User Administration In WinCC (TIA Portal)

Upload by : Annika Witter
Transcription

User Administration in WinCC (TIA Portal)
WinCC V13 SP1 (Basic/Comfort/Advanced), Basic Panel, Comfort Panel, WinCC Runtime Advanced V13 iew/109738532
Siemens Industry Online Support

Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

Siemens AG 2018 All rights reserved

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please mens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.

User Administration in WinCC
Entry ID: 109738532, V1.1, 06/2018

Table of Contents

Warranty and Liability
1 Task
  1.1 Overview
  1.2 Requirements
2 Solution
  2.1 Overview
  2.2 Hardware and software components
    2.2.1 Validity
    2.2.2 Components used
3 Basics
  3.1 User administration (general)
  3.2 Users, user groups and authorizations
    3.2.1 Users
    3.2.2 User groups
    3.2.3 Authorizations
    3.2.4 Performance characteristics depending on the operator panel
  3.3 Functions in the Runtime
    3.3.1 Access protection
    3.3.2 Login and logout using system functions
    3.3.3 Other system functions
    3.3.4 User login with RFID card reader
    3.3.5 User administration via user display
  3.4 Local user administration concept
  3.5 Central user administration (SIMATIC Logon)
    3.5.1 Access protection with SIMATIC Logon Service
    3.5.2 License protection via SIMATIC Logon Role Administration
  3.6 SIMATIC WinCC Audit (TIA Portal)
4 Configuration and Settings
  re configuration
  Local user administration
  Central user administration with SIMATIC Logon
  Configuring users, user groups and authorizations
  Configuring users
  Configuring and assigning user groups
  Configuring and assigning authorizations
  Optional: Adjusting the Runtime settings
  Configuring access protection and user display
  Configuring access protection
  Logging in and out via system functions
  Display of the currently logged in user
  User display and operation
  Configuring SIMATIC Logon
  Creating the user in Windows user management
  Creating user groups in Windows user management and assigning users to these user groups
  Creating user groups in WinCC (TIA Portal)
  Creating and assigning authorizations in WinCC (TIA Portal)
  Activating SIMATIC Logon in WinCC (TIA Portal)
  Behavior in the Runtime
5 Related Literature
6 History

1 Task

1.1 Overview

Introduction
Automation facilities are highly accurate and available systems that play a major role in a company's manufacturing processes. Moreover, the increasing communication within a facility and across multiple facilities makes the overall system more complex. To be able to monitor and operate these facilities accordingly, the processes are visualized through HMI operator panels.
If the facility is operated by unauthorized staff, production can be impaired as a result. What is more, unauthorized persons can directly manipulate the facilities or steal know-how.
To prevent this, all facilities have to be protected against unauthorized access. WinCC (TIA Portal) allows you to implement this feature using the integrated user administration and thus increase the security of the facility.

1.2 Requirements

The following illustration gives a brief overview of the requirements for the automation task.
It has to be assured that
- authorized staff members can log in.
- multiple staff members can be logged in simultaneously (bigger facilities).
- staff members can access functions and data depending on their authorizations.
- unauthorized persons are denied access to the facility and the data.

Figure 1-1

2 Solution

2.1 Overview

Core topics of this application
In this application example, you will learn:
- basic information on users, user groups and authorizations,
- how to increase the security of the facility by means of an appropriate user administration,
- the difference between local and central user administration,
- which configuration steps are necessary to successfully implement a user administration.

Schematic layout
[Figure 2-1: Administrator, Shift leader, Maintenance, Fitter, Operator, Quality manager; login via user administration with different authorizations; Controller (e.g. S7-1500); Operator panel (e.g. Comfort Panel)]

Advantage
The information provided on user administration provides the following benefits:
- time and cost savings thanks to a detailed step-by-step instruction,
- overview of the possible user administration concepts,
- help determining when a specific type of user administration is reasonable.

Delimitation
This application does not describe the basic programming of an HMI in the TIA Portal and user management on Windows operating systems.

Required knowledge
Users are assumed to have basic knowledge of WinCC (TIA Portal) configuration and basic information on user management on Windows operating systems.

2.2 Hardware and software components

2.2.1 Validity

This application is valid for
- WinCC (TIA Portal) V13 SP1

2.2.2 Components used

The following components were used to create the application:

Hardware components
Table 2-1

| Component | Qty | Article number | Note |
|---|---|---|---|
| SIMATIC CPU 1513-1 PN | 1 | 6ES7513-1AL01-0AB0 | Not relevant for user administration in WinCC (TIA Portal). |
| Memory card 24 MB | 2 | 6ES7954-8FL02-0AA0 | |
| SIMATIC HMI KTP700 Basic | 1 | 6VA123-2GB03-0AX0 | Alternatively, you can use other Basic Panels (requires a device exchange). |
| SIMATIC HMI TP1200 Comfort | 1 | 6AV2124-0MC01-0AX0 | Alternatively, you can use other Comfort or Mobile Panels (device exchange necessary). |
| Industrial PC SIMATIC IPC 547E | 1 | 6AG4104-3 .- . | This IPC is an example; other IPCs can be used, too. |

Software components
Table 2-2

| Component | Qty | Article number | Note |
|---|---|---|---|
| STEP 7 Professional V13 SP1 Upd 8 | 1 | 6ES7822-1A.03- . | |
| WinCC Advanced V13 SP1 Upd 8 | 1 | 6AV2102-0AA3-0A.5 | |
| WinCC Runtime Advanced V13 SP1 Upd 8 | 1 | 6AV2104-0.A03-0A.0 | |
| SIMATIC Logon V1.5 SP3 Upd 3 | 1 | 6ES7658-7B - . | |
| Windows 7 Professional | 1 | Microsoft | |

3 Basics

3.1 User administration (general)

Objective
The user administration aims to set up access protection for data and functions within the Runtime to protect the applications against unauthorized operation.

Example project
Besides pure facility operation, there are several other use cases that have to be handled by different users.
Example:
- An administrator can have access to the user administration. But the administrator must not be allowed to change the product's recipe data.
- A quality manager is authorized to monitor the facility parameters, but must not operate the facility.

The use cases of the respective end customer are usually not determined before on-site commissioning. The user administration in WinCC (TIA Portal) including users, user groups and their authorization helps you implement the selected cases taking the most straightforward approach.

3.2 Users, user groups and authorizations

3.2.1 Users

General
The users in WinCC (TIA Portal) are the basis of the user administration. As a first step, a "user" has to be created in the user administration. To do so, the name and password of the user are stored in the user administration. The user "Admin" is already defined by default in WinCC (TIA Portal).
The following section will use an example to illustrate the principle of user administration. Chapter 4 later describes the configuration based on this example scenario.

Example project
A company has several production facilities and employees. The employees Mueller, Meier, Schulz, Schmidt, Schneider and Fischer are responsible for "production facility A" in the company.

[Figure 3-1: Mueller, Meier, Schulz, Schmidt, Schneider, Fischer]

3.2.2 User groups

General
To assign an authorization to a user, that user must be a member of a user group. The user groups "administrator group" and "user" are defined by default in WinCC (TIA Portal).
In addition to the predefined user groups, it is possible to create and edit other groups, e.g. the group "Production facility A", "Maintenance", "Fitter" etc.
Each user has to be assigned to a user group and can be a member of one group only.

Example project (user groups)
The six employees (Mueller, Meier, Schulz, Schmidt, Schneider and Fischer) are created as users in the user administration. Each of these employees has different areas of responsibility as illustrated below.

[Figure 3-2: Administrator, Shift leader, Maintenance, Fitter, User, Quality manager]

According to the employees' responsibilities, the associated user groups (administrator, shift supervisor, maintenance, fitter, user, quality manager) are now created in WinCC (TIA Portal) and the employees are assigned to the groups.

3.2.3 Authorizations

General
In WinCC (TIA Portal), authorizations serve the purpose of defining the access rights of the user groups. Based on these authorizations, you can select the individual access rights at a later stage. Three authorizations ("user management", "monitor" and "operate") are already defined by default in the system. They can be renamed during configuration, but not deleted. Moreover, you can create additional authorizations.
After all authorizations have been created, you can assign the corresponding authorization to each user group. A group can have several authorizations at the same time.

Example (authorizations)
In this example scenario, three more authorizations (maintenance, recipes change, and parameter change) are defined in addition to the default authorizations.
In the next step, the authorizations are assigned to the user groups from chapter 3.2.2 according to the following table.

Table 3-1
Authorizations (columns): User administration, Monitor, Operate, Service, Recipes change, Parameter change
User groups (rows): Administrator, Shift leader, Maintenance, Fitter, Operator, Quality manager
(The X marks that assign authorizations to user groups are not recoverable from this transcription.)

The user administration has thus been set up completely and forms the basis of access protection later on.

Note
Creating a user administration does not mean that data and functions are already protected against unauthorized access. Access protection only becomes active when assigned to objects.

Chapter 4.2 details how to create a user, user group and authorizations in the TIA Portal.

3.2.4 Performance characteristics depending on the operator panel

The following overview shows the maximum number of users, user groups and authorizations that can be configured.

Table 3-2

| | Basic Panel | Comfort/Mobile Panel | WinCC Runtime Advanced |
|---|---|---|---|
| Users | 50 | 50 | 100 |
| User groups | 50 | 50 | 50 |
| Authorizations | 32 | 32 | 32 |

3.3 Functions in the Runtime

After you have created the user administration with different user groups and authorizations, they can be assigned to objects (e.g. a button) and enhance facility protection.

3.3.1 Access protection

To set up access protection for security-relevant functions and data of a facility, this must be accounted for already when creating the project. Use the properties of the corresponding control to enter the corresponding authorization under "Properties > Security > Security in Runtime". You thereby restrict operation of the security-relevant functions to the respective user groups.

Note
Changing or expanding the access protection in the Runtime is no longer possible.
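The model described so far (each user in exactly one group, groups holding authorizations, objects protected only once an authorization is assigned, and the limits of Table 3-2) can be checked offline before download. The following Python sketch is an added example, not Siemens code and not a WinCC API; the class `UserAdmin`, the object names and the group-to-authorization assignments are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Maximum configurable entries per device type, taken from Table 3-2.
LIMITS = {
    "Basic Panel": {"users": 50, "groups": 50, "authorizations": 32},
    "Comfort/Mobile Panel": {"users": 50, "groups": 50, "authorizations": 32},
    "WinCC Runtime Advanced": {"users": 100, "groups": 50, "authorizations": 32},
}

@dataclass
class UserAdmin:
    """Hypothetical in-memory model of a WinCC user administration."""
    device: str
    authorizations: set   # authorization names
    groups: dict          # group name -> set of authorization names
    users: dict           # user name -> its single group (one group per user)
    objects: dict = field(default_factory=dict)  # object -> required authorization or None

    def audit(self):
        """Return (kind, detail) findings for limit and consistency problems."""
        findings = []
        counts = {"users": len(self.users), "groups": len(self.groups),
                  "authorizations": len(self.authorizations)}
        for kind, limit in LIMITS[self.device].items():
            if counts[kind] > limit:
                findings.append(("limit", f"{counts[kind]} {kind} > {limit}"))
        for group, auths in self.groups.items():
            for name in sorted(auths - self.authorizations):
                findings.append(("unknown-authorization", f"{group}: {name}"))
        for user, group in self.users.items():
            if group not in self.groups:
                findings.append(("unknown-group", f"{user}: {group}"))
        for obj, required in self.objects.items():
            if required is None:  # no authorization assigned: not access protected
                findings.append(("unprotected", obj))
            elif required not in self.authorizations:
                findings.append(("unknown-authorization", f"{obj}: {required}"))
        return findings

    def may_operate(self, user, obj):
        """True if the user (None = nobody logged in) may operate the object."""
        required = self.objects[obj]
        if required is None:
            return True  # unprotected objects are operable without login
        group = self.users.get(user)
        return required in self.groups.get(group, set())

# Constructed sample; the group-to-authorization mapping is an assumption.
SAMPLE = UserAdmin(
    device="Basic Panel",
    authorizations={"User administration", "Monitor", "Operate",
                    "Maintenance", "Recipes change", "Parameter change"},
    groups={"Administrator": {"User administration"},
            "Operator": {"Monitor", "Operate"},
            "Quality manager": {"Monitor"}},
    users={"Mueller": "Administrator", "Schmidt": "Operator", "Fischer": "Quality manager"},
    objects={"Start_Button": "Operate", "Recipe_Save": "Recipes change",
             "Stop_Runtime": None},
)
```

`SAMPLE.audit()` reports the constructed `Stop_Runtime` object as unprotected: it has no authorization assigned, so `may_operate` permits it even with nobody logged in.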

Operation in the Runtime
If the functions (e.g. a button) are activated in the Runtime, a login dialog will pop up and prompt the operator to authenticate with user name and password.
The system checks these entries against the data in the user administration and operation is permitted if they are found to match. If the authentication has failed, operation will not be possible. A message opens reading "Invalid password or user name. Login failed."

Protecting projects and operating systems
The principle described above now yields various security concepts for operator panels, projects and entire facilities. Protecting the projects and operating systems is crucial in this context.
As a rule, shutting down the Runtime should be access protected. Thus, unauthorized operators are denied access to the operator panel's operating system.

Note
Access protection does not prevent operating errors. You have to make sure that only qualified and authorized staff constructs, starts and maintains facilities and machines.

For more information, see the application example Panel Security Guidelines.
Chapter Configuring access protection gives a step-by-step instruction on how to configure access protection for functions.

3.3.2 Login and logout using system functions

You have successfully protected all security-relevant functions and data in your project against unauthorized access. Now you want to see during facility operation who is currently logged in to change users if necessary.

The system functions "Login"/ "Logout"
To generally log a user in or out, e.g. before and after a shift, y
