Creating users
The SecurityAdmin can only configure the system. All other activities must be performed by other users with other roles. You need at least a Security Auditor to access the security notifications, an Engineer to program in PLCnext Engineer and an Operator to operate an HMI. Below you will see how to add these users with their specific roles.
If you have created a user, you will see a corresponding message in the WBM to change the default password (from firmware 2024.0 LTS).
For more information on the different users, roles and rights, refer to the User Authentication topic in the main PLCnext Technology ‑ Info Center.
For the following procedures you need access to the Web-based Management on the PLCnext Control.
Return to topicHow do I get to the WBM again? Click here for more information...
Establishing a connection to the Web-based Management (WBM):
- Open a web browser on your computer.
- In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
for example: https://192.168.1.10/wbm.
For further information, see WBM.
System Use Notification
The system use notification is displayed each time a user wants to log on to the controller. The system use notification is independent of the language of the user interface in WBM and PLCnext Engineer. You should therefore take all required languages into account when editing.
To edit the system use notification, proceed as follows:
- Click the
button.
An input window opens.
- Edit the System Use Notification.
- Confirm the entry by clicking the button.
The text is then transferred to the controller and stored.
Adding a Security Auditor
To add a Security Auditor, proceed as follows:
- Log in to the WBM.
- Open the Security → User Authentication page in the WBM.
- Click the
button.
The dialog Add User opens.
- Enter a username and a password following the password complexity rules.
- Click the button.
- In the added row SecurityAuditor, click the button.
- In the dialog that opens, select a ruleset (Password rules; we advise the "Admin Ruleset") and the appropriate role (User Roles) by activating the checkbox at SecurityAuditor.
- Click the button.
You added a Security Auditor.
Adding an Engineer
To add an Engineer, proceed as follows:
- Log in to the WBM.
- Open the Security → User Authentication page in the WBM.
- Click the
button.
The dialog Add User opens.
- Enter a username and a password following the password complexity rules.
- Click the button.
- In the added row Engineer, click the button.
- In the dialog that opens, select a ruleset (Password rules; we advise the "Admin Ruleset") and the appropriate role (User Roles) by activating the checkbox atEngineer.
- Click the button.
You added an Engineer.
Adding an Operator
To add an Engineer, proceed as follows:
- Log in to the WBM.
- Open the Security → User Authentication page in the WBM.
- Click the
button.
The dialog Add User opens.
- Enter a username and a password following the password complexity rules.
- Click the button.
- In the added row Operator, click the button.
- In the dialog that opens, select the appropriate role by activating the checkbox at EHmiChanger.
- Click the button.
You added an Operator.
Changing the password
Adding more users
If necessary, set up additional users. The number and the roles of the respective users depend on your system and the respective application.
Local user management
You can set up the users locally.
However, a global user management via LDAP is possible. When working with multiple devices (more than 3), Phoenix Contact suggests a global, network-based user management via active directory server (LDAP).
For more information on LDAP, refer to the LDAP connection - file-based configuration topic in the main PLCnext Technology ‑ Info Center.
Information about the Admin
Even if the Security Profile is enabled, the Admin is allowed to make changes via SSH, e.g. the Netload Limiter configuration or the VPN configuration. For the commissioning phase it is possible to configure the Admin to make changes to PLCnext Technology configuration files. Afterwards the Admin must be deleted again in the User Manager!
Unauthenticated access
More accesses are possible via the Admin. This can disrupt production and reduce security.
Do not start any plant with activated Admin!
With the Admin user, you can also use SSH to check the NTP connection. To do this, you must enable SSH in the firewall basic configurations (for more information, refer to the firewall basic configurations) and set an input rule:
Basic Configuration:
Input Rule:
Using the console, you can now check whether the connection has been established by using the ntpq -p command.
Checking password validity in the WBM
- Log in to the WBM.
Return to topicHow do I get to the WBM again? Click here for more information...
Establishing a connection to the Web-based Management (WBM):
- Open a web browser on your computer.
- In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
for example: https://192.168.1.10/wbm.
For further information, see WBM.
- Open the Cockpit page (Diagnostics → Cockpit) in the WBM.
Based on the messages, you can check whether the passwords are still valid and whether a user has already changed his default password.