User Administration Siemens WinCC SCADA


#1

Introduction
The user administration controls access to data and functions on the HMI device during runtime in order to protect the HMI device’s data and functions from unauthorized manipulation. The user administration function is configured in the engineering system for this purpose, and transferred to the HMI device. Not all of the functions of a machine or plant may be carried out by every user. Many tasks require special qualifications or are restricted by the process to special user groups. Carrying them out requires rights that are assigned to special user groups and users. WinCC supports the user in creating and managing user groups and users and in assigning the required rights in engineering and during runtime.

The separation of authorizations and users allows efficient user administration with reduced engineering effort. In the engineering system, user groups are defined which group together the configured authorizations in a task-oriented way. For example, the user group “Production planning” can change recipe data records, set system parameters, and log process values. The necessary authorizations are assigned to the corresponding objects in the project.

The actual user can then be accepted in the user administration with a user name or user ID and password even during operation and then be assigned to a user group without any further changes to the configuration. In this way, the unambiguous identification of the users – e.g. For Audit Trails – can be managed with minimal engineering effort.

All local operator stations are included in the user administration, as well as the standard and Web Navigator or Data Monitor clients for a SCADA system on the basis of WinCC Runtime Professional. If system-wide user administration is required, the SIMATIC Logon central user administration system can be activated as of Comfort or Multi Panels. In this case, SIMATIC Logon takes over the user administration of the local operating systems in cooperation with Windows. If communication to the central component SIMATIC Logon is interrupted, the users are then only checked locally on the HMI system. Depending on the target system, SIMATIC Logon can be installed on the HMI system itself or on another remote PC in the network or a domain controller. When SIMATIC Logon is used, the use of a chip card reader for user authentication is also supported.

Structure of the user administration
The user administration is divided into:

  • Administration of users, user groups and authorizations
  • Assignment of the corresponding authorization to the individual configuration objects

Operator authorization:
Authorizations describe the rights to access an object or to carry out a specific action on the object (e.g. “Change input value”, “Select screen”, “and Edit recipe”).
An authorization can be assigned to each accessible object (IO fields, buttons etc.).

User group:
A user group combines authorizations means all users within a group have the same authorizations. Different operator views can be mapped in user groups, e.g.
 Organizational view: commissioning engineers, operators, shift I, shift II
 Technological view: axis control, tool changers, Plant North, Plant South

User:
“Users” is the generic term for operators. Each operator is assigned to an associated user group and thus receives its authorizations. Operators may therefore only access objects for which they possess the authorization.
A user then logs on at the HMI device with the user name and associated password.

How to Access Protection Works
A user accesses an object (e.g. clicks a button). WinCC checks in runtime whether access to the object is protected.

  • If access is not protected, the function configured for the object is executed.
  • If access is protected, WinCC determines the user group to which the logged-on user belongs. The authorizations of the user are derived from this.

If the logged-on user possesses the necessary authorizations for the object, the configured
function is executed. Otherwise, a “logon dialog” automatically appears for the user to log on.
image

Login dialog appears automatically:
If a protected object has been accessed and the logged-on user does not have the required
authorization or if no user is logged on, the “Login dialog” is automatically displayed. After a
successful logon, WinCC once again checks whether or not the logged-on user has the
necessary authorization.

  • If it is, access to the object is enabled: When the user clicks the button again, the
    configured function is executed.
  • If not, a corresponding system message is displayed indicating that the user does not
    have the required authorization. Although the user is logged on in runtime, the
    configured function is not executed.

Steps in configuring user administration

  1. Structure authorizations
    Find out which groups of people and authorizations are required for access
    protection.

Example: create three screen (1 for manager, 2nd for engineer and 3rd for operator, manager can access all screen, engineer can access 2nd and 3rd screen and operator can only access 3rd screen) and all screen only can access by individual password.

  1. Go to Project tree > HMI device > User administration > “User groups” tab
  2. Create 3 groups i.e. 1. Admin, 2.operator, 3.engineer.
  3. In below tab “Authorization” give Authorization for individual group( i.e. For manager assign all access for engineer give authorization of operating and monitoring and for operator give authorization of monitoring only.
  4. Also Assign display Name for your reference
  5. Now go to “user” and create 3 user (i.e. Manager, engineer and operator) and passwords for each.
  6. Now go to below tab “group” and assign individual group for individual users.
  7. Now go to screen and take “user administration icon” from toolbox > control > user administration.
  8. Also assign security to all buttons from which you will access your screens
  9. Click buttons > properties > security > click authentication > assign user.

    (Who can access screen from this button), follow same procedure for all buttons that you have created and assign individual protection for each.

Creating Authorizations
The configured authorizations are initially only names without reference to a particular function. This changes only when an authorization is assigned to a configured object. The names can be assigned as desired (free text).The name should be oriented on the function to be executed. A consecutive number is automatically assigned to each authorization. This is the unique identification feature.

The authorizations in the range 1000 to 1099 are system authorizations and cannot be changed by the user. Please only define authorization names of an HMI device once to avoid assignment errors.

The authorizations “User administration”, “Operate”, “Monitor”, “Remote control” and “Web access - view only” are predefined and are always present. In contrast to their numbers, the names of the authorizations “User administration”, “Operate”, “Monitor” can be changed.

The Runtime authorization “User administration” (authorization number = 1) is always automatically assigned to the “User view”. The authorizations “Operate” and “Monitor” are initially unused.

A new authorization is created by clicking in the next empty line in the “Name” column. The name of the new authorization (e.g. “Exit RT”) can then be entered. A detailed description of the authorization can be entered under Comment. All entries can also be made in the Inspector window

Assigning authorizations to objects

Each accessible object has the section “Security” in the properties. If an authorization is configured and activated there, access protection is active during Runtime.

Configuring user groups
The authorizations are combined in user groups. The “Groups” table shows the existing user groups.


The group names must be unique within an HMI device. A consecutive number is assigned automatically by user administration for the user group.

User group display name
The “Display name” of the group is language-dependent (can be translated like a display text) since the users can also be administered and edited on the HMI device in runtime and each user must be assigned to a user group. The display name in the corresponding language is then shown for the user group on the HMI device in runtime.

The “Administrator group” and “Users” groups
These are already predefined and always present. Initially, the “Administrator group” has all predefined authorizations.

Newly created customized authorizations are not assigned automatically. The assignment of authorizations can be modified as necessary. This means that users in the “Administrator group” do not automatically have unlimited access to all operator control functions on the HMI device → projectable.

Only the authorization “Operate” is assigned as standard to the “Users” group. However, the assignment of authorizations can be changed as required. A group name and user name can only be assigned once.

Create new group
A new group can be defined by clicking in the next empty line in the “Groups” table. The name of the new group (e.g. “Service”) can then be entered. In the Comment field you can enter a detailed description of the user group. All entries can also be made in the Inspector window.

Processing of user groups / assignment of authorizations
If a user group is selected in the “Groups” table, the “Authorizations” table shows the authorizations assigned to the selected user group. By clicking on the check box in the “Active” column of an authorization, this can be assigned to the selected group or canceled.
Users can also be copied and functions can be assigned to the user group in advance that are then the defaults when setting up a new user.

Configuring user:
Users can already be created during the configuration phase and loaded on the HMI device along with the configuration.
Users created during the configuration phase are always transferred as a completely new user data set to the HMI device, and overwrite the users present on the HMI device. This means that you must take care when updating the configuration that the users are not transferred again, otherwise all modifications made by operators since the last configuration transfer will be lost!

When downloading (Extended download to device), you specify whether the data of “User administration” already on the HMI device will be overwritten.User “Administrator”

The “Administrator” user is predefined and is always present. This user is assigned as default to the “Administrator group”.
Newly created customized authorizations are not assigned automatically to the “Administrator group”. The group assignment can also be modified as necessary. This means that the “Administrator” user does not automatically have unlimited access to all operator control functions on the HMI device.
The default password is the word “administrator”.

Password
Both the name and a password are used to identify a user.

Logoff time
If no actions are carried out by the operator within the set logoff time, the logged-on user is automatically logged off by the HMI device, and no operator is then logged on with the HMI device. The automatic Logout can also be disabled.

  • Standard logoff time 5 minutes

Create user
A new user can be set up by clicking in the next empty line in the “Users” table. The name of the new user (e.g. “Smith”) can then be entered.

A user group is not automatically assigned to a newly created user.

A password is also not assigned automatically. This must always be configured!

  • User name: max. 24 characters

Editing users / assignment to group
If a user is selected in the “Users” table, the “Groups” table shows the group to which the selected user has been assigned. By clicking the radio button of a created group, the selected user can be assigned to it.

Configuring the user view
Users and passwords are administered using the “user view” in runtime. This is located on the “Toolbox” task card in the “Controls”.


The “User administration” authorization (or authorization with the number =1) is always assigned automatically to the “User view” and controls the number of users displayed or managed in the user view on the HMI device in Runtime.

Administering users in runtime
A configured “User view” allows administration of the users on the HMI device in runtime. The user view shows different contents depending on the authorizations of the logged-on user:

  • If no user is logged on the user view is empty.

    The user is logged on and does not have “User administration” authorization the user view only shows the logged-on users. Users can change their own user names and passwords as well as the settings for the logoff time.
  • The user is logged on and has “User administration” authorization (e.g. “Administrator” user)
    The user view shows all users of the HMI device. This user can change all users displayed in the user view.
  • Create user
  • Delete user
  • Modify user (user name, password, group assignment, logoff time)

Configuring a login dialog
The “Logon dialog” is displayed automatically on the HMI device in Runtime when a protected object is accessed, when no user is logged on or when the logged-on user does not have the


required authorization. So that the user is not surprised unexpectedly by this, a logon button should also be configured, permitting a specific user logon.

System function “showlogondialog”

> Inspector window > Properties+ Events tab > “showlogondialog” system function

This function displays the logon dialog, and enters the user as a logged-on user following a successful logon at the HMI device. If logging on is unsuccessful (e.g. Incorrect password or similar), a system alarm is output, and no user is then logged on to the HMI device.
This system function is located in the function group “User administration”.

Displaying name of logged-on user
To display the currently logged-on user, the system tag @Current User is available. This tag is generated as an internal tag (string tag) when a project is created.

System tag @Current User
WinCC Professional provides various system tags. The system tag @Current User can be found in the System tags tab of the standard tags table:

> Project tree > HMI device > HMI tags > Default tag table > System tags tab

Displaying system tag @ current user
The system tag “current user” of the type “String” is displayed via an I/O field in output mode in a screen (it makes sense to display this in the permanently visible area of the start screen if a screen window is used in the start screen).
Task card >> Toolbox > Elements > I/O field
> Inspector window > Properties tab+ Property