Network Security: Authentication with User Role and Password
User roles with PLCnext Technology controllers
Note
If the controller provides an embedded OPC UA server, the OPC server-client communication is separately secured by a server certificate. Refer to the chapter "OPC UA server configuration".
To prevent unauthorized access to the controller, i.e., to protect the controller configuration and operation mode, user roles with specified access rights can be defined for PLCnext Technology controllers. To increase the protection level against manipulation, the user roles (and the rights assigned to each role) are not defined in the PLCnext Engineer system but directly on the controller via the WBM (Web Based Management) interface.
The user role with which you log on to the controller defines the (type of) operations you are allowed to perform on the controller.
List of exemplary, pre-defined user roles and access rights
The following user roles are predefined. The roles may have been modified, deleted or extended for your controller. See section "How to define/edit a user role and password for the controller" below.
User role | Permissions
Unauthenticated | No permissions except to perform authentication.
Admin | Full access to the device, i.e., includes permissions of all other user roles.
Usermanager | Device administrator with permission to define the set of users who have access. Permissions:
- Add/remove users
- Set and modify passwords
- Define role assignments for users
Engineer | Project developers (mostly engineers) are allowed to pre-configure, program, and debug devices. Permissions:
- Write files to/read files from the controller
- Read, write, force variables
- Read and clear error catalog on the controller
- Debug using breakpoints, stepping and stack examination
- Define and control the controller state
Commissioner | Personnel who perform device installation on-site. Permissions:
- Write files to/read files from the controller
- Define and control the controller state
Service | Service personnel responsible for maintaining, inspecting, and/or trouble-shooting a device or the complete machine. Permissions:
- Write files to/read files from the controller
- Read, write, force variables
- Read and clear error catalog on the controller
- Debug using breakpoints, stepping and stack examination
- Define and control the controller state
DataViewer | Restricted access allowing read access to all variables. Permissions:
- Read variables (no writing and forcing)
- Read error catalog on the controller (no clearing)
DataChanger | Restricted access including read and write access to all variables. Permissions:
- Read and write variables (no forcing)
- Read error catalog on the controller (no clearing)
Viewer | Restricted access allowing read access to all files, all variables and controller state. Permissions:
- Read files from the controller
- Read variables (no writing and forcing)
- Read error catalog on the controller (no clearing)
- Read the controller state (no controlling)
EHmiLevel1 to EHmiLevel10 | Levels for access through HMI: the HMI project defines which role has which permissions. Further info: refer to the description of the 'User Management' function blocks for further details.
FileReader | Defines the access rights of an OPC UA client to the (Linux) file system on the PLCnext Technology controller. With this user role, the OPC UA client can read data stored in the controller file system via the OPC UA server embedded on the PLCnext Technology device using OPC UA standard mechanisms. Which folders and files are generally visible and browsable via the OPC UA server is defined in the 'Filesystem' editor page of the 'OPC UA' PLANT node. See topic "OPC UA Filesystem Settings" for details.
FileWriter | Defines the access rights of an OPC UA client to the (Linux) file system on the PLCnext Technology controller. With this user role, the OPC UA client can read and write data stored in the controller file system via the OPC UA server embedded on the PLCnext Technology device using OPC UA standard mechanisms. Which folders and files are generally visible and browsable via the OPC UA server is defined in the 'Filesystem' editor page of the 'OPC UA' PLANT node. See topic "OPC UA Filesystem Settings" for details.
EHmiViewer | The user can only view HMI data but cannot write them, i.e., variables can only be read.
EHmiChanger | The user has read and write access to the HMI data, i.e., variables can be read and written.
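The role table can be checked mechanically when deciding which role to log on with. The following is an added example, not code from PLCnext Engineer or its documentation: it transcribes the predefined roles as permission sets and ranks the roles that cover a set of required operations by the surplus access they carry. The permission labels (such as `var_force`) are hypothetical names, the HMI and OPC UA file roles are omitted, and the `READ_ONLY` split is an assumption.

```python
# Added example: roles transcribed from the table above. Permission labels
# are hypothetical identifiers, not PLCnext API names.
FULL = {"file_read", "file_write", "var_read", "var_write", "var_force",
        "err_read", "err_clear", "debug", "state_control"}
ROLES = {
    "Usermanager": {"user_add_remove", "password_set", "role_assign"},
    "Engineer": set(FULL),
    "Commissioner": {"file_read", "file_write", "state_control"},
    "Service": set(FULL),
    "DataViewer": {"var_read", "err_read"},
    "DataChanger": {"var_read", "var_write", "err_read"},
    "Viewer": {"file_read", "var_read", "err_read", "state_read"},
}
# Admin "includes permissions of all other user roles".
ROLES["Admin"] = set().union(*ROLES.values())

# Assumption: only these four permissions cannot alter the controller.
READ_ONLY = {"file_read", "var_read", "err_read", "state_read"}

def candidates(required):
    """Roles covering `required`, least surplus first. Sort key: surplus
    state-changing permissions, then total surplus, then role name."""
    required = set(required)
    unknown = required - ROLES["Admin"]
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    rows = []
    for role, perms in ROLES.items():
        if required <= perms:
            surplus = perms - required
            rows.append((len(surplus - READ_ONLY), len(surplus), role, sorted(surplus)))
    return [(role, surplus) for _, _, role, surplus in sorted(rows)]

def duplicate_roles():
    """Groups of roles whose permission sets are identical in the table."""
    groups = {}
    for role, perms in ROLES.items():
        groups.setdefault(frozenset(perms), []).append(role)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    for need in (["file_read"], ["var_read", "var_write"], ["debug"]):
        print(need, "->", candidates(need)[0])
    print("identical roles:", duplicate_roles())
```

Ranking by surplus state-changing permissions rather than by raw count matters here: for reading files only, Commissioner has fewer permissions than Viewer but adds file writing and state control. Engineer and Service carry identical permissions in this table, so choosing between them does not narrow access.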
Possibilities for logging on/off
There is a logon/logoff command available in the context menu of the controller icon in the PLANT as well as in the controller Cockpit.
If you perform an operation that requires you to be logged on to the controller while you are logged off (such as the 'Connect' or 'Write and Start' command), the authentication mask appears automatically.
To log on, enter a user name (which corresponds to a particular user role with specific access rights) and the corresponding password into the authentication mask. While logged on, you can change the user role via the 'Switch User' command in the context menu of the controller node or the Cockpit. See procedures below.
Note
Make sure that the user role you are entering provides suitable access rights for the intended operations.
Storing user credentials for controller logon
The combination of user name and password for logging on to the controller can be stored on your PC.
Stored user names are offered for selection in a drop-down list the next time the same Windows user logs on to the controller. After selecting a user name from the list in the LOGIN mask, the corresponding password is automatically filled in. (An automatically filled-in password is followed by the string "Password from Password Manager".)
Note
Stored user names are only available, and the related passwords are only filled in, for the same Windows user on the same PC and for the same secure device to be logged on to.
To store your credentials, mark the checkbox 'Remember credentials' in the LOGIN mask (and in the CHANGE PASSWORD mask) before pressing <Enter> or clicking the log-on button.
The following applies:
- The passwords are protected by encryption in the storage file.
- The user name/password combination is stored specific to the Windows user and the PC, i.e., a separate storage file is created for each Windows user on each PC.
- Stored credentials can even be used after modifying your Windows login.
- If you modify an automatically filled-in password while 'Remember credentials' is marked, the stored password is overwritten by the newly entered one.
- If you confirm the authentication mask while the 'Remember credentials' checkbox is not marked, all stored credentials will be deleted.
PLCnext Engineer allows you to delete all user name/password combinations stored for your Windows account:
- Select 'Extras > Options'.
- In the 'Options' dialog, open the category 'Administration | Password Manager' and click the 'Delete' button.
Shield symbol in PLANT indicates logon state
The shield symbol beside the controller icon in the PLANT indicates the logon state:
(black) | logged off from the controller
(green) | logged on to the controller
(separate symbol) | "Unsecured" connection, after an authentication error occurred during connection establishment and you have instructed PLCnext Engineer to establish the connection nevertheless. See section "Accepting a rejected controller certificate..." for details.
Note the following:
- When hovering the mouse on the controller icon, a tooltip appears showing logon information.
- While the authentication mask is open for logging on, the shield appears orange.
- If no shield symbol is visible beside the controller icon, the controller does not implement the security concept described here.
- While you are logged on to the controller, an unexpected disconnection results in an automatic logoff, which is indicated by the desktop alert "Credentials withdrawn". In this case, you have to log on again as described below.
While the simulation mode is active in PLCnext Engineer (the controller simulation is set as target in the Cockpit instead of the real controller), the PLANT node "Simulation" is visible instead of the controller node. The shield icon beside the node is different from the shield icon which indicates a controller connection.
Security settings
As PLCnext Technology controllers implement a secure device concept, the 'IT security' section is available in the controller's 'Settings' editor.
- Double-click the controller in the PLANT to open its properties in the editors area.
- In the editors area, open the 'Settings' editor.
In the current version, the security settings are read-only and indicate the implemented security protocol, the authentication method as well as the security version.
TLS security protocol
TLS (Transport Layer Security) is a hybrid encryption protocol which secures data transfer over the Internet.
TLS is better known as SSL (Secure Sockets Layer). SSL is the predecessor of TLS; its latest released version was 3.0. After this version, SSL was further developed and released under the name TLS. Known implementations of the TLS/SSL protocol are OpenSSL and GnuTLS.
What do you want to do?
How to define/edit a user role and password for the controller
User roles are not defined in PLCnext Engineer. To create or edit a user role and assign access rights to it, log on to the controller via the WBM (Web Based Management) interface and edit it directly on the controller.
How to log on to the controller (logon = connect)
If you are not logged on to the controller (black shield symbol beside the controller icon in the PLANT), the execution of any command that requires you to be logged on also opens the authentication mask. This may be, for example, the 'Connect' or 'Write and Start' command, or activating the debug mode.
You can also log on by right-clicking the controller icon in the PLANT and selecting the 'Logon/Logoff' command or by opening the Cockpit and clicking the 'Logon/Logoff' icon.
How to open the 'Cockpit'
- Double-click the controller in the PLANT to open its properties in the editors area.
- In the editors area, open the 'Cockpit' editor.
If an authentication error occurs, a dialog appears where you can instruct PLCnext Engineer to establish the connection nevertheless. See section "Accepting a rejected controller certificate..." for details.
After the successful authentication (or after accepting the unsecured connection), the logon mask appears.
In the logon mask, select a previously stored user name from the drop-down list. The corresponding password is then automatically filled in. Refer to the section "Storing user credentials for controller logon" for details.
If no user credentials have been stored yet: Enter the user name of the desired and suitable role (with sufficient rights) and the corresponding password. Mark the 'Remember credentials' checkbox if you want to store your user name/password combination on the local PC for future use.
Finally, press <Enter> or click the log-on button to log on.
Logging on to the controller automatically establishes a communication connection to the controller like the 'Connect' command.
- If you cancel the logon mask by clicking outside the mask or the icon, you are not logged on and the command is not executed. The same applies if you enter a wrong user name/password (combination). A corresponding desktop alert (such as "Credentials missing") appears.
- If the entered user role does not have sufficient rights for the command to be executed, a corresponding desktop alert appears. You are logged on but the command is not executed.
While you are logged on to the controller, this is indicated by a green shield symbol beside the controller icon in the PLANT. When hovering the mouse on the controller icon, a tooltip appears showing logon information.
If an authentication error occurred during connection establishment and you have instructed PLCnext Engineer to establish the connection nevertheless, the "unsecured" connection is indicated by a separate shield symbol.
See section "Accepting a rejected controller certificate..." for details.
You remain logged on
- until you log off,
- or you are automatically logged off due to inactivity
- or you close the project
- or until the communication connection is interrupted unintentionally and reconnecting is impossible.
See section below for details on logging off from the controller.
How to switch the user role
Switching the user role corresponds to logging off from the current role and logging on again with the new role.
- To switch the user role, right-click the controller icon in the PLANT and select 'Switch User' from the context menu. The command is also available as a button in the controller Cockpit.
The logon mask appears.
- In the logon mask, select a previously stored user name from the drop-down list. The corresponding password is then automatically filled in. Refer to the section "Storing user credentials for controller logon" for details. If no user credentials have been stored yet: Enter the user name of the desired and suitable role (with sufficient rights) and the corresponding password. Mark the 'Remember credentials' checkbox if you want to store your user name/password combination on the local PC for future use. Finally, press <Enter> or click the log-on button to log on.
If you cancel the mask by clicking anywhere outside the mask or the icon, or if you enter a user role which does not exist or a wrong password, the user role is not switched.
In this case, a desktop alert appears informing you about the failed role switch.
How to change the password of the user currently logged on at the controller
To change the password of the user that is currently logged on at the controller, proceed as follows:
- Right-click the controller icon in the PLANT and select 'Change Password' from the context menu. The command is also available as a button in the controller Cockpit.
The change password mask appears.
- Enter the user name, the current password and the new password. (You can click on the "eye" icon to view an entered password.) Retype your new password in the last input field.
- Mark the 'Remember credentials' checkbox if you want to store your user name/password combination on the local PC for future use. Refer to the section "Storing user credentials for controller logon" for details.
- Confirm by clicking the arrow button to the right of the last input field. You can cancel the operation by clicking anywhere outside the mask or clicking the close icon in the top-right corner.
How to log off from the controller (logoff = disconnect)
There is a logoff command available in the context menu of the controller icon in the PLANT as well as in the 'Cockpit' editor.
To open the Cockpit:
- Double-click the controller in the PLANT to open its properties in the editors area.
- In the editors area, open the 'Cockpit' editor.
Logging off automatically disconnects PLCnext Engineer from the controller, i.e., terminates the communication connection.
Note
While you are logged on to the controller, an unexpected disconnection results in an automatic logoff, which is indicated by the desktop alert "Credentials withdrawn". In this case, you have to log on again as described below.
While you are logged off from the controller, the shield symbol beside the controller icon is black.