Creating users 

The SecurityAdmin can only configure the system. All other activities must be performed by other users with other roles. You need at least a Security Auditor to access the security notifications, an Engineer to program in PLCnext Engineer and an Operator to operate an HMI. Below you will see how to add these users with their specific roles.

Note: It is strongly recommended that you only use the default user password for the first access. Change the default password immediately after the first access. Observe the password complexity rules .

If you have created a user, you will see a corresponding message in the WBM to change the default password (from firmware 2024.0 LTS).

 For more information on the different users, roles and rights, refer to the User Authentication topic in the main PLCnext Technology ‑ Info Center.

 

For the following procedures you need access to the Web-based Management on the PLCnext Control.

Return to topicHow do I get to the WBM again? Click here for more information... 

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

System Use Notification

The system use notification is displayed each time a user wants to log on to the controller. The system use notification is independent of the language of the user interface in WBM and PLCnext Engineer. You should therefore take all required languages into account when editing.

To edit the system use notification, proceed as follows:

  • Click the Edit Notification button.

An input window opens.

  • Edit the System Use Notification.
  • Confirm the entry by clicking the Save button.

The text is then transferred to the controller and stored.

 

Adding a Security Auditor

To add a Security Auditor, proceed as follows:

  • Log in to the WBM.
  • Open the SecurityUser Authentication page in the WBM. 
  • Click the Add User button. 

The dialog Add User opens. 

  • Enter a username and a password following the password complexity rules
  • Click the Add button. 
  • In the added row SecurityAuditor, click the Edit User button. 

  • In the dialog that opens, select a ruleset (Password rules; we advise the "Admin Ruleset") and the appropriate role (User Roles) by activating the checkbox at SecurityAuditor
  • Click the Save button. 

You added a Security Auditor. 

Adding an Engineer

To add an Engineer, proceed as follows:

  • Log in to the WBM.
  • Open the SecurityUser Authentication page in the WBM. 
  • Click the Add User button. 

The dialog Add User opens. 

  • Enter a username and a password following the password complexity rules
    Add user via WBM
  • Click the Add button. 
  • In the added row Engineer, click the Edit User  button. 

  • In the dialog that opens, select a ruleset (Password rules; we advise the "Admin Ruleset") and the appropriate role (User Roles) by activating the checkbox atEngineer

  • Click the Save button. 

You added an Engineer. 

Adding an Operator

To add an Engineer, proceed as follows:

  • Log in to the WBM.
  • Open the SecurityUser Authentication page in the WBM. 
  • Click the Add User button. 

The dialog Add User opens. 

  • Click the Add button. 
  • In the added row Operator, click the Edit User  button. 

  • In the dialog that opens, select the appropriate role by activating the checkbox at EHmiChanger

     
  • Click the Save button. 

You added an Operator. 

 

Changing the password

Note: Users must change their passwords following the password complexity rules when they log in with their role for the first time.

Adding more users

If necessary, set up additional users. The number and the roles of the respective users depend on your system and the respective application.

Local user management

You can set up the users locally.

However, a global user management via LDAP is possible. When working with multiple devices (more than 3), Phoenix Contact suggests a global, network-based user management via active directory server (LDAP).

 For more information on LDAP, refer to the LDAP connection - file-based configuration topic in the main PLCnext Technology ‑ Info Center.

Information about the Admin

Even if the Security Profile is enabled, the Admin is allowed to make changes via SSH, e.g. the Netload Limiter configuration or the VPN configuration. For the commissioning phase it is possible to configure the Admin to make changes to PLCnext Technology configuration files. Afterwards the Admin must be deleted again in the User Manager!
 

warning label CAUTION

Unauthenticated access

More accesses are possible via the Admin. This can disrupt production and reduce security. 

Do not start any plant with activated Admin!

 

With the Admin user, you can also use SSH to check the NTP connection. To do this, you must enable SSH in the firewall basic configurations (for more information, refer to the firewall basic configurations) and set an input rule:

Basic Configuration:

Input Rule:

Note: Configure the IP addresses in the firewall so that SSH access can only take place from the defined device.

 

Using the console, you can now check whether the connection has been established by using the ntpq -p command.

 

Checking password validity in the WBM

  • Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

  • Open the Cockpit page (DiagnosticsCockpit) in the WBM. 

Based on the messages, you can check whether the passwords are still valid and whether a user has already changed his default password.

 

 

 

 


• Published/reviewed: 2024-12-16 • Revision 016 •