AVEVA™ Products Feedback Portal


Status Planned
Portfolio area Enterprise SCADA Server
Products Security and DMZ
Created by Julian Reyes Riveros
Created on Jun 15, 2023

Add 'Workstation Administrator' Role to Active Directory

Big Picture User Experience

Following the Principle of Least Privilege, AD tiering and now the Enterprise Access Model, add a 'Workstation Administrator' role to Active Directory to enable a separation of duties between server administrators and desktop/workstation administrators.


Detailed Description

Customers require the ability to separate those that only need to administer workstations from those that also administer the servers.

This new role would be allowed to:

  • Install and configure new workstations, as well as reinstall and replace existing workstations.

  • Troubleshoot workstation-related issues, including shutting down and rebooting workstations.

  • Join workstations to, and remove them from, the domain.

The new role should be:

  • a member of the local Administrators group

Customers wish to be able to assign users with this role into custom AD groups. It has been noted that this may not be possible due to restrictions in place.

AIT uses local administration on the first DC to build the domain and run OADC, which creates the dnaInstaller account.

AIT then uses dnaInstaller to install servers and workstations and to promote the secondary DC, i.e. it performs configuration in tiers 0, 1 and 2.

All accounts and groups are then moved into a tier and restricted to that tier.

dnaInstaller goes into tier 1, meaning that it cannot be used to install into tier 2.

We need an administrative role with sufficient privileges that is limited to tier 2.
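As an added illustration of what such a tier 2 role looks like in practice (example code, not AVEVA or AIT code), the following PowerShell creates the role group in a tier 2 OU, grants it local Administrators on a workstation, and audits that no tier 0/1 identity (such as dnaInstaller in tier 1) holds the role. The OU paths, domain names, workstation name and group name are assumptions.

```powershell
# Added example, not AVEVA/AIT code. Requires the RSAT ActiveDirectory module on a
# tier 2 admin host; OU paths, domain names and group name below are assumptions.
Import-Module ActiveDirectory

$NetBiosDomain = 'EXAMPLE'                                        # assumption
$Tier2AdminOU  = 'OU=Tier 2,OU=Admin,DC=example,DC=local'         # assumption
$RoleGroup     = 'Workstation Administrators'                     # assumption
$ForbiddenOUs  = @('OU=Tier 0,OU=Admin,', 'OU=Tier 1,OU=Admin,')  # assumption: tier 0/1 OUs

# 1. Create the tier 2 role group (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'" -SearchBase $Tier2AdminOU)) {
    New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security `
        -Path $Tier2AdminOU -Description 'Tier 2: workstation administration only'
}

# 2. Make the role a local administrator on one workstation. In production this
#    belongs in a GPO applied to the workstation OU; shown here with the
#    LocalAccounts cmdlets so the effect is explicit.
function Grant-WorkstationLocalAdmin {
    param([Parameter(Mandatory)][string]$Computer)
    $member = "$NetBiosDomain\$RoleGroup"
    Invoke-Command -ComputerName $Computer -ArgumentList $member -ScriptBlock {
        param($Member)
        $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        if ($current -notcontains $Member) {
            Add-LocalGroupMember -Group 'Administrators' -Member $Member
        }
    }
}

# 3. Audit the tier boundary: nothing from tier 0/1 (e.g. dnaInstaller) may hold
#    the tier 2 role, directly or via nested groups.
function Test-TierBoundary {
    $members    = Get-ADGroupMember -Identity $RoleGroup -Recursive
    $violations = @($members | Where-Object {
        $dn = $_.DistinguishedName
        [bool]($ForbiddenOUs | Where-Object { $dn -like "*$_*" })
    })
    foreach ($v in $violations) {
        Write-Warning "Tier violation: $($v.SamAccountName) ($($v.DistinguishedName)) is in '$RoleGroup'"
    }
    return ($violations.Count -eq 0)
}

Grant-WorkstationLocalAdmin -Computer 'WS-OPS-01'   # assumption: a tier 2 workstation
if (Test-TierBoundary) { Write-Host "Tier 2 role '$RoleGroup' respects the tier boundary" }
```

Running Test-TierBoundary on a schedule turns the "restricted to that tier" requirement into a checkable control rather than a one-time configuration step.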

Acceptance Criteria

Ability to assign the new Workstation Admin role to existing DNA users.

Ability to assign users with the new Workstation Admin role to custom AD groups.


Business Value

Security is evolving, and this practice aligns with best practices from Microsoft, who call it "AD Tiering".

The best way to protect your systems is to ensure that privileged AD accounts are never used for administration of devices that don’t have the same level of trust as domain controllers.

https://www.beyondtrust.com/blog/entry/protect-privileged-active-directory-credentials-using-tiered-administrative-model


Target Version

Target version for this feature: TBD

Version the customer is on or consuming: Various


Customer, Project, and Deadline Details

Customers (names/projects) that will consume this:

Three customers are already doing this via project-customised AD/GPOs.

Request is to ship new product with this design.

Deadlines and Commitments: None.

Commercial and/or Contractual Impacts: None identified, although we may already be marking compliance to this as a requirement in tenders.


Customers System / Architecture

Size: Small, Med, Large

Topology: Single site, Multi Site, and Enterprise

Any Unique configuration to note?: No.

Has this functionality been delivered before?: Yes - see above.


Out of Scope


Assumptions

This is possible without dramatically changing the existing AD/GPO design.


Dependencies

AIT

Another new role has been requested: the ability to request a POLL from a read-only user in the DSS.

ES2023 will have considerations for installing into existing Enterprise SCADA domains.


Upgradability

The new role can be added to an existing domain without breaking the existing system.

Using the new role on the latest version of Enterprise SCADA in the same domain as older versions will be documented as either supported with manual steps if required, or not supported.


PSR - Performance, Scalability, Resilience

Important PSR aspects for this feature? None.

What if there are 10,000 of these? n/a

How quickly is this expected to react/respond? n/a

Does this impact failover / mode switch? no

Is this assumed to have performance impact, or not? no


NFR - Non-Functional Requirements

Operating System: OS2022

Other AVEVA products: none

3rd Party products: none

CPU / Memory / Disk requirements/constraints: none.


Risks/Mitigations

None

Work in: OASYS-417 Add 'Workstation Administrator' Role to Active Directory