Creating users 

The Admin can only configure the system. All other activities must be performed by other users with other roles. You need at least a Security Engineer to access the security notifications, an Engineer to program in PLCnext Engineer and an Operator to operate an HMI. Below you will see how to add these users with their specific roles.

Note: It is strongly recommended that you only use the default user password for the first access. Change the default password immediately after the first access. Observe the password complexity rules.

After you have created a user, the WBM displays a corresponding message prompting you to change the default password (from firmware 2024.0 LTS).

 For more information on the different users, roles and rights, refer to the User Authentication topic in the main PLCnext Technology ‑ Info Center.

For the following procedures you need access to the Web-based Management on the PLCnext Control.

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

System Use Notification

The system use notification is displayed each time a user wants to log on to the controller. The system use notification is independent of the language of the user interface in WBM and PLCnext Engineer. You should therefore take all required languages into account when editing.

To edit the system use notification, proceed as follows:

  • Log in to the WBM.
  • Open the User policies page (Security → User policies) in the WBM.
  • On the GENERAL tab, click the EDIT NOTIFICATION button.

    ↪ An input window opens.
  • Edit the System Use Notification.
  • Confirm the entry by clicking the Save button.
    ↪ The text is then transferred to the controller and stored.

Adding a Security Engineer

To add a Security Engineer, proceed as follows:

  • Log in to the WBM.
  • Open the Security → User management page in the WBM.
  • Click the + button. 

    ↪ The dialog Add User opens.
  • Enter a username and a password following the password complexity rules.
  • Click the CREATE USER button. 
  • Select a password ruleset (the Admin ruleset is strongly recommended) and click the SET PASSWORD RULES button. 
  • Select the general role Admin and the security roles SecurityEngineer and UserManager.
    Known issue: Temporarily, you must also assign the "Admin" general user role to the SecurityEngineer user. This error will be fixed with a further firmware release.
  • Click the SET USER ROLES button. 
    ↪ You have added a Security Engineer. 
  • When you log in as a Security Engineer, edit the user's initial password. 

Adding a Security Auditor

To add a Security Auditor, proceed as follows:

  • Log in to the WBM.
  • Open the Security → User management page in the WBM.
  • Click the + button. 

    ↪ The dialog Add User opens. 
  • Enter a username and a password following the password complexity rules.
  • Click the CREATE USER button. 
  • Select a password ruleset (the Admin ruleset is strongly recommended) and click the SET PASSWORD RULES button.
  • Select the security role SecurityAuditor.
  • Click the SET USER ROLES button. 
    ↪ You have added a Security Auditor. 
  • When you log in as a Security Auditor, edit the user's initial password. 

Adding an Engineer

To add an Engineer, proceed as follows:

  • Log in to the WBM.
  • Open the Security → User management page in the WBM.
  • Click the + button. 

    ↪ The dialog Add User opens. 
  • Enter a username and a password following the password complexity rules.
  • Click the CREATE USER button. 
  • Select a password ruleset (the Default ruleset is recommended) and click the SET PASSWORD RULES button.
  • Select the general role Engineer.
  • Additionally, select the eHMI role EHmiChanger.
    Note: You need the EHmiChanger role to be able to test HMI applications that have been created. You must remove the EHmiChanger role from the engineer before commissioning the system!
  • Click the SET USER ROLES button. 
    ↪ You have added an Engineer. 
  • When you log in as Engineer, edit the user's initial password. 

Adding an Operator

To add an Operator, proceed as follows:

  • Log in to the WBM.
  • Open the Security → User management page in the WBM.
  • Click the + button. 

    ↪ The dialog Add User opens. 
  • Enter a username and a password following the password complexity rules.
  • Click the CREATE USER button. 
  • Select a password ruleset (the Default ruleset is recommended) and click the SET PASSWORD RULES button.
  • Select the eHMI role EHmiChanger.
  • Click the SET USER ROLES button. 
    ↪ You have added an Operator. 
  • When you log in as Operator, edit the user's initial password. 

Changing the password

Note: Users must change their passwords following the password complexity rules when they log in with their role for the first time.

You can change the user password on the Device maintenance page (System → Device maintenance) in the WBM.

Adding more users

If necessary, set up additional users. The number and the roles of the respective users depend on your system and the respective application.

Local user management

You can set up the users locally.

Alternatively, global user management via LDAP is possible. When working with multiple devices (more than 3), Phoenix Contact suggests global, network-based user management via an Active Directory server (LDAP).

 For more information on LDAP, refer to the LDAP connection - file-based configuration topic in the main PLCnext Technology ‑ Info Center.

Information about the Admin

Even if the Security Profile is enabled, the Admin is allowed to make changes via SSH, e.g. the Netload Limiter configuration or the VPN configuration. For the commissioning phase it is possible to configure the Admin to make changes to PLCnext Technology configuration files. Afterwards the Admin must be deleted again in the User Manager!

CAUTION

Unauthenticated access

Additional access is possible via the Admin. This can disrupt production and reduce security.

Do not start any plant with activated Admin!
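
The role rules stated on this page (remove EHmiChanger from the Engineer before commissioning, delete the Admin before plant start, the SecurityEngineer known issue) can be checked against a user list before sign-off. The following is an added example, not Phoenix Contact code: the "user:role,role" inventory format, the function names and the account name "admin" are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-commissioning check of a hand-maintained user/role list.
# Input format (constructed for this example): one "user:role,role,..." per line.
# Assumption: the default Admin account is named "admin".
audit_roles() {
    awk -F: -v admin_user="admin" '
        function has(roles, r) { return index("," roles ",", "," r ",") > 0 }
        /^[ \t]*(#|$)/ { next }                      # skip comments, blank lines
        {
            user = $1; roles = $2
            if (user == admin_user) {
                print "FAIL " user ": default Admin must be deleted before plant start"; bad++
            }
            if (has(roles, "SecurityEngineer")) {
                seceng++
                if (!has(roles, "Admin"))
                    print "WARN " user ": known issue, SecurityEngineer also needs general role Admin"
            }
            if (has(roles, "Engineer")) {
                eng++
                if (has(roles, "EHmiChanger")) {
                    print "FAIL " user ": remove EHmiChanger from Engineer before commissioning"; bad++
                }
            } else if (has(roles, "EHmiChanger")) op++    # Operator: eHMI role only
        }
        END {
            if (!seceng) { print "FAIL no user with role SecurityEngineer"; bad++ }
            if (!eng)    { print "FAIL no user with role Engineer"; bad++ }
            if (!op)     { print "FAIL no Operator (EHmiChanger only)"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed inventories: during engineering, and cleaned up for commissioning.
inventory_engineering() {
    printf '%s\n' 'admin:Admin' 'sec.eng:Admin,SecurityEngineer,UserManager' \
        'auditor:SecurityAuditor' 'eng1:Engineer,EHmiChanger' 'op1:EHmiChanger'
}
inventory_commissioned() {
    printf '%s\n' 'sec.eng:Admin,SecurityEngineer,UserManager' \
        'auditor:SecurityAuditor' 'eng1:Engineer' 'op1:EHmiChanger'
}

inventory_engineering  | audit_roles || true
inventory_commissioned | audit_roles && echo "OK: ready for commissioning"
```

The function returns a non-zero status as soon as one FAIL line is printed, so it can gate a commissioning checklist script.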

With the Admin user, you can also use SSH to check the NTP connection. To do this, you must enable SSH in the firewall basic configurations (for more information, refer to the firewall basic configurations) and set an input rule:

Basic Configuration:
Input Rule:
Note: Configure the IP addresses in the firewall so that SSH access can only take place from the defined device.

Using the console, you can now check whether the connection has been established by using the ntpq -p command.
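
An added example (not part of the Phoenix Contact documentation) that interprets the ntpq -p output: the peer marked with * is the selected system peer, and a reach value of 0 means that no reply from that server has arrived. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ntpq -p` output read on stdin.
# Prints one status line; returns 0 only when a system peer is selected.
ntp_sync_state() {
    awk '
        /^ *remote / || /^=+$/ || NF < 10 { next }   # header, rule, short lines
        {
            peers++
            tally = substr($0, 1, 1)          # column 1: peer selection code
            name = (tally == " ") ? $1 : substr($1, 2)
            if ($7 != "0") reachable++        # reach: octal log of last 8 polls
            if (tally == "*") { sys = name; sysreach = $7 }
        }
        END {
            if (sys != "" && sysreach != "0") {
                printf "synced peer=%s reach=%s\n", sys, sysreach; exit 0
            }
            if (peers == 0)     { print "unsynced: no peers listed"; exit 1 }
            if (reachable == 0) { print "unsynced: no server answered (reach 0)"; exit 1 }
            print "unsynced: servers answer, no system peer selected yet"; exit 1
        }'
}

# Constructed sample outputs (not captured from a real controller).
sample_synced() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     .GPS.            1 u   33   64  377    0.412   -0.021   0.035
+192.168.1.2     192.168.1.1      2 u   12   64  377    0.530    0.104   0.051
EOF
}
sample_no_reply() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.1     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

sample_synced   | ntp_sync_state            # on the console: ntpq -p | ntp_sync_state
sample_no_reply | ntp_sync_state || true
```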

Checking password validity in the WBM

  • Log in to the WBM. 

  • Open the Cockpit page (Diagnostics → Cockpit) in the WBM.

Based on the messages, you can check whether the passwords are still valid and whether a user has already changed their default password.

 

 


Published/reviewed: 2025-06-27 • Revision 018