Access Control Plug-in, Basics
The WinCC OA Access Control Plug-in can be used to control the access to data points (read, write, display) via user rights.
The WinCC OA Access Control Plug-in applies free programmable filters to incoming messages in WinCC OA managers. The Access Control plug-in can be used in a WinCC OA project to protect against connecting unauthorized components (Manager Authentication).
The ACCPlug-in is loaded for each manager of the project. If a manager does not load the plug-in, the communication with the event manager is blocked. This is checked in the ACCPlug-in when the manager, which connects to the data manager, is registered. Additionally data points and other information for a proper operation can be loaded even before the interaction between the current manager and the event manager (using the Init method).
Two options for securing the registration of the client are available: Identification or the challenge / response mechanism.
- For the identification the methods getIdentity (for the client manager) and checkIdentity (for the data manager) are used for a simple check of the registering manager that connects to the data manager.
- The "Challenge / Response" mechanism is used for establishing the communication between the clients and the data manager with increased security. For this the methods getChallenge (on the server side), getResponse (on the client side) and checkResponse (for the data and event manager of the server) can be used. This mechanism cannot be used in combination with Kerberos.
When using the plug-in for access filtering, all functions with read or write access inside of the manager interface (API) can be controlled. This includes data point functions and queries as well as CNS functions. For reading functions specific data points can be removed from the message, if necessary. For writing functions the called function is returned with a corresponding error if the access filter is triggered. Additionally "Display" functions with analytical information are available for filter operations, e.g. getIdSet.
Help functions are available as management functions in a local memory range of the plug-in as a mapping of key - value pairs (setResource / getResource).
Chapter Overview
Chapter | Description |
---|---|
Access Control Plug-in, Basics | Basics and Introduction. |
Templates for the Access Control Plug-in | Overview of the available Access Control Plug-in templates. |
Access Control Plug-in Project Integration | How to integrate the Access Control Plug-in within your project. |
Generating a User-Defined Plug-in | How to create your own user-defined plug-in. |
Access Control Plug-In Programming Information | Additional information on how to develop a Access Control Plug-in. |
Example Panel for the Access Control Plug-in | Description of the example panel that is provided for the Access Control Plug-in. |