03.04 Structure of a user administration system
Functional principle
The "User Administrator" editor is used to set up a user administration system. The
editor is used to assign and check authorizations which allow users to access the
individual editors of the configuration system and to access the functions during
runtime. Access rights to WinCC functions, the "authorizations", are assigned in the
User Administrator. These authorizations can be assigned to individual users or to
user groups. Authorizations can also be assigned during runtime.
When a user logs on to the system, the User Administrator checks whether the
user is registered. If the user is not registered, he has no authorizations
whatsoever. This means that he cannot call up or view data, or perform control
operations.
If a registered user calls up a functionality protected by access authorization, the
User Administrator checks whether the user has the appropriate authorization to
permit this. If not, the User Administrator denies access to the desired functionality.
The User Administrator also provides the configuration functions for the "Variable
Login" function which allows a user to log on to the workstation by means of a tag
value which is set using a key-operated switch, for example. The automatic logout
of a user after a certain time is also configured in the User Administrator.
If the WinCC "Chipcard" option is installed, the User Administrator provides
functions for maintaining chipcards.
Introduction
The User Administrator is divided into two components for assigning and
maintaining user authorizations.
• Configuration system
• Runtime system
Configuration system
Runtime system
The principal task of the User Administrator runtime system is to monitor the
system logins and access authorizations.
Introduction
Functions for project documentation and file management are combined in this
menu.
Use the "Print Project Documentation" command to print the configured user
administration data on the set printer. The page layout "@UACS.RPL", which can
be modified with the "Report Designer", is used as a template for the printout.
The printed data is dependent on the page layout used.
The "Project Documentation - Setup" command is used to configure the printer and
page layout to be used.
Note:
Further information on printing project documentation can be found in the chapter
"Working with WinCC" under "Documentation of the Configuration and Runtime
Data".
Introduction
The "User" menu contains all the items needed to set up new users or groups. You
can group users that have or will receive the same authorizations. Those users will
then receive the same authorizations as the rest of the group. This way, you can
avoid having to assign the same authorizations within a group manually.
Introduction
Use the "Add User" menu item in the "User" menu to add a new user to the
selected group.
Procedures
Procedure
1 In the project navigation window, select the group to which you want to add
a new user.
2 Select "Add User" in the "User" menu or the associated context menu. The
"Add New User" dialog appears.
Note:
A user name can only be assigned once.
Introduction
Use the "Copy User" menu item in the "User" menu to copy the selected user with
all associated settings.
Procedures
Procedure
1 In the project navigation window, select the group to which you want to add
a new user.
2 Select "Add User" in the "User" menu or the associated context menu. The
"Copy User ..." dialog appears.
Note:
A user name can only be assigned once.
Introduction
Use the "Add Group" menu item in the "User" menu to add a new group. There are
no subgroups.
Procedures
Procedure
1 Select "Add Group" in the "User" menu or the associated context menu. A
new group is created in the project navigation window. A text window with
cursor appears next to the group icon.
2 Enter the name of the new group and then press the Enter key.
3 Assign the desired authorizations to the new group.
Note:
A group name can only be assigned once.
Introduction
Use the "Delete User/Group" menu item to delete the selected user or group.
Procedures
Procedure
1 In the project navigation window, select the user or group to be deleted.
2 Select "Delete" in the "User" menu or the associated context menu. A dialog
appears in which you must confirm the deletion process.
3 Confirm by clicking the "OK" button.
Introduction
Use the "Change Password" menu item in the "User" menu to assign a new
password to the selected user. The password must be between 6 and 24
characters in length.
Procedures
Procedure
1 In the project navigation window, select the user to whom you want to
assign a new password.
2 Select "Change Password" in the "User" menu or the associated context
menu. The "Change Password" dialog appears.
Note:
The abbreviated login name of the user is shown in the dialog (max. 22
characters).
Introduction
Select this menu item to set the "Web Navigator" checkbox in the table window and
to display the "Web Options" area.
The web options are described in more detail under "Table window".
Introduction
You can change the name of a user or a group. Changing the name does not affect
the password for the user or group.
Procedures
Procedure
1 In the project navigation window, select the user to whom you want to assign
a new name.
2 Click the left mouse button on the user name. The name now appears in a
text window with cursor.
3 Enter the new name.
4 Confirm the new name by pressing the Enter key.
Note:
The user or group name can only be assigned once.
Introduction
Use the "Table" menu to change or expand the user rights in the table window. It is
not possible to delete the "User Administrator" authorization. It is permanently set
for members of the "Administrator" group.
Introduction
Use the "Insert Authorization" command to insert a line with a new authorization
into the table of the table window.
Procedures
Procedure
1 Select "Insert Authorization" in the "Table" menu. The "Insert Line" dialog
appears.
2 In the dialog, enter the line number of the new authorization. By default the
field contains the next free number.
3 Close the dialog by clicking the "OK" key.
4 In the new line, activate the "Function" column by double-clicking and enter
the name of the new authorization.
5 Confirm the new name by pressing the Enter key.
6 Assign the new authorization to the desired users.
Note:
A new authorization can be assigned to all users and not only to the user who
was selected when the authorization was created.
Introduction
Procedures
Procedure
1 In the table window, select the line containing the authorization to be
deleted.
2 Select the "Delete Authorization" menu item in the "Table" menu. A dialog
appears in which you must confirm the deletion procedure.
3 Confirm by clicking the "OK" button.
Note:
The system does not allow certain authorizations to be deleted.
Deleted authorizations are lost for all entered users.
Introduction
The "Variable Login" function assigns a tag value to a certain user. This user can
then log on to a workstation during runtime by setting the tag value, e.g. by means
of a key-operated switch.
This function is configured by following the steps below:
1. Assign an operating station to a configured tag ("Assigning Computer to Tag"
dialog)
2. Determine the minimum and maximum values of the value range which is to be
used for the "Variable Login" function ("Configuration" dialog)
3. Assign a certain tag value to a certain user ("Assigning User to Value" dialog)
On completion of his work, the user can log out again by setting the tag value to a
configurable logout value.
If a user is logged on at the system by means of "variable login", it is not possible
to log on at the same computer using the user dialog.
Assigning a computer to a tag
Configuration
Assigning a user to a value
Introduction
Select the "Assign Computer" menu item to open a dialog in which a computer for
the project can be assigned to a configured tag.
Each computer can be assigned to a different tag or all computers can be assigned
to the same tag.
The tag used must be of type "binary" or 8, 16 or 32 bit.
Name                Description
"Computer" field    Used to select a computer.
                    All computers for a project are displayed.
"Tag" field         Here a tag name can be entered directly or selected in the
                    tag selection dialog.
1.2.5.3 Configuration
Introduction
Select the "Configuration..." menu item to open a dialog in which a value range can
be defined. A tag value within this range can be assigned to a user in the
"Assigning User to Value" dialog.
Name                     Description
"Minimum Value" field    Defines the minimum tag value.
                         Value range: 0 - 32767
"Maximum Value" field    Defines the maximum tag value.
                         The entered value must be greater than the minimum
                         value.
                         Value range: 1 - 32768
Introduction
Select the "User Assignment..." menu item to open a dialog in which a tag value is
assigned to a certain user.
If a user was already selected in the User Administrator before the dialog was
launched, the associated assignment is displayed in the dialog.
Name                    Description
"Value" field           Used for selecting a value displayed in the table.
                        The selectable tag values are determined by the setting
                        in the "Configuration" dialog.
"User" field            A user created in the User Administrator can be selected
                        here.
"Assign" button         When a selection has been made in the "Value" and
                        "User" fields, this button assigns the user to the value
                        and displays the assignment in the table.
"Delete" button         Deletes an assignment selected in the table.
"Value - User" table    Shows the selectable tag values ("Configuration" dialog)
                        and the existing assignments to the users.
Note:
Each user can only be assigned to one tag value.
A "user" in the User Administrator can also be configured to represent a user
group or a function, e.g. "Maintenance" or "Fault" user.
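The rules from the three "Variable Login" dialogs, put together as an added example that is not part of the original manual or of WinCC: a Python check of one configuration plus a model of the logon state of one computer. The class names, the tag type strings, the inclusive value range and the handling of unassigned tag values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tag types the manual allows; the string spellings are an assumption.
ALLOWED_TAG_TYPES = {"binary", "8 bit", "16 bit", "32 bit"}


@dataclass
class VariableLoginConfig:
    tag_type: str        # type of the tag assigned to the computer
    minimum: int         # "Minimum Value" field
    maximum: int         # "Maximum Value" field
    logout_value: int    # configurable logout value
    assignments: Dict[int, str] = field(default_factory=dict)  # tag value -> user

    def findings(self) -> List[str]:
        """Return every rule of the three dialogs that this configuration breaks."""
        out: List[str] = []
        if self.tag_type not in ALLOWED_TAG_TYPES:
            out.append(f"tag type {self.tag_type!r} is not binary or 8/16/32 bit")
        if not 0 <= self.minimum <= 32767:
            out.append("minimum value outside 0 - 32767")
        if not 1 <= self.maximum <= 32768:
            out.append("maximum value outside 1 - 32768")
        if self.maximum <= self.minimum:
            out.append("maximum value must be greater than the minimum value")
        first_value: Dict[str, int] = {}
        for value, user in sorted(self.assignments.items()):
            # Assumption: the configured range includes both end values.
            if not self.minimum <= value <= self.maximum:
                out.append(f"value {value} for {user!r} is outside the value range")
            if user in first_value:
                out.append(f"user {user!r} is assigned to values "
                           f"{first_value[user]} and {value}")
            first_value.setdefault(user, value)
        return out


class Station:
    """Logon state of one computer whose tag is used for "Variable Login"."""

    def __init__(self, config: VariableLoginConfig):
        problems = config.findings()
        if problems:
            raise ValueError("; ".join(problems))
        self.config = config
        self.user: Optional[str] = None
        self.via_tag = False

    def tag_changed(self, value: int) -> Optional[str]:
        """Apply a new tag value and return the user who is now logged on."""
        if value == self.config.logout_value:
            if self.via_tag:
                self.user, self.via_tag = None, False
        elif value in self.config.assignments:
            self.user, self.via_tag = self.config.assignments[value], True
        # Assumption: any other tag value leaves the logon state unchanged.
        return self.user

    def dialog_login(self, user: str) -> bool:
        """Logon through the user dialog; refused while a tag logon is active."""
        if self.via_tag:
            return False
        self.user = user
        return True


# Constructed sample data, not taken from a real project.
SAMPLE = VariableLoginConfig("16 bit", 1, 10, 0, {1: "operator1", 2: "maintenance"})

if __name__ == "__main__":
    station = Station(SAMPLE)
    print(station.tag_changed(2), station.dialog_login("operator1"))
    print(station.tag_changed(0), station.dialog_login("operator1"))
```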
1.2.6 Toolbar
Introduction
The symbols in the toolbar allow you to perform actions more quickly. You do not
have to make several selections through the menus until you reach the required
function.
Symbol Description
"User" "Add User"
"What's This?"
"Web Navigator"
Introduction
The user administration data is displayed in the project window. The window
consists of:
• the navigation window (left)
• and the multi-segment table window (right).
Navigation window
The navigation window contains a tree structure showing the configured groups
and the associated registered users. The selected user name is displayed in the
field above the navigation window. The "User" menu can be opened as a context
menu for the selected user or user group.
Introduction
In the table window, the login name and the associated settings are displayed for
the selected user and group.
If a user is to be able to log in by means of his chipcard only, this can be set by
activating the "Login Only Via Chipcard" checkbox.
Note:
The "Login Only Via Chipcard" checkbox is displayed if the WinCC "Chipcard"
option has been installed. A chipcard reader does not have to be connected to the
configuration computer. As a result, it is possible to set up the "Chipcard" function
and use it on other WinCC computers without a card reader needing to be
available during configuration.
If the automatic logout function is to be activated for the selected user, the time and
starting point for this time can be entered in this area. The automatic logout
prevents unauthorized persons having unlimited access to the system.
If "0" is entered in the input field, the function is deactivated and the user remains
logged in until the system is shut down or another user logs in.
If the "Absolute Time" option button is set, the configured time for the automatic
logout begins to run down when the user logs in, regardless of whether control
operations are performed by the user in the meantime.
If the "Idle Time" option button is set, the configured time begins to run down from
the point at which the user last performed a keyboard or mouse operation. The
automatic logout only occurs after this pause in operator control.
When a user has been logged out automatically, the same or a different user can
log in during runtime.
If the checkbox is set, the "Web Options" area is displayed. In this area, the
settings for the start screen and language are configured and then applied if the
user dials into the WinCC project from the web. Only images which are available
on the Web Navigator can be selected as the start screen.
The checkbox can also be activated using the "Web Navigator" button in the
toolbar.
Authorizations table
The lower part of the table window shows the configured authorizations. Each line
contains one authorization.
The number of displayed authorizations depends on the installed options, e.g. the
"Basic Process Control" option.
Authorizations with the numbers 1000 - 1099 are system authorizations which
cannot be set, modified, or deleted by the user.
Authorization 1 "User Administration" is set by default for users in the
"Administrator" group. This authorization cannot be deleted.
In the "Unlock" column, an authorization can be assigned to the selected user by
double-clicking in the desired line.
Each authorization must be assigned separately. Multiple authorizations can only
be transferred according to the group assignment when you add a new user to a
group. The table can be edited by selecting the "Table" menu item.
Introduction
If the "Automatic Logout" function is set, a logged-in user can be logged out
automatically after a definable time. This prevents unauthorized persons from
having unlimited access to the system following control operations by the currently
logged-in user.
If "0" is entered in the input field, the function is deactivated and the user remains
logged in until the system is shut down or another user logs in.
If the "Absolute Time" option button is set, the configured time for the automatic
logout begins to run down when the user logs in, regardless of whether control
operations are performed by the user in the meantime.
If the "Idle Time" option button is set, the configured time begins to run down from
the point at which the user last performed a keyboard or mouse operation. The
automatic logout only occurs after this pause in operator control.
When a user has been logged out automatically, the same or a different user can
log in during runtime.
Procedures
Procedure
1 In the project navigation window, select the group or user for which you want
to configure the "Automatic Logout" function.
2 In the input field in the "Automatic Logout" section of the table window, enter the
time in minutes after which the system is no longer to permit process control
and the user is to be logged out.
3 The "Absolute Time" option button is set by default. Activate the "Idle Time"
option button if the time after which the automatic logout is to be performed
is to begin running down from the point at which the user last performed a
keyboard or mouse operation.
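How the "Absolute Time" and "Idle Time" options differ for the same operator session, as an added example that is not part of the original manual or of WinCC: a Python model of the rules stated above, which also reports how long a session stays open after the operator's last input. The function names and the minute-based timeline are assumptions, as is treating the login itself as the first operation in "Idle Time" mode.

```python
from typing import Iterable, Optional

ABSOLUTE_TIME = "Absolute Time"   # timer starts at login and is never restarted
IDLE_TIME = "Idle Time"           # timer restarts at every keyboard/mouse operation


def logout_minute(login_at: int, timeout_min: int, mode: str,
                  operations: Iterable[int] = ()) -> Optional[int]:
    """Return the minute at which the automatic logout takes place, or None.

    login_at     minute at which the user logged in
    timeout_min  value of the "Automatic Logout" input field (0 = deactivated)
    mode         ABSOLUTE_TIME or IDLE_TIME
    operations   minutes at which the user used the keyboard or mouse
    """
    if timeout_min < 0:
        raise ValueError("timeout must be 0 or a positive number of minutes")
    if mode not in (ABSOLUTE_TIME, IDLE_TIME):
        raise ValueError(f"unknown mode: {mode!r}")
    if timeout_min == 0:
        return None  # deactivated: logged in until shutdown or another login
    deadline = login_at + timeout_min
    if mode == IDLE_TIME:
        for t in sorted(operations):
            if t < login_at:
                continue          # happened before this session
            if t >= deadline:
                break             # the session had already ended
            deadline = t + timeout_min
    return deadline


def unattended_minutes(login_at: int, timeout_min: int, mode: str,
                       operations: Iterable[int] = ()) -> Optional[int]:
    """Minutes the session stays open after the last operation made in it.

    None means the session is never closed automatically.
    """
    ops = list(operations)
    end = logout_minute(login_at, timeout_min, mode, ops)
    if end is None:
        return None
    in_session = [t for t in ops if login_at <= t < end]
    return end - max([login_at] + in_session)


# Constructed timeline: login at minute 0, operations at minutes 3, 8 and 15.
SAMPLE_OPERATIONS = [3, 8, 15]

if __name__ == "__main__":
    for mode in (ABSOLUTE_TIME, IDLE_TIME):
        print(mode,
              logout_minute(0, 10, mode, SAMPLE_OPERATIONS),
              unattended_minutes(0, 10, mode, SAMPLE_OPERATIONS))
    print("0 minutes:", logout_minute(0, 0, IDLE_TIME, SAMPLE_OPERATIONS))
```

With a 10-minute setting, "Absolute Time" ends this session at minute 10 even though the operator was active at minute 8, while "Idle Time" keeps it open until minute 25, ten minutes after the last operation.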
1.2.7.4 How to activate the "Login Only Via Chipcard" function for a user
Introduction
If a user is to be able to log in using his chipcard only, this can be set in the User
Administrator by activating the "Login Only Via Chipcard" function.
Note:
The "Login Only Via Chipcard" checkbox is displayed if the WinCC "Chipcard"
option has been installed. In addition, the "Terminal Active" option must also be
activated in the "WinCC Chipcard Terminal" component in the Control Panels of
Windows.
A chipcard reader does not have to be connected to the configuration computer.
As a result, it is possible to set up the "Chipcard" function and use it on other
WinCC computers without a card reader needing to be available during
configuration.
Procedure
1 In the project navigation window, select the user for which the "Login Only
Via Chipcard" function is to be activated.
2 In the table window, activate the "Login Only Via Chipcard" checkbox.
Introduction
The left side of the status bar contains general program information.
The fields on the right side provide information on keyboard settings.
Introduction
This chapter outlines the structure of a user administration system and how to use
authorizations.
Introduction
The following basic steps are necessary to set up a user administration system:
1. Add the required groups.
2. Select the appropriate authorizations for the groups.
3. Add the users and assign the respective login names and passwords. The
properties of the group can be copied when new users are added. In this case, it is
advisable to assign the users to groups with authorizations which you want the
users to have.
4. Select the specific authorizations for the various users. It is also possible to set a
time here after which the system is to automatically log out the user in order to
protect the system from unauthorized entries. It can also be determined whether
the user should be able to log in by means of the chipcard only and which user-
specific settings apply if the user should dial into the system from the web.
The data is applied without being stored.
Introduction
The following steps are necessary for a user to log in during runtime:
1. Start the runtime system.
2. Now open the password dialog using the shortcut keys for "Login" defined in
the WinCC Explorer (Project Properties - Hotkey tab).
3. Enter your login name and the password in the dialog.
The system checks the authorizations you have been assigned against those of the
editors and the installed components. If the authorizations match, the system
unlocks the editors and components so that they can be used.
Note:
If a large number of authorizations have been assigned to a user, i.e. around the
maximum number of 999 authorizations per user, several minutes may be
required to log in the user.
Introduction
Installing WinCC together with the options will extend the functionality of the User
Administrator.
• The OS Project Editor in the "Basic Process Control" option changes the
number and function of the authorizations in the table window. The
authorizations then correspond to the PCS7 user hierarchies.
• The "Chipcard" option inserts the "Chipcard" item together with the associated
functions in the menu bar and the "Login Only Via Chipcard" checkbox can
then be activated in the table window.
Introduction
The User Administrator provides functions for controlling a chipcard reader. You
can write to and check chipcards in the configuration system. The "Chipcard" menu
is deactivated during runtime.
Requirements
The following requirements must be met before WinCC with the "Chipcard" option
can be used:
• the "Chipcard" option must be installed and
• an interface (e.g. COM1 or COM2) must be assigned to the chipcard reader.
When these requirements have been met, the "Chipcard" menu becomes available
and the "Login Only Via Chipcard" checkbox is displayed in the table window.
Note:
No Windows Administrator rights are required to write to and check chipcards in
the configuration system or to use the chipcards during runtime.
To be able to write to and read a chipcard, the hardware connection between the
chipcard reader and computer must be connected before the computer is started.
Introduction
Note:
The current Windows user must have administrator rights in Windows to be able
to access the "WinCC Chipcard Terminal Configuration" dialog.
Procedures
Procedure
1 Open the "WinCC Chipcard Terminal" icon in the Control Panels of
Windows. The "WinCC Chipcard Terminal Configuration" dialog appears.
Introduction
When a chipcard is written, all of the data on the card is deleted. The user (login
name) and the password are stored on the card.
Procedures
Procedure
1 Select "Write To Chipcard" in the "Chipcard" menu. The "Write To Chipcard"
dialog appears.
2 Select the desired user in the "Write Card for User" field.
3 Activate the "Additional Manual Password Also Required" checkbox if this
condition is to be applied when logging in during runtime.
4 Insert the chipcard into the chipcard reader.
5 Click the "Write To Card" button. The User Administrator transfers the data
to the chipcard.
6 Close the dialog by clicking the "Close" button.
Note:
To be able to write to and read a chipcard, the hardware connection between the
chipcard reader and computer must be connected before the computer is started.
You can only activate this menu item if WinCC was installed with the "Chipcard"
option. Further requirements can be found under "Extended Chipcard menu".
Introduction
This function is used to read a chipcard. It allows the data on the chipcard to be
checked if, for example, the card has just been written or a reading error has
occurred.
The login name stored on the card is displayed in the "User" field. If the login name
already exists in the User Administrator, the text "Card valid" appears in the dialog.
If the name does not exist, the text "Card invalid" is displayed.
If there is an error when reading the chipcard, it is noted in this dialog. No user
name is provided.
Procedures
Procedure
1 Insert the chipcard into the chipcard reader.
2 Select "Check Chipcard" in the "Chipcard" menu. The "Check Chipcard"
dialog appears.
Note:
To be able to write to and read a chipcard, the hardware connection between the
chipcard reader and computer must be connected before the computer is started.
You can only activate this menu item if WinCC was installed with the "Chipcard"
option. Further requirements can be found under "Extended Chipcard menu".
Introduction
To log into WinCC, the user inserts his chipcard into the chipcard reader and the
required data is read out. If the chipcard is inserted, it is not possible to log on at
the system manually. The user remains logged on at the system until he removes
the card from the chipcard reader. The "Automatic Logout" function whereby the
user is logged out automatically after a set time is only possible in conjunction with
chipcard operation.
Note:
The "Chipcard" menu is deactivated during runtime since the functions can only
be used in the configuration system.
Introduction
When the User Administrator is opened for the first time, the table window contains
certain default authorizations.
The authorizations in the table can be deleted or modified, except for the "User
Administration" authorization.
Authorizations with a lower number are not contained in authorizations with higher
numbers, but instead each authorization functions independently.
A member of the "Administrator Group" always receives access to the "User
Administration" authorization.
The standard authorizations are assigned in the configuration system, but are only
effective during runtime. This prevents a logged-in user from receiving unlimited
access to all system areas during runtime.
Note:
The names of the authorizations indicate what kind of influence the corresponding
authorization should have, but not how you actually use them.
This authorization enables the user to enter values manually, e.g. into I/O fields.
This authorization enables the user to change pictures and picture elements (e.g.
via ODK).
This authorization enables the user to trigger a picture change and thus open
another configured picture.
This authorization enables the user to change the application windows in Windows.
No. 7: Hardcopy
This authorization enables the user to make a hardcopy of the current process
screen.
This authorization enables the user to change messages in Alarm Logging (e.g. via
ODK).
This authorization enables the user to configure the evaluation process for the
archive tags.
This authorization enables the user to control or change the archiving process.
This authorization gives the user the right to execute and change scripts (e.g. via
ODK).
Introduction
These user authorizations correspond to the user hierarchies from PCS7 and are
available after the wizard in the OS Project Editor ("Basic Process Control" option)
has been activated.
Authorizations can be added or deleted, or their names can be changed, in the
configuration system. Authorizations with a lower number are not contained in
authorizations with higher numbers, but instead each authorization functions
independently.
The following preset authorizations cannot be deleted or changed:
If this authorization is set, the user can call up the User Administrator and make
changes.
If this authorization is set, the user can select pictures from the specified system
areas.
If this authorization is set, the user is granted the right to make status changes, e.g.
to deactivate the runtime system.
No. 4: Monitoring
If this authorization is set, the user can monitor - but not control - the process, e.g.
selection of the batch visualization.
If this authorization is set, the user is permitted to perform control operations which
have permanent effects on the process, e.g. modifying the limit values of a
controller.
If this authorization is set, the user can trigger reports or edit the layout in the
Report Designer runtime.
If this authorization is set, the user can control the functions of Storage.
Introduction
The authorizations from 1000 to 1099 are system authorizations. They are
generated automatically by the system and cannot be created, modified, or deleted
by the user. However, the system authorizations, like any other authorization, can
be assigned to a user.
The system authorizations are effective in the configuration system and during
runtime. In the configuration system, this prevents a user who is not registered in a
project from being granted access to the project, e.g. a server project.
The authorizations mean:
If set, the user can start or stop the runtime for this project from a different
computer.
If this item is set, the user can configure and make changes to the project from a
different computer.
If this item is set, the user can only open the project from a different computer; he
cannot make changes or perform control operations.
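The authorization rules described in this chapter, as an added example that is not part of the original manual or of WinCC: a Python model of the authorizations table showing that each number is checked on its own, that an unregistered user is refused everything, and which lines cannot be deleted. The class, its method names and the sample users are assumptions; the names given to authorizations 2 and 1000 are placeholders because this page does not show them.

```python
from typing import Dict, Iterable, List, Optional, Set

USER_ADMINISTRATION = 1             # authorization 1, cannot be deleted
SYSTEM_RANGE = range(1000, 1100)    # system authorizations 1000 - 1099
MAX_PER_USER = 999                  # maximum number of authorizations per user


class AuthorizationTable:
    """Hypothetical in-memory model of the authorizations table."""

    def __init__(self, functions: Dict[int, str]):
        self.functions = dict(functions)           # number -> "Function" column
        self.unlocked: Dict[str, Set[int]] = {}    # login name -> unlocked numbers

    def add_user(self, login: str, group_authorizations: Iterable[int] = ()) -> None:
        """Register a user and copy the group's authorizations to the new user."""
        if login in self.unlocked:
            raise ValueError("a user name can only be assigned once")
        self.unlocked[login] = set()
        for number in group_authorizations:
            self.unlock(login, number)

    def unlock(self, login: str, number: int) -> None:
        """Set the "Unlock" column of one line for one registered user."""
        if number not in self.functions:
            raise KeyError(f"authorization {number} is not in the table")
        granted = self.unlocked[login]
        if number not in granted and len(granted) >= MAX_PER_USER:
            raise ValueError(f"{login!r} already holds {MAX_PER_USER} authorizations")
        granted.add(number)

    def is_permitted(self, login: Optional[str], number: int) -> bool:
        """Exact-match check: a higher number never includes a lower one, and
        a user who is not registered has no authorizations whatsoever."""
        return number in self.unlocked.get(login, set())

    def delete_authorization(self, number: int) -> None:
        """Delete one line; the authorization is then lost for all users."""
        if number == USER_ADMINISTRATION or number in SYSTEM_RANGE:
            raise PermissionError(f"authorization {number} cannot be deleted")
        del self.functions[number]
        for granted in self.unlocked.values():
            granted.discard(number)

    def holders(self, number: int) -> List[str]:
        """Review helper: every login name that holds the given authorization."""
        return sorted(u for u, granted in self.unlocked.items() if number in granted)


def build_sample() -> AuthorizationTable:
    """Constructed sample table and users, not taken from a real project."""
    table = AuthorizationTable({
        1: "User Administration",
        2: "authorization No. 2 (placeholder name)",
        7: "Hardcopy",
        1000: "system authorization 1000 (placeholder name)",
    })
    table.add_user("admin1", group_authorizations=[USER_ADMINISTRATION])
    table.add_user("operator1")
    table.unlock("operator1", 7)
    return table


if __name__ == "__main__":
    sample = build_sample()
    print(sample.is_permitted("operator1", 7))   # holds No. 7
    print(sample.is_permitted("operator1", 2))   # No. 7 does not include No. 2
    print(sample.is_permitted("visitor", 7))     # not registered
    print(sample.holders(USER_ADMINISTRATION))
```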