Security - User Authentication page

This is a WBM topic.

Establishing a connection to WBM:

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm, for example: https://192.168.1.10/wbm.

For further information, see Web-based management (WBM).


The security-related settings for the controller are configured in the Security area of the Web-based Management (WBM).

Enable or disable user authentication on the User Authentication page. When user authentication is enabled, authentication with a user name and password is required for access to certain components of the controller and certain functions in PLCnext Engineer.

[Figure: User Authentication page in WBM]

When User Authentication is disabled, authentication is not necessary to access the WBM, the OPC UA server of the controller, or to access the controller using PLCnext Engineer. Access to the file system via SFTP and access to the shell via SSH requires authentication (with administrator rights) even if user authentication is disabled.

User authentication is enabled by default. In the delivery state, the admin user is already created with administrator rights.


Recommended:
Only use the administrator password printed on the controller for initial login into WBM.
Once you have logged in successfully, change the administrator password to prevent unauthorized administrator access.
The modified administrator access data is stored in the overlay file system on the internal parameterization memory. If you operate the controller with an SD card, the overlay file system is saved to the SD card.


Please note:
Enabled user authentication only provides a limited degree of protection against unauthorized network access.
Due to the communication interfaces of the controller, the controller should not be used in safety-critical applications unless additional security appliances are used.
Make sure you always operate the controller with the latest firmware version.
Follow the security advice on unauthorized network access.

Enabling/disabling user authentication

To enable/disable user authentication, proceed as follows:

  • Click on the Enable/Disable button next to the User Authentication check box.

The Enable/Disable User Authentication dialog opens.

[Figure: Enable/Disable User Authentication dialog]

  • To enable user authentication, enable the User Authentication check box.
  • To disable user authentication, disable the User Authentication check box.
  • Click the Save button to apply the setting.

User management

User management covers the access data (user name and password) of all users who are authorized to access the controller; the required access permissions are assigned to each user via user roles.

The access data of all newly created users is stored on the internal parameterization memory. If you operate the controller with an SD card, the access data is saved to the SD card.
If the SD card is inserted into another controller of the same type, the access data stored on the SD card is used for access to the controller.


When inserting the SD card into another controller please note:

If you have changed the administrator access data after logging into WBM for the first time, the modified access data stored on the SD card will be used for access to the controller. In this case, it is no longer possible to log in with the admin user name and the administrator password printed on the device.

Adding a user

Proceed as follows to add a user:

  • Click on the Add User button on the User Authentication page.

The Add User dialog opens.

[Figure: Add User dialog]


  • Enter the user name and password into the respective input field.
  • To add the user in the user manager, click on the Add button.


Note: 

When assigning a user name and password, note the length limitation of 127 bytes for passwords and 63 bytes for user names. The characters are encoded using UTF-8, and the number of bytes a character uses depends on which character is entered: letters a-z and digits 0-9 take one byte, umlauts such as ä take two bytes, symbols such as € take three bytes, and characters outside the Basic Multilingual Plane (e.g. emoji) take four bytes. The length limitation therefore limits the number of bytes, not the number of characters: a 64-character password made of umlauts (128 bytes) is rejected, although a 64-character ASCII password is accepted.
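The following Python script is an added example and is not part of the PLCnext documentation or the controller firmware. It applies the two byte limits from the note above to candidate user names and passwords the way the note defines them, in UTF-8 bytes rather than characters. The function names, the sample strings and the notion of a "safe" character count (the number of characters that fit whatever characters are used) are assumptions made for this example.

```python
# Added example, not part of the PLCnext documentation: checks WBM user
# names and passwords against the limits stated in the note (63 bytes for
# a user name, 127 bytes for a password). The limit applies to the UTF-8
# encoding, so the same number of characters can fit or overflow
# depending on which characters are used.
from typing import Dict, Tuple

MAX_USERNAME_BYTES = 63   # limit for user names, from the WBM note
MAX_PASSWORD_BYTES = 127  # limit for passwords, from the WBM note


def utf8_length(text: str) -> int:
    """Bytes the string occupies in UTF-8, which is what the limit counts."""
    return len(text.encode("utf-8"))


def check_credential(value: str, limit: int) -> Tuple[bool, int]:
    """Return (fits, byte_length) for one user name or password."""
    n = utf8_length(value)
    return n <= limit, n


def max_safe_chars(limit: int) -> int:
    """Character count that fits regardless of which characters are used.

    A UTF-8 character is at most four bytes, so limit // 4 characters
    always fit; longer strings must be checked by their byte length.
    """
    return limit // 4


def check_user(username: str, password: str) -> Dict[str, object]:
    """Validate a (user name, password) pair against both byte limits."""
    user_ok, user_bytes = check_credential(username, MAX_USERNAME_BYTES)
    pw_ok, pw_bytes = check_credential(password, MAX_PASSWORD_BYTES)
    return {
        "username_bytes": user_bytes,
        "username_ok": user_ok,
        "password_bytes": pw_bytes,
        "password_ok": pw_ok,
        "ok": user_ok and pw_ok,
    }


if __name__ == "__main__":
    # Constructed sample inputs: one, two, three and four bytes per character.
    for sample in ["admin", "Müller", "Preis€", "🔒"]:
        print(f"{sample!r}: {len(sample)} chars, {utf8_length(sample)} bytes")
    # 64 two-byte characters exceed the password limit, although a
    # 64-character ASCII password would fit.
    print(check_user("a" * 63, "ü" * 64))
    print("characters that always fit in a password:",
          max_safe_chars(MAX_PASSWORD_BYTES))
```

Running the script shows that "Müller" (6 characters) occupies 7 bytes and that a password of 64 umlauts is rejected; 31 characters of any kind always fit into a password and 15 into a user name.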


Setting a password

Proceed as follows to change a user password:

  • Click on the Set Password button in the line of the desired user on the User Authentication page.

The Set User Password dialog opens.

[Figure: Set User Password dialog]


  • Enter the new password in the New Password and Confirm Password input fields.
  • To save the new password, click on the Save button.

Modifying user roles

You can select one or more user roles with different permissions for each user.
These permissions control access to:

  • The controller SD card
  • The controller using PLCnext Engineer
  • The PLCnext Engineer HMI application
  • WBM
  • The OPC UA server of the controller

To assign one or more user roles to a user, proceed as follows:

  • Click on the Modify Roles button in the line of the desired user on the User Authentication page.

The Modify Roles dialog opens.

[Figure: Modify Roles dialog]


  • Enable the check box of the user role(s) that you would like to assign to the user.

Note: You can manage access permissions to the PLCnext Engineer HMI application via the EHmiLevel1...10, EHmiViewer and EHmiChanger user roles. The assigned user roles specify whether and to what extent a user can read from and write to the HMI application.
For detailed information on the security functions in a PLCnext Engineer HMI application as well as on handling HMI user roles, please refer to the PLCnext Engineer online help.

  • Click on the Save button to save the selected user role(s) for the user.

The following table shows the possible user roles and their access permissions.

User roles and their assigned access permissions in the various applications

User roles (columns of the table): Admin, CertificateManager, UserManager, Engineer, Commissioner, Service, DataViewer, DataChanger, Viewer, FileReader, FileWriter, EHmiLevelX, EHmiViewer, EHmiChanger

Applications or components of the controller and the access permissions covered (rows of the table):

SD card/parameterization memory
  • SFTP access to the file system with an SFTP client
    Please note: Authentication with a user name and password is always required for SFTP access, even when user authentication is disabled.

Shell
  • SSH access to the shell
    Please note: Authentication with a user name and password is always required for SSH access, even when user authentication is disabled.

PLCnext Engineer
  • View values in the cockpit (e.g., utilization)
  • Transfer a project to the controller
  • Start (cold/warm restart) or stop the controller
  • Restart the controller (reboot)
  • Reset the controller to default setting type 1
  • View online variable values
  • Overwrite variables
  • Set and delete breakpoints

WBM
  • View the "General Information" page
  • Manage users
  • Edit TrustStores and IdentityStores
  • Configure the firewall
  • Update the firmware
  • Proficloud status
  • Configure SD card use
  • Overview of app licenses used
  • Offline activation of licenses
  • Install/uninstall apps
  • PROFINET diagnostics
  • Local Bus diagnostics

PLCnext Engineer HMI application
  • View online variable values
  • Overwrite variables

OPC UA client
  • View online variable values
  • Overwrite variables
  • Read files
    Note: FileReaders can only read files via an OPC UA client if the OPC UA file transfer is activated in PLCnext Engineer (for additional information, please refer to the PLCnext Engineer online help).
  • Write files
    Note: FileWriters can only write files via an OPC UA client if the OPC UA file transfer is activated in PLCnext Engineer (for additional information, please refer to the PLCnext Engineer online help).

The check marks of the table that show which role holds each permission are not reproduced on this page. The assignments this page states explicitly are: SFTP and SSH access requires administrator rights; reading files via an OPC UA client requires the FileReader role and writing files the FileWriter role; access to the PLCnext Engineer HMI application is controlled by the EHmiLevel, EHmiViewer and EHmiChanger roles.

Removing a user

Proceed as follows to remove a user:

  • On the User Authentication page, click the Remove User button in the line of the user to be removed.

The Remove User dialog opens.

[Figure: Remove User dialog]


  • Click on the Remove button to delete the user.


 • Published/reviewed: 2020-03-29 •  Rev. 24