Contents
Training aims
User Administrator Introduction
User Administrator Defining authorization levels
User Administrator Defining user groups and their rights (example 1)
User Administrator Defining user groups and their rights (example 2)
User Administrator Assigning users and user groups
User Administrator Group rights and user rights
User Administrator Editor Authorization levels
User Administrator Editor Groups
User Administrator Editor Users
User Administrator Access protection
User Administrator Logging in and out of operators
User Administrator UserAdminControl - User administration in runtime
Exercise 1: Adapting authorization levels
Exercise 2: Defining user groups and their rights
Exercise 2: Defining user groups and their rights
Exercise 3: Creating users
Exercise 4: Buttons for logging users in/out
User Administrator SilentLogin in runtime SIMATIC Logon
SITRAIN Training for
ST-BWINCCS
The participant will:
• Be able to create and change authorization levels
• Know the relationship between user groups and users
• Be able to protect any objects in pictures
• Know the options for logging users in and out
General information
With the User Administrator, the assignment and management of access rights preventing unauthorized access can be configured; in other words, all operator input to the process, the archives and the WinCC system can be blocked to prevent unauthorized access. If no user is logged in or the user does not have adequate rights, the operator input will not be executed and the box shown above is output. Examples of operator input are changes to setpoints, recipes, selecting pictures or calling up the configuration software from process mode. There are different access levels which allow the setup of a hierarchical access protection scheme, such as exclusive authorizations for individual operators.
Authorization levels
Up to 999 of your own authorization levels can be created. The names of your own authorization levels can be freely selected. As of ID 1000, there are system-defined authorization levels that cannot be changed by the configuration engineer. As long as no operator control objects are protected by authorization levels, the authorization levels have no effect in runtime.
Example 1
Here, an example of hierarchical access protection is shown. For more important operator input, a higher authorization level is required. If the operator logs in with a "level 3" authorization, he or she also has the authorizations below this level.
Example 2
This example shows different authorization levels assigned independently of each other. This principle is often used in WinCC projects. How these two principles are implemented in WinCC is explained on the following pages.
Example 1
Here, you can see how hierarchical access protection can be configured. Four user groups are defined. The lowest group "Operator" only has authorization for "Level 1". The next group up "shift supervisor" has the authorization for "Level 1" and "Level 2", the "process engineers" have access at "Level 1" to "Level 3" and the "service" group has all authorization levels and can therefore access all protected objects.
Example 2
This shows the second principle with different authorization levels independent of each other. The names of the authorization levels are selected so that they describe the subsequent options. Once again there are four user groups. The authorization levels can however be assigned completely freely.
Procedure
After practical user groups have been defined, the operators of the plant need to be assigned to one of these groups. A user can only be in one group; a group, on the other hand, can contain several users.
Rights
With the assignment of a user to a group, the user inherits the group rights. This allows more effective configuration. Following this, individual users can be assigned additional rights (in the example above, the user "A. Schmidt" receives the additional right "Change controller settings"). It would also be possible to take rights away from individual users.
The question is now whether the group rights of a user or the rights assigned to the user (user rights) take effect in runtime. In WinCC, the rights assigned to the user are always decisive. Exception: When using the option SIMATIC Logon, the group rights are relevant.
If the rights of a group are changed (in the example above the group "process engineers" has an extra right assigned), this does not affect the existing users of this group. Only when new users are created do they inherit the current rights.
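The behaviour described above can be modelled in a few lines to show why existing users drift away from their group after a group change. This is an added example, not WinCC code or part of the original training material; the group membership of "A. Schmidt", the right named "Extra right" and the reading that group rights replace user rights under SIMATIC Logon are assumptions of this model.

```python
# Added illustration: a simplified model of the behaviour described above, not WinCC code.
from dataclasses import dataclass

@dataclass
class Group:
    name: str
    rights: set

@dataclass
class User:
    name: str
    group: Group
    rights: set

def create_user(name, group):
    # A new user receives a copy of the group's current rights.
    return User(name, group, set(group.rights))

def effective_rights(user, simatic_logon=False):
    # User rights decide in runtime; in this model, with SIMATIC Logon
    # the group rights are used instead.
    return set(user.group.rights) if simatic_logon else set(user.rights)

def may_operate(user, required, simatic_logon=False):
    # Input is blocked when nobody is logged in or the right is missing.
    return user is not None and required in effective_rights(user, simatic_logon)

def drift(user):
    # Differences between a user's own rights and the group's current rights.
    return {"extra": user.rights - user.group.rights,
            "missing": user.group.rights - user.rights}

def build_demo():
    # Constructed sample data; group membership and "Extra right" are assumptions.
    engineers = Group("process engineers", {"Level 1", "Level 2", "Level 3"})
    schmidt = create_user("A. Schmidt", engineers)
    schmidt.rights.add("Change controller settings")  # individual additional right
    engineers.rights.add("Extra right")               # group changed afterwards
    newcomer = create_user("New user", engineers)     # created after the change
    return engineers, schmidt, newcomer

if __name__ == "__main__":
    _, schmidt, newcomer = build_demo()
    for u in (schmidt, newcomer):
        print(u.name, drift(u))
```

A non-empty `drift` result for a user is the signal to review that account after any change to group rights.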
Starting the editor
The editor is started as usual by double-clicking in the WinCC Explorer. Depending on the selection of a level in the navigation area, the corresponding options are displayed in the middle window (table). If, for example, you select the highest level "User Administrator", the tabs "Groups [all]", "Users [all]" and "Authorization levels [all]" are displayed.
New Group
A further user group can be created using the shortcut menu (see figure) or in the "Groups [all]" tab.
Editor
Depending on the selection of a level in the navigation area, the corresponding options are displayed in the middle window (table). Here, the "Operator" user group was selected. This allows the authorizations of this group to be enabled in the Authorizations tab. Changing e.g. the name of the group is not possible here. The "Users" tab shows all the users of this group.
New User
A further user can be created using the shortcut menu (see figure) or in the "Users [Operator]" tab.
Properties
Here, an automatic logout can be set. This property is inherited by new users of this group.
User
If a user is selected, only the "Authorizations" tab is shown in the table area. These relate to the selected user.
Properties
Here, for example, an automatic logout after an absolute time or after an inactive time can be set. In the example above, no password has yet been assigned.
Assigning authorizations
To prevent manipulation of graphics objects (e.g. button, slider, I/O box, check box etc.), the relevant graphics object must be protected. This is achieved by setting one of the configured authorization levels in the property Miscellaneous/Authorization.
Configuration
Hotkeys can be defined for logon and logoff; see the example in the figure above. With an operator input such as Ctrl L, you call up a system box in the runtime system in which you enter the login name and the password, so that as the user you have password-protected access. With Ctrl O, for example, you log off again so that no one can access protected objects after you. The login name and password are assigned with the User Administrator editor.
Note
In the example above, no hotkey has yet been defined.
UserAdminControl
This control is available as of WinCC V7.3. Here, properties of users (e.g. passwords) or the authorization levels can be changed. New users can also be created. Depending on whether the logged-on user has the right with ID = 1 (the name of the authorization level is not relevant), the user can change either only his or her own properties or the properties of all users. In the example above, the user "Klaus" is logged on and has the user right with ID = 1. This allows him to view and edit the other users.
Objective
The existing project is to be expanded with a user administration.
Exercise
1. If it is running, exit WinCC Runtime.
2. Open the "User Administrator" editor.
3. Go to the "Authorization levels [all]" tab.
4. Create the 5 authorization levels shown in the figure. To do this, you can rename existing levels or create new ones. Neither the order nor the ID (with the exception of ID = 1) is relevant for the function in runtime.
5. You can delete unused authorization levels.
Exercise
1. Create three new groups:
   - Operator
   - Shift supervisor
   - Service
2. Change the following properties for all three groups:
   - Logout / Type of automatic logoff: Inactive
   - Logout / Period of time before automatic logoff: 10
Exercise
3. Select the first group "Operator" and change the group rights as shown in the figure.
4. Also adapt the group rights for the groups "Shift supervisor" and "Service".
Exercise
1. Create a new user in the "Operator" group with the name "Peter". Then assign a password (to keep things simple in the exercises, we select the password 123456 for all users; for real plants, secure and different passwords should be selected).
2. Create a new user in the "Shift supervisor" group with the name "Paul". Then assign a password.
3. Create a new user in the "Service" group with the name "Mary". Then assign a password.
4. Compare the authorizations of the group with those of the user in this group.
Objective
In the overview area of the start picture, two buttons for logging WinCC users on and off need to be added. The picture should also show which user is currently logged on.
Exercise
1. In the Start.pdl, add two buttons and label them with "Login" and "Logout".
2. Add the C scripts OnClick shown above to the relevant buttons.
3. Add a static text and connect it with the system tag @CurrentUser. This tag is generated as an internal tag (string tag) when a project is created.
4. Apply an operator authorization to the "Exit runtime" button. To do this, go to Miscellaneous/Authorization in the properties and then select the authorization level "Exit Runtime".
5. Test the functions in runtime.
SilentLogin
With a further function (PWRTSilentLogin()), a user can be logged in silently by a C script. With this function, a standard user could be logged in automatically when WinCC Runtime starts. To do this, the C script must be configured for the picture selection event of the start picture.
SIMATIC Logon
In previous versions "SIMATIC Logon" was a WinCC option that needed to be purchased. As of WinCC V7.0, this option ships with WinCC. With this option, it is possible to implement a central user administration for several WinCC projects. For this reason in the "SIMATIC Logon" logon dialog, a computer or a domain needs to be specified on which this central user administration is managed.
Login tag
With this function, a user can be logged in very easily via the controller. To do this, a process tag must be defined. Depending on the value of this tag, different users can be logged in automatically. This, for example, allows a user to be logged in to WinCC Runtime via a key switch connected to the controller.