Access Control Plug-in

The WinCC OA Access Control Plug-in can be used to control access to data points (read, write, display) via user rights.

The WinCC OA Access Control Plug-in applies freely programmable filters to incoming messages in WinCC OA managers. It can also be used in a WinCC OA project to protect against unauthorized components connecting to the project (Manager Authentication).

The ACCPlug-in is loaded for each manager of the project. If a manager does not load the plug-in, its communication with the event manager is blocked. The ACCPlug-in checks this when a manager that connects to the data manager is registered. Additionally, data points and other information required for proper operation can be loaded even before the interaction between the current manager and the event manager begins (using the Init method).

Two options are available for securing the registration of the client: identification or the challenge / response mechanism.

  • For identification, the methods getIdentity (for the client manager) and checkIdentity (for the data manager) perform a simple check of the registering manager that connects to the data manager.
  • The "Challenge / Response" mechanism establishes the communication between the clients and the data manager with increased security. For this, the methods getChallenge (on the server side), getResponse (on the client side) and checkResponse (for the data and event manager of the server) can be used. This mechanism cannot be used in combination with Kerberos.
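The difference between the two registration options, as an added Python model that is not WinCC OA code and not part of the original documentation. The function names mirror the methods named above; their signatures, the pre-shared key and the HMAC-SHA256 construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret (assumption); a real project would provision its own.
SHARED_KEY = b"constructed-demo-key"


class DataManagerModel:
    """Server side of the model: issues challenges and verifies responses."""

    def __init__(self, key):
        self._key = key
        self._pending = {}  # manager id -> outstanding nonce

    def get_challenge(self, manager_id):
        nonce = secrets.token_bytes(32)  # fresh random value per registration
        self._pending[manager_id] = nonce
        return nonce

    def check_response(self, manager_id, response):
        # pop() makes every challenge single-use, so a captured response
        # cannot be presented a second time.
        nonce = self._pending.pop(manager_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self._key, manager_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

    def check_identity(self, identity, allowed):
        # Identification: a static value that is accepted every time it is sent.
        return identity in allowed


def get_response(key, manager_id, challenge):
    """Client side: prove knowledge of the key for this specific challenge."""
    return hmac.new(key, manager_id.encode() + challenge, hashlib.sha256).digest()


def demo():
    dm = DataManagerModel(SHARED_KEY)
    r1 = get_response(SHARED_KEY, "ui-1", dm.get_challenge("ui-1"))
    first = dm.check_response("ui-1", r1)        # legitimate registration
    replay_same = dm.check_response("ui-1", r1)  # challenge already consumed
    dm.get_challenge("ui-1")                     # server issues a new nonce
    replay_new = dm.check_response("ui-1", r1)   # old response, new challenge
    ident_twice = all(dm.check_identity("ui-1", {"ui-1"}) for _ in range(2))
    return first, replay_same, replay_new, ident_twice
```

In this model a recorded response is rejected on reuse, while the static identity check accepts the same value on every presentation.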

When the plug-in is used for access filtering, all functions with read or write access inside the manager interface (API) can be controlled. This includes data point functions and queries as well as CNS functions. For reading functions, specific data points can be removed from the message if necessary. For writing functions, the called function returns with a corresponding error if the access filter is triggered. Additionally, "Display" functions with analytical information are available for filter operations, e.g. getIdSet.

Helper functions are available as management functions that work on a local memory area of the plug-in, organized as a mapping of key-value pairs (setResource / getResource).