on the computer, but the ability to synchronize with the production database is lost; however, you can still run reports on the data stored in the database.

Task Controls in Proficy HMIs

67


The Proficy Workflow Task List can be integrated into other Proficy HMI applications.

Workflow task controls can be integrated into existing HMI applications, such as Proficy HMI/SCADA CIMPLICITY and Proficy HMI/SCADA iFIX. Workflow tasks are displayed in your application so you can operate them from within these applications. You use the Task List and Task Indicator controls to interact with and view workflow tasks. The Task List provides users with a list of tasks for a workflow. The Task Indicator provides a user with relevant information regarding the status of the Task List.

Proficy Task List Configuration

The configuration utility allows you to modify server information and its authentication credentials.

NOTE:

Each installation of the Task List can connect to only one Proficy Workflow server at a time.

At a single workstation, only one task indicator object and one task list object can be connected at a time per HMI application instance.

Proficy task controls and Proficy HMIs are related, but work independently from each other. Therefore, user names and logins are separate.

Like the Proficy Workflow client, the NET. TCP Port Sharing service must be enabled to use the Task List in a host application.


To change the server name, use the Configure Client utility. For more information, see Modify the server configuration. If you install the Task List on a different machine than the Proficy Server, you must access the Configure Client utility from the following location: ../Program Files/Proficy/Proficy Task List/Program.

Server Authentication

In this section, you can select how a user connects to the server in order to access the Task List. You can select from three different ways of accessing the server:

Manual Login

Select this option to prompt the user to manually enter a user name and password when accessing the Task List.

Control Property

Select this option to require the user to configure the user name and password through the control properties of the HMI host. The following control properties are available:

ProficySOALoginUser - indicates the user’s login name

ProficySOALoginPassword - indicates the user's login password

Password Encryption

Select this option to require that user names and passwords be preconfigured. These credentials are added in the User Configuration section prior to accessing the Task List. In the object's properties, the password is encrypted.


69

When your system requires password encryption for server authentication, you must add user names and passwords. This section is enabled only when the Password Encryption option in the Server Authentication section is selected.

NOTE: For the server authentication to be successful, users must have already been configured in Proficy Workflow.

Modify Task List installation configurations

NOTE: To change the server name, use the Configure Client utility. For more information, see Modify the server configuration. If you install the Task List on a different machine than the Proficy Server, you must access the Configure Client utility from the following location: ../Program Files/Proficy/Proficy Task List/Program.

1. From the Start menu, select the Proficy Workflow Task List Configuration. The Proficy Task List Configuration window appears.

2. To add or modify a server, in the Server Name section, enter the fully qualified name of a server.

3. To modify the login authentication, in the Server Authentication section:

Select... To...

Manual Login

prompt the user to enter a user name and password at each login.

Control Property

allow the user to view the user name and password in the host's object properties.

Password Encryption

log the user in automatically.


4. If you selected Password Encryption in the Server Authentication section, add user credentials in the User Configuration section:

a) In the Users panel, click Add.

b) In the Details panel, in the User Name field, enter an existing Proficy Workflow user name.

c) In the Password field, enter the password for the user name.

d) In the Confirm Password field, re-enter the password.

5. Click Save.

Install task list controls


NOTE: If it does not appear, double-click SetupTaskList.exe from the root directory on the installation DVD.

2. Click Install Task List. The License Agreement page appears.


4. Accept the default destination folder or browse for a new location, and then click Next. The Proficy Workflow Server Configuration page appears.

5. In the Server Name field, enter the name of the server that you want to install the Task List on. The Configure Task List Authentication page appears.


71

6. From the Authentication Type drop-down menu, select one of three login options, and then click Next. If you want the user name and password:

e) entered manually, select Manual Authentication, or

f) exposed in plain text, select Control Property Authentication, or

g) saved automatically after initial setup, select Password Encryption Authentication.

NOTE: You must first configure users using the Proficy Task List Configuration tool.



7. Click Install.

8. When the installation is complete, click Exit.


Key Concepts

Proficy Workflow—Powered by Proficy SOA is a unifying architecture for our software products, and a framework to leverage existing applications and functionality. The role of Proficy Workflow is to provide the components and services which, when adopted by a product line, drives common operational behavior and support.

Proficy Workflow implements the S95 standard, giving you a flexible, standards-based foundation for building applications and interfacing with other software.

Proficy Workflow contains the tools you need to create applications that can be used to facilitate the management and analysis of activities in your enterprise. Proficy Workflow provides a customizable environment that can:

host editors for building Proficy applications

display HMI screens for monitoring plant activities

display workflow tasks to operators on the plant floor

accept input into forms that can be created and routed to clients throughout the enterprise

Proficy Workflow also provides a configurable event engine that can trigger workflows and other code based on different types of internal and external triggers.

Failover Clustering

Proficy Workflow allows you to configure a failover cluster to maintain a consistent image of the cluster on all nodes. It also allows nodes to transfer resource ownership on demand.

Key Concepts

73

Multiple Server Environments

Proficy SOA provides the ability to install across multiple servers, each of which hosts a set of services. A multi-server environment is transparent and appears to be a single server to remote clients.

The Client

The Proficy Client provides a customizable environment for using various views and displays to access and use your data. Access to specific views and displays is determined by the permissions assigned to you or any group you are a member of.

The Proficy Client:

Provides you with a command center for interfacing to Proficy applications and third-party legacy systems.

Provides you with a single solution-centered environment that allows you to link all aspects of the plant floor, from operations to analytics.

Allows you to customize the environment, tailoring it to your specific needs.

The diagram displays the main components of Proficy Client. The table following describes these components.


Figure 1. Proficy Client

Cross Reference Description

Menu bar: includes access to product information, Help Menu, Client layout modes, Global Displays, Task List, login/logout, system status.

Models list: Production, Material, Equipment, Personnel, Events, Workflows, Global Displays, Proficy System.

Resource type list: includes all the types that you can add a

Key Concepts

75

resource to.

Resources: includes all the resources that you have added to the model.

Navigator: includes all the information related to your input, such as the ability to locate, add, delete, and duplicate resources.

Compatible view: displays information on the model that has been selected in the Navigator.

Display panel: displays compatible options for viewing and working with the selected resource.

Workspace: displays information related to the selected resource after an appropriate view, such as an editor, has been selected.

Information bar: includes warnings and the Feedback Zone.

Security

The Security feature is intended for system administrators who must configure and maintain security for Proficy Workflow.

In some companies, access to the production configuration and management environment is available to everyone. In such an environment, changes to the data files and access to files and applications are not critical to the process. However, in other companies, these applications and data are available only to authorized personnel because they are critical to the process.

For more information, see Security and Personnel Model.


Electronic Signatures and Audit Trails

Proficy Workflow provides the ability to electronically sign forms in the run-time environment and to create an audit trail of those signatures, as well as auditing other configuration changes made to the system.

You can use electronic signatures to create a more secure environment by requiring that operators electronically sign for data entry changes on forms in the Task Client. An electronic signature uniquely identifies the operator making the change, and can optionally require the electronic signature of another person to verify the change. Operators no longer need to use paper and pen to record and sign for their actions, and the possibility of losing or damaging such records is essentially eliminated.

An audit trail is necessary for regulatory compliance, because it provides a method of recording actions that have been performed in the Proficy Workflow system. An audit trail helps to prove that you have control of your process and allows you to track not only what occurred; but when it occurred, and who was responsible for the occurrence. For example, an audit trail can be used to assist with an investigation of a product discrepancy.

Proficy Workflow provides the ability to generate reports based on your audit trail and electronic signature data.

For more information, see Electronic Signatures and Audit Trails.

Models

In Proficy Workflow, models are used to define and organize system and application information. A model is a representation of a physical structure or conceptual idea and is composed of objects that have hierarchical or other relationships between them. Rules or schemas outlining object nesting, order, number, and requirement define the structure of a model.

Key Concepts

77

Production and manufacturing models are used to represent your production or manufacturing organization and operation. Based on the industry standard ISA-95, these models define basic structure rules and object relationships.

Production models share a common object-oriented system of definition using properties that can be used to define classes, definitions, and specifications. When you create your production or manufacturing structure and object relationships, the properties, classes, definitions, and specifications are used to define your processes and can be inherited by another object as a result of direct associations.

For more information, see Material Model, Equipment Model, Personnel Model, Production Model, and Events Model.

Navigation and Search

The Navigator is one of the main components of the Proficy Client, and is used to navigate models to target elements. Using the Navigator, you can locate an element of focus, whether by browsing or searching. The Navigator provides two tabbed panes: Navigate and Search.

The Navigator is a point and click interface on all tabbed areas. The Navigate tab is the main tab that is used to configure, set up, add, delete, and browse resources within Proficy Workflow.

The Search tab provides a unique way to search all available objects created within Proficy Workflow. By using the search you can quickly locate and use objects within the system.

For more information, see Navigate Tab and Search Tab.


Display Panel

Proficy Workflow uses displays to organize editors and resource information into relevant groupings that make it easy to select, view, and configure resources. You can view and configure model resources within Proficy Workflow.

When you navigate to a resource, you are automatically shown the compatible displays of the resource you are viewing. The icons of related to these displays turn green when they are compatible.

For more information, see Display Panel.

The Feedback Zone

The Feedback Zone is a tool that displays error and informational messages about the currently executing process or the operation last performed. Various components that are hosted within Proficy Workflow can also post messages about the results of operations and tasks in the Feedback Zone.

For more information, see Feedback Zone.

Data Sources

Proficy Workflow provides the ability to connect to external data sources to access the data contained within those applications.

When these data sources are configured, their data (for example, tags, displays, SQL statements) are used to bind to data items in equipment, workflows, and condition events. The available data sources and their uses are as follows:

Key Concepts

79

The Proficy Historian data source allows you to connect to Historian servers to read from and write to Historian data tags. You add Historian tags to Proficy Workflow and then use those tags as data sources throughout Proficy Workflow.

The Proficy Portal data source allows you to connect to Portal servers through Proficy Workflow. Portal servers allow you to read from and write to iFIX and OPC data items, and execute Portal SQL statements. The Portal server makes its displays available, which you can select and view using the Global Viewer, based on user credentials.

An OPC client provides direct access to data served by OPC Data Access (DA) servers without relying on Proficy Historian or Proficy Portal as a bridge between an OPC server and Proficy Workflow.

The Data Source Editor is used to select the data tags and other data items to be used when configuring data items, as well as when configuring connections to Proficy Portal servers, Proficy Historian servers, and OPC Clients.

NOTE:

You can add up to 3000 data items from each data source you connect to.

The Portal and/or Historian server you want to connect to must be on the same network domain or workgroup as the Proficy Workflow server.

You can configure each Historian and Portal server only once.

For information on working with data items, see Data Items.


NOTE: The Proficy Portal installation CD is included with the Proficy Workflow installation package. For information about Proficy Portal, see the Proficy Portal Real-Time Information Portal Getting Started guide and the Proficy Real-Time Information Portal online help.

Service Providers

Proficy Workflow provides the ability to connect to external applications, called service providers. These service providers allow you to publish and use the data in those applications within Proficy Workflow.

The Plant Applications service provider provides services to publish the Plant Applications plant model, product, and event resources, and to support operations relevant to the resources. Proficy Workflow clients can then browse Plant Applications resources, such as production lines and units, variables, products and events, and link to or call the interface functions to access Plant Applications data and event services.

In order to connect to Plant Applications, you must install a Proficy Host and the Plant Applications Service Provider. For more information, see Plant Applications Service Provider and Proficy Host.

One-Click Deployment

One-click deployment allows you to deploy Proficy Workflow to users without running a client installation on their computers. It also provides the ability for a client to update itself when the server is upgraded.

For more information, see One-Click Deployment.

Key Concepts

81

Forms and User Display Designer

The Designer is a graphical design application that allows you to easily create forms and user displays and publish them to the Proficy SOA Server where other authors can access and use them.

For more information, see Forms and User Displays.

User Solutions

Proficy Workflow provides the ability to create user-defined solutions. User solutions provide a way to organize the user displays that you create.

User solutions are displayed in the solution panel as separate and distinct solutions. When you create a user solution, it automatically appears in the solution panel.

For more information, see User Solutions.

Task List Controls

Workflow task controls can be integrated into existing HMI applications, such as Proficy HMI/SCADA CIMPLICITY and Proficy HMI/SCADA iFIX. Workflow tasks are displayed in your application so you can operate them from within these applications. You use the Task List and Task Indicator controls to interact with and view workflow tasks.

For more information, see Task Controls in Proficy HMIs.


Integrated Products–Workflow

Proficy Workflow is a user-configurable, dynamic, decision-making engine for integrating automated and manual business and production processes across system and departmental boundaries—promoting reliable, repeatable process execution.

Proficy Workflow consists of a workflow execution engine, which is the core component of Proficy Workflow's process management system. The engine is responsible for interpreting workflows, controlling multiple workflow instances, and sequencing subprocesses and activities.

Workflows consist of programs that can carry out complex activities, respond to events and data changes, and write values back out to the Proficy data models or through external connectors.

For more information, see Workflows.

User-Defined Activities

User activities allow you to develop and store standard and frequently used activities. They are configured in isolation, can be reused in various subprocesses, and have the capability of taking input and output parameters. When a user activity is used by a workflow or subprocess, it cannot be deleted. It also cannot be edited if a workflow that uses the activity is running. A subprocess may be composed of several user activities.

For more information, see User Activities.

Key Concepts

83

Reporting Database

Proficy Workflow includes an option to install a reporting database. This database can be used with any valid reporting tool, and allows you to build ad-hoc reports on up-to-date data that you synchronize from your production database.

For more information, see Reporting Database and Reporting Data Synchronization.

Proficy Host / Embeddable Proficy Host

Proficy Workflow provides support that allows service providers from other products in the Proficy product family, such as Proficy Plant Applications, to integrate and interact with a master Proficy SOA Server. This integration allows you to publish data from these products to the Directory of Resources and access it from within the Proficy Client.

Help

There are three ways to access the Proficy Workflow help:

Ribbon Bar: Click

F1: Click anywhere in the Proficy Client and press F1 on your keyboard.

Program Group: From the Start menu, point to All Programs, then Proficy, then Proficy Workflow, and then click Proficy Help.

There are several ways to use the help:


Table of Contents: The table of contents is organized into books and pages. Click a book or page to display its contents. Double-click a book to expand it and display the books and pages nested below it.

Index: To access the online help index, click the Index tab in the left-hand pane.

In the Proficy Workflow help index, you can search for topics by keyword. Type a keyword in the box, or select one from the list.

When you find the topic that you want, double-click it to display that topic. If more than one topic applies to the keyword, the Topics Found dialog box appears listing all topics that apply to that keyword.

Full-text Search: To access the online help full-text search, click the Search tab in the left-hand pane.

Use the Search tab to perform full-text searches in the help. If your search results include too many results, you can enter additional terms to narrow down the list. Click the button to add boolean terms to your search expression, such as AND, OR, NEAR, and NOT.

If you want to search for a specific phrase, enclose the phrase in quotation marks.


85


One-click deployment allows you to deploy Proficy Workflow to users without running a client installation on their computers. It also provides the ability for a client to update itself when the server is upgraded.

IMPORTANT: Before you can use one-click deployment, you must complete the following prerequisites:

.NET 4.0 Full Install must be installed on the computer where one-click deployment will be used.

The NetTCPPortSharing service must be enabled and started.

An administrator must run the WorkflowCertificates.msi file.

Security certificates cannot be deployed remotely. Therefore, before users can use the one-click deployment, an administrator user must run the WorkflowCertificates.msi file, which is located on the installation DVD. This executable file sets up Proficy Workflow security and the security certificates on the specific computer and must be run on each computer that will use one-click deployment.

MIME types must be added to each computer in order for the .manifest and .deploy files to work correctly. For more information, see the following:

http://msdn.microsoft.com/en-us/library/ms228998(VS.85).aspx

http://msdn.microsoft.com/en-us/library/ms752346.aspx






http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cd72c0dc-c5b8-42e4-96c2-b3c656f99ead.mspx?mfr=true

When an administrator installs Proficy Workflow on a server computer, the files required for the one-click deployment are installed when you perform a server installation.

On 32-bit computers, these files are located in a folder called Deployment in the following location:

<install dir>\Program Files\Proficy\Proficy Workflow\Program\Deployment

On 64-bit computers, these files are located in a folder called Deployment in the following location:

<install dir>\Program Files (x86)\Proficy\Proficy Workflow\Program\Deployment

An Administrator user must share this folder on the server computer and then users can access it through a web page. The file used for one-click deployment is:

ProficyClient.application

You can create a web page, a button, or any means of access you want to use to make one-click deployment available to your users.

Each time a user uses the one-click deployment, it checks for any code updates, such as patches and service packs, that have been applied to the server (and subsequently to the one-click deployment files) and applies those changes to the one-click client. This allows your users to always be working with the same version of code as the server.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cd72c0dc-c5b8-42e4-96c2-b3c656f99ead.mspx?mfr=true%20




87

After installing Proficy Workflow on the server computer, you can copy the Deployment folder to another location for users to access. If you copy the folder to another location, you must re-copy the folder whenever code updates are applied in order for users to get the updates.

IMPORTANT: Do not move the Deployment folder from its install location. If this folder is moved, code updates cannot be applied to it.


Supported Regional Settings

Proficy SOA supports the following regional settings available in the Windows Control Panel:

Decimal symbol - one character

Digit grouping symbol

List separator - one character

Time style

Time separator

Short date style

Date separator

NOTE: The decimal symbol and the digit grouping symbol cannot be the same character. Also, the time separator and the date separator cannot be the same character.

Formatting the Time and Date

Avoid changing the time style or short date style in regional settings to values that are outside of the standard styles provided. Changing these values to non-standard styles may result in improperly formatted times and dates in some parts of Proficy SOA.

Proficy SOA supports the following short date formats, some of which may not be available in certain language versions of Windows:

dd/mm/yy or dd/mm/yyyy

dd/yy/mm or dd/yyyy/mm

mm/dd/yy or mm/dd/yyyy

Supported Regional Settings

89

mm/yy/dd or mm/yyyy/dd

yy/dd/mm or yyyy/dd/mm

yy/mm/dd or yyyy/mm/dd

Formatting the Regional Language Setting

Avoid changing the language setting when Proficy SOA is running.

Setting the System Default Locale

The selected locale must be set as the system default.


Daylight Saving Time

In Proficy SOA, all dates and times are stored independent of time zones, in UTC format.

Special Keyboard Buttons

91

Special Keyboard Buttons

Some computer keyboards have special buttons for e-mail launch, Internet launch, search, and other functions. These keyboard buttons may disable certain key macros or allow users to circumvent Proficy SOA security measures.

We recommend that you reprogram or disable the software that operates such special buttons. Refer to your computer’s documentation for instructions on disabling these buttons.


SQL Server Backup and Restore

Proficy Workflow utilizes SQL Server 2008 or SQL Server 2005 to store information. In order to ensure that the integrity of the information is maintained, it is important to back up your database on a regular basis. In addition to backing up and restoring your Microsoft SQL Server database, maintenance plans can assist in keeping your systems up and running. Refer to your SQL Server manual or Microsoft's web site for additional information on backing up, restoring, and maintaining your SQL database.

Proficy Workflow Security

93


The Security feature is intended for system administrators who must configure and maintain security for Proficy Workflow.

This chapter explains the concepts of Proficy Workflow security and steps you through the implementation process.

Introducing Security

In some companies, access to the production configuration and management environment is available to everyone. In such an environment, changes to the data files and access to files and applications are not critical to the process. However, in other companies, these applications and data are available only to authorized personnel because they are critical to the process.

Proficy Workflow provides an integrated security program to assist you in protecting your process.

System Protection

There are different levels of security that you can implement to protect your system. On one level, you can control the security of your machines and buildings, as well as your processes. On another level, you can implement security for your operating system and your network using firewalls, passwords, and filters.

You can also protect your data from unauthorized changes by restricting access to your system. The information in this section focuses on the security in Proficy Workflow, not your operating system or network.


Logging into Proficy Workflow requires a login name and password. Depending on your configuration, this data can be the same or separate from your Windows® login name and password. For more information on Windows login, refer to the Windows Security section.

Security is user-based, meaning operators cannot access anything unless you assign access to the specific areas.

Proficy Workflow security is flexible and easy to use, allowing you to assign operator rights, login names, and passwords. Refer to the Personnel model for more information about configuring your users, groups, and key sets.

Security Concepts

Before you restrict access to Proficy Workflow features, you need to understand how security works. The security concepts described here are described in more detail in the Understanding Security chapter. For information on implementing the concepts, see the Personnel model section.

People - allow you to define security credentials and properties that are specific to an individual user. Security credentials and properties are defined in the S95 Model Editor.

Key Sets - allow you to assign permissions to users who hold a specific key set. In addition, key sets inherit permissions from their child sets. Proficy Workflow provides the following predefined high level key sets:

Guest

S95 Configurator

Workflow Author


95

The S95 Configurator key set includes the following child key sets:

Equipment Configurator

Material Configurator

Personnel Configurator

The Workflow Author key set includes the following child key sets:

Workflow Builder

Workflow Manager

Workflow Supervisor

Workflow Operator

You can also create your own key sets at any level.

Groups - allow you to create groups of users who share the same key sets. Proficy Workflow provides the predefined groups Administrators, Guests, and Windows Users.

Client Access - allows you to configure automatic login and logout, lockdown mode, default startup options for an individual workstation, and user overrides.

Security Status

Proficy Workflow security is always enabled. This prevents any unauthorized users from accessing or modifying any part of the system.

With security, all users must log in with their user accounts to gain access to the areas they have been given permissions to.


Understanding Security

Your main design goal when developing a Proficy Workflow security strategy is to effectively use the Proficy Workflow security configuration. Proficy Workflow simplifies security configuration by abstracting the three main areas that are constantly changing in a plant or facility. These main areas are:

people/personnel

equipment/machinery

operational hierarchy of the people

New personnel are hired and some retire in an organization. Machinery is added, replaced, and updated. People are promoted; for example, from being an operator to a supervisor, and so on.

Proficy Workflow security accommodates all of these cases using three different constructs.

People can be configured in groups; for example, Production Group, Maintenance Group.

Machinery is modeled with the Equipment model using the S95 Model Editor, which defines a plant in a hierarchical fashion. An Enterprise can have multiple sites and sites can have multiple areas, and so on.

An operational hierarchy can be defined as a set of keys that each person can hold. For example, an Operator can have keys to Start and Stop a workflow. A Supervisor can have additional keys to Create and Delete a workflow.


97

The first step in configuring security is to add people (users) to the system, then configure groups, and then define the key sets. Only an Administrator user can define these three fundamental pieces of security configuration. An Administrator user is created when Proficy Workflow is installed.

After the groups and key sets are defined, security can be applied to any resource in the system. For example, a group can be granted a key set on a resource such as an Enterprise in the Equipment model. Any user who belongs to the configured group will then, upon logging in to the Proficy Client, have the rights granted by the key set on the Enterprise.

Using groups minimizes the amount of work needed to create similar users while providing you with flexibility and power. For example, when a new user comes in the plant, the user can simply be added to an existing group and will automatically inherit all the rights defined for that group.

In the following example, John, Dave, Tim, and George are all line operators. Their needs are summarized in the table.

User Name Key Set Permissions

John Workflow Permissions

Execute Workflows, Execute Schedules, Perform Tasks

Dave Workflow Permissions


Tim Workflow Permissions


George Workflow Permissions



Since each line operator requires access to the same permissions, it is possible to create a group called Line Operators that provides these privileges. After you create the group, you can assign it to each line operator, as the following figure shows.

Users

Proficy Workflow identifies each user with a login name, a password, and an optional e-mail address. Users can belong to one or more groups. When a user belongs to a group, he or she inherits all the key sets assigned to the group. The user can have separate key sets in addition to the group key sets.

When you are designing your security plan, always include the full name, login name, and password for each user. If you plan to use Windows security, you should also include the domain name if you want to store the user information on a domain controller.


99

Groups

You can simplify security configuration significantly if you take the time to assess your users’ needs. If the security requirements at your site do not warrant such an effort, use the default groups provided. These groups provide you with a simpler approach to implementing security. For example, the default groups define functional roles in a manufacturing facility. The default groups are:

Administrators

Guests

SSO Users

Windows Users

Key sets are assigned to groups only; you cannot assign key sets to individual users. This assigns common key sets needed by two or more users performing similar tasks. Configuring your groups in this way provides a modular approach that is easy to maintain.

NOTE:

The SSO Users group should be used if you are using GE Single Sign On security.

The Windows Users group should be used if you are using Windows authentication.

For example, in the following figure, the Supervisors group defines access to the equipment model to create and edit equipment resources. These permissions define the common security rights shared by all users in the group.


Create Groups and Users

You can create groups and users by selecting the Groups and People resource types from the Personnel model and then adding them to your resource list. You then configure either the Group or User properties found in the Security Editor and S95 Model Editor. If you are creating a user, you must also configure the user's security credentials.

For a user, you can modify the assigned groups, and set the password for this user.

For detailed information on creating and configuring your group and user accounts, see the Personnel model.

Modify Groups and Users

As group and user responsibilities change, you may find it necessary to modify them.

NOTE: When operators log in, their group assignments and user information reside in memory. As a result, changes to groups or user information do not take effect until the user logs out and logs in again. By logging in again, the operator forces Proficy Workflow to re-read the information.


101

Delete Groups and Users

You can delete groups and users that you no longer need. Deleting a user that automatically logs into Proficy Workflow on an individual workstation also deletes the access and layout configuration defined for that user account.

For more information, see Computers: Client Access and Layouts.

Design and Plan Security

Since security is enabled when you install Proficy Workflow and cannot be disabled, you should plan and design all required users and groups before you deploy Proficy Workflow.

When you install Proficy Workflow, you are prompted to create an Administrator user. This allows you to log in as the administrator and begin creating users and groups. Proficy Workflow provides default groups and key sets that you can examine to learn how to create your own users and groups.

After you have logged into Proficy Workflow as the newly created Administrator user, you can create one or more additional users who have a key set assigned to them that allows them to configure personnel resources for your facility. You can also create users who have a key set assigned that allows them to configure security aspects, such as configuring and assigning groups and/or key sets. These can be the same or different users, but if they will have security privileges, they must be accounted for in your security plan.


Your security design plan should include all of the information that you need to configure your personnel resources. For example, if you have a set of users that all perform the same tasks, you can create a group and add each of those users to the group. You can then assign key sets to the group and all members of the group inherit the permissions configured for those key sets.

By designing a well-defined security plan, you can build a security system that provides all of the permissions and access that your employees need to perform their assigned facility operations.

For information on logging into Proficy Workflow, see Login and Logout.

Assign Key Sets

After you create your groups and add users, you assign the appropriate key sets to the groups.

For example, consider the users Dave, George, and Tim, who are all members of the Operator A group. All three users need access to Storage Zone A, while Tim needs additional access to Storage Zone B. In order for Tim to have access to Storage Zone B, he must be a member of the group Operator B, which has the key set for Storage Zone B assigned to it.


103

For more information on assigning key sets, see Security Configuration.

Login to Individual Workstations

You can configure a default user and enable automatic login to an individual workstation. If you configure and enable automatic login, then when the Client starts, it displays the layout configured for the default user account.

For more information, see Login and Logout.

Limit Login Time

Proficy Workflow allows you to enter a login time-out interval when configuring a default login account on an individual workstation. This interval limits the length of time an operator can remain logged into Proficy Workflow without any user activity.

With this feature, you can configure Proficy Workflow to automatically log out operators who forget to do so at the end of their shift.


This feature does not eliminate the need to manually log out when an operator finishes using Proficy Workflow, particularly if you have strict security requirements. If you decide to use this feature, consider it as a safety mechanism that prevents operators from remaining logged in indefinitely.

For more information about automatic logout, see Login and Logout.

Using Security

Operators can log into Proficy Workflow manually or automatically. By logging in, operators identify themselves as Proficy Workflow users and gain access to resources that they are authorized to use.

Manual Login and Logout

Operators can log into Proficy Workflow manually using the Login dialog box. When the login dialog box appears, it allows operators to enter their login name and password.

Windows passwords are case sensitive.

NOTE: Each time an unsuccessful attempt is made to access the Proficy Workflow system, a message is sent to the log file.

Password Expiration Considerations

When Proficy Workflow security is synchronized with Windows security, passwords can expire. If the Windows password has expired, the user is notified and prompted to change the password. If the Windows password is about to expire, a notification message displays, reminding the user to change the password.

For more information about synchronizing Proficy Workflow security with Windows security, see Windows Security.


105

Security Log File

Proficy Workflow security generates a log of security-related actions taken by Proficy Workflow users. The security log file resides in the default log path and is called ProficySTS.LOG.

The information in the log file is displayed in chronological order. The security log file is a cumulative file; that is, all new security-based actions are appended to the bottom of the file. To avoid the log file growing too large, it is set to a maximum of 2 MB. If the content grows larger than that, it automatically deletes the oldest information to accommodate the new. You can also manually delete old information from the file.

By reviewing the log file, you can learn about:

who logged in and out.

unsuccessful attempts to access Proficy Workflow.

when someone attempted to access an area they had no privileges for.

Windows Security

You can connect Proficy Workflow users to Windows user accounts. This allows you to use your existing Windows user accounts for password validation. Only domain Windows accounts are supported.

You also gain the following advantages of Windows security:

Case sensitive passwords

Passwords that expire

Online password changes


Ability to specify minimum password requirements

Account lockout

A user can log into Proficy Workflow by entering his or her Windows user name and password. Proficy Workflow sends this information to Windows for authentication. If the user's account specifies a Windows domain name, the user name and password are sent to a Windows domain controller for authentication. If Windows verifies the user name and password, Proficy Workflow completes the login process. Otherwise, it logs an error. For more information about logging into Proficy Workflow, see Using Security.

For information on setting up Windows user accounts for use in Proficy Workflow, see Configuring Windows User Accounts.

Configuring Windows User Accounts

When you are setting up Windows user accounts for use with Proficy Workflow security, you should configure the passwords and set account lockout thresholds.

Setting passwords to expire

One of the benefits of using Proficy Workflow with Windows security is that you can set Windows passwords to expire.

Configure the local password expiration policy

1. In the Control Panel, from the Administrative Tools folder, double-click Local Security Policy. The Local Security Settings window appears.

2. Expand the Account Policies folder.

3. Select Password Policy. The password policies display in the Policy list.


107

4. Double-click Maximum password age. The Maximum password age Properties dialog box appears.

5. In the Password will expire in field, set the number of days after which passwords expire.

6. Click OK.

Limiting the number of invalid login attempts

When a Proficy Workflow user is connected to a Windows user account, the application developer can set an account lockout threshold, which prevents a user from accessing the account after he enters the incorrect user name or password beyond the number of acceptable times. When the account lockout threshold has been reached, the account is disabled.

Limit the number of invalid login attempts

1. In the Control Panel, from the Administrative Tools folder, double-click Local Security Policy. The Local Security Settings dialog box appears.

2. Select the Account Policies folder.

3. Select the Account Lockout Policy folder. The account lockout policies display in the Policy list.

4. Double-click Account Lockout Threshold. The Account lockout threshold Properties dialog box appears.

5. In the Account will not lock out field, enter the number of invalid login attempts before the account is disabled.

6. Click OK.


Adding user accounts that log into Windows

When you use Windows security in Proficy Workflow, user accounts that need to log in to a machine must have the Act as Part of the Operating System right enabled in the local security policy.

Add the Act as Part of the Operating System right

NOTE: User accounts that are not used to log in to Windows should not have this right.

1. In the Control Panel, from the Administrative Tools folder, double-click Local Security Policy. The Local Security Settings dialog box appears.

2. Select the Local Policies folder.

3. Select the User Rights Assignment folder.

4. In the Rights list, double-click Act as Part of the Operating System. The Act as part of the operating system Properties dialog box appears.

5. Add the users that you want to have this right to the list, and then click OK.

6. Log out of Windows and log in again for your changes to take effect.


109

Domain Users Logging into Windows

If you are using Windows user names and passwords within Proficy Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under Local Security Settings. By default, this policy is assigned to the groups Users and Everyone on the local machine. If the domain policy overrides the local policy settings by removing these groups, then the Windows user names and passwords will fail with insufficient rights when trying to log in from Proficy Workflow. If domain administrators want to restrict this right, then they must do one of the following tasks in order to continue to use Window user names and passwords within Proficy Workflow:

Create a Domain Group that contains all the Domain Users that will be used within Proficy Workflow security, add this group to the domain policy Access this computer from the network, and deploy this policy to all machines running Proficy Workflow.

Add the Domain Users group to the domain policy Access this computer from the network, and then deploy this policy to all machines running Proficy Workflow.

Add Authenticated Users to the domain policy Access this computer from the network, and then deploy this policy to all machines running Proficy Workflow. Be aware that this group requires each user to log on to the domain at least once to be considered an authenticated user.

Leave at least the Users group in the domain policy Access this computer from the network. If you choose this option, be aware that the Anonymous user and the Guest user are not part of the Users group.


Contact Information

If you purchased this product through an Authorized Channel Partner, please contact the seller directly.

General

Online technical support & GlobalCare: www.ge-ip.com/support Comments about our manuals and online Help: [email protected] Additional information: www.ge-ip.com Solution Provider: [email protected] Authorization: [email protected]

Technical Support

If you have technical problems that cannot be resolved with the information in this guide, please contact us by telephone or e-mail, or on the web at www.ge-ip.com/support.

Americas

Online technical support: www.ge-ip.com/support Telephone: 1-800-433-2682 International Americas direct dial: 1-434-978-5100 Technical support e-mail: [email protected] Customer care e-mail: [email protected] Inside Sales: [email protected] Primary language of support: English

Contact Information

111

Europe, Middle East, and Africa

Online technical support: www.ge-ip.com/support Telephone: +800 1-433-2682 Technical support e-mail: [email protected] Customer care e-mail: [email protected] Inside Sales: [email protected] Primary language(s) of support: English, French, German, Italian, Czech, Spanish

Asia Pacific

Online technical support & GlobalCare: www.ge-ip.com/support Telephone: +86-400-820-8208 +86-21-3217-4826 (India, Indonesia, and Pakistan) Technical support e-mail: [email protected] (China) [email protected] (Japan) [email protected] (other Asian locales) Customer care e-mail: [email protected] [email protected] (China)