Home
User Management
All about authorization, authentication and login-customization.
Access Control Plug-in
The WinCC OA Access Control Plug-in can be used to control the access to data points (read, write, display) via user rights.

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics, you need to know, before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
- User Administration
  The WinCC OA user administration provides important features for controlling users that use the system. Security is an important issue in the automation technology when controlling highly sensitive systems and it is of utmost importance that the users of the system have only access to the specified area of operation. With the WinCC OA user administration, you can administer users so that they can use the resources effectively without inflicting damage to the system inadvertently or otherwise
- Device Management
  The Device Management allows you to define which WinCC OA UI connections (mobile application and Desktop UI) are allowed to connect to your project. Additionally a direct overview over the available licenses and currently connected devices is shown.
- Inactivity/AutoLogout
  The inactivity management in WinCC OA prevents not authorized persons or persons with a wrong identity to use a workplace for forbidden or not traceable operations.
- Access Control Plug-in
  The WinCC OA Access Control Plug-in can be used to control the access to data points (read, write, display) via user rights.
- Authorization Check Plug-in
  The authorization check plug-in allows setting access rights on data point element level (data point values).
- Authentication via Kerberos, basics
  In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
- Login Framework
  The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
- System Use Notification
  You can use the system use notification panel to display an instruction to the user when logging into the WinCC OA system. The user must confirm the notification before logging into the WinCC OA project.
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
WinCC OA Documentation
Basic information about terms and functions within the documentation.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Access Control Plug-in

The WinCC OA Access Control Plug-in can be used to control the access to data points (read, write, display) via user rights.

The WinCC OA Access Control Plug-in applies free programmable filters to incoming messages in WinCC OA managers. The Access Control plug-in can be used in a WinCC OA project to protect against connecting unauthorized components (Manager Authentication).

The ACCPlug-in is loaded for each manager of the project. If a manager does not load the plug-in, the communication with the event manager is blocked. This is checked in the ACCPlug-in when the manager, which connects to the data manager, is registered. Additionally data points and other information for a proper operation can be loaded even before the interaction between the current manager and the event manager (using the Init method).

Two options for securing the registration of the client are available: Identification or the challenge / response mechanism.

For the identification the methods getIdentity (for the client manager) and checkIdentity (for the data manager) are used for a simple check of the registering manager that connects to the data manager.
The "Challenge / Response" mechanism is used for establishing the communication between the clients and the data manager with increased security. For this the methods getChallenge (on the server side), getResponse (on the client side) and checkResponse (for the data and event manager of the server) can be used. This mechanism cannot be used in combination with Kerberos.

When using the plug-in for access filtering, all functions with read or write access inside of the manager interface (API) can be controlled. This includes data point functions and queries as well as CNS functions. For reading functions specific data points can be removed from the message, if necessary. For writing functions the called function is returned with a corresponding error if the access filter is triggered. Additionally "Display" functions with analytical information are available for filter operations, e.g. getIdSet.

Help functions are available as management functions in a local memory range of the plug-in as a mapping of key - value pairs (setResource / getResource).