NI DataFinder Server Edition - Setting the Security on Your DataFinder

Updated Aug 25, 2020



  • DataFinder Server

Table of content:
1. Activating security
2. How Does Security in NI DataFinder Server Edition Work?
3. What Boundary Conditions Apply?

Activating security

Restrict the access to DataFinder by simply activating a checkbox in the configuration dialog – that’s all. You can define the security settings in two places within the NI DataFinder Server Manager.

Option 1 - Setting up Security on a New DataFinder Server:

When configuring a new DataFinder Server, set up your new search area and click on the Advanced tab.

Figure 1. Select the Advanced tab to enable security on a new DataFinder Server.

Then navigate to the Security section and select the check-box to enable security.

Figure 2. Enable security on a new DataFinder Server with one click.

Option 2 - Setting up Security on an Existing DataFinder Server: 

For an existing DataFinder server you have set up, you can enable security by navigating to  Settings » Configure…Then click on the General tab and you can choose to enable security.

Figure 3. Enable security on an existing DataFinder server with one click.

How Does Security in NI DataFinder Server Edition Work?

DataFinder Server Edition’s built-in security is based on Windows Active Directory’s Cerberos and allows mutual authentication of LabVIEW or DIAdem clients and the DataFinder server. This technology allows DataFinder to provide single sign-on (SSO) – meaning neither a username nor a password are required, the already entered Windows user credentials are re-used. This is neither insecure nor uncommon – it’s the same technology used by your email client (if it supports single sign-on) or using Windows Explorer to explore files on a file server’s file share.

When activating security in DataFinder Server Edition, DataFinder scans the access restriction of the file shares specified as DataFinder search areas. If the user of a LabVIEW or DIAdem client has read-access to a search area, the data stored in that search area are provided to the client when browsing or querying. If a client does not have read-access to at least one search area, the access of that client to the DataFinder server is denied.

After enabling security, the Edit... and Import… buttons will become available. The Edit button will open the Windows dialog box Permissions for (DataFinder name), where you can specify the security settings of a search area to the selected DataFinder server.

​​​​​​Figure 4. You can manage security permission for any user with the Permissions dialog box. 

The Import button opens the Windows dialog box Select Search Area, where you can apply the Windows security setting of a search area to the selected DataFinder Server.

What Boundary Conditions Apply?

As mentioned above DataFinder’s built-in security is based on Windows Active Directory. If your computer network is based on a different directory service than Active Directory, DataFinder’s built-in security does not work at all (in this case you even cannot activate security).

Furthermore DataFinder needs to be able to retrieve the access control lists (ACL) of the individual search areas as defined for that specific DataFinder server. In some network environments those ACLs cannot be retrieved for various reasons. In this case those search areas cannot be accessed if security is turned on. If this applies to all search areas, clients cannot access DataFinder; in this case turn-off security.

Another reason why DataFinder may not be able to retrieve the needed ACLs from the shares is missing permissions of the DataFinder itself. The user that executes the DataFinder must belong to the group of power users or administrators on all the computers that have search areas. If in doubt, please ask your system administrator. In case the user that executes DataFinder cannot be a power user or administrator on all computers that have search areas, you may try the “File system only” option. This option only works as expected when the rights to access the search areas are granted to the file system level of the specific computers and when all users have read access to the shared level. Otherwise in the situation when a specific client has read access for the file system, but no rights for the specific share, this user can browse and query the data in DataFinder, but cannot load the data with the DataFinder clients.

Here’s a more specific example:

Consider a file server "MyFileServer" with a volume d:\ and the folder d:\data containing all files.

To read and write data to the file server a "share" will be defined, for instance \\MyFileServer\data.

Access rights can be defined on both ends, the data folder d:\data (file system) and the share \\MyFileServer\data.

Now consider a user "admin" with read/write access to the data folder and the share, a "local_admin" with read/write access to the data folder only and a user "engineer" with read access to both.

Lastly consider the share to be added as search area for DataFinder.

When DataFinder security is turned on for "share and file" only the "admin" and the "engineer" can see and load files from the search area, whereas the "local_admin" cannot see files of that search areas (and if this is the only search area "local_admin" even cannot log in).

When DataFinder security is turned on for "file system only" all three user can see the files in DataFinder while "local_admin" still cannot load the data.

Please note, if a search area is declared with a local path or with a connected drive, and the security settings are activated, the client cannot see the search area.