Contents Page

Training aims ...................................................................................................................................... 2

User Administrator Introduction ........................................................................................................... 3
User Administrator Defining authorization levels ........................................................................... 4
User Administrator Defining user groups and their rights (example 1) ............................................. 5
User Administrator Defining user groups and their rights (example 2) .............................................. 6
User Administrator Assigning users and user groups ......................................................................... 7
User Administrator Group rights and user rights ............................................................................... 8
User Administrator Editor Authorization levels ................................................................................ 9
User Administrator Editor Groups ...................................................................................................... 10
User Administrator Editor Users ..................................................................................................... 11
User Administrator Access protection ............................................................................................ 12
User Administrator Logging in and out of operators ........................................................................ 13
User Administrator UserAdminControl - User administration in runtime .......................................... 14
Exercise 1: Adapting authorization levels .......................................................................................... 15
Exercise 2: Defining user groups and their rights ..................................................................... 16
Exercise 2: Defining user groups and their rights ..................................................................... 17
Exercise 3: Creating users ............................................................................................................. 18
Exercise 4: Buttons for logging users in/out ................................................................. 19
User Administrator SilentLogin in runtime ........................................................................................ 20
SIMATIC Logon ............................................................................................................................... 21

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 1 User Administrator
The participant will:
Be able to create and change authorization levels
Know the relationship between user groups and users
Be able to protect any objects in pictures
Know the options for logging users in and out

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 2 User Administrator
General information With the User Administrator, the assignment and management of access
rights preventing unauthorized access can be configured; in other words all
operator input to the process, the archives and the WinCC system can be blocked
to prevent unauthorized access.

If no user is logged in or the user does not have adequate rights, the operator input
will not be executed and the box shown above is output.
Examples of operator input are changes to setpoints, recipes, selecting pictures or
calling up the configuration software from process mode.
There are different access levels which allow the setup of a hierarchical
access protection scheme, such as exclusive authorizations for
individual operators.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 3 User Administrator
Authorization levels
Up to 999 of your own authorization levels can be created. The names of your own
authorization levels can be freely selected.
As of ID 1000, there are system-defined authorization levels that cannot be
changed by the configuration engineer.

As long as no operator control objects are protected by authorization levels, the

authorization levels have no effect in runtime.

Example 1 Here, an example of hierarchical access protection is shown. For more important
operator input, a higher authorization level is required. If the operator logs in with a
"level 3" authorization, he or she also has the authorizations below this level.

Example 2 This example shows different authorization levels assigned independently of each
other. This principle is often used in WinCC projects.

How these two principles are implemented in WinCC is explained on the following
pages.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 4 User Administrator
Example 1 Here, you can see how hierarchical access protection can be configured.

Four user groups are defined. The lowest group "Operator" only has authorization
for "Level 1". The next group up "shift supervisor" has the authorization for "Level
1" and "Level 2", the "process engineers" have access at "Level 1" to "Level 3" and
the "service" group has all authorization levels and can therefore access all
protected objects.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 5 User Administrator
Example 2 This shows the second principle with different authorization levels independent of
each other.
The names of the authorization levels are selected so that they describe the
subsequent options.
Once again there are four user groups. The authorization levels can however be
assigned completely freely.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 6 User Administrator
Procedure After practical user groups have been defined, the operators of the plant need to
be assigned to one of these groups.
A user can only be in one group, a group, on the other hand, can contain several
users.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 7 User Administrator
Rights With the assignment of a user to a group, the user inherits the group rights. This
allows more effective configuration.

Following this, individual users can be assigned additional rights (in the example
above, the user "A. Schmidt" receives the additional right "Change controller
settings"). It would also be possible to take rights away from individual users.

The question is now whether the group rights of a user or the rights assigned to
the user (user rights) take effect in runtime. In WinCC, the rights assigned to the
user are always crucial.
Exception: When using the option SIMATIC Logon, the group rights are relevant.

If the rights of a group are changed (in the example above the group "process
engineers" has an extra right assigned) this does not affect the existing users of
this group. Only when new users are created do they inherit the current rights.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 8 User Administrator
Starting the editor The editor is started as usual by double-clicking in the WinCC Explorer.

Depending on the selection of a level in the navigation area, the corresponding

options are displayed in the middle window (table).

If, for example, you select the highest level "User Administrator", the tabs "Groups
[all], "Users [all] and "Authorization levels [all]" are displayed.

New Group A further user group can be created using the shortcut menu (see figure) or in the
"Groups [all]" tab.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 9 User Administrator
Editor Depending on the selection of a level in the navigation area, the corresponding
options are displayed in the middle window (table).
Here, the "Operator" user group was selected. This allows the authorizations of
this group to be enabled in the Authorizations tab. Changing e.g. the name of the
group is not possible here.
The "Users" tab shows all the users of this group.

New User A further user can be created using the shortcut menu (see figure) or in the "Users
[Operator]" tab.

Properties Here, an automatic logout can be set. This property is inherited by new users of
this group.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 10 User Administrator
User If a user is selected, only the "Authorizations" tab is shown in the table area. These
relate to the selected user.

Properties Here, for example, an automatic logout after an absolute time or after an inactive
time can be set. In the example above, no password has yet been assigned.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 11 User Administrator
Assigning authorizations
To prevent manipulation of graphics objects (e.g. button, slider, I/O box, check box
etc.), the relevant graphics object must be protected. This is achieved by setting
one of the configured authorization levels in the property
Miscellaneous/Authorization.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 12 User Administrator
Configuration Defining hotkeys for logon and logoff, see the example in the figure above.
With the operator input e.g. Ctrl L, you call a system box in the runtime system
via which you can enter the login name and the password so that
as the user, you have password-protected access. With
e.g. Ctrl O, you log off again so that no one can access protected
objects after you. The login name and password
are assigned with the
User Administrator editor.

Note In the example above, no hotkey has yet been defined.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 13 User Administrator
UserAdminControl This control is available as of WinCC V7.3.

Here, properties of users (e.g. passwords) or the authorization levels can be

changed. New users can also be created.

Depending on whether the logged on users have the right with ID = 1 (the name of
the authorization level is not relevant), they can only change their own properties
or the properties of all users.
In the example above, the user "Klaus" is logged on and has the user right with ID
= 1. This allows him to view and edit the other users.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 14 User Administrator
Objective The existing project is to be expanded with a user administration.

Exercise 1. If it is running, exit WinCC Runtime.

2. Open the "User Administrator" editor.
3. Go to the "Authorization levels [all]" tab.
4. Create the 5 authorization levels shown in the figure. To do this, you can
rename existing levels or create new ones. The order or the ID (with the exception
of ID = 1) are not relevant for the function in runtime.
5. You can delete unused authorization levels.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 15 User Administrator
Exercise 1. Create three new groups:
- Operator
- Shift supervisor
- Service

2. Change the following properties for all three groups:

- Logout / Type of automatic logoff: Inactive
- Logout / Period of time before automatic logoff: 10

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 16 User Administrator
Exercise 3. Select the first group "Operator" and change the group rights as shown in the
figure.

4. Also adapt the group rights for the groups "Shift supervisor" and
"Service".

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 17 User Administrator
Exercise 1. Create a new user in the "Operator" group with the name "Peter". Then assign
a password (to keep things simple in the exercises we select the password
123456 for all users, for real plants, secure and different passwords should
be selected.)

2. Create a new user in the "Shift supervisor" group with the name "Paul". Then
assign a password.

3. Create a new user in the "Service" group with the name "Mary". Then assign a
password.

4. Compare the authorizations of the group with those of the user in this group.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 18 User Administrator
Objective In the overview area of the start picture, two buttons for logging WinCC users on
and off need to be added. The picture should also show which user is currently
logged on.

Exercise 1. In the Start.pdl, add two buttons and label them with "Login and "Logout".

2. Add the C scripts OnClick shown above to the relevant buttons.

3. Add a static text and connected with the system tag @CurrentUser. This tag is
generated as an internal tag (string tag) when a project is created.

4. Apply an operator authorization to the "Exit runtime" button.

To do this, go to Miscellaneous/Authorization in the properties and then select
the authorization level "Exit Runtime".

5. Test the functions in runtime.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 19 User Administrator
SilentLogin With a further function (PWRTSilentLogin()) a user can be logged in silently by a C
script.

With this function, a standard user could be logged in automatically when WinCC
Runtime starts. To do this, the C script must be configured for the picture selection
of the start picture event.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 20 User Administrator
SIMATIC Logon In previous versions "SIMATIC Logon" was a WinCC option that needed to be
purchased. As of WinCC V7.0, this option ships with WinCC.

With this option, it is possible to implement a central user administration for

several WinCC projects. For this reason in the "SIMATIC Logon" logon dialog, a
computer or a domain needs to be specified on which this central user
administration is managed.

Login tag With this function, a user can be logged in very easily via the controller. To do this,
a process tag must be defined. Depending on the value of this tag, different users
can be logged in automatically. This, for example, allows a user to be logged in to
WinCC Runtime via a key switch connected to the controller.

SITRAIN Training for ST-BWINCCS

Automation and Industrial Solutions Page 21 User Administrator