
Tab: Access Rights

Recommendations for data protection

To minimize the risk of data security violations, we recommend the following organizational and technical actions for the system where your applications are running. Whenever possible, avoid exposing the PLC and control networks to open networks and the Internet. Use additional data link layers for protection, such as VPN for remote access, and install firewall mechanisms. Restrict access to authorized persons only, change any existing default passwords during the initial commissioning, and change them at regular intervals.

Important

Detailed information on the concept and use of device user management is provided in the Handling of Device User Management chapter.

There you will also find the following instructions on how to use the editor:

  • First-time login to the controller for editing and viewing its user management

  • Setting up a new user in the user management of the controller

  • Changing of access rights to controller objects in the user management of the controller

  • Loading user management from a *.dum file, modifying it, and downloading it to the controller in offline mode

On this tab, you define the device access rights of device users to objects on the controller. As in the project user management, users must be members of at least one user group and only user groups can be granted certain access rights.

Requirements for the Access Rights tab to be displayed:
  • The Show access rights page option has to be selected in the CODESYS options, in the Device editor category.

    Note that this CODESYS option can be overwritten by the device description.

Requirements for the access rights to be granted to user groups:
  • A component for the user management has to be available on the controller. That is the primary requirement.

  • Users and user groups have to be configured on the Users and Groups tab.

Toolbar of the tab

Synchronization

Switches on and off the synchronization between the editor and the user management on the device.

If the button is not "pressed", then the editor is blank or it contains a configuration that you loaded from the hard disk.

When you enable the synchronization while the editor contains a user configuration that is not yet synchronized with the device, you are prompted to choose what should happen to the editor contents. Options:

  • Upload from the device and overwrite the editor content: The configuration on the device is loaded into the editor, overwriting the current contents.

  • Download the editor content to the device and overwrite the user management there: The configuration in the editor is transferred to the device and applied there.

Import from disk

  • When you click the button on the Users and Groups tab to import a Device user management file *.dum2, the default dialog for selecting a file opens to select a device user management file from the hard drive. After you select the file, the Enter Password dialog opens. You need to specify the password that was assigned when the file was exported. Then the user management is enabled.

    Note: Before V3.5 SP16, the Device user management files (*.dum) file type was used which did not require any encryption.

  • When you click the button on the Access Rights tab to import a Device rights management file *.drm, the default dialog for selecting a file opens to select a corresponding file from the hard drive. The existing configuration in the dialog is overwritten by the imported file.

Export to disk

  • When you click the button on the Users and Groups tab, first the Enter Password dialog opens for assigning a password to the device user management file. Note: This password has to be repeated later when this file is imported to enable this user management on the controller.

    After the password assignment dialog is closed, the default dialog for selecting and importing a user management configuration from the hard disk opens. In this case, the file type is Device user management files (*.dum2).

    Note: Before V3.5 SP16, the Device user management files (*.dum) file type was used which did not require any encryption.

  • When you click the button on the Access Rights tab, the file type is Device rights management files (*.drm). In this case, a password does not have to be assigned for the file before saving.

Device user

User name of the user currently logged in on the device

Table 51. Objects

The tree structure lists the objects on which actions can be executed at runtime. Each object is assigned to its object source, and some are sorted into object groups. In the Rights view, you can configure the access options for a user group to a selected object.

Object source (root node)
  • File system objects → Device: In these objects, the permissions can be granted to folders of the current execution directory of the controller.

  • Runtime objects → /: These are all objects that have online access in the controller and therefore have to control the permissions.

A description of the objects is located in the Overview of the objects table.

Object groups and objects (indented)

Example: Device with child nodes Logger, PlcLogic, Settings, UserManagement.



Table 52. Permissions

In general, the subobjects inherit the permissions from the root object (Device or /). This means that if a permission of a user group is denied or explicitly granted to a parent object, then this first affects all child objects.

The table applies for the object that is currently selected in the tree. For every user group, it shows the rights currently configured for the possible actions on this object.

Possible actions on the object:
  • Add/Remove

  • Modify

  • View

  • Execute

When an object is clicked, a table on the right side shows the access rights of the available user groups for the selected object.

This allows you to quickly see:

  • Which access rights are evaluated by an object

  • Which user group has which effective rights to which object

Meanings of the symbols
  • _cds_icon_grant.png: Access right granted explicitly

  • _cds_icon_deny.png: Access right denied explicitly

  • _cds_icon_grant_greyed.png: Access right granted through inheritance

  • _cds_icon_deny_greyed.png: Access right denied through inheritance

  • _cds_icon_clear_permission.png: The access right was not granted or denied explicitly and also not inherited by the parent object. Access is not possible.

  • No symbol: Multiple objects are selected that have different access rights.

Change the permission by clicking the symbol.



Example 510. Example

The Logger object on the Access Rights tab was created by the "Logger" component and controls its access rights. It is located directly below the Device runtime object.

The possible access rights for this object can be granted only for the View action.


Initially, each object has a read access. This means that every user can read the "Logger" of a controller. If this access right should be denied for a single user group (Service in the example), then the read access to the logger object has to be denied explicitly.



Overview of the objects

Runtime objects → Device

Logger

Online access to the logger is read only. Therefore, only the View access right can be granted or denied here.

PlcLogic

All IEC applications are inserted here automatically as child objects during download. When an application is deleted, it is removed automatically.

This allows specific control of online access to the application. Access rights can be assigned centrally over all applications in the PlcLogic.

The Administrator and Developer user groups have full access to the IEC applications. The Service and Watch user groups only have read access (for example for read-only monitoring of values).

The following table shows which action is affected in particular when a specific access right is granted for an IEC application.

x: The permission has to be set explicitly.

-: The permission is not relevant.

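Application: permission per operation

| Operation                 | Add/Remove | Execute | Modify | View |
|---------------------------|------------|---------|--------|------|
| Login                     | -          | -       | -      | x    |
| Create                    | x          | -       | -      | -    |
| Create child object       | x          | -       | -      | -    |
| Delete                    | x          | -       | -      | -    |
| Download / online change  | x          | -       | -      | -    |
| Create Boot Application   | x          | -       | -      | -    |
| Read variable             | -          | -       | -      | x    |
| Write Variable            | -          | -       | x      | x    |
| Force Variable            | -          | -       | x      | x    |
| Set and delete breakpoint | -          | x       | x      | -    |
| Set Next Statement        | -          | x       | x      | -    |
| Read call stack           | -          | -       | -      | x    |
| Single Cycle              | -          | x       | -      | -    |
| Switch on flow control    | -          | x       | x      | -    |
| Start / Stop              | -          | x       | -      | -    |
| Reset                     | -          | x       | -      | -    |
| Restore retain variables  | -          | x       | -      | -    |
| Save retain variables     | -          | -       | -      | x    |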
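The inheritance rule from the Permissions section and the operation table above can be combined to audit which operations a user group can effectively perform on an application. The following is an added example, not CODESYS code and not a CODESYS file format: the in-memory rights tree, the sample entries, and the application path `Device/PlcLogic/Application` are constructed. It assumes that the nearest explicit grant or deny on the way up to the root wins and that an inherited grant satisfies a required permission.

```python
# Constructed model of the rights tree; not a CODESYS API or file format.
ACTIONS = ("Add/Remove", "Execute", "Modify", "View")
# Permissions each operation on an IEC application needs (table above).
REQUIRED = {
    "Login": {"View"},
    "Create": {"Add/Remove"},
    "Create child object": {"Add/Remove"},
    "Delete": {"Add/Remove"},
    "Download / online change": {"Add/Remove"},
    "Create Boot Application": {"Add/Remove"},
    "Read variable": {"View"},
    "Write Variable": {"Modify", "View"},
    "Force Variable": {"Modify", "View"},
    "Set and delete breakpoint": {"Execute", "Modify"},
    "Set Next Statement": {"Execute", "Modify"},
    "Read call stack": {"View"},
    "Single Cycle": {"Execute"},
    "Switch on flow control": {"Execute", "Modify"},
    "Start / Stop": {"Execute"},
    "Reset": {"Execute"},
    "Restore retain variables": {"Execute"},
    "Save retain variables": {"View"},
}

# Explicit entries only (constructed sample): True = granted, False = denied.
EXPLICIT = {
    "Device": {
        "Administrator": dict.fromkeys(ACTIONS, True),
        "Developer": dict.fromkeys(ACTIONS, True),
        "Service": {"View": True},
        "Watch": {"View": True},
    },
    "Device/Logger": {"Service": {"View": False}},      # the Logger example
    "Device/PlcLogic": {"Service": {"Execute": True}},  # reaches every application
}

def effective(path, group, action):
    """Nearest explicit entry from the object up to the root wins (assumption)."""
    while path:
        entry = EXPLICIT.get(path, {}).get(group, {})
        if action in entry:
            return entry[action]
        path = path.rpartition("/")[0]  # step up to the parent object
    return False  # neither set nor inherited: access is not possible

def allowed_operations(app_path, group):
    """Operations whose required permissions are all effectively granted."""
    return sorted(op for op, need in REQUIRED.items()
                  if all(effective(app_path, group, a) for a in need))
```

In this sample, the single Execute grant on PlcLogic lets the Service group start, stop, and reset every application below it, which is the kind of side effect worth checking before downloading a rights configuration.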

PLCShell

Only the Modify permission is evaluated at this time. This means that only when the Modify permission has been granted to a user group can PLC shell commands also be evaluated.

RemoteConnections

Additional external connections to the controller can be configured below this node. Currently, access to the OPCUA server can be configured here.

Settings

This is the online access to the configuration settings of a controller.

  • Security Settings: By default, access to Modify of the security settings is granted only to the administrator.

UserManagement

This is the online access to the user management of a controller. By default, read/write access is granted only to the administrator.

  • Access Rights: When this object is selected, permissions can be configured on the permissions management in the Rights view. That means you can configure which user group is allowed to simply read the permissions management, and which user group is allowed to change the permissions management as well.

  • Groups: A separate object is automatically created for each user group of the device user management and displayed below Groups. When a user group object is selected, the permissions on the user group can be configured. That means you can configure which user group is allowed to read or modify the user group (for example, add new users to the user group).

    By default, objects are available for the following user groups:

    • Administrator

    • Developer

    • Service

    • Watch

    This allows graduated or restricted administrator groups to be set up. For example, a visualization administrator group can be set up which can only add existing users to the visualization user group, but cannot create new users or change the passwords of existing users.

  • Users: When this object is selected, the permissions of the user group on the users can be configured. That means you can configure which user group is allowed to read, modify, or add users (for example, add new users).

For more information, see: Handling of Device User Management

X509

This controls the online access to the X.509 certificates. Two types of access are distinguished here:

  • Read (View)

  • Write (Modify)

Every operation is assigned to one of these two access rights. Each operation is inserted as a child object below X509. Therefore, access per operation can now be fine-tuned even more.

File system objects → /

All folders from the execution path of the controller are inserted below the "/" file system object. This allows you to grant specific rights to each folder of the file system.