User administration, basics
The WinCC OA user administration provides important features for controlling users that use the system. Security is an important issue in the automation technology when controlling highly sensitive systems and it is of utmost importance that the users of the system have only access to the specified area of operation. With the WinCC OA user administration, you can administer users so that they can use the resources effectively without inflicting damage to the system inadvertently or otherwise.
The WinCC OA user administration offers a number of different options for creating, editing and removing user and group profiles as well as permissions that can be assigned to groups.
Users belong to one or several different groups depending on the defined membership. The members of a group then inherit the rights assigned to this group. The user rights for a group are defined via authorization bits. The bits are set for the authorization levels. There are five predefined authorization levels (for example, level 1=visualization) and additional 27 levels can be defined.
The predefined authorization levels 1-5 are used in WinCC OA for example, for STD_Symbols and for the user administration where the levels can be changed. The levels are also used, for example, for panel topology and for system authorization where the levels cannot be changed. For more information on authorizations, see authorization levels).
Areas which are logical or geographical zones of, for example, a plant can be assigned to different groups. The rights for an area that were assigned to a group apply to all users belonging to this group. Thus, different rights can also be defined by assigning areas to different user groups.
It is also possible to set separate permissions depending on the workstation in use. The workstation authorization can however only reduce rights and it is not possible to, for example, assign administration rights to a user group that has generally only visualization rights (inherited from a group). Thus, the workstation authorization can be used to restrict the rights of a user group or several different groups for a specific workstation (for example, a user has administrator rights for a control room but in his office only visualization rights).
The user rights consist of the combination of group, area and workstation rights in the following way (Group1 && Area(Group1) && Workstation (Group1) || (Group2 && Area(Group2) && Workstation(Group2)).
This means that the rights for a user are composed of the different rights assigned to the group the user belongs to. A user belonging to Group1 inherits the rights of the Group1 and the rights of the area that was assigned to this group. Additionally, the user also inherits the workstation authorization if an authorization was defined for the group that the user belongs to.
With the WinCC OA Configuration Managementyou can set and use different user and workstation specific system settings and according default values. You can, for example, set inactivity timeouts or set panel layers visible or invisible according to a user.
Using favorites you can create panel views. At run time you can open this favorite at any time without having to navigate to this panel. See chapters Configuration Management and Multi Screen Configuration.
The control function getUserPermission allows checking the user rights. You can, for example, check if a specific user has a specific authorization level and open a panel only if the user has the required level. The control function getUserPermissionForArea checks if the user has the authorization for a specific authorization level of a specific area. See chapter getUserPermissionForArea() for more information.
As an additional feature, the WinCC OA user administration allows to choose the OS Auth. user administration if you want to. This means that users and user groups are adopted from the Windows or Linux user administration. The group rights for the adopted groups have to be defined in WinCC OA. See chapter groups for more information. The OS Auth. user administration can be used like the WinCC OA administration with the exception that you cannot add or delete users.
The WinCC OA also provides the Single Sign On feature. If this feature is activated under OS.Auth. user administration, you do not have to log in with password and the current user is logged in. The log in without password works only once when the login panel is opened after the user interface was started. After log out from WinCC OA without a restart of the user interface, a password has to be entered. Therefore, the WinCC OA and the OS Auth. user can be administered separately.
This help provides you with the necessary information for understanding the WinCC OA user administration. It shows you how to set up and administer user accounts, groups and areas and describes the use of the different panels.
Chapter | Description |
---|---|
User administration, basics | Introduction to the WinCC OA user administration. |
User administration panel | Description of the user administration panel used to create, edit and remove user and group profiles as well as areas. |
Authorization levels | Introduction to the five default authorization levels used to administer users. |
Areas | Description of areas that are logical or geographical zones (for example, a tunnel) and can be assigned to different user groups. The rights of an area assigned to a group apply to all users belonging to this group. |
Groups | Description of the WinCC OA user groups as well as the panels used to administer them. |
Users | Description of how to create and delete users as well as how to assign group memberships to the users. |
Workstation authorization | Authorization levels can also be defined for work stations. Description of the work station authorization and the panel used for the authorization. |
Configuration Management | With the WinCC OA Configuration Management you can set and use different user and workstation-specific system settings and according default values. |
System authorizations | The system authorizations are used to define authorization levels for different actions such as creating, changing and deleting data point types, data points and aliases. |
OS.Auth. user administration | Description of the OS.Auth user administration. OS.Auth user administration means that both Windows and Linux user administrations can be used. |
Functions for Windows user administration | Description of the available CONTROL functions for the Windows user administration. |