Tab: Users and Groups

Recommendations for data protection

In order to minimize the risk of data security violations, we recommend the following organizational and technical actions for the system where your applications are running. Whenever possible, avoid exposing the PLC and control networks to open networks and the Internet. Use additional data link layers for protection, such as VPN for remote access, and install firewall mechanisms. Restrict access to authorized persons only and change any existing default passwords during the initial commissioning as well as in regular intervals.

On this tab of the generic device editor, you edit the device user management of the PLC.

Depending on how it is supported by the device, you can define user accounts and user groups. In combination with the configuration on the Access Rights tab, you thus control access to control objects and files at runtime.

Requirements: The controller has a user management and allows it to be edited. You have login data in order to be able to log in to the controller.

Tip

It is possible to apply user account definitions from the project user management into the device user management (see below: Import button).

Toolbar of the tab

Synchronization	Switches on and off the synchronization between the editor and the user management on the device. If the button is not "pressed", then the editor is blank or it contains a configuration that you loaded from the hard disk. When you enable the synchronization while the editor contains a user configuration that is not synchronized with the device yet, you are prompted what should happen to the editor contents. Options: Upload from the device and overwrite the editor content: The configuration on the device is loaded into the editor, overwriting the current contents. Download the editor content to the device and overwrite the user management there: The configuration in the editor is transferred to the device and applied there.
Import from disk	When you click the button on the Users and Groups tab to import a Device user management file .dum2, the default dialog for selecting a file opens to select a device user management file from the hard drive. After you select the file, the Enter Password dialog opens. You need to specify the password that was assigned when the file was exported. Then the user management is enabled. Note: Before V3.5 SP16, the Device user management files (.dum) file type was used which did not require any encryption. When you click the button on the Access Rights tab to import a Device rights management file *.drm, the default dialog for selecting a file opens to select a corresponding file from the hard drive. The existing configuration in the dialog is overwritten by the imported file.
Export to disk	When you click the button on the Users and Groups tab, first the Enter Password dialog opens for assigning a password to the device user management file. Note: This password has to be repeated later when this file is imported to enable this user management on the controller. After the password assignment dialog is closed, the default dialog for selecting and importing a user management configuration from the hard disk opens. In this case, the file type is Device user management files (.dum2). Note: Before V3.5 SP16, the Device user management files (.dum) file type was used which did not require any encryption. When you click the button on the Access Rights tab, the file type is Device rights management files (*.drm). In this case, a password does not have to be assigned for the file before saving.
Device user	User name of the user currently logged in on the device

Table 53. User

All currently defined users, and below them their memberships of user groups, are listed in a tree structure.
Add	Opens the Add User dialog for creating a new user account. For a description of the dialog, see below on this page.
Import	Opens the Import User dialog. The dialog displays all the user accounts defined in the project user management. Select the desired entries and click OK in order to import them into the device user management. CAUTION: The passwords are NOT applied.
Modify	Opens the Edit User <user name> dialog The dialog corresponds to the Add User dialog and you can change the settings of the user account.
: Delete	Deletes the account of the currently selected user

Table 54. Groups

All currently defined groups, and below them the users assigned to them, are listed in a tree structure.
Add	Opens the Add Group dialog Define a new group name. From the list of defined users, select those that are to belong to the group. Click OK to confirm the selection. The group is displayed in the tree.
Import	Opens the Import User dialog. The dialog displays all the user groups defined in the project user management. Select the desired entries and click OK in order to import them into the device user management.
Modify	Opens the Edit Group <group name> dialog The dialog corresponds to the Add Group dialog where you can change the group definition.
: Delete	Deletes the currently selected group

Table 55. Dialog: Add User

Name	Name of the new user
Default group	List box with all configured user groups Every user has to belong to at least one group. You define this here as a "default group".
Password
Confirm password
Password strength	Password security in a range from Very weak to Very good
Hide password	: The password is shown only with asterisks "*" when it is typed in.
Password can be changed by the user
Password must be changed at first login
Password Policy	When the new password is entered, the rules which are valid but not yet applied are displayed in red. You can click the OK button to confirm the dialog only when all rules of the password policy are fulfilled. For more information about the runtime system password policy, see: Table 33, “Dialog: Change Runtime Password Policy”