You configure user groups, users, and authorizations with the user administration.
Authorizations restrict security-related operations to specific user groups. To do this, set up access protection for the operating element; then only a user assigned to a user group with the relevant access rights can perform the operation using this object (Fig. 16.15).
Examples of user groups with different privileges include: Administrators or Service engineers who have unlimited access, Technicians who are permitted to make set- tings in the process or on the machine, and Operators who are responsible for the production process.
Configuration procedure
1) User groups are defined during the configuration phase. If users are already known at this point in time, they can be included in a user group. Users can also be assigned to the user group during runtime by means of the User view.
2) Define privileges, and assign the corresponding privileges to each user group.
3) During configuration of the operator-accessible object, set the privilege with which this object can be accessed in the properties under Security. This means that a user can only operate this object during runtime if he or she is included in the corresponding user group.
Configuring users and user groups
To configure the user administration, double-click in the project tree under the HMI station on User administration and select the User groups tab in the working win- dow. The Administrator group and Users user groups are always present in the top Fig. 16.14 Structure of the Data record area pointer
Data record area pointer Value of status word Current recipe number (1 … 999)
Reserved Transfer busy
Status (0, 2, 4, 12) Successfully completed
Reserved Completed with errors
Current data record number (1 … 65 535) Transfer permissible
Word 1 Decimal Binary Meaning
Word 2 0 0000 0000
Word 3 2 0000 0010
Word 4 4 0000 0100
Word 5 12 0000 1100
Data record area pointer
The data record area pointer is used to synchronize the transfer of a recipe data record.
It can be created in the PLC station as a tag of data type ARRAY [1..5] of UINT.
table Groups. The privileges Operate, User administration and Monitor are always present in the lower Privileges table.
To enter a new privilege, double-click on <Add> in the Privileges table. You can set the privilege properties in the inspector window. The name and number must be unique in the HMI station. The name of a privilege is freely-selectable, but should indicate the access privilege. The name is displayed in the user administration.
Explain the privilege in the comment field.
To enter a new user group, double-click on <Add> in the Groups table. Set the user group properties in the inspector window. The name and number must be unique in the HMI station. The name of a user group is freely-selectable, but should indi- cate the group characteristics. The name is displayed in the user administration.
Describe the user group in the comment field.
Fig. 16.15 User administration elements User 1 User group 1
User 2 User 3
User group 2 User group 3 User view
User 1 Password 1
User 2 Password 2
User 3 Password 3
User group 1
Operator-accessible object 1 Operator-accessible object 2 Operator-accessible object 3
Privilege 1
Privilege 1 Privilege 2 Privilege 3 Privilege 2
Privilege 2 Privilege 3
Privilege 1
Privilege 3 User group 2
User group 3 User administration
An HMI station is provided with access protection which protects against unauthorized operation during runtime. Safety-related operations can be restricted to special user groups.
The user view is used to administer the users during runtime (create and delete users, assign privileges).
Each user has a password.
Each user is assigned to a user group.
A user can have any name.
A privilege is assigned to each operator- accessible object during configuration.
Different objects can have the same privileges.
A privilege can have any name.
Privileges are assigned to each user group. Several privileges can be assigned to a user group.
A user group can have any name.
If a user logs in with his or her password during runtime, the user group to which he or she is assigned allows him or her to access those objects which have the same privileges.
On
To assign privileges to a user group, select the user group and activate the corre- sponding privileges in the Active column in the Privileges table.
In the Users tab, configure the users in the top table Users. One user Administrator is already present. Double-click on <Add> and enter the properties of the next user in the inspector window. The name and number must be unique in the HMI station.
Assign a password and confirm it. A user can change his or her own password during runtime.
To assign the user to a user group, select the user and then the user group in the Member of column in the Groups table. You can assign a user to exactly one user group. In the inspector window, you can set in the user properties under Automatic logoff the number of minutes after which automatic logging off is to take place.
Configuring access protection for control elements
The privileges created in the user administration must be assigned to the control elements protected against unauthorized access. Objects with access protection are the date/time field, the I/O field, the graphic and symbolic I/O fields, the switch, the button, and the recipe view.
In order to configure access protection for a control element, open the process screen and select the control element. In the inspector window, select the privilege under Properties and Security, and define whether operator access is permissible.
Configuring the user view
The user view is used to configure and administer users and privileges during run- time. The user view is configured in a process screen. Open the screen and use the mouse to drag the user view from the Tools task card under Controls into the screen.
Set the user view properties in the inspector window.
Runtime settings for user administration
Use the Runtime settings editor under an HMI station in the project tree to configure the security settings of the user administration during runtime. Start by double- clicking on the editor, and select the User administration section in the runtime set- tings.
Under General you set the number of permissible invalid login attempts by a user before the user is assigned to the Unauthorized group. If the Logon only with pass- word checkbox is activated, users are not required to enter a user name when log- ging in.
Under Hierarchy level you can activate the group-specific privileges for the user ad- ministration. This means that an administrator can only administer those users during runtime whose group number is smaller than or equal to his or her own number, and only assign a user to a user group whose number is smaller than or equal to his or her own group number.
Under Password, you can activate the password aging. You can set the number of days for which a password is valid, and the preliminary warning time before a change in password becomes necessary. Password generation is understood to be the number of past passwords before a certain password can be repeated. With password aging activated, the Password aging column can be edited for the user groups (User administration editor in the Users tab and Groups table).
Under Password complexity you can set the minimum password length and also specify whether a password must contain digits and/or special characters.